Risk Management - First Myanmar Investment Public Company Limited

The Group instills and promotes a culture of risk managing to allow prudent risk-based decision-making activities which seeks to balance an acceptable risk tolerance level against anticipated returns by embedding core values, principles, compliance and dynamic internal control systems in its day-to-day operations. Ongoing communication, education, monitoring and mitigation are an integral part of the Group’s risk management culture and is adopted across all its business activities.

The wider Yoma Group’s Enterprise Risk Management (“ERM”) framework provides a sound system of risk management and internal controls; and is underpinned by a sound foundation of the wider Yoma Group’s strong corporate governance culture, supported by five pillars of management control system being: Policies and Procedures, Internal External Audits, Due Diligence Reviews, Compliance Monitoring Reporting and Enterprise Risk Assessments.

ENTERPRISE RISK ASSESSMENT

The enterprise risk assessment (“ERA”) is conducted across the wider Yoma Group by the Risk Management & Assurance team, in accordance with the Enterprise Risk Management (“ERM”) framework applied by the wider Yoma Group. The senior management from each business unit participates in the ERA exercise.

The objectives of the ERA are to assist the wider Yoma Group in:

- Identifying and assessing the strategic, financial, operational, compliance and information technology risks of the wider Yoma Group;
- Establishing the controls mitigating the risks identified; and
- Confirming that there are adequate and effective controls to manage the risks of the wider Yoma Group.

As part of the ERM Framework, the annual enterprise risk assessment is undertaken to identify material risks faced by the Group along with mitigating measure in place. Where appropriate, related policies and internal controls are refined by the Management with guidance from the ARMC and the Board. It is also carried out to determine the existence and effectiveness of the controls in place, review the changes in risk profile, and update the existing controls if required.

Investment assessments and due diligence exercises are carried out on prospective business opportunities to ensure that potential financial, operational and strategic risks are identified and mitigated prior to the Group making a commitment. In addition, Enterprise Risk Assessment is conducted across the wider Yoma Group as part of the Enterprise Risk Management Framework to ensure consistency with the wider Yoma Group’s commitment to anti-corruption.

The ERM Framework provides a sound and systematic approach towards risk management and internal control through the following activities: Risk identification and assessment;
Development of key risk management strategies;
Implementation of prevention, detection and response controls;
Monitoring and mitigation of key risks and risk exposure levels and;
Reporting key risks and management performance to the wider Yoma Group board of directors.

RISK-BASED INTERNAL AUDIT

Risk-based internal audit is one of the main functions carried out by the wider Yoma Group’s Risk Management team to help the businesses to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the ERM framework.The risks identified and the adequacy of any mitigating controls are measured and monitored through Risk-Based Independent Audits (“RBIA”) as part of the process of prevention, detection and response controls implemented by the Management. Results of the RBIA are presented to the ARMC and the BOD with any residual risks, along with the necessary corrective actions, being highlighted.

The Group categorises its risk profile into five key areas:

- Strategic & Macro Risks
- Operational Risks
- Financial Risks
- Compliance Risks
- Information Technology Risks

	Description	Mitigation
STRATEGIC & MACRO RISKS
Business model & Strategy Risk	The Group recognizes that competitive landscapes, changing customer preferences and market-driven forces impact the strategy and operations of each of the Group’s business units and their financial performance.	Regular and constant strategy sessions are held across the Group to review existing strategies at each business unit, including the relevant digital trends in different sectors, and to formulate pre-emptive measures, such as diversifying the Group’s business mix and sources of revenue and profitability.
Business Environment Risk	Since February 1st, there has been substantial uncertainty in the economic and business environment in Myanmar. This has resulted in economic contraction and welfare challenges across the country. The situation continues to evolve, remains unclear and strong headwinds could prevail. Henceforth, macro risks have risen sharply for the Group conducting its businesses in Myanmar.	As the Group has made a long-term commitment to Myanmar, its continued presence, participation and provision of essential services is paramount in fulfilling its mission to Build a Better Myanmar for its People. Management continues to maintain a balanced approach in making decisions to ensure commercial survival, business resilience and sustainability.
OPERATIONAL RISKS
Corruption & Fraud Risk	The risk of corruption and fraud is inherent to any business in Myanmar and has increased in the current operating environment. These acts could be perpetrated by employees, officers, customers or vendors engaged by the Group.	Reviewing and assessing the Group’s Code of Conduct and Conflict of Interest Policy and reinforcing a zero-tolerance policy towards any incidents of corruption and fraud. Having a Whistleblowing Policy that provides accessible channels for reporting improprieties or concerns to the Group Risk Management and Assurance Team for investigation and ultimate oversight by the ARMC. Conducting regular internal audits focused on areas with greater inherent risks, such as procurement and cash management, and introducing adequate internal controls commensurate with each business unit’s operations.
Pandemic Risk	The unprecedented global COVID-19 pandemic, in particular the latest wave from the more contagious Delta variant, has created unexpected challenges for the Yoma Group’s businesses. The severity and duration of the pandemic has disrupted operations and accelerated structural changes that could have long-term effects on the business plans of each business unit and their ability to implement them. Meanwhile, the imposition of travel and movement restrictions, curfews and nationwide lockdown measures has impacted the consistency of operations, particularly in business units that are considered non-essential.	The Yoma Group has advanced its digital transformation journey while embracing operational efficiency improvements and cross-collaboration between business units. Digital technology platforms have become critical in the changing operating environment and to maintain business continuity. Mandatory vaccination program for all employee of the Yoma Group employees, remote working arrangements where possible and the continuous maintenance of workplace hygiene standards to prevent the spread of infections and ensure the safety and wellbeing of employees and customers. In addition, provided essential staff with temporary housing at both gated residential communities to enable Groupwide business continuity.
FINANCIAL RISKS
Credit Risk	The Yoma Group has extended credit to selected customers as access to financing has become increasingly challenging across the market. This extension of credit carries inherent risks of delinquency and default.	Customers’ credit-worthiness is evaluated within approved underwriting policies which take into account background checks, financial standing, loan-to-value and the ability to meet repayments. Rigorous approvals are required within each business unit where credit is extended. Cash terms are prioritized where possible to minimize credit risk.
Foreign Exchange & Interest Rate Risk	The Yoma Group’s operations are exposed to fluctuations in Myanmar kyat against US dollar. In addition to currency translation movements, foreign exchange risk arises as local currency cashflows may need to be converted into US dollars to meet certain international payment obligations. Furthermore, the foreign exchange conversion cycle is limited by US dollar availability in the market. The Yoma Group is also exposed to unfavorable movements in interest rates.	Constant review of the foreign currency exposures in each business unit’s operations and monitoring of the Yoma Group’s overall economic exposure to movements in foreign exchange rates. Strategies to mitigate the impact of foreign exchange risk include implementing natural hedges to balance sheet positions, increasing the proportion of local currency borrowings and shortening the foreign exchange cycle.Maintaining a mix of both fixed and floating rates on borrowings to manage interest rate fluctuations.
COMPLIANCE RISKS
Environmental and Social Governance Compliance Risk	Non-compliance with various laws and regulations may have a detrimental effect on the financial and operational performance of each of the Yoma Group’s business units. Furthermore, Environmental, Social and Governance (ESG) compliance has become one of the most pressing issues expected by key stakeholders, including customers, lenders and regulators, and has posed additional challenges in the current business environment.	The Yoma Group’s compliance framework is guided by our core values and Code of Conduct. This entails regular reporting by each business unit to ensure that compliance risks are effectively assessed, managed and mitigated while keeping updated on changes to laws and regulations. In addition, the Group Risk Management and Assurance Team monitors the Group’s compliance with its ESG targets and obligations and ensures that ESG disclosures are documented, accurate and complete.
INFORMATION TECHNOLOGY RISKS
Cyber Security Risk	The Yoma Group has increasingly shifted towards remote working arrangements which relies on technology to facilitate its operations and to maintain business continuity. This increased dependence on technology has increased the Yoma Group’s exposure to cyber security threats including network security, data protection and cybercrimes.	The Yoma Group remains focused on embedding cyber security and data governance into business processes to ensure that data protection and privacy are managed in addition to other commercial risks. These reduce the likelihood and severity of breaches in cyber security and data protection which increasingly have an impact on the Yoma Group’s businesses. Established strict information security policies are in place which are designed to continuously monitor the following: Secure access two-factor authentication. Back-up and privileged access protocols. Data storage capacity and utilisation monitoring.

Internal Control System

FMI’s subsidiaries have their respective internal control system. At Head Office level, the whole financial management system is managed and overseen by the Company’s Financial Controller. To ensure that the strategic vision set out for its subsidiaries are aligned, the Company has delegated its executive directors to serve on the respective Boards. These delegates will regularly update the results of operations of the subsidiaries to the ARMC, which endorses the results to the Board for approval. The ARMC and FMI’s management ensures that management of the subsidiaries maintain a sound risk management framework and internal control system to mitigate material risk exposures identified internally.

Yoma Bank

Yoma Bank (the “Bank”) places great importance on maintaining a sound risk management and internal control framework. The Board of the Bank, via the Audit and Risk Oversight Committees, is tasked with ensuring that appropriate risk management and internal systems are established and working effectively. Among other things, the Board of the Bank (i) approves risk management procedures and ensures compliance with such procedures; (ii) analyzes, evaluates, and improves the effectiveness of the internal risk management and internal control procedures on a regular basis; (iii) develops adequate incentives for executive bodies, departments and employees to apply internal control systems; and (iv) ensures that the Bank complies with legislation and charter provisions. In implementation of the framework, a strong independent internal audit team is in place to directly report to the Audit Committee of YB and to conduct periodic review of key identified areas including changes in relevant policies, internal control system, corporate governance, operations, and security risks. Acting as the main liaison between the External Auditors and the Board of YB, the Audit Committee monitors YB’s internal controls and framework to ensure transparency across the business functions of the Bank, and periodically reviews the integrity of the Bank and makes recommendations for improvement. YB’s Risk Oversight Committee reviews the effectiveness of the Enterprise Risk Management Framework particularly in relation to risk identification, measurement, mitigation, and monitoring. It ensures the risk appetite approved by the Board is properly implemented; and facilitates ongoing dialogue on risk within YB.

Pun Hlaing Hospitals (“PHHs”)

The operating guideline of PHHs is under the governance of its Chief Financial Officer. The shareholders of PHHs namely, the Company and its joint venture partner, OUE Lippo Healthcare Limited (“OUELH”) have appointed their senior management personnel on the boards of PHHs to oversee the financial system and operation of PHHs’ periodically. This is to ensure that 1) strategic objectives set for PHHs are aligned; 2) compulsory steps are taken for the achievement of its strategic goals; and 3) a comprehensive set of oversight controls to put management decisions in check and to prevent it from exposing to various risks that are prone to occur in the healthcare sector.

RISK RESPONSE & MITIGATION MEASURES

OPERATIONAL RISKS

Environmental, Health & Safety Risks

Risk description

Negative impacts on the Group’s financial performance and productivity.

Drivers

1.1 Fire accidents
1.2 Climate change, extreme weather, natural disaster, e.g. earthquakes, floods
1.3 Infectious diseases outbreak such as COVID 19, swine flu, SARS, Ebola

Implications for value creation

1.1 Delayed business expansion and recovery
1.2 Operations suspension
1.3 Loss of lives, reputational damage and interruption in our business operations

Risk response and mitigating measures

1.1 Delivering regular fire drill training to all employees across the Group on a regular basis
1.2 Implemented Health and Safety Policy, HR Policies and Guidelines to practice across the Group
• In the case of COVID 19, the Group set up a Covid Control Center (CCC) to deliver Covid-19 Emergency Response.
1.3 Provide all employees, medial plans, life insurance plans and special medical coverage to employees who are diagnosed as COVID-19 patients.

Internal & External Risks

Risk description

Risk of loss resulting from inadequate or failed internal organizational practices or driven by external forces.

Drivers

1.4 Financial losses and business instability
1.5 Increase in competition among property developers, healthcare providers, destination management companies, financial services providers

Implications for value creation

1.4 Failures in operational processes, internal policies or support systems in all business activities
1.5 Increased costs to acquire land and raw material, increases in unsold properties, decreases in earning from our core businesses due to lack of competitive advantages

Risk response and mitigating measures

1.4 Apply a risk-based internal audit to help the Group’s businesses accomplish the objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the enterprise risk management (ERM) framework. ERM also helps to address operational and finance risks are within the risk appetite monitored by management and are with the Group’s overall business objectives.
1.5 Maintain win-win business relationship with our businesses’ suppliers and business partners

FINANCIAL RISKS

Risk description

Volatility in interest rates, foreign exchange rates could have a material adverse effect on our cash flows and results of operations.

Drivers

2.1 Liquidity Risk
2.2 Capital Risks

Implications for value creation

2.1 A firm’s possible inability to meet its short-term debt obligations, thereby incurring exceptionally large losses
2.2 Inability to make regular dividend payment

Risk response and mitigating measures

2.1 Board of Directors approve an asset liability management (ALM) policies. Liquidity limits are set to address liquidity shocks, whether affecting most financial institutions or the Yoma Bank uniquely, are fully covered and a Contingent Funding Plan is developed. Liquidity levels are being strictly monitored for adherence to the Board specified minimums (as defined in the ALM policy) or the requirements prescribed by the CBM.
2.2 The Group’s objectives when managing capital are to safeguard the Group’s ability to continue as a going concern and to maintain an optimal capital structure so as to maximize shareholder value. In order to maintain or achieve an optimal capital structure, the Group may adjust the amount of dividend payment, return capital to shareholders, issue new shares, obtain new borrowings or sell assets to reduce borrowings.

STRATEGIC RISKS

Human Resources Risks

Risk description

Increase in labor cost and loss of efficiency.

Drivers

3.1 Our dependence on our Management team and skilled personnel
3.2 Our inability to attract and retain such persons
3.3 Lack of Keyman Insurance

Implications for value creation

3.1 Adverse financial impact
3.2 Increase in employee turnover, and costs to hire qualified employees and contractors
3.3 Interruption in business operations and slow down business growth

Risk response and mitigating measures

3.1 Consistently providing training and leadership programs to every level of employees across the Group.
3.2 The Yoma Group’s Human Resources Department is tasked to constantly review and identify high-performing individuals internally and externally to serve as a pipeline for leadership succession planning.

- - Develop innovative talent retention programmes such as leadership training and other development programmes
  - Create safe, fun and flexible working environment
  - Develop effective internal communication system to increase employees’ synergy
  - Provide a variety of welfare benefit plans and Yoma Employees’ Perks so that employees feel that they are taken care of and to increase their sense of belonging
  - Lay out core values to increase employee morale and sense of belong across the Group.

3.3 Limit the number of The Group personnel travelling together, which means transportation or business travel should be arranged such that no single event could create a catastrophic loss of key personal for the Corporation. This means that when possible, no more than five Executive of the Company should travel on the same aircraft (be it a commercial, private, or corporate flight) or other vehicle of transportation. Pre-approval from Human Resources is required if more than half of an organization, group, or entity functional management team will be on the same aircraft.

Societal Risks: Economic and Social Instability

Risk description

Change in customers’ and shareholders’ behavior and taste which results in them investing in other types of investments.

Drivers

3.4 The Company’s inability to pay dividends annually
3.5 Claims or lawsuits derived from medical malpractice claims and accidents due in mismanagement in construction sites
3.6 Credit Risks in the banking services sector

Implications for value creation

3.4 Loss of shareholders’ loyalty and reputational damage
3.5 Loss of customers’ loyalty and reputational damage
3.6 Risk of loss arising from any failure by a borrower or counterparty to meet its financial obligations when such obligation is due

Risk response and mitigating measures

3.4 Shareholder’s complaints are taken seriously and are solved by the Corporate Office Team as soon as they arise. In a financial year when dividend is not paid, the Management will explain the rationale behind such action during media briefings and the Company’s Annual General Meeting.

- - Established a Corporate Office Team (Corporate Office Team) to regularly analyse the market trend and to develop strategies with the Management to ensure FMI’s shares are competitive in value and quality among its fellow listed companies;
  - The Team is also tasked to maintain and build positive relationships with individual shareholders by providing one-on-one meeting at the Company’s Head Office or Annual General Meetings, and via other communication platforms;
  - Group Legal and Group Communication departments are tasked with monitoring all commercial materials to minimize the risk of potential threat of adverse media publicity.
  - The Company’s effort in being transparent and open in communicating the internal movements are evident in the public announcements and annual media briefing.

3.5 Provide channels for stakeholders and customers to report grievances such as a feedback box at each business operation unit and anonymous reporting via a QR code available in the Company’s Stakeholder Engagement Policy
3.6 Board of Directors from banking services approve major policies and limits that govern the monitoring of the credit risk. It structures the levels of credit risk it undertakes by placing limits on the amount of risk acceptable in relation to one borrower, or group of borrowers and industry segments.

INFORMATION TECHNOLOGY RISKS

Risk description

Risk of loss resulting from inadequate or failed internal processes, people or from external event.

Drivers

4.1 Weaknesses, disruption or failures in overall management and IT systems

Implications for value creation

4.1 Loss of competitive advantage and fragile to external attacks

Risk response and mitigating measures

4.1 Balancing the cost and risk within the constraints of the risk appetite of the Company and the Group’s businesses to ensure that this balance is consistent with the prudent management required of a large Myanmar organization.

- - Implemented a centralized core banking system (CBS) at our subsidiary, Yoma Bank, to provide a common and stable operating platform to develop multi-channel service delivery.
  - Implemented IT security for the overall network system across the Group.
  - Utilized a firewall system to monitor internal traffic, defend against potential external anti-hacking and anti-virus attacks.
  - Planning to integrate the proxy system to monitor and filter contact traffics in the network.
  - Implemented a directory server to authenticate users and passwords.
  - Adopted Advance Threat Prevention (ATP) scanning function to monitor phishing and malware.
  - Adopted SSLVPN to build a secured virtual tunnel for WFH employees.
  - Applied two-factor authentication on for email access.

COMPLIANCE RISKS

Risk description

Material adverse effect on the Group’s businesses and its financial condition

Drivers

5.1 Failure or inability of the Group to comply with relevant industry-specific laws, regulations or procedures; Directors Breach of Fiduciary Duties, Corruption and Bribery and Corporate Fraud
5.2 Changes in business environment factors

Implications for value creation

5.1 Revoking of rights by the government without compensation
5.2 Delays encountered in procuring the necessary approvals from the relevant regulatory bodies

Risk response and mitigating measures

5.1 Identifies and manages compliance risk through effective use of its external and internal compliance advisers

- - Monitors its entities’ compliance with relevant international regulatory requirements
  - Ensuring and communicating risk and its control information among the board, auditors and management which is led by Audit and Risk Management Committee and Group’s Risk Management Department

5.2 Build brand loyalty among our businesses’ consumers

EVOLUTION OF RISK

Over the years, FMI assessed various risks it is exposed to. The diagram below indicates a snapshot of FMI’s evolving risks.
Five major risks identified are affecting FMI’s ability to create value over the short, medium and long term.

RISK-BASED INTERNAL AUDIT

Risk-based internal audit is one of the main functions carried out by the Group’s Risk Management team to help the businesses to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the Enterprise Risk Management Framework, outlined as follows:

identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
treating all identified risks, as far as possible, through established controls or pending control plans;
monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged and;
reporting key risks and the established controls (or pending controls plans) to the ARMC and the Board regularly.

identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
treating all identified risks, as far as possible, through established controls or pending control plans;
monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged and;
reporting key risks and the established controls (or pending controls plans) to the ARMC and the Board regularly.

EVOLUTION OF RISK

FY 2016 - 17

FY 2018 - 19

5 major risks have been identified to
provide a more integrated approach.

FINANCIAL SERVICES

Interest Rate Risk
Exchange Rate Risk
Maturity Risk
Cyber Security Risk
Collateral Risk

HEALTHCARE

Common Healthcare Sector Risk
Pandemic Risk

REAL ESTATE

Demand Risk
Cost Risk
Liquidity Risk

GENERAL

Market Competition Risk
IT Risk
HR Risk
Regulatory Risk
Profitability Risk
Technology Risk

5 MAJOR RISK CATEGORIES

INFORMATION TECHNOLOGY RISK

Inadequate IT Governance
Cyber Security Risk

STRATEGIC RISK

Societal Risks: Political, Economic and Social Instability
Competition Risks
Investment and Market Risk
Human resources Risk

OPERATIONAL RISK

Environmental, Health and Safety Risks
Project Risk
Sub-contractor and raw material risks

FINANCIAL RISK

Long Term Profitability and Net Margin
Cash Flow and Funding Risk
Cash Management Risk

COMPLIANCE RISK

Changes in Legislation and Policies
Legal and Regulatory Compliance Risk

RISK RESPONSE & MITIGATION MEASURES

ENTERPRISE RISK ASSESSMENT

Introduction

An Annual Enterprise Risk Assessment is conducted across the Yoma Group by the Risk Management & Assurance team, in accordance with the Enterprise Risk Management (“ERM”) Framework applied by the Yoma Group. Senior Management from each business unit participates in the ERA exercise.

Objectives

Pursuant to the Corporate Governance Framework, Policies, Procedures and Standards adopted by the Group, the objectives of the ERA are to assist the Board in:

- Identifying and assessing the strategic, financial, operational, compliance and information technology risks of the Group;
- Establishing the controls mitigating the risks identified; and
- Confirming that there are adequate and effective controls to manage the risks of the Group.

Approach

The Senior Management from the Group provides inputs to identify and assess the impact and likelihood of each risk to determine a risk rating of “High”, “Significant”, “Moderate”, or “Low”, with the help of the Enterprise Risk Map found in Figure 1 below.

Likelihood of Occurrence	Almost Certain
	Likely
	Moderate
	Unlikely
	Remote
		Insignificant	Minor	Moderate	Major	Catastrophic
		Magnitude of Impact

Figure 1: FMI Group’s Enterprise Risk Map

The ERA includes the assessment of inherent (before control) and residual (after control) risk ratings. Participants first assess the inherent risks before considering any established controls Management take to alter either the risk’s likelihood or impact. After established controls are identified to mitigate the inherent risks, participants then categorize these as residual risks. Residual Risk identified as being significant and high are reviewed further to ascertain if adequate risk responses exist, taking into consideration established controls and comparing this against approved risk tolerance levels. Thereafter action plans are developed for those specific areas where gaps occur between the Group’s strategy including a system for risk reporting that is monitored by the Audit & Risk Management Committee.