The Group instils and promotes a risk management culture to allow prudent risk-based decision-making by embedding core values, principles, compliance and dynamic internal control systems in its day-to-day operations. Ongoing communication, education, monitoring and mitigation are an integral part of the Group’s dynamic risk management culture and is adopted across all its business activities.

Investment assessments and due diligence exercises are carried out on prospective business opportunities to ensure that potential financial, operational and strategic risks are identified and mitigated prior to commitment. In addition, Fraud Risk Assessment is conducted across the Group as part of the Annual Internal Audit Programme to ensure consistency with the Group’s commitment to anti-corruption.

Half yearly and annual enterprise risk assessments are carried out to validate the existence and effectiveness of the controls in place, review the changes in risk profile, and update the existing controls if required.

The Enterprise Risk Management Framework provides a sound system of risk management and internal control, and is underpinned by a sound foundation of the Group’s strong corporate governance culture, supported by five pillars of management control system being: Policies and Procedures, Internal External Audits, Due Diligence Reviews, Compliance Monitoring Reporting and Enterprise Risk Assessments, all of which are overseen by the ARMC and the Board.


Risk-based internal audit is one of the main functions carried out by the Group’s Risk Management team to help the businesses to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the Enterprise Risk Management Framework, outlined as follows:

  1. identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
  2. assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
  3. treating all identified risks, as far as possible, through established controls or pending control plans;
  4. monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged and;
  5. reporting key risks and the established controls (or pending controls plans) to the ARMC and the Board regularly.


Over the years, FMI assessed various risks it is exposed to. The diagram below indicates a snapshot of FMI’s evolving risks.
Five major risks identified are affecting FMI’s ability to create value over the short, medium and long term.

FY 2016 - 17

FY 2018 - 19

5 major risks have been identified to
provide a more integrated approach.


  • Interest Rate Risk
  • Exchange Rate Risk
  • Maturity Risk
  • Cyber Security Risk
  • Collateral Risk


  • Common Healthcare Sector Risk
  • Pandemic Risk

Operational Risk
Financial Risk


  • Demand Risk
  • Cost Risk
  • Liquidity Risk


  • Market Competition Risk
  • IT Risk
  • HR Risk
  • Regulatory Risk
  • Profitability Risk
  • Technology Risk

Strategic Risk
IT Risk
Compliance Risk



  • Inadequate IT Governance
  • Cyber Security Risk


  • Societal Risks: Political, Economic and Social Instability
  • Competition Risks
  • Investment and Market Risk
  • Human resources Risk



  • Environmental, Health and Safety Risks
  • Project Risk
  • Sub-contractor and raw material risks


  • Long Term Profitability and Net Margin
  • Cash Flow and Funding Risk
  • Cash Management Risk


  • Changes in Legislation and Policies
  • Legal and Regulatory Compliance Risk


Environmental, Health & Safety Risks

Risk description

Negative impacts on the Group’s financial performance and productivity.


1.1 Fire accidents
1.2 Climate change, extreme weather, natural disaster, e.g. earthquakes, floods
1.3 Infectious diseases outbreak such as COVID 19, swine flu, SARS, Ebola

Implications for value creation

1.1 Delayed business expansion and recovery
1.2 Operations suspension
1.3 Loss of lives, reputational damage and interruption in our business operations

Risk response and mitigating measures

1.1 Delivering regular fire drill training to all employees across the Group on a regular basis
1.2 Implemented Health and Safety Policy, HR Policies and Guidelines to practice across the Group
• In the case of COVID 19, the Group set up a Covid Control Center (CCC) to deliver Covid-19 Emergency Response.
1.3 Provide all employees, medial plans, life insurance plans and special medical coverage to employees who are diagnosed as COVID-19 patients.

Internal & External Risks

Risk description

Risk of loss resulting from inadequate or failed internal organizational practices or driven by external forces.


1.4 Financial losses and business instability
1.5 Increase in competition among property developers, healthcare providers, destination management companies, financial services providers

Implications for value creation

1.4 Failures in operational processes, internal policies or support systems in all business activities
1.5 Increased costs to acquire land and raw material, increases in unsold properties, decreases in earning from our core businesses due to lack of competitive advantages

Risk response and mitigating measures

1.4 Apply a risk-based internal audit to help the Group’s businesses accomplish the objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes through the enterprise risk management (ERM) framework. ERM also helps to address operational and finance risks are within the risk appetite monitored by management and are with the Group’s overall business objectives.
1.5 Maintain win-win business relationship with our businesses’ suppliers and business partners

Risk description

Volatility in interest rates, foreign exchange rates could have a material adverse effect on our cash flows and results of operations.


2.1 Liquidity Risk
2.2 Capital Risks

Implications for value creation

2.1 A firm’s possible inability to meet its short-term debt obligations, thereby incurring exceptionally large losses
2.2 Inability to make regular dividend payment

Risk response and mitigating measures

2.1 Board of Directors approve an asset liability management (ALM) policies. Liquidity limits are set to address liquidity shocks, whether affecting most financial institutions or the Yoma Bank uniquely, are fully covered and a Contingent Funding Plan is developed. Liquidity levels are being strictly monitored for adherence to the Board specified minimums (as defined in the ALM policy) or the requirements prescribed by the CBM.
2.2 The Group’s objectives when managing capital are to safeguard the Group’s ability to continue as a going concern and to maintain an optimal capital structure so as to maximize shareholder value. In order to maintain or achieve an optimal capital structure, the Group may adjust the amount of dividend payment, return capital to shareholders, issue new shares, obtain new borrowings or sell assets to reduce borrowings.


Human Resources Risks

Risk description

Increase in labor cost and loss of efficiency.


3.1 Our dependence on our Management team and skilled personnel
3.2 Our inability to attract and retain such persons
3.3 Lack of Keyman Insurance

Implications for value creation

3.1 Adverse financial impact
3.2 Increase in employee turnover, and costs to hire qualified employees and contractors
3.3 Interruption in business operations and slow down business growth

Risk response and mitigating measures

3.1 Consistently providing training and leadership programs to every level of employees across the Group.
3.2 The Yoma Group’s Human Resources Department is tasked to constantly review and identify high-performing individuals internally and externally to serve as a pipeline for leadership succession planning.

      • Develop innovative talent retention programmes such as leadership training and other development programmes
      • Create safe, fun and flexible working environment
      • Develop effective internal communication system to increase employees’ synergy
      • Provide a variety of welfare benefit plans and Yoma Employees’ Perks so that employees feel that they are taken care of and to increase their sense of belonging
      • Lay out core values to increase employee morale and sense of belong across the Group.

3.3 Limit the number of The Group personnel travelling together, which means transportation or business travel should be arranged such that no single event could create a catastrophic loss of key personal for the Corporation. This means that when possible, no more than five Executive of the Company should travel on the same aircraft (be it a commercial, private, or corporate flight) or other vehicle of transportation. Pre-approval from Human Resources is required if more than half of an organization, group, or entity functional management team will be on the same aircraft.

Societal Risks: Economic and Social Instability

Risk description

Change in customers’ and shareholders’ behavior and taste which results in them investing in other types of investments.


3.4 The Company’s inability to pay dividends annually
3.5 Claims or lawsuits derived from medical malpractice claims and accidents due in mismanagement in construction sites
3.6 Credit Risks in the banking services sector

Implications for value creation

3.4 Loss of shareholders’ loyalty and reputational damage
3.5 Loss of customers’ loyalty and reputational damage
3.6 Risk of loss arising from any failure by a borrower or counterparty to meet its financial obligations when such obligation is due

Risk response and mitigating measures

3.4 Shareholder’s complaints are taken seriously and are solved by the Corporate Office Team as soon as they arise. In a financial year when dividend is not paid, the Management will explain the rationale behind such action during media briefings and the Company’s Annual General Meeting.

      • Established a Corporate Office Team (Corporate Office Team) to regularly analyse the market trend and to develop strategies with the Management to ensure FMI’s shares are competitive in value and quality among its fellow listed companies;
      • The Team is also tasked to maintain and build positive relationships with individual shareholders by providing one-on-one meeting at the Company’s Head Office or Annual General Meetings, and via other communication platforms;
      • Group Legal and Group Communication departments are tasked with monitoring all commercial materials to minimize the risk of potential threat of adverse media publicity.
      • The Company’s effort in being transparent and open in communicating the internal movements are evident in the public announcements and annual media briefing.

3.5 Provide channels for stakeholders and customers to report grievances such as a feedback box at each business operation unit and anonymous reporting via a QR code available in the Company’s Stakeholder Engagement Policy
3.6 Board of Directors from banking services approve major policies and limits that govern the monitoring of the credit risk. It structures the levels of credit risk it undertakes by placing limits on the amount of risk acceptable in relation to one borrower, or group of borrowers and industry segments.

Risk description

Risk of loss resulting from inadequate or failed internal processes, people or from external event.


4.1 Weaknesses, disruption or failures in overall management and IT systems

Implications for value creation

4.1 Loss of competitive advantage and fragile to external attacks

Risk response and mitigating measures

4.1 Balancing the cost and risk within the constraints of the risk appetite of the Company and the Group’s businesses to ensure that this balance is consistent with the prudent management required of a large Myanmar organization.

      • Implemented a centralized core banking system (CBS) at our subsidiary, Yoma Bank, to provide a common and stable operating platform to develop multi-channel service delivery.
      • Implemented IT security for the overall network system across the Group.
      • Utilized a firewall system to monitor internal traffic, defend against potential external anti-hacking and anti-virus attacks.
      • Planning to integrate the proxy system to monitor and filter contact traffics in the network.
      • Implemented a directory server to authenticate users and passwords.
      • Adopted Advance Threat Prevention (ATP) scanning function to monitor phishing and malware.
      • Adopted SSLVPN to build a secured virtual tunnel for WFH employees.
      • Applied two-factor authentication on for email access.

Risk description

Material adverse effect on the Group’s businesses and its financial condition


5.1 Failure or inability of the Group to comply with relevant industry-specific laws, regulations or procedures; Directors Breach of Fiduciary Duties, Corruption and Bribery and Corporate Fraud
5.2 Changes in business environment factors

Implications for value creation

5.1 Revoking of rights by the government without compensation
5.2 Delays encountered in procuring the necessary approvals from the relevant regulatory bodies

Risk response and mitigating measures

5.1 Identifies and manages compliance risk through effective use of its external and internal compliance advisers

      • Monitors its entities’ compliance with relevant international regulatory requirements
      • Ensuring and communicating risk and its control information among the board, auditors and management which is led by Audit and Risk Management Committee and Group’s Risk Management Department

5.2 Build brand loyalty among our businesses’ consumers



An Annual Enterprise Risk Assessment is conducted across the Yoma Group by the Risk Management & Assurance team, in accordance with the Enterprise Risk Management (“ERM”) Framework applied by the Yoma Group. Senior Management from each business unit participates in the ERA exercise.


Pursuant to the Corporate Governance Framework, Policies, Procedures and Standards adopted by the Group, the objectives of the ERA are to assist the Board in:

    • Identifying and assessing the strategic, financial, operational, compliance and information technology risks of the Group;
    • Establishing the controls mitigating the risks identified; and
    • Confirming that there are adequate and effective controls to manage the risks of the Group.


The Senior Management from the Group provides inputs to identify and assess the impact and likelihood of each risk to determine a risk rating of “High”, “Significant”, “Moderate”, or “Low”, with the help of the Enterprise Risk Map found in Figure 1 below.



Likelihood of OccurrenceAlmost Certain
Magnitude of Impact

Figure 1: FMI Group’s Enterprise Risk Map

The ERA includes the assessment of inherent (before control) and residual (after control) risk ratings. Participants first assess the inherent risks before considering any established controls Management take to alter either the risk’s likelihood or impact.  After established controls are identified to mitigate the inherent risks, participants then categorize these as residual risks. Residual Risk identified as being significant and high are reviewed further to ascertain if adequate risk responses exist, taking into consideration established controls and comparing this against approved risk tolerance levels. Thereafter action plans are developed for those specific areas where gaps occur between the Group’s strategy including a system for risk reporting that is monitored by the Audit & Risk Management Committee.