Enterprise Risk Management

Semirara Mining and Power Corporation (SMPC) and its subsidiaries (collectively called SMPC Group) recognize that risks are an integral part of our business and cannot be totally eliminated. Risks are better controlled if they are measured consistently, accurately, and in a timely manner.


Risk Management is an essential part of SMPC Group’s process for ensuring the achievement of its strategic objectives of value creation and protection of stakeholder value, supporting its vision and mission. This process also helps ensure that SMPC Group complies with laws and regulations, as well as with policies, standards and procedures. It decreases the risk of unexpected losses or damage to SMPC Group’s reputation and business value.



This Policy is the risk management framework document of SMPC Group. It serves as a core document providing a Group-wide, disciplined approach to risk management in relation to SMPC Group’s achievement of its strategic and business objectives. It defines the minimum requirements to identify, assess, treat/control, monitor and report risks within the day-to-day operations of the business.


Policy Statement
SMPC Group’s Enterprise Risk Management (ERM) Policy is to maximize strategic and business opportunities and minimize adverse outcomes, thereby optimizing shareholder value and ensuring sustainable growth through an effective balance of risks and rewards.



SMPC Group’s ERM framework is guided by the International Organization for Standardization’s ISO 31000:2018 and other leading practices such as the Committee of Sponsoring Organizations of the Treadway Commission or COSO’s ERM – Integrated Framework. It is centered around value creation and protection and it adopts the following key guiding principles:

  1. Risk Management is an integral part of organizational processes, including strategic planning, and project & change management processes. It is not a stand-alone activity that is separate from the main processes.
  2. Risk Management is established upon a structured and comprehensive
  3. Risk Management is customized. It is linked and tailored to fit SMPC’s objectives and context.
  4. Risk Management is inclusive. All necessary stakeholders, their knowledge, views and perceptions are included and taken into account.
  5. Risk Management is dynamic, responsive to change brought about by external and internal events and developments, changes in knowledge, etc.
  6. Risk Management is based on the best available information. It accounts for any limitations and uncertainties regarding the provided historical and current information and future expectations.
  7. Risk Management takes both human and cultural factors into account. This recognizes the capabilities, perceptions and intentions of external and internal stakeholders that can facilitate or hinder the achievement of SMPC’s objectives.
  8. Risk Management is continually improved through learning and experience. SMPC develops and implements strategies to improve Risk Management maturity alongside all other aspects of the company.


Risk Management Culture

The following risk management statements define the Risk Management Philosophy of SMPC Group:

  1. An effective risk management process is a vital component of SMPC Group’s business activities and is the foundation for sound and responsible operations.
  2. Risks are inherent in SMPC Group’s business and day-to-day operations. SMPC Group shall, however, always strive to prudently manage these risks to the best of its ability.
  3. The management of risk is embedded in SMPC Group’s operations. Risk is better managed and controlled if it has been adequately identified and measured at the onset.
  4. Risk management does not necessarily lead to risk avoidance. Rather, SMPC Group’s goal is to optimize the risk and reward trade-off.
  5. SMPC Group aims to promote a culture of strong risk awareness and control, with emphasis on the participation and role of each employee.
  6. SMPC Group shall consistently conform to applicable legal and regulatory provisions of the country, as well as to its internal policies, standards and procedures.


SMPC Group’s Enterprise Risk Management (ERM) framework is established with the support, leadership and commitment of the company’s top management and is based on the nature, size and complexity of its operations. It comprises the following elements:

  1. Integration - Integrating a Risk Management process into SMPC’s purpose, governance, leadership and commitment, strategy, and business activities and operations.
  2. Design - A Risk Management design that is customized to SMPC’s needs and culture, giving emphasis on:
    1. Understanding and examining the internal and external context of SMPC.
    2. The articulation of the continual commitment of the Top Management to Risk Management through policy.
    3. A well-constituted organizational structure that specifically defines the roles and responsibilities of individuals involved in risk management.
    4. Allocation of appropriate resources for Risk Management.
  3. Implementation - The implementation of the Risk Management process requires the engagement and awareness of internal and external stakeholders which will enable the organization to address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises.
  4. Evaluation - The Risk Management process is evaluated periodically to determine whether it remains suitable and effective in supporting SMPC in achieving its objectives and plans.
  5. Improvement - The Risk Management process is continually monitored and improved to adapt to external and internal changes in SMPC’s context. Relevant gaps and improvement opportunities are identified to develop plans that enhance the suitability, adequacy and effectiveness of the Risk Management process.

Part of the Risk Management improvement of SMPC Group is the establishment of contingency plans to ensure its ability to operate as a going concern and to minimize losses in the event of a severe business disruption or incident. Contingency plans may include a disaster recovery plan, a business continuity plan, a liquidity contingency plan, public relations damage control, a litigation strategy, and responses to regulatory criticism, among others.


These contingency plans shall be reviewed and tested regularly to ensure that they cover events that could have an impact on SMPC Group.


Risk Governance*

*Patterned after IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control (issued date: January 2013)


Risk Management is both a top-down and a bottom-up process in SMPC Group. Risk management activities take place simultaneously at the following levels:

  • Strategic Level – This includes the risk management activities performed by the Board and Management, such as:
    • Overseeing risk management activities
    • Defining and assessing all the risks
    • Formulating strategies and policies for managing risks
    • Establishing adequate systems and controls to ensure that overall risks remain within acceptable levels.
  • Macro Level – This includes the risk management activities of the Chief Risk Officer (CRO) and units devoted to risk reviews such as Internal Audit and Compliance. The CRO shall develop risk management control policies and procedures, and shall monitor SMPC Group’s risk identification, assessment and measurement, control/treatment and monitoring.

Functional areas such as, but not limited to, Controllership, Environment & Safety, Security, IMS, Legal and Compliance, and Risk Advisory play essential roles as the ‘second line of defense’.

  • Micro Level – This includes the risk management activities of Risk Owners involved in the day-to-day operations of SMPC Group. They are directly accountable for all the risks taken. Risk Owners are responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Risk Owners play a vital role in identifying, assessing, treating/controlling, monitoring and reporting risks.

The roles and responsibilities of each line of defense are further enumerated in detail under the ‘Roles and Responsibilities’ section of this policy.


ERM Process

SMPC Group shall develop and maintain a robust ERM framework that provides a current risk perspective of the business and uses tools to rationalize risk management activities.


To ensure an integrated and systematic approach, the ERM process shall focus on gaining an understanding of, and agreement on, the organization’s top risks and how they are managed, and on embedding the management of risks into the organization’s culture and practices through the following:


  • Establishment of the Context

Establishing the context includes defining the purpose and scope of the risk management activities, taking into account the internal and external environments of the organization. SMPC Group should identify the objectives, boundaries and constraints, and the Risk Criteria for its risk management process.

  • Risk Assessment
    • Risk Identification

Risk Identification is the most critical part of the entire risk management process. SMPC Group should identify internal and external risks and opportunities, their corresponding sources, causes and impact across all areas of the business. Emerging significant risks in relation to the achievement of the SMPC Group’s objectives should also be considered.

    • Risk Analysis

Risk Analysis requires understanding the risks, assessing these risks in terms of their likelihood of occurrence and how they may impact the organization. The likelihood and impact of risk determine the Level of the Risk which enables the organization to define whether the risk is acceptable or not.

    • Risk Evaluation

Risk Evaluation includes determining if the risk is within the organization’s risk appetite. The organization determines the ranking of the importance of the risks and whether a need for treatment, further analysis or alternative action should be established.

  • Risk Treatment or Control

Risk Treatment or Control involves selecting one or more options (modification, retention, avoidance, sharing) for addressing risks. Appropriate risk treatments or responses for ‘high’ risks shall be reviewed by the Board against established risk appetite levels.


Risk Modification involves managing the level of risk by introducing, removing or altering processes so that the residual risk can be assessed as acceptable. Appropriate and justified processes should be selected to meet the requirements identified by the risk assessment and the risk treatment, taking into account the risk acceptance criteria, legal and regulatory requirements, and the cost and implementation of the processes.


Risk Retention means that no response is taken to address the risk, usually because the cost of mitigation actions or strategies outweighs the economic benefits.

Risk Avoidance means the decision to completely avoid the identified risks by withdrawing from a planned or existing activity, or by changing the conditions under which the activity is operated, because the risks are considered too high or the cost of implementing risk treatment exceeds the benefits.


Risk Sharing involves sharing all or part of the risk with another party (e.g. an insurance company or a joint partner) through mutual agreement, usually for a price premium. This treatment does not mean that the risk is no longer present, nor that it is no longer the responsibility of the organization.

  • Communication and Consultation

The Risk Management Process requires continuous communication and consultation with the internal and external stakeholders of the organization. Communication ensures that all stakeholders understand the risks present in the organization’s activities and are aware of the means to respond to these risks. Consultation supports the organization in decision-making and helps check whether the risk management process is effective and on track.

  • Monitoring and Review

Risk reviews are conducted regularly to monitor the effectiveness of the risk management process. Regular monitoring of the risk portfolio enables early detection of lapses or errors in existing controls.

  • Recording and Reporting

Significant risks shall be reported in a timely manner to the Board, through the Risk Committee, by the Chief Risk Officer or Designate.


Risk Categories

A comprehensive risk assessment process shall cover the following main risk categories:

  • Occupational Health and Safety Risk – refers to risks related to all aspects of health, safety and security in the workplace. These risks refer to the assessment of activities, working environment, and working culture of employees that can lead to harm, injury, death or illness.

  • Compliance and Reputation Risk – refers to risks related to regulatory and legal compliance, compliance obligations arising from environmental, workplace health and safety and community issues, contractual obligations, loss of investor or market confidence, and/or reputational damage. Compliance and Reputation Risks include environmental, regulatory and social risks.

    • Environmental Risks – are risks related to the actual or potential threat of the organization’s activities to living organisms and the environment by effluents, emissions, wastes, resource depletion, etc.
    • Regulatory Risks – are risks related to the organization’s adherence to laws, regulations, guidelines and specifications relevant to the business processes and changes in laws and regulations that could potentially cause losses to the organization’s business and operations.
    • Social Risks – these are risks that arise from the perception around the impact of the business and operations on the communities. These depend on the issues associated with the organization’s operation, industry and context.
  • People and Talent Risk – refers to risks to the organization and its performance that can be attributed to the workforce. These risks refer to attracting and retaining the talent needed for the organization to compete, including key people movement, technical/professional capacity of the organization, talent management, the war for talent, an aging workforce, and succession planning, among others.
  • Climate-related Risk – refers to risks related to recent climate-related extremes. Climate-related risks are divided into two major categories: risks related to the physical impacts of climate change and risks related to the transition to a lower-carbon economy.
    • Physical Risks – risks associated with the physical effects of climate change that may result in financial implications such as direct damage to assets and impacts from operation and supply chain disruption. Organizations’ financial performance may also be affected by changes in water availability, sourcing, and quality; food security; and extreme temperature changes affecting organizations’ premises, operations, supply chain, transport needs, and employee safety.
      • Acute physical risks refer to those that are event-driven, including increased severity of extreme weather events, such as cyclones, hurricanes, or floods.
      • Chronic physical risks refer to longer-term shifts in climate patterns (e.g., sustained higher temperatures) that may cause sea level rise or chronic heat waves.

    • Transition Risks – are risks associated with the unplanned and abrupt changes or disruptions to businesses, policies, technologies and/or assets stemming from the need to adapt to changes in the climate system and a transition to a greener and climate-resilient economy. These risks may entail extensive policy, legal, technology, and market changes to address mitigation and adaptation requirements related to climate change.
      • Market Risks – one of the major ways climate change can affect the market is through the shifts in supply and demand for certain commodities, products and services taking into account climate-related risks and opportunities.
      • Technology Risks – uncertainties in technological development, improvements or innovations brought about by the transition to a lower-carbon, energy-efficient economic system that can have a significant impact on the organization and its operations.
      • Climate Policy and Legal Risks
        • Policy actions relating to climate change continue to develop and evolve. Objectives for the policies can attempt to constrain actions that contribute to the adverse effects of climate change or provide actions that seek to promote adaptation to climate change. Some examples include implementing carbon-pricing mechanisms to reduce GHG emissions, shifting energy use towards lower emission sources, adopting energy-efficient programs/solutions, and promoting more efficient and sustainable water and land-use practices.
        • Legal Risks are risks associated with the organization’s failure in mitigating the impacts of climate change or to adapt to climate change, and the organization’s insufficiency of disclosure around climate-related financial risks.
      • Reputational Risks – climate change is tied to the changing customers and/or the communities’ perceptions of the organization’s contribution or detraction from the transition to a less polluted and greener economy.
  • Price Volatility and Supply/Demand Balance Risk – refers to risks arising from customer requirements/specifications and from instability and losses in the financial market caused by movements in market fundamentals such as stock prices, currencies, commodity prices, interest rates, credit, liquidity and foreign currency.

Also included under Price Volatility and Supply/Demand Balance is Market Dynamics, which refers to risks related to market share, industry/economic/political change, competitors, shifts in demand, consumer preference, price volatility, customer dependence and energy market trading.

  • Procurement & Inventory Management Risk – refers to risks related to the inadequacy or failure of the procurement process designed to purchase services, products or resources, such as inadequate needs analysis, poor supply chain management, vendor management, inefficient contract management, fraud and corruption, and inventory and materials management.
  • Investment Risk – refers to strategic risks related to adverse business decisions and improper formulation and implementation of strategy affecting capital allocation, equity investment and guarantees in subsidiaries. This risk includes the following:
    • Sustainability Risks refer to the uncertainty in being able to sustain the growth of the business and operations because of certain practices and/or social or environmental events or conditions that can cause a significant negative impact on the organization.
    • Emerging Risks refer to changes and issues that are perceived as potentially significant, at least by some stakeholders or decision-makers, but their probabilities and consequences are not widely understood or appreciated.
  • Asset Performance and Production Efficiency Risk – refers to operational risks that arise from inefficient and ineffective utilization of the organization’s assets in executing the company’s business model and achieving the company’s quality, cost and time performance objectives.
  • Information Technology Risk – refers to risks to the organization that could occur due to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate.


Risk Appetite

SMPC Group operates within an overall low-risk range in the pursuit of its objectives, with the lowest risk appetite for risks related to operations and regulatory compliance and a zero-tolerance level for risks related to employee safety.


Significant risks must have Board-approved risk management strategies and policies. Risk tolerances shall be set reflective of the risk appetite established by the Board and be cascaded into all levels of the organization.


Risk Appetite is defined as the degree of risk, on a broad-based level, that SMPC Group is willing to accept or take in pursuit of its strategic and business objectives. It is governed at the broad and high level.


Risk Tolerance is defined as the risk level (measurable in quantitative and qualitative terms) that SMPC Group is willing to accept at a risk factor and/or business unit level. It is governed at the lower unit level.


Roles and Responsibilities

  • Board of Directors

The following are the duties of the Board:

    • Sets the tone and articulates the overall risk appetite level by formulating high-level strategic objectives and allocating resources based on priorities.
    • Reviews and gains understanding of SMPC Group’s risk portfolio and leverages risk information into decision-making process
    • Sets and approves the risk governance structure, framework and agrees on risk policies including its procedures in alignment with strategies
    • Approves Management’s risk assessment and ranking in relation to the established risk appetite
    • Ensures timely information and updates are received from Management on the significant risks and the corresponding key indicators and responses
    • Oversees assurance on risk management’s effectiveness and compliance with enterprise risk management policy through its Audit Committee and Internal Audit
    • Reports to stakeholders the SMPC Group’s risk management activities and approves the related disclosure.

  • Risk Committee

The Risk Committee assists the Board in fulfilling its oversight of the risk management function. The primary purpose of the Risk Committee is to oversee and approve the company’s Enterprise-wide Risk Management framework through the following:

    • Oversee that Management has identified and assessed all the risks that the organization faces and has established a risk management infrastructure capable of addressing those significant risks affecting the achievement of the Company’s objectives;
    • Oversee that risk-related responsibilities of each Board Committee are clearly addressed in conjunction with other Board-level Committees or the full Board
    • Conduct investigations into any matter within its scope of responsibility, as necessary
    • Meet with other Board Committees to avoid overlap as well as potential gaps in overseeing the organization’s significant risks

  • Chief Executive Officer

The Chief Executive Officer is ultimately responsible and assumes ownership of the ERM. He meets regularly with the Management Committee, business unit heads and key leaders to ensure the adequacy and effectiveness of risk responses to the identified significant risks.

  • Senior Management

Senior Management’s responsibility in relation to risk management includes:

    • Integrating risk management activities in strategic planning and decision making,
    • Reporting regularly to the Board on the significant risks and on how such risks are being effectively managed,
    • Allocating appropriate level of resources including creation of a management committee or working group to ensure success and support of ERM efforts,
    • Communicating risk management policies to all levels in the organization,
    • Ensuring that significant risks are consistently and continuously identified, assessed, managed, monitored and reported on by Business Units/Risk Owners to appropriate management levels,
    • Championing the development and maintenance of an effective risk culture throughout the organization, and
    • Initiating and promoting the continuing ERM education and training for key officers and business units to strengthen ERM capabilities.

  • Chief Risk Officer

The Chief Risk Officer (CRO) or Designate leads and supervises the development, implementation, reporting and monitoring of risk management activities across SMPC Group and makes recommendations for the continual improvement and enhancement of its ERM process. The CRO’s role includes, but is not limited to, the following:

    • Reporting on aggregate risk profile, control effectiveness and corrective actions taken by Business Units (Process and Risk Owners);
    • Developing and implementing appropriate risk management processes and methodologies, tools, techniques, analysis and training;
    • Monitoring and regular reporting on significant risk exposures and related status of controls and action plans to Senior Management and Board;
    • Establishing a common risk language and risk register as basis for understanding of risk owners across all levels in the SMPC Group;
    • Coordinating appropriate and timely delivery of risk management information;
    • Recommending areas for continual improvement and enhancement of the ERM process.

  • Chief Governance Officer

The Chief Governance Officer provides key support to the Board of Directors, Board Committees and Senior Management in the fulfillment of their oversight responsibilities in governance, risk and compliance matters.

  • Risk Owners

The Risk Owners (ROs) comprise all of the Group’s business units that are involved in the day-to-day operations and transactions. They are responsible for identifying and assessing risks, taking risk positions and actively monitoring, evaluating and adjusting the action plans to mitigate and manage risks. Due to the considerable discretion inherent in their activities, ROs have the following responsibilities:

    • Business Unit Head as Risk Champion
      • Supports the organization’s risk management philosophy by managing risks within their functional areas of responsibility.
      • Implements the risk management policies and procedures in their day-to-day activities, performance measures, operational planning and budgeting.
      • Reports and monitors action plans to close the identified gaps and enhance risk responses to identified risks.
      • Operates their business unit within the set risk appetite and tolerances.
      • Conducts risk reviews regularly, including the identification and assessment of both inherent and residual risks in terms of impact and likelihood, and of the control performance of their respective business units.
      • Reports to Senior Management and the Chief Risk Officer or Designate on the significant risks and how such risks are being managed and monitored.
      • Coordinates with other business units with which they have interdependencies on risk-related matters.

    • Employees as Risk Owners

Managing risk is the day-to-day responsibility of the business units. Employees, as owners of business processes with inherent risks, shall recognize that risk management is everyone’s responsibility. They shall continually identify, assess, manage, monitor and report, at the appropriate levels, the risks and controls embedded in their day-to-day activities.

  • Risk Advisory

The Risk Advisory (RA) assists the Board in performing the oversight function on the implementation of Enterprise Risk Management practices throughout the organization. RA responsibilities include the following:

    • Facilitates activities such as risk and control self-assessment, key risk indicator monitoring, incident management reporting and business continuity implementation
    • Develops and manages a skilled, agile and responsive risk organization and ensures robust risk management
    • Develops a risk management strategy to meet organizational needs and manages the company’s Risk Management Process
    • Periodically reports on the Key Risk Indicators to the Management and the Board.

  • Internal Audit

The Internal Audit (IA) function is an essential part of the ERM governance structure. IA responsibilities include the following:

    • Providing independent and objective assurance on the adequacy and effectiveness of the assessment, monitoring and reporting of identified risks and related risk management processes.
    • Reporting to the Audit Committee, Board and Senior Management the results of its risk reviews.
    • Consulting services such as facilitation, training and advice to assist Management in the continual improvement of the risk management process.
    • Evaluating results of risk self-assessments at strategic and business unit levels in preparing the annual audit plan.



The ERM Policy shall be reviewed regularly or as needed by Senior Management and the Board for effectiveness and continual improvement.