Risk Management and Opportunities

FPH has a robust enterprise risk management process that brings to light areas of the business where rigorous monitoring may be needed, and effectively supports our businesses in their strategy and decision-making processes.

Enterprise Risk Management Process

  • The FPH Enterprise Risk Management (ERM) process follows the ISO 31000:2018 Standard. It is iterative, taking into account changes in our business’ context, objectives, and internal and external factors that may have an impact on value creation.
  • The FPH ERM process is conducted annually across the relevant FPH subsidiaries. The engagement with each subsidiary is guided by the following steps:

Our risk process includes the determination of credible worst-case scenarios, which the subsidiaries use to assess the sufficiency of risk treatment plans and calibrate them where necessary. This ensures that mitigation plans best manage the worst-case scenario of a given risk.

Our ERM policy and processes are included in the Internal Audit Group’s (IAG) audit universe and are subject to IAG’s own periodic risk assessment. The ERM function is not currently assessed as a high-risk audit priority based on IAG’s risk assessment in 2024. Nevertheless, IAG recently performed a review of Information Security risk, a subset of ERM processes, as the need to focus on increasing cybersecurity risk was raised by some of the organization’s key stakeholders. Results of the review were generally satisfactory, showing that internal controls were effective.

The ERM process uses a risk register that captures all possible risks our businesses can experience. In the annual risk review, each subsidiary reviews the risk register to assess each risk. Risks are prioritized using a 5x5 matrix where they are scored one to five on likelihood and impact. Risks with the highest scores have the highest priority.

In 2024, our ERM process and governance structure were expanded to better focus on three aspects of a subsidiary’s business: organizational capability risk, operational risks, and project risks. This will enable us to have more in-depth assessments of risks and opportunities throughout our businesses.

Enterprise Risk Governance

Cybersecurity Risks

Cybersecurity risk is a joint responsibility of ERM and IT, and its management is lodged with the Chief Risk Officer and the Chief Digital Officer. Cybersecurity risks and their management are included in the annual risk management review cycle.

ESG and Climate-related Risks

These risks are part of the FPH risk register. During the annual review of risks, the risk register is reviewed and top risks are identified. Where ESG-related and climate-related risks are surfaced to be material, these are further discussed with senior management.

Risk Culture

Risk management and risk awareness are embedded into employee knowledge through ERM 101 lectures. These are part of the onboarding process of all new employees and are given as a refresher to everyone involved in the risk review process every ERM cycle. The ERM team also gives risk lectures to the subsidiaries, as requested.

Risk Profile

In the 2024 review of our business’ risks, the following were the resulting risk profiles of our business segments, presenting their top three risks.

More details on the risk profile of First Gen may be found in their 2024 Integrated Report.

Our strategy of talent centricity and organizational agility rendered by our governance, structures and systems gave us the flexibility to adapt to the risks and to identify opportunities to create optionality.

Emerging Risks

FPH supports its businesses to maintain stable operations and, where possible, find opportunities in the dynamic and, at times, uncertain landscape we operate in. The following risks were identified as emerging in the business environment FPH plays a role in.

Cybersecurity Risks

The influx of Artificial Intelligence (AI) tools and applications poses risks for data privacy and security breaches.

Political Risks

2025 is an election year in the country for national and local officials. This event, along with the transition to new officials, may result in delays in new national policies and regulations that are currently being developed.

Geopolitical Risks

Tensions in the global setting have indirect consequences on our businesses, from disruptions in the supply chain to increased costs due to tariffs.

Climate Risks and Opportunities

The analysis and embedding of climate risks and opportunities in our processes and strategies has been a continuing and fruitful journey. In 2024, we began capability-building sessions to bridge the process of identifying climate-related risks and opportunities while determining what their financial impacts are on our businesses. This engagement with our businesses is ongoing and will continue into 2025.