The Group instills and promotes a culture of risk managing to allow prudent risk-based decision-making activities which seeks to balance an acceptable risk tolerance level against anticipated returns by embedding core values, principles, compliance and dynamic internal control systems in its day-to-day operations. Ongoing communication, education, monitoring and mitigation are an integral part of the Group’s risk management culture and is adopted across all its business activities.
The wider Yoma Group’s Enterprise Risk Management (“ERM”) framework provides a sound system of risk management and internal controls; and is underpinned by a sound foundation of the wider Yoma Group’s strong corporate governance culture, supported by five pillars of management control system being: Policies and Procedures, Internal External Audits, Due Diligence Reviews, Compliance Monitoring Reporting and Enterprise Risk Assessments.
ENTERPRISE RISK ASSESSMENT
The enterprise risk assessment (“ERA”) is conducted across the wider Yoma Group by the Risk Management & Assurance team, in accordance with the Enterprise Risk Management (“ERM”) framework applied by the wider Yoma Group. The senior management from each business unit participates in the ERA exercise.
The objectives of the ERA are to assist the wider Yoma Group in:
-
- Identifying and assessing the strategic, financial, operational, compliance and information technology risks of the wider Yoma Group;
- Establishing the controls mitigating the risks identified; and
- Confirming that there are adequate and effective controls to manage the risks of the wider Yoma Group.
As part of the ERM Framework, the annual enterprise risk assessment is undertaken to identify material risks faced by the Group along with mitigating measure in place. Where appropriate, related policies and internal controls are refined by the Management with guidance from the ARMC and the Board. It is also carried out to determine the existence and effectiveness of the controls in place, review the changes in risk profile, and update the existing controls if required.
Investment assessments and due diligence exercises are carried out on prospective business opportunities to ensure that potential financial, operational and strategic risks are identified and mitigated prior to the Group making a commitment. In addition, Enterprise Risk Assessment is conducted across the wider Yoma Group as part of the Enterprise Risk Management Framework to ensure consistency with the wider Yoma Group’s commitment to anti-corruption.
- The ERM Framework provides a sound and systematic approach towards risk management and internal control through the following activities: Risk identification and assessment;
- Development of key risk management strategies;
- Implementation of prevention, detection and response controls;
- Monitoring and mitigation of key risks and risk exposure levels and;
- Reporting key risks and management performance to the wider Yoma Group board of directors.
RISK-BASED INTERNAL AUDIT
Risk-based internal audit is one of the main functions carried out by the wider Yoma Group’s Risk Management team to help the businesses to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the ERM framework.The risks identified and the adequacy of any mitigating controls are measured and monitored through Risk-Based Independent Audits (“RBIA”) as part of the process of prevention, detection and response controls implemented by the Management. Results of the RBIA are presented to the ARMC and the BOD with any residual risks, along with the necessary corrective actions, being highlighted.
The Group categorises its risk profile into five key areas:
-
- Strategic & Macro Risks
- Operational Risks
- Financial Risks
- Compliance Risks
- Information Technology Risks
Description | Mitigation | |
---|---|---|
STRATEGIC & MACRO RISKS |
||
Business model & Strategy Risk | The Group recognizes that competitive landscapes, changing customer preferences and market-driven forces impact the strategy and operations of each of the Group’s business units and their financial performance. | Regular and constant strategy sessions are held across the Group to review existing strategies at each business unit, including the relevant digital trends in different sectors, and to formulate pre-emptive measures, such as diversifying the Group’s business mix and sources of revenue and profitability. |
Business Environment Risk | Since February 1st, there has been substantial uncertainty in the economic and business environment in Myanmar. This has resulted in economic contraction and welfare challenges across the country. The situation continues to evolve, remains unclear and strong headwinds could prevail. Henceforth, macro risks have risen sharply for the Group conducting its businesses in Myanmar. | As the Group has made a long-term commitment to Myanmar, its continued presence, participation and provision of essential services is paramount in fulfilling its mission to Build a Better Myanmar for its People. Management continues to maintain a balanced approach in making decisions to ensure commercial survival, business resilience and sustainability. |
OPERATIONAL RISKS | ||
Corruption & Fraud Risk | The risk of corruption and fraud is inherent to any business in Myanmar and has increased in the current operating environment. These acts could be perpetrated by employees, officers, customers or vendors engaged by the Group. |
|
Pandemic Risk | The unprecedented global COVID-19 pandemic, in particular the latest wave from the more contagious Delta variant, has created unexpected challenges for the Yoma Group’s businesses. The severity and duration of the pandemic has disrupted operations and accelerated structural changes that could have long-term effects on the business plans of each business unit and their ability to implement them. Meanwhile, the imposition of travel and movement restrictions, curfews and nationwide lockdown measures has impacted the consistency of operations, particularly in business units that are considered non-essential. | The Yoma Group has advanced its digital transformation journey while embracing operational efficiency improvements and cross-collaboration between business units. Digital technology platforms have become critical in the changing operating environment and to maintain business continuity. Mandatory vaccination program for all employee of the Yoma Group employees, remote working arrangements where possible and the continuous maintenance of workplace hygiene standards to prevent the spread of infections and ensure the safety and wellbeing of employees and customers. In addition, provided essential staff with temporary housing at both gated residential communities to enable Groupwide business continuity. |
FINANCIAL RISKS | ||
Credit Risk | The Yoma Group has extended credit to selected customers as access to financing has become increasingly challenging across the market. This extension of credit carries inherent risks of delinquency and default. | Customers’ credit-worthiness is evaluated within approved underwriting policies which take into account background checks, financial standing, loan-to-value and the ability to meet repayments. Rigorous approvals are required within each business unit where credit is extended. Cash terms are prioritized where possible to minimize credit risk. |
Foreign Exchange & Interest Rate Risk | The Yoma Group’s operations are exposed to fluctuations in Myanmar kyat against US dollar. In addition to currency translation movements, foreign exchange risk arises as local currency cashflows may need to be converted into US dollars to meet certain international payment obligations. Furthermore, the foreign exchange conversion cycle is limited by US dollar availability in the market. The Yoma Group is also exposed to unfavorable movements in interest rates. | Constant review of the foreign currency exposures in each business unit’s operations and monitoring of the Yoma Group’s overall economic exposure to movements in foreign exchange rates. Strategies to mitigate the impact of foreign exchange risk include implementing natural hedges to balance sheet positions, increasing the proportion of local currency borrowings and shortening the foreign exchange cycle.Maintaining a mix of both fixed and floating rates on borrowings to manage interest rate fluctuations. |
COMPLIANCE RISKS | ||
Environmental and Social Governance Compliance Risk | Non-compliance with various laws and regulations may have a detrimental effect on the financial and operational performance of each of the Yoma Group’s business units. Furthermore, Environmental, Social and Governance (ESG) compliance has become one of the most pressing issues expected by key stakeholders, including customers, lenders and regulators, and has posed additional challenges in the current business environment. | The Yoma Group’s compliance framework is guided by our core values and Code of Conduct. This entails regular reporting by each business unit to ensure that compliance risks are effectively assessed, managed and mitigated while keeping updated on changes to laws and regulations. In addition, the Group Risk Management and Assurance Team monitors the Group’s compliance with its ESG targets and obligations and ensures that ESG disclosures are documented, accurate and complete. |
INFORMATION TECHNOLOGY RISKS | ||
Cyber Security Risk | The Yoma Group has increasingly shifted towards remote working arrangements which relies on technology to facilitate its operations and to maintain business continuity. This increased dependence on technology has increased the Yoma Group’s exposure to cyber security threats including network security, data protection and cybercrimes. | The Yoma Group remains focused on embedding cyber security and data governance into business processes to ensure that data protection and privacy are managed in addition to other commercial risks. These reduce the likelihood and severity of breaches in cyber security and data protection which increasingly have an impact on the Yoma Group’s businesses. Established strict information security policies are in place which are designed to continuously monitor the following:
|
Internal Control System
FMI’s subsidiaries have their respective internal control system. At Head Office level, the whole financial management system is managed and overseen by the Company’s Financial Controller. To ensure that the strategic vision set out for its subsidiaries are aligned, the Company has delegated its executive directors to serve on the respective Boards. These delegates will regularly update the results of operations of the subsidiaries to the ARMC, which endorses the results to the Board for approval. The ARMC and FMI’s management ensures that management of the subsidiaries maintain a sound risk management framework and internal control system to mitigate material risk exposures identified internally.
Yoma Bank
Yoma Bank (the “Bank”) places great importance on maintaining a sound risk management and internal control framework. The Board of the Bank, via the Audit and Risk Oversight Committees, is tasked with ensuring that appropriate risk management and internal systems are established and working effectively. Among other things, the Board of the Bank (i) approves risk management procedures and ensures compliance with such procedures; (ii) analyzes, evaluates, and improves the effectiveness of the internal risk management and internal control procedures on a regular basis; (iii) develops adequate incentives for executive bodies, departments and employees to apply internal control systems; and (iv) ensures that the Bank complies with legislation and charter provisions. In implementation of the framework, a strong independent internal audit team is in place to directly report to the Audit Committee of YB and to conduct periodic review of key identified areas including changes in relevant policies, internal control system, corporate governance, operations, and security risks. Acting as the main liaison between the External Auditors and the Board of YB, the Audit Committee monitors YB’s internal controls and framework to ensure transparency across the business functions of the Bank, and periodically reviews the integrity of the Bank and makes recommendations for improvement. YB’s Risk Oversight Committee reviews the effectiveness of the Enterprise Risk Management Framework particularly in relation to risk identification, measurement, mitigation, and monitoring. It ensures the risk appetite approved by the Board is properly implemented; and facilitates ongoing dialogue on risk within YB.
Pun Hlaing Hospitals (“PHHs”)
The operating guideline of PHHs is under the governance of its Chief Financial Officer. The shareholders of PHHs namely, the Company and its joint venture partner, OUE Lippo Healthcare Limited (“OUELH”) have appointed their senior management personnel on the boards of PHHs to oversee the financial system and operation of PHHs’ periodically. This is to ensure that 1) strategic objectives set for PHHs are aligned; 2) compulsory steps are taken for the achievement of its strategic goals; and 3) a comprehensive set of oversight controls to put management decisions in check and to prevent it from exposing to various risks that are prone to occur in the healthcare sector.
RISK RESPONSE & MITIGATION MEASURES
Environmental, Health & Safety Risks
Risk description
Negative impacts on the Group’s financial performance and productivity.
Drivers
1.1 Fire accidents
1.2 Climate change, extreme weather, natural disaster, e.g. earthquakes, floods
1.3 Infectious diseases outbreak such as COVID 19, swine flu, SARS, Ebola
Implications for value creation
1.1 Delayed business expansion and recovery
1.2 Operations suspension
1.3 Loss of lives, reputational damage and interruption in our business operations
Risk response and mitigating measures
1.1 Delivering regular fire drill training to all employees across the Group on a regular basis
1.2 Implemented Health and Safety Policy, HR Policies and Guidelines to practice across the Group
• In the case of COVID 19, the Group set up a Covid Control Center (CCC) to deliver Covid-19 Emergency Response.
1.3 Provide all employees, medial plans, life insurance plans and special medical coverage to employees who are diagnosed as COVID-19 patients.
Internal & External Risks
Risk description
Risk of loss resulting from inadequate or failed internal organizational practices or driven by external forces.
Drivers
1.4 Financial losses and business instability
1.5 Increase in competition among property developers, healthcare providers, destination management companies, financial services providers
Implications for value creation
1.4 Failures in operational processes, internal policies or support systems in all business activities
1.5 Increased costs to acquire land and raw material, increases in unsold properties, decreases in earning from our core businesses due to lack of competitive advantages
Risk response and mitigating measures
1.4 Apply a risk-based internal audit to help the Group’s businesses accomplish the objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the enterprise risk management (ERM) framework. ERM also helps to address operational and finance risks are within the risk appetite monitored by management and are with the Group’s overall business objectives.
1.5 Maintain win-win business relationship with our businesses’ suppliers and business partners
Risk description
Volatility in interest rates, foreign exchange rates could have a material adverse effect on our cash flows and results of operations.
Drivers
2.1 Liquidity Risk
2.2 Capital Risks
Implications for value creation
2.1 A firm’s possible inability to meet its short-term debt obligations, thereby incurring exceptionally large losses
2.2 Inability to make regular dividend payment
Risk response and mitigating measures
2.1 Board of Directors approve an asset liability management (ALM) policies. Liquidity limits are set to address liquidity shocks, whether affecting most financial institutions or the Yoma Bank uniquely, are fully covered and a Contingent Funding Plan is developed. Liquidity levels are being strictly monitored for adherence to the Board specified minimums (as defined in the ALM policy) or the requirements prescribed by the CBM.
2.2 The Group’s objectives when managing capital are to safeguard the Group’s ability to continue as a going concern and to maintain an optimal capital structure so as to maximize shareholder value. In order to maintain or achieve an optimal capital structure, the Group may adjust the amount of dividend payment, return capital to shareholders, issue new shares, obtain new borrowings or sell assets to reduce borrowings.
Human Resources Risks
Risk description
Increase in labor cost and loss of efficiency.
Drivers
3.1 Our dependence on our Management team and skilled personnel
3.2 Our inability to attract and retain such persons
3.3 Lack of Keyman Insurance
Implications for value creation
3.1 Adverse financial impact
3.2 Increase in employee turnover, and costs to hire qualified employees and contractors
3.3 Interruption in business operations and slow down business growth
Risk response and mitigating measures
3.1 Consistently providing training and leadership programs to every level of employees across the Group.
3.2 The Yoma Group’s Human Resources Department is tasked to constantly review and identify high-performing individuals internally and externally to serve as a pipeline for leadership succession planning.
-
-
- Develop innovative talent retention programmes such as leadership training and other development programmes
- Create safe, fun and flexible working environment
- Develop effective internal communication system to increase employees’ synergy
- Provide a variety of welfare benefit plans and Yoma Employees’ Perks so that employees feel that they are taken care of and to increase their sense of belonging
- Lay out core values to increase employee morale and sense of belong across the Group.
-
3.3 Limit the number of The Group personnel travelling together, which means transportation or business travel should be arranged such that no single event could create a catastrophic loss of key personal for the Corporation. This means that when possible, no more than five Executive of the Company should travel on the same aircraft (be it a commercial, private, or corporate flight) or other vehicle of transportation. Pre-approval from Human Resources is required if more than half of an organization, group, or entity functional management team will be on the same aircraft.
Societal Risks: Economic and Social Instability
Risk description
Change in customers’ and shareholders’ behavior and taste which results in them investing in other types of investments.
Drivers
3.4 The Company’s inability to pay dividends annually
3.5 Claims or lawsuits derived from medical malpractice claims and accidents due in mismanagement in construction sites
3.6 Credit Risks in the banking services sector
Implications for value creation
3.4 Loss of shareholders’ loyalty and reputational damage
3.5 Loss of customers’ loyalty and reputational damage
3.6 Risk of loss arising from any failure by a borrower or counterparty to meet its financial obligations when such obligation is due
Risk response and mitigating measures
3.4 Shareholder’s complaints are taken seriously and are solved by the Corporate Office Team as soon as they arise. In a financial year when dividend is not paid, the Management will explain the rationale behind such action during media briefings and the Company’s Annual General Meeting.
-
-
- Established a Corporate Office Team (Corporate Office Team) to regularly analyse the market trend and to develop strategies with the Management to ensure FMI’s shares are competitive in value and quality among its fellow listed companies;
- The Team is also tasked to maintain and build positive relationships with individual shareholders by providing one-on-one meeting at the Company’s Head Office or Annual General Meetings, and via other communication platforms;
- Group Legal and Group Communication departments are tasked with monitoring all commercial materials to minimize the risk of potential threat of adverse media publicity.
- The Company’s effort in being transparent and open in communicating the internal movements are evident in the public announcements and annual media briefing.
-
3.5 Provide channels for stakeholders and customers to report grievances such as a feedback box at each business operation unit and anonymous reporting via a QR code available in the Company’s Stakeholder Engagement Policy
3.6 Board of Directors from banking services approve major policies and limits that govern the monitoring of the credit risk. It structures the levels of credit risk it undertakes by placing limits on the amount of risk acceptable in relation to one borrower, or group of borrowers and industry segments.
Risk description
Risk of loss resulting from inadequate or failed internal processes, people or from external event.
Drivers
4.1 Weaknesses, disruption or failures in overall management and IT systems
Implications for value creation
4.1 Loss of competitive advantage and fragile to external attacks
Risk response and mitigating measures
4.1 Balancing the cost and risk within the constraints of the risk appetite of the Company and the Group’s businesses to ensure that this balance is consistent with the prudent management required of a large Myanmar organization.
-
-
- Implemented a centralized core banking system (CBS) at our subsidiary, Yoma Bank, to provide a common and stable operating platform to develop multi-channel service delivery.
- Implemented IT security for the overall network system across the Group.
- Utilized a firewall system to monitor internal traffic, defend against potential external anti-hacking and anti-virus attacks.
- Planning to integrate the proxy system to monitor and filter contact traffics in the network.
- Implemented a directory server to authenticate users and passwords.
- Adopted Advance Threat Prevention (ATP) scanning function to monitor phishing and malware.
- Adopted SSLVPN to build a secured virtual tunnel for WFH employees.
- Applied two-factor authentication on for email access.
-
Risk description
Material adverse effect on the Group’s businesses and its financial condition
Drivers
5.1 Failure or inability of the Group to comply with relevant industry-specific laws, regulations or procedures; Directors Breach of Fiduciary Duties, Corruption and Bribery and Corporate Fraud
5.2 Changes in business environment factors
Implications for value creation
5.1 Revoking of rights by the government without compensation
5.2 Delays encountered in procuring the necessary approvals from the relevant regulatory bodies
Risk response and mitigating measures
5.1 Identifies and manages compliance risk through effective use of its external and internal compliance advisers
-
-
- Monitors its entities’ compliance with relevant international regulatory requirements
- Ensuring and communicating risk and its control information among the board, auditors and management which is led by Audit and Risk Management Committee and Group’s Risk Management Department
-
5.2 Build brand loyalty among our businesses’ consumers
EVOLUTION OF RISK
Five major risks identified are affecting FMI’s ability to create value over the short, medium and long term.
The Group instills and promotes a culture of risk managing to allow prudent risk-based decision-making activities which seeks to balance an acceptable risk tolerance level against anticipated returns by embedding core values, principles, compliance and dynamic internal control systems in its day-to-day operations. Ongoing communication, education, monitoring and mitigation are an integral part of the Group’s risk management culture and is adopted across all its business activities.
The wider Yoma Group’s Enterprise Risk Management (“ERM”) framework provides a sound system of risk management and internal controls; and is underpinned by a sound foundation of the wider Yoma Group’s strong corporate governance culture, supported by five pillars of management control system being: Policies and Procedures, Internal External Audits, Due Diligence Reviews, Compliance Monitoring Reporting and Enterprise Risk Assessments.
RISK-BASED INTERNAL AUDIT
Risk-based internal audit is one of the main functions carried out by the Group’s Risk Management team to help the businesses to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the Enterprise Risk Management Framework, outlined as follows:
- identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
- assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
- treating all identified risks, as far as possible, through established controls or pending control plans;
- monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged and;
- reporting key risks and the established controls (or pending controls plans) to the ARMC and the Board regularly.
Risk-based internal audit is one of the main functions carried out by the Group’s Risk Management team to help the businesses to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the Enterprise Risk Management Framework, outlined as follows:
- identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
- assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
- treating all identified risks, as far as possible, through established controls or pending control plans;
- monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged and;
- reporting key risks and the established controls (or pending controls plans) to the ARMC and the Board regularly.
EVOLUTION OF RISK
Five major risks identified are affecting FMI’s ability to create value over the short, medium and long term.
FY 2016 - 17
FY 2018 - 19
5 major risks have been identified to
provide a more integrated approach.
FINANCIAL SERVICES
- Interest Rate Risk
- Exchange Rate Risk
- Maturity Risk
- Cyber Security Risk
- Collateral Risk
HEALTHCARE
- Common Healthcare Sector Risk
- Pandemic Risk
REAL ESTATE
- Demand Risk
- Cost Risk
- Liquidity Risk
GENERAL
- Market Competition Risk
- IT Risk
- HR Risk
- Regulatory Risk
- Profitability Risk
- Technology Risk
5 MAJOR RISK CATEGORIES
INFORMATION TECHNOLOGY RISK
- Inadequate IT Governance
- Cyber Security Risk
STRATEGIC RISK
- Societal Risks: Political, Economic and Social Instability
- Competition Risks
- Investment and Market Risk
- Human resources Risk
OPERATIONAL RISK
- Environmental, Health and Safety Risks
- Project Risk
- Sub-contractor and raw material risks
FINANCIAL RISK
- Long Term Profitability and Net Margin
- Cash Flow and Funding Risk
- Cash Management Risk
COMPLIANCE RISK
- Changes in Legislation and Policies
- Legal and Regulatory Compliance Risk
RISK RESPONSE & MITIGATION MEASURES
ENTERPRISE RISK ASSESSMENT
Introduction
An Annual Enterprise Risk Assessment is conducted across the Yoma Group by the Risk Management & Assurance team, in accordance with the Enterprise Risk Management (“ERM”) Framework applied by the Yoma Group. Senior Management from each business unit participates in the ERA exercise.
Objectives
Pursuant to the Corporate Governance Framework, Policies, Procedures and Standards adopted by the Group, the objectives of the ERA are to assist the Board in:
-
- Identifying and assessing the strategic, financial, operational, compliance and information technology risks of the Group;
- Establishing the controls mitigating the risks identified; and
- Confirming that there are adequate and effective controls to manage the risks of the Group.
Approach
The Senior Management from the Group provides inputs to identify and assess the impact and likelihood of each risk to determine a risk rating of “High”, “Significant”, “Moderate”, or “Low”, with the help of the Enterprise Risk Map found in Figure 1 below.
Likelihood of Occurrence | Almost Certain | |||||
Likely | ||||||
Moderate | ||||||
Unlikely | ||||||
Remote | ||||||
Insignificant | Minor | Moderate | Major | Catastrophic | ||
Magnitude of Impact |
Figure 1: FMI Group’s Enterprise Risk Map
The ERA includes the assessment of inherent (before control) and residual (after control) risk ratings. Participants first assess the inherent risks before considering any established controls Management take to alter either the risk’s likelihood or impact. After established controls are identified to mitigate the inherent risks, participants then categorize these as residual risks. Residual Risk identified as being significant and high are reviewed further to ascertain if adequate risk responses exist, taking into consideration established controls and comparing this against approved risk tolerance levels. Thereafter action plans are developed for those specific areas where gaps occur between the Group’s strategy including a system for risk reporting that is monitored by the Audit & Risk Management Committee.