
EWRM Awareness

TNB EWRM
Outline of Presentation

- Introduction
- GWRA Process
- Issues discussed at GRMC
- Q&A
Introduction

Regulatory Requirement

- The Revamped Listing Requirements of Bursa Malaysia: Statement on Internal Control
- The Malaysian Code on Corporate Governance: principles and best practices
  - Identify principal risks and ensure the implementation of an appropriate risk management system
  - Review the adequacy and integrity of internal control systems and management information systems
  - Establishment and independence of the internal audit functions
TNB EWRM Framework

- Risk policy and guidelines
- Guidance on Group Wide Risk Assessment: risk identification, risk measurement, risk control, risk profiling, and reporting of information (the ‘Portfolio of key risks’)
- TNB Risk Information System (TRIS): monitoring system
- Guidance on Risk Treatment Options: Terminate, Reduce, Accept, Pass on
- Risk Mitigation Plan and Management Response
- Principal guidelines:
  - Enterprise Wide Risk Management Policy, 2nd Edition
  - Enterprise Wide Risk Management Circular No. 1/2008
TNB’S EWRM Policy Summary

- Integrate ongoing risk management activities within the business
- Identify and assess risks to our business objectives and understand how such risks influence our performance
- Ensure that risk information is communicated through a clear and robust reporting structure
- Support the framework and strategy with an appropriate organisational structure by ensuring responsibilities are clearly defined and communicated at all levels
Roles & Responsibilities - TNB Board of Directors

- Responsible for all elements of risk management and internal control as set out under the Malaysian Code of Corporate Governance.
- The Board of Directors shall:
  - satisfy itself that significant risks faced are being managed appropriately;
  - ensure that an appropriate organisation and reporting structure is in place; and
  - adequately discuss and provide challenge on issues of risk and opportunity, their treatment, and the overall risk appetite and risk portfolio of the Group.
- The Board of Directors may delegate the above responsibility to any of the Board Committees as deemed appropriate.
Roles & Responsibilities - TNB Board Audit Committee

- Responsible for assisting the Board of Directors to establish appropriate policies on risk oversight and management.
- The Board Audit Committee shall assist the Board of Directors:
  - to identify principal risks and ensure the implementation of appropriate systems to manage these risks;
  - to oversee the establishment and implementation of the risk management system;
  - to approve the risk management policies and practices on behalf of the Board, and review periodic reports on risk management; and
  - to be informed on risk management matters and present periodic summarised information on the Group-wide risk assessment process.
- The Committee may, as and when necessary, invite other Board members and management personnel to attend the meetings.
- The Board Audit Committee shall:
  - independently review the adequacy and effectiveness of risk management at the TNB Group;
  - review the adequacy and integrity of the system of internal control put in place; and
  - receive summary reports from the External Auditors and Group Internal Audit.
Roles & Responsibilities - TNB Group Risk Management Committee

- Responsible for the continuous development of risk management in the Group;
- The responsibility is carried out through developing risk management strategy and policy for the Board’s agreement;
- The GRMC will form part of the activities of TNB's Group Executive Committee.
Roles & Responsibilities - TNB Group Risk Management Working Committee

- The Group Risk Management Working Committee (GRMWC) is responsible for assisting the Group Risk Management Committee.
- Under the authority delegated from the Group Risk Management Committee, the GRMWC's roles and responsibilities are to:
  - be responsible for the continuous development of risk management in TNB Group;
  - review and report to the Group Risk Management Committee on a half-yearly basis;
  - review and approve all guidelines on risk management;
  - decide on the status of, and matters arising with regard to, the operating divisions' risks; and
  - identify key issues at the operating level that need to be escalated for the Group Risk Management Committee's attention or decision.
Roles & Responsibilities - TNB Group Chief Risk Officer

- Responsible for the leadership, direction and coordination of the Group-wide application of risk management within the Group;
- Ensures that the principles and requirements of managing risk are consistently adopted throughout the Group;
- Responsible for establishing the EWRM framework;
- Produces an annual Group-wide risk assessment report for the GRMC and BAC through the GRMWC.
Roles & Responsibilities - Chief Internal Auditor

- Provide assurance to the TNB Board Audit Committee on the adequacy and effectiveness of the internal control systems;
- Offer independent challenge to the divisions to ensure the principles and requirements of managing risks are consistently adopted;
- Act as the third line of defence, providing independent assurance to the Board;
- Provide periodic Internal Audit activity reports and follow-up reviews.
Roles & Responsibilities - TNB Group EWRM Department

- Responsible for the ongoing development and co-ordination of the EWRM system as well as the consolidation and reporting of all EWRM information;
- Responsible for the co-ordination, negotiation and purchase of all TNB Group insurance covers and self-insurance arrangements;
- The principal reporting responsibility of the EWRM Department is to submit bi-annual risk assessment reports on key risks as identified by the Group-wide risk assessment process.
Roles & Responsibilities - TNB’s Operating Division

- Responsible for the identification, measurement, control, monitoring and reporting of risk;
- Responsible for implementing the requirements of this policy;
- Specifically, the responsibilities are to:
  - enhance its own organisation structure to include an appropriate risk management structure to sustain the EWRM framework;
  - identify and assess risks to business objectives through the Group-wide risk assessment process;
  - ensure that appropriate controls are in place to manage identified risks;
  - ensure that continuous review and monitoring of identified risks are carried out periodically;
  - incorporate the risk assessments and mitigation plans into the annual business/operating plan;
  - provide ongoing assurance on the status of key risks and actions taken to manage them;
  - ensure that full consideration and commentary on risks are provided to support business strategy and the planning cycle;
  - appoint divisional Risk Managers and departmental Risk Coordinators;
  - communicate risk management policy and strategy together with defined responsibilities to all management and staff.
Roles & Responsibilities - Other Support Functions

- Other Corporate Support Functions provide assistance and expert advice to the Operating Divisions;
- The principal reporting responsibility of the Corporate Support Functions is their submission of risk assessment reports in conformance to the EWRM reporting requirement.
Roles & Responsibilities - Risk Managers & Risk Coordinators

Each operating division, subsidiary and corporate support function is also responsible for the appointment of a Risk Manager and a Risk Coordinator, who will be responsible for:

- Risk Reporting and Monitoring
  - Coordinating the bi-annual risk reporting and monitoring processes at the operating division;
  - Identifying and assessing risks to business objectives;
  - Identifying and reporting on the critical risks, their current status and the actions taken to manage them;
  - Monitoring and reporting the implementation of approved mitigation plans for key operating risks; and
  - Ensuring that appropriate controls are in place to manage identified risks.
- Risk Advisory
  - Representing the department at the TNB EWRM forum and TNB Group risk management committee meetings (if required);
  - Keeping abreast of new developments in EWRM; and
  - Acting as a focal point for all EWRM support and advice within their respective departments.
- Risk Communication
  - Communicating the enterprise wide risk management strategies, policies and processes to all management and staff within the operating division; and
  - Engaging in dialogue and discussion with management and staff within the operating division.
Roles & Responsibilities - TNB Management

- Management has front line responsibility for identifying and evaluating risks within their area of responsibility and implementing agreed actions to manage risk;
- Primarily, all managers must ensure that their area of responsibility does not expose the TNB Group to unnecessary risk.
Roles & Responsibilities - TNB Employees

- All employees have a general duty of care and are responsible for complying with this policy.
- All TNB employees are to be conscious of the risks related to their actions and decisions.
- Through appropriate preventative action, all reasonable care should be taken to prevent loss and to maximise opportunity.
Group Wide Risk Assessment Process (GWRA)

- Continual and consistent identification and assessment of key risks is critical to realising business objectives.
- Changing business conditions and the decisions made in the course of running the business will continuously alter the status of the key risks identified and introduce new key risks over time. It is important to have frequent and explicit discussions about risk in order to maintain continual awareness of which risks are significant.
- The Group-Wide Risk Assessment Process requires that Group operating divisions, subsidiaries and corporate functions undertake the annual identification and assessment, and periodic update, of all risks to the Group and operating division/subsidiary business objectives in conformance to the reporting requirements.
Revised Group-Wide Risk Assessment Process

Pre Risk Assessment
1. Business Overview: Define Entity Level Business Model; Prepare Business Process Analysis; Determine Risk Assessment Parameters

Risk Assessment
2. Risk Identification: Identify Risk; Determine Causes; Determine Impact
3. Controls Identification: Identify Controls (Existing, Proposed); Determine Control Effectiveness (Weak, Some Weaknesses, Satisfactory)
4. Risk Rating: Determine Gross Likelihood & Impact; Determine Residual Likelihood & Impact; Determine Residual & Gross Risk Rating; Generate Risk Profile
   - Likelihood scale: Rare, Unlikely, Moderate, Likely, Almost Certain
   - Impact scale: Insignificant, Minor, Moderate, Major, Catastrophic
   - Risk rating: Low, Moderate, Significant, High

Post Risk Assessment
5. Risk Treatment: Determine Risk Treatment; Develop Mitigation Plan
6. Risk Reporting & Monitoring: Monitor Risk Profile; Review Risk Profile; Prepare Risk Assessment Report
Define Entity Level Business Model (ELBM)

(Diagram; recoverable content only.)

- External business drivers and stakeholders: Legislation, Political Environment, Technology, Environmental Factors, Customers, Economic Trends, Stakeholders, Suppliers, Regulators
- Strategic Management Processes: Corporate Governance; Business Planning & Strategy Development
- Core Business Processes: Domestic (TNB, IPP, Oil & Gas; Repair & Maintenance, Alstom); Overseas (Generation, Oil & Gas)
- Resource Management Processes: Regulatory and Legal; Financial Management; Marketing; Business Development; Procurement; Safety & Environmental Management; Human Resources; Information Systems
- Markets, Products/Services and Alliances/Customers/Suppliers surround the Core Business Processes

Prepare Business Process Analysis - Template (three template slides)
Risk Categories

- Strategic: High-level risks that may hinder the company from achieving its strategic objectives. Management may also escalate risks that are beyond their control to the strategic level for the attention of the Board.
- Operating Divisions: Risks that may prevent the divisions from achieving their business objectives/goals. Normally these risks are within the control of the respective operating divisions.
Broad Risk Areas

Risks are grouped into the following broad areas: Governance, Compliance, Integrity, Information, Operational, Human Resource, Financial.
Broad Risk Categories

No. / Broad Risk / Sub Broad Risk

1. Governance: Authority, Leadership, Performance, Corporate Direction & Strategy, Incentives, Limits, Internal audit, Board of Directors
2. Human Resources: HR management, Competencies, Recruitment, Recognition, Retention, Compensation, Performance measurement, Leadership development, Succession planning, Employee benefits
3. Finance: Funding, Financial instruments, Accounting information, Foreign exchange/currency, Cash flow, Investment evaluation, Financial reporting, Tax, Pension fund, Treasury, Payroll, Cash management, Insurance, Debtor/creditor management, Interest rates, Budgeting and planning, Securities
4. Technology: External IT, Dependence on IT, Reliability, Management information systems, Access/availability, IT security, Relevance
5. Integrity: Management fraud, Employee fraud, Illegal acts, Unauthorised use
6. Compliance: Copyright and trademarks/Contractual liability, Taxation, Consumer protection, Health and safety, Environment, Pension fund, Regulatory, Legal, Data protection
7. Reputation: Brand, Reputation, Intellectual property, Stakeholder perception
8. Environment: Seasonality, Globalisation, Competition, E-commerce, Share price, Economic, Political, Catastrophic loss, Social, Strategic uncertainty
9. Operational: Quality, Customer service, Cycle time, Pricing, Obsolescence, Shrinkage, Efficiency, Capacity planning, Sourcing, Product development, Product failure, Business interruption, Performance management, HR competencies, Motivation, Training, Repair & maintenance, Project management, Security systems, Marketing, Security procedures, Contingency planning, Channel, Supplier selection & mgmt, Supply chain mgmt, Key suppliers, Speed to market, Capital projects, Physical plant, Buildings, Logistics, Mergers & acquisitions, Joint ventures & alliances
10. Mgmt Information: Completeness/assurance, Market intelligence, Mgmt information reporting, Integrity of information
11. Preparedness: Morale, Workplace environment, Confidentiality, Communication flow, Communication infrastructure, Change acceptance, Change readiness, Challenge, Ethics, Empowerment
Identify risks and determine causes

Example: Loss of key personnel

Causes may include:

- Uncompetitive remuneration
- Poaching by competitors
- Poor training and development
- Perceived end of career opportunities

Determine impact

Example: Loss of key personnel

- Business interruption
- Increased cost of recruitment and training
- Loss of morale
- Damage to reputation
Identify controls

Example: Loss of key personnel

Existing controls:
- Awareness of market remuneration levels
- Regular remuneration reviews
- Well-developed training programme

Proposed controls:
- To further enhance existing succession planning
- To establish a career development programme
Determine Control Effectiveness

- Satisfactory: Controls are strong and operating properly, providing a reasonable level of assurance that objectives are being achieved.
- Some weaknesses: Some control weaknesses/inefficiencies have been identified. Although these are not considered to present serious risk exposure, improvements are required to provide reasonable assurance that objectives will be achieved.
- Weak: Controls do not meet an acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.
Determine Likelihood

Likelihood      Description
Rare            Event may occur only in exceptional circumstances, e.g. approximately below 5% chance of occurring in the next 12 months
Unlikely        The event could occur at some time, e.g. approximately above 5% but below 25% chance of occurring in the next 12 months
Moderate        The event might occur at some time, e.g. approximately above 25% but below 50% chance of occurring in the next 12 months
Likely          The event will probably occur in most circumstances, e.g. approximately above 50% but below 95% chance of occurring in the next 12 months
Almost Certain  The event is expected to occur in most circumstances, e.g. approximately above 95% chance of occurring in the next 12 months
Determine Gross and Residual Risk Ratings

Likelihood of occurrence (rows) against magnitude of impact (columns); L = Low, M = Moderate, S = Significant, H = High.

                 Insignificant  Minor  Moderate  Major  Catastrophic
Almost certain   S              S      H         H      H
Likely           M              S      S         H      H
Moderate         L              M      S         H      H
Unlikely         L              L      M         S      H
Rare             L              L      M         S      S
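The likelihood scale and the rating matrix above can be applied mechanically to a risk register, which is how gross and residual ratings get produced consistently across divisions. The Python below is an added example and is not code from the TNB slides or from TNB's TRIS system: it transcribes the likelihood bands and the 5x5 matrix exactly as shown, rates each risk gross (before controls) and residual (after existing controls), flags the residual High and Significant ratings that the treatment strategy focuses on, and groups the residual ratings into the heat-map cells of the risk profile. The sample register, its probabilities and impacts, and the two consistency checks (residual must not be worse than gross; "Weak" controls should leave the rating unchanged) are constructed assumptions for this illustration, not rules stated on the slides.

```python
"""Gross/residual risk rating for a small risk register.

Added example: the likelihood bands and the 5x5 rating matrix are
transcribed from the TNB GWRA slides; the sample register and the two
consistency checks below are constructed for this illustration."""
from dataclasses import dataclass

IMPACTS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_ORDER = ["Low", "Moderate", "Significant", "High"]
RATING_NAMES = {"L": "Low", "M": "Moderate", "S": "Significant", "H": "High"}

# Rows are likelihood bands, columns follow IMPACTS (matrix as on the slide).
MATRIX = {
    "Almost certain": "SSHHH",
    "Likely":         "MSSHH",
    "Moderate":       "LMSHH",
    "Unlikely":       "LLMSH",
    "Rare":           "LLMSS",
}


def likelihood_band(p: float) -> str:
    """Map a 12-month probability estimate (0..1) to the slide's band:
    <5% Rare, <25% Unlikely, <50% Moderate, <95% Likely, else Almost certain."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for bound, band in ((0.05, "Rare"), (0.25, "Unlikely"),
                        (0.50, "Moderate"), (0.95, "Likely")):
        if p < bound:
            return band
    return "Almost certain"


def risk_rating(likelihood: str, impact: str) -> str:
    """Look up the matrix cell and return Low/Moderate/Significant/High."""
    return RATING_NAMES[MATRIX[likelihood][IMPACTS.index(impact)]]


@dataclass
class Risk:
    name: str
    gross_p: float              # likelihood before controls
    gross_impact: str
    control_effectiveness: str  # "Weak", "Some weaknesses" or "Satisfactory"
    residual_p: float           # likelihood after existing controls
    residual_impact: str


def assess(risk: Risk) -> dict:
    """Rate one risk gross and residual and flag it for treatment focus."""
    gross_l = likelihood_band(risk.gross_p)
    residual_l = likelihood_band(risk.residual_p)
    gross = risk_rating(gross_l, risk.gross_impact)
    residual = risk_rating(residual_l, risk.residual_impact)
    # Consistency checks (assumptions added here, not stated on the slides):
    # controls cannot make the residual rating worse than the gross rating,
    # and 'Weak' controls give no assurance, so they should not lower it.
    consistent = RATING_ORDER.index(residual) <= RATING_ORDER.index(gross)
    if risk.control_effectiveness == "Weak" and residual != gross:
        consistent = False
    return {
        "name": risk.name,
        "gross_likelihood": gross_l,
        "gross_rating": gross,
        "residual_likelihood": residual_l,
        "residual_rating": residual,
        # The treatment strategy focuses on residual High/Significant risks.
        "treatment_focus": residual in ("High", "Significant"),
        "consistent": consistent,
    }


def residual_profile(risks) -> dict:
    """Group risk names by (likelihood band, impact) cell of the heat map."""
    profile: dict = {}
    for r in risks:
        cell = (likelihood_band(r.residual_p), r.residual_impact)
        profile.setdefault(cell, []).append(r.name)
    return profile


# Constructed sample register (names echo the slides; numbers are invented).
SAMPLE_RISKS = [
    Risk("Loss of key personnel", 0.40, "Major", "Some weaknesses", 0.15, "Major"),
    Risk("Loss of assets", 0.10, "Moderate", "Satisfactory", 0.02, "Minor"),
    Risk("Shortage of skilled planners", 0.97, "Minor", "Weak", 0.97, "Minor"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        a = assess(r)
        flag = "FOCUS" if a["treatment_focus"] else "monitor"
        check = "" if a["consistent"] else "  <-- inconsistent with controls"
        print(f'{a["name"]:30} gross={a["gross_rating"]:11} '
              f'residual={a["residual_rating"]:11} {flag}{check}')
    for cell, names in sorted(residual_profile(SAMPLE_RISKS).items()):
        print(cell, names)
```

The band boundaries are taken at the slide's percentages with the lower bound inclusive, so 5% rates as Unlikely and 95% as Almost certain; a division that reads the "approximately" differently should change the bounds in one place. The consistency flag is worth keeping in any register tooling: a residual rating below gross with Weak controls usually means the assessor has credited proposed controls rather than existing ones.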
Generate Risk Profile

Illustrative residual risk profile, Tenaga Nasional Berhad (heat map of likelihood against magnitude of impact; rating legend High, Significant, Moderate, Low). The risks plotted, grouped by likelihood row as far as the extracted layout allows (impact positions are not recoverable from the text):

- Almost certain: Market risks (FX, interest rates and fuel cost); Ability to cost-effectively finance and re-finance; Shortage of skilled planners
- Likely: Failure of business ventures; Increase in theft of electricity; Ineffective manpower planning; Dependence on gas-fired plants
- Moderate: Safety, health & environment; Competition from IPPs; Unsatisfied customers; Changes in regulatory requirements; Credit risk
- Unlikely: Lack of performance-based culture; Loss of key personnel
- Rare: Loss of assets
TNB Risk Treatment Strategy

- Focus on key risks viewed as critical to the business, rated as high and/or significant
- The residual risk ratings are to be continuously monitored
- Key risks can be categorised as:
  i. Strategic risks
  ii. Operating risks

Determine Risk Treatment Decision

The risk profile and the risk appetite together determine the management action; the Risk Treatment Options are Terminate, Reduce, Accept and Pass-on.
Risk treatment option – “Terminate”

- Eliminating the business area or significantly altering it
- Option selected typically for risks that could have catastrophic or major impact on the business and when the costs of pursuing other choices significantly outweigh the potential benefits
- For example, if an investment is found to be consistently non-performing and it is determined that the resources consumed to improve performance far outweigh the return on investment, the decision may be to divest or dispose of the investment
Risk treatment option – “Reduce”

- Management can choose to reduce the risks by taking specific actions aimed at:
  - Reducing the likelihood that a risk will occur in the first place; and
  - Reducing the impact that a risk might have on the business should it actually occur.

Examples of risk reduction techniques

- Management can choose to reduce the likelihood by actions including:
  - Physical measures – improving building security can reduce the risk of losing assets
  - Policies – employee training (formal or OJT) and reasonable health and safety procedures can reduce workplace accidents
  - Diversification – product, market, or supplier diversification, etc. For example:
    - Entering other markets or selling other energy related products could reduce exposure to a decline in one market or product
    - Using alternative suppliers
  - Controls – compliance with policies and procedures; proactively calculate and monitor KPIs
Examples of risk reduction techniques (cont’d.)

- Management can choose to reduce the impact by actions including:
  - Contingency planning – business continuity planning for events that may affect TNB’s ability to provide core services
  - Maintaining resilience:
    - having access to back-up production resources
    - having liquid assets or the ability to borrow and raise new capital
    - developing and maintaining spare capacity
    - having good relations with the government, suppliers, customers and employees
Other examples of risk reduction techniques

- Determine policy
- Clarify accountabilities
- Update performance contracts
- Improve processes
- Establish minimum controls
- Seek expert advice
- Education and training programme
- Project evaluation
- Establish performance reporting requirements
- Business plan review
Risk treatment option – “Accept”

- Management may decide that the level of residual risk is acceptable after considering factors such as:
  - Adequacy of current controls;
  - The quality and quantity of information about the controls;
  - The likelihood and consequences of the risk occurring;
  - The cost of additional controls.
- This option means management chooses not to act and to consciously accept a certain risk. For example, a risk ranked as “low” may be accepted because the level of risk is acceptable in relation to TNB’s risk appetite.
Risk treatment option – “Pass-On”

- Transferring an entire business process to another party, as is the case with sub-contracting and outsourcing arrangements
- Sharing the business process with another party, as is the case with partnership and joint venture arrangements
- Retaining the process and transferring the legal or financial risks, as is the case with insurance arrangements and the use of certain treasury products
Develop Risk Mitigation Plan

Task / Focus
- Owners: Identify the personnel to undertake the mitigation plans
- Mitigation plan: Determine the plan to undertake to manage the risk based on the risk treatment decision
- Mitigation cost: Ascertain the estimated cost for the risk treatment
- Commencement & completion date: Develop the timeline and identify the commencement and completion dates of mitigation plans
- Mitigation status: Determine the status of the action plans, i.e. implemented, work in progress (with percentage of completion) or not implemented
Risk Monitoring & Review

- Risk monitoring and review involves the following:
  - a re-examination of all risks identified to ensure that the current assessments remain valid; and
  - reviewing the progress of risk treatment actions and the relevant fallback plans, if required.
- Risk monitoring and review should form part of the normal management reviews. The risk register is updated after every review and assessment.
Q&A
Thank You

Powering The Nation’s Progress


www.tnb.com.my
