IRPC One Report EN

2. Risk Assessment

The Board and the management attach foremost importance to risk management to build confidence and provide assurance as to the achievement of the Company's short- and long-term goals. The Risk Management Committee (RMC) and the Risk Management and Internal Control Committee (RMCC), both established by the Board, are chaired by the Chief Executive Officer and the President, respectively. These committees provide oversight of appropriate and effective risk management and internal control, and of the strict implementation of enterprise-wide risk management, under the following management approaches:

IRPC has adopted ISO 31000 (2018) and the COSO Enterprise Risk Management framework (2017) and has formulated a risk management policy that provides guidelines for managing risks that could threaten the Company's ability to achieve its objectives. The risk management approaches comprise corporate risk management, functional risk management and project risk management, taking into account the corporate goals and changing internal and external factors, including the opportunity for fraud and corruption. These enterprise risk management standards also prescribe the risk management approach, coupled with a regular risk review process and performance monitoring of risk management plan implementation, to ensure that risks stay at acceptable levels.

The Company requires the submission of a quarterly summary report on enterprise risk management to the Risk Management and Internal Control Committee, and a monthly enterprise risk management report to the Risk Management Committee. For functional risk management, a summary report is required at the respective line/functional team meetings. For Star KPI-aligned risks, a quarterly summary report on KPIs and risk management is required at the VP meeting.

IRPC has adopted a Business Continuity Management System (BCMS) in accordance with ISO 22301 (2019) to enable the Company to conduct contingency planning and respond effectively to emergency situations, ensuring business continuity, mitigating impacts, and preserving the corporate public image and reputation.

3. Control Activities

IRPC has put in place effective control activities to establish sound internal control that minimizes the risks threatening the Company's ability to achieve its objectives. These control activities include the creation of written rules, policies, regulations, handbooks, and procedures; the definition of managers' scope of authority and duties and of employees' job descriptions at each level, along with the authority to approve business transactions; and regular operational reviews to ensure compliance with rules, policies, regulations, and operational handbooks. In addition, the Company has formulated policies and guidelines on transactions with actual or potential conflicts of interest to ensure that all such transactions are transparent, accountable, and fair, and that they are approved in the best interests of the Company.

IRPC has implemented a Continuous Control Monitoring System (CCMS) for purchase/procurement and payments as well as for sales and receipts, as a tool to monitor business operations effectively and detect irregularities, in line with the segregation of duties concept. The Company has developed Control Self-Assessment (CSA) forms covering its key operations, such as the enterprise-wide internal control self-assessment form and the process-specific internal control self-assessment form. These self-assessment forms help executives develop a comprehensive and broad-based approach to control activities that minimizes risks in the various operational processes.

IRPC has established Project Governance guidelines to improve the efficiency and effectiveness of project management by requiring the relevant committees and business units to thoroughly review information on investment projects at all and implemented Leadership Development Program. A systematic and standardized performance assessment process was established, together with regular performance monitoring, to ensure fair rewards that give employees an incentive to discharge their duties effectively.

IRPC has adopted the internationally accepted Three Lines of Defense model of enterprise risk management and sound internal control. Staff and managers (First Line), the internal control unit, compliance unit and other auxiliary units (Second Line), and the Office of Corporate Internal Audit (Third Line) are required and encouraged to apply the model continuously and consistently, from risk identification and the determination of control activities to risk monitoring and assessment. In this regard, the First Line of Defense plays the most crucial role in ensuring the success and efficiency of internal control.

274 IRPC PUBLIC COMPANY LIMITED 56-1 ONE REPORT 2021
