An effective risk management framework is essential in managing the diverse risks faced by the Group. British American Tobacco Malaysia’s Board of Directors has, through the Audit Committee, established a Risk Management Team to proactively manage the risks of the Group.
The business risks of the Group are affected by a number of factors, not all of which are within the Group’s control. The externally driven challenges, together with general business risk exposures such as corporate reputation, security, environment, health and safety issues, product quality and information technology, are constantly reviewed as part of the Group’s Enterprise Risk Management programme.
The Group adopts a proactive Enterprise Risk Management programme with the following objectives:
- Ensuring the continuity of its supply to consumers at all times
- Protecting its assets and reputation
- Preserving the safety and health of its employees
- Ensuring that the Group’s operations do not impact negatively on its neighbours and the environment
- Protecting the interests of all other stakeholders
- Ensuring compliance with the Malaysian Code of Corporate Governance, British American Tobacco p.l.c. guidelines and all applicable laws
- Promoting an effective risk awareness culture where risk management is an integral aspect of the Group’s management systems
The Risk Management Team, headed by the Finance Director and comprising senior managers from all functions of the Group, is entrusted to drive the Enterprise Risk Management programme. The team’s responsibilities are to:
- Steer the Group’s enterprise risk management programme
- Promote a proactive risk awareness culture in the Group
- Conduct an annual review of the business risks
- Coordinate the development of risk mitigation action plans
- Develop and update business continuity plans for key business risks
- Plan and coordinate the testing of business continuity plans
- Organise training and education for employees on risk management
- Monitor the results of key performance indicators
- Ensure good corporate governance
Risk Management is firmly embedded in the Group’s management system and is every employee’s responsibility.
The Group’s Enterprise Risk Management process comprises five phases, namely:
In the risk identification process, all potential events that could adversely impact the achievement of business objectives, including failure to capitalise on opportunities, are identified. Risks can be identified by the relevant Leadership team, Risk Management Team or any senior management involved in managing the risk. As part of the risk identification stage, consideration would be given to the following:
- Business Strategy / Objective
- Cause of Risk
- Consequence and Impact
- Time Frame of Risk
The identified business risks are then evaluated based on the matrix below to determine their impact on the relevant business strategy / objective and whether each risk is likely to occur:
- LIKELIHOOD of the risk crystallising
- IMPACT of the consequence
- Degree of internal control and risk management measures in place.
The assessment is done using two scales, both from 1 to 3, the combination of which provides the total risk rating from 1 to 9. This step will assist in determining the significance of the risk to the organisation and is mapped to the risk heat map.
The outcome of the risk identification and evaluation process is a risk register which documents all identified business risks, their risk levels as well as action plans to manage these business risks. Risk owners are identified during this process; each has overall responsibility for identifying, assessing and evaluating the risk, agreeing the current and future action plans to manage the risk, and monitoring the progress of the agreed further activities. The Risk Owner is a senior manager and part of the relevant functional leadership team.
This categorisation of business risks enables the Group to allocate its resources more effectively to deal with the different levels of business risks. A combination of risk management measures is then selected to manage these business risks: