SM Prime follows an 8-step Risk Management Approach, which starts from the identification and prioritization of risks, to the assessment of risk interrelationship and analysis of the sources of risks, then to the development of risk management strategies and action plans, and ultimately, to the monitoring and continuous improvement of the risk management process.

The Executive Committee provides oversight on the assessment of the impact of risks on the strategic and long-term goals of the Company. The business unit heads are responsible for managing operational risks by implementing internal controls within their respective units. On a quarterly basis, the Board Risk Oversight Committee is updated on the status of risk management and improvement plans of the Company.

The Board, through its Risk Oversight Committee (ROC), is responsible for the oversight of the Company’s Enterprise Risk Management system to ensure its functionality and effectiveness. On a quarterly basis, the ROC is updated on the status of risk management and risk mitigation plans of the Company. Action plans to mitigate risks include investment in technology, provision of continuous training to employees, performance of regular audits, establishment and implementation of policies for strong IT governance, and constant partnerships with various stakeholders.

The Board puts emphasis on prudent IT risk management. The IT Team reports to the Board the status of risk management and risk mitigation plans of the Company, particularly on issues concerning availability of continuity plans, backup procedures, protection against damaging code and malicious activities, system and information access control, and incident management and reporting. It ensures the protection of the confidentiality, integrity, and availability of all physical and electronic information assets of SM Prime to make certain that regulatory, operational, and contractual requirements are satisfied. Through risk assessments, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated, and potential impact is estimated in the areas of network, operating system, application, and database in production. Specifically, system vulnerability assessments are regularly implemented to proactively detect and address threats and vulnerabilities. In terms of cyber security management, the Company has adopted globally accepted standards to employ a similar approach to cyber security strategies within the organization.

Risks are subject to regular review and assessment. The Company’s risk management system, as well as its governance and internal control systems, is subject to independent evaluation by the Internal Audit Department.