
Enterprise Risk Management

Semirara Mining and Power Corporation (SMPC) and its subsidiaries (collectively called SMPC Group) recognize that risks are an integral part of our business that cannot be totally eliminated. Risks are better controlled if measured more consistently, accurately, and in a timely manner.


Risk Management is an essential part of SMPC Group’s process in ensuring the achievement of its strategic objectives of value creation and protection of stakeholder value, supporting its vision and mission. Such process also helps ensure that SMPC Group complies with laws and regulations, as well as policies, standards and procedures. It decreases the risk of unexpected losses or damage to SMPC Group’s reputation and business value.


Policy Statement


SMPC Group’s Enterprise Risk Management (ERM) Policy is to maximize strategic and business opportunities and minimize adverse outcomes, thereby optimizing shareholder value and ensuring sustainable growth through an effective balance of risks and rewards.




SMPC Group’s ERM framework is guided by international leading practices and the Committee of Sponsoring Organizations of the Treadway Commission or COSO’s ERM – Integrated Framework.


Risk Advisory Department

The Risk Advisory (RA) Department assists Senior Management and the Risk Committee in ensuring that there is an effective and integrated risk management system in place.


Risk Governance



Risk Management is basically a top-down and bottom-up process in SMPC Group. Risk management activities simultaneously take place at the following levels:


  • Strategic Level – This includes the risk management activities performed by the Board and Management, such as:
    • Overseeing risk management activities
    • Defining and assessing all the risks
    • Formulating strategies and policies for managing risks
    • Establishing adequate systems and controls to ensure that overall risks remain within acceptable levels.


  • Macro Level – This includes the risk management activities of the Chief Risk Officer (CRO) and units devoted to risk reviews such as Internal Audit and Compliance. The CRO or Designate shall develop risk management control policies and procedures, and shall monitor the transactions and operations of SMPC Group for risk identification, assessment and measurement, control/treatment and monitoring. Functional areas such as, but not limited to, Controllership, Environment & Safety, Security, IMS, Legal and Compliance, play essential roles as the ‘second line of defense’.  


  • Micro Level - This includes the risk management activities of Risk Owners involved in the day-to-day operations of the SMPC Group. They are directly accountable for all the risks taken. Risk Owners are responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Risk Owners play a vital role in identifying, assessing, treating/controlling, monitoring and reporting of risks.


Roles and responsibilities of each line of defense are further enumerated in detail under the ‘Roles and Responsibilities’ section of this policy.


Risk Management Process


The holistic and systematic approach of the Risk Management (RM) Process focuses on understanding SMPC’s top business risks. As an integrated approach, the RM processes are linked from the strategic down to the operational perspective to ensure seamless monitoring of significant business risks.


To ensure a holistic and systematic approach, the ERM process shall focus on gaining an understanding and agreement of the organization’s top risks and related management through the following:


  • Risk Identification


Risk Identification is the most critical part of the entire risk management process. SMPC Group should identify risks and corresponding sources, causes and impact. Emerging significant risks in relation to the achievement of the Semirara Group’s objectives should also be considered.


  • Risk Assessment


Risk Assessment requires assessing risks, in quantitative and qualitative terms, as to impact and likelihood of occurrence. Existing controls should also be identified and assessed in terms of design and operating effectiveness.


  • Risk Treatment or Control


Risk Treatment or Control involves selecting one or more options (accept, transfer, mitigate or avoid) for addressing risks. Appropriate risk treatment or responses for those ‘high’ risks shall be reviewed by the Board against established risk appetite levels.




Risk Transfer involves sharing all or some part of the risk with another party (e.g. insurance company or joint partner) through mutual agreement, usually for a price premium. This treatment does not mean that the risk is no longer present or that it is no longer a responsibility of the organization.


Risk Avoidance means deciding that the risk cannot be mitigated effectively or cannot be transferred. This risk-averse treatment addresses risks that are outside an organization’s core business or competency.


Risk Mitigation means the organization continues to bear the risk and its threat cannot be avoided or transferred economically. Being the most common response to business and process risks, this treatment is critical in the development of systems, policies and procedures to reduce risks until such risks are managed below the risk tolerance threshold.


Risk Acceptance means that no response is taken to address the risk, usually because the cost of mitigation actions or strategies outweighs the economic benefits.


  • Monitoring and Reporting


Risk reviews are conducted regularly to monitor effectiveness of the risk management process. Regular monitoring of risk portfolios enables early detection of lapses or errors in existing controls. 


Significant risks shall be reported in a timely manner to the Board, through the Audit Committee, by the Chief Risk Officer or Designate.


Risk Categories

A comprehensive risk assessment process shall cover the following main risk categories:


  • Operations Risk - refers to risks related to coal quality, supply chain, slope stability, operational efficiency and asset performance. This also refers to inadequate or failed internal processes and controls, people (e.g., internal and external fraud, human error, inability to deliver products and services, etc.), systems failure (IT systems) or from external events (e.g., natural & man-made calamities/events).


  • Strategic Risk - refers to risks due to adverse business decisions, improper formulation and implementation of strategy. This may also include investment risks with impact on capital allocation, equity investment and guarantees in subsidiaries.


  • Market Risk - refers to risks related to market share, industry/economic/political change, competitors, shift in demand, consumer preference, price volatility, customer dependence and energy market trading.


  • Reputation & Compliance Risk - refers to risks related to regulatory compliance, environment, workplace health and safety, community relations, contractual obligations, loss of investor or market confidence, and/or reputational damage.


  • Financial Risk - refers to risks related to financial loss to the Group. Financial risk generally arises due to instability and losses in the financial market caused by movements in market fundamentals such as stock prices, currencies, commodity, interest rates, credit risk, liquidity risk, price risk, interest rate risk and foreign currency risk.


  • People & Talent Risk - refers to risks related to key people movement, talent management, war of talent, among others.


  • Project Risk – refers to risks related to new and major projects established by SMPC Group (i.e., new entities) that include construction timeline, compliance with regulatory requirements and standards, start-up operations (e.g., recruitment of personnel, quality and installation of required systems and equipment), cost overruns, opportunity costs and personnel health and safety.



Risk Appetite


SMPC Group operates within an overall Low risk range in the pursuit of its objectives, with the lowest risk appetite for risks related to operations and regulatory compliance and a zero tolerance level for risks related to employee safety.


Significant risks must have Board-approved risk management strategies and policies. Risk tolerances shall be set reflective of the risk appetite established by the Board and be cascaded into all levels of the organization.


Risk Appetite is defined as the degree of risk, on a broad-based level, that Semirara Group is willing to accept or take in pursuit of its strategic and business objectives. It is governed at the broad and high level.


Risk Tolerance is defined as the risk level (measurable in quantitative and qualitative terms) that Semirara Group is willing to accept at a risk factor and/or business unit level. It is governed at the lower unit level.



Roles and Responsibilities


Board of Directors


The following are the duties of the Board:


  • Sets the tone and articulates the overall risk appetite level by formulating high-level strategic objectives and allocating resources based on priorities.
  • Reviews and gains understanding of SMPC Group’s risk portfolio and leverages risk information into decision making process
  • Sets and approves the risk governance structure, framework and agrees on risk policies including its procedures in alignment with strategies
  • Approves Management’s risk assessment and ranking in relation to the established risk appetite
  • Ensures timely information and updates are received from Management on the significant risks and the corresponding key indicators and responses
  • Oversees assurance on risk management’s effectiveness and compliance with enterprise risk management policy through its Audit Committee and Internal Audit
  • Reports to stakeholders the SMPC Group’s risk management activities and approves the related disclosure.


Risk Committee


The Risk Committee assists the Board in its oversight functions over Management’s activities in managing risks. Its role involves regular receipt from Management of information on identified risks and related risk responses, including:


  • Obtaining reasonable assurance that risk management policies are being adhered to through regular reporting by Management, regular assessment by Internal Audit and others as needed,
  • Overseeing the compliance program and monitoring of compliance with risk management policies, and
  • Escalating risk management issues and reports to the Board.


Chief Executive Officer


The Chief Executive Officer is ultimately responsible for and assumes ownership of the ERM. He meets regularly with the Management Committee, business unit heads and key leaders to ensure adequacy and effectiveness of risk responses to the identified significant risks.


Chief Risk Officer


The Chief Risk Officer (CRO) or Designate leads and supervises the development, implementation, reporting and monitoring of risk management activities across SMPC Group and recommends continual improvement and enhancement of its ERM process. The CRO’s role includes but is not limited to the following:


  • Reporting on aggregate risk profile, control effectiveness and corrective actions taken by Business Units (Process and Risk Owners)
  • Developing and implementing appropriate risk management processes and methodologies, tools, techniques, analysis and training
  • Monitoring and regular reporting on significant risk exposures and related status of controls and action plans to Senior Management
  • Establishing a common risk language and risk register as basis for understanding of risk owners across all levels in the SMPC Group
  • Coordinating appropriate and timely delivery of risk management information
  • Recommending areas for continual improvement and enhancement of the ERM process.


Risk Owners


The Risk Owners (ROs) comprise all of the Group’s business units that are involved in the day-to-day operations and transactions. They are responsible for identifying and assessing risks, taking risk positions and actively monitoring, evaluating and adjusting the action plans to mitigate and manage risks.





The ERM Policy shall be reviewed regularly or as needed by Senior Management and the Board for effectiveness and continual improvement.