PSPC’s Risk Management Policy explicitly states that management is responsible for implementing, operating and monitoring the system of internal control, which is designed to provide reasonable but not absolute assurance of achieving business objectives. The approach to internal control includes a number of general and specific risk management processes and policies. The primary control mechanisms are self-appraisal processes in combination with strict accountability for results.
Enterprise Risk Management
Information on Pilipinas Shell's risk management policies
Responsibilities of the Board, Executive Management, Line Management and Assurance Providers
A. Board of Directors Responsibility (via Board Audit and Risk Oversight Committee)
- Evaluate PSPC’s management culture
- Evaluate PSPC’s risks and effectiveness of risk management processes, including the adequacy of the overall control environment, and controls in selected areas representing significant risks
- Assess (with internal and external auditors) any fraud, illegal acts, deficiencies in internal controls or other similar issues
- Assess and monitor management’s implementation of internal control recommendations made by internal and external auditors
B. Executive Management
- Establish clear objectives, identify and evaluate the significant risks to the achievement of those objectives, set boundaries for risk taking, and apply fit-for-purpose risk responses
- Incorporate risk responses into a system of internal control which is designed to address opportunities, protect PSPC assets, facilitate effective and efficient operations, and help to ensure reliable reporting and compliance with applicable laws and regulations
- Monitor the effectiveness of the system of risk and internal control management
- Provide annual self-assurances regarding the extent of compliance with PSPC’s and Shareholders’ Control Framework
C. Line Management
- Design, resource, operate, and monitor the system of internal control
- Ensure that a risk-based approach to internal control is communicated to staff, embedded in business processes, and responsive to evolving risks
- Assign accountability for managing risks within agreed boundaries
- Report the results of balanced self-assessments regarding the effectiveness of the risk-based internal control system, including identified weaknesses or incidents, to Executive Management
D. Independent Assurance Providers (including External Audit, Internal Audit and CAAD)
- Undertake periodic reviews to assess the effectiveness of the design and operation of the system of risk management and internal control, or parts thereof
- In 2017, the Corporate Assurance and Audit Department (CAAD) was established to provide independent and objective assurance to the Management and Board Audit & Risk Committee on the design and operation of PSPC’s governance, internal control and risk management processes
Risk Response Strategies & Accountabilities
To manage risk effectively for PSPC, every Business and Function is required to:
- Review the environment
- State clear objectives
- Identify risks to the achievement of those objectives
- Assess the impact and likelihood of the risks materialising
Accountabilities for Risks
Market, operational and business risks are mostly the accountability of business/line managers. Corporate risks such as foreign exchange risks, interest rate risks, and liquidity risks, among others, are the responsibility of the Corporate Finance Department in coordination with business and function managers.