Risk Management System | Ayala

Risk Management System

Governance  >  Annual Corporate Governance Report  > Risk Management System


Risk Management at Ayala: From Avoidance and Mitigation to Value Creation

Risk Management has become an increasingly important business driver and part of successful corporate governance. By treating risk as intrinsic to the conduct of business, risk management is elevated from an exercise in risk avoidance to an essential consideration in every decision, initiative and activity. At Ayala, we ensure that our risk management system has the right architecture, strategy, and protocols to support the risk management process. We revisit these three key factors yearly to ensure that we have the right approach in mitigating risks and maximizing opportunities.

Institutionalized in 2002, the Company has adopted an enterprise risk management (ERM) framework that is continuously being enhanced and improved. The oversight for the operationalization of Ayala's risk management program rest with the Risk Management and Related Party Transactions Committee, a Board-level Committee that provided transparency and visibility into the corporate's risk management practices. The Chief Risk Officer (CRO), being a risk management advocate, reports to the Committee any improvement in the design, implementation and maintenance of the enterprise risk management roadmap. The Group Risk Management & Sustainability Unit supports the CRO in the execution of its responsibilities and continues to align Ayala's risk governance with Deloitte's concept of risk intelligent enterprise, espousing the best practice that goes beyond risk avoidance and mitigation to utilize risk-calculated decision-making as a means to create value. It also convenes the ERM Council, a group comprising the risk officers of Ayala business units, for risk framework alignment, continuous risk process improvement, and other group projects. On a semi-annual basis, the ERM Council provides the top risks of their respective organization to the Group Management & Sustainability Unit for reporting to both the CRO and the Risk Management and Related Party Transactions Committee. 

Management committees also provide support to the CRO by ensuring the existence of a structure at the operating level that will communicate and monitor key principal and emerging risks. They also ensure that risks are discussed during project and investment meetings. As risk owners, the business unit leaders are responsible for managing the risks they face in the day-to-day operations within the established risk framework. They have the responsibility to identify, measure, monitor, control and report on risks to the management. Finally, the Internal Audit Unit provides an independent assurance on the adequacy, effectiveness, and efficiency of the risk management process.

Every year, the corporate conducts an enterprise-wide risk assessment workshop to identify emerging risks, evaluates its impact to the corporate and the business units, and prioritize risks according to both impact and likelihood. For 2019, the Company assessed that key risk exposures include brand and reputation, political and regulatory and business resiliency. The company and the group have laid down the mitigation plans to address these exposures.


 Board Review of the effectiveness of the risk management system

As set forth in its Charter approved by the Board of Directors, the Risk Management and Related Party Transactions Committee has reviewed and assessed the adequacy and the effectiveness of the Corporation's enterprise risk management process:

  • The Committee has reviewed the following policies: enterprise risk management policy, related party transactions policy and the business continuity management policy.
  • Thru the Chief Risk Officer, as supported by the Group Risk Management and Sustainability Unit, the Committee has ascertained that an effective risk management process was in place and that the risk management practices of the Company transcend mere compliance. The shift was driven by the mindset that understands the interconnectedness and interdependency of risks that require collaborative risk mitigation strategies. Silos were broken down through risk assessment methodologies, such as the black swan approach, risk interaction mapping, bow tie analysis and risk sensing.
  • With a deeper understanding of the sustainability megatrends, participants in the annual risk assessment exercise identified emerging risks presumably caused by these trends, such as climate change, which could interrupt business operations. In addition, the impact scale for risk scoring was expanded to include the potential environmental impact of risk events to the business operations and the communities where our businesses operate in.
  • The Committee has also noted management support as the Managing Directors made themselves available to discuss their risk strategies and respond to queries raised by the Committee.

Risk Maturity Assessment

In addition to the regular reports of the CRO thru the Group Risk Management and Sustainability Unit, the Corporation has engaged Aon Risk Solutions to execute a group-wide risk management maturity assessment, the first round of which was completed in 2015. According to best practice, the assessment of the maturity of the risk management process should be performed every two to three years.

The Aon Risk Maturity Index (RMI) is designed to capture and assess an organization’s risk management practices and provide participants with immediate feedback in the form of a Risk Maturity Rating and actionable steps for improvement. Aon has partnered with the Wharton School of the University of Pennsylvania to develop the Index and conduct joint research on the relationships between risk management practices and actual performance. The Aon Risk Maturity Index contains questions on risk management processes, corporate governance and risk understanding. The questions are based upon the ten characteristics of an advanced risk management maturity:

  • Board-level understanding of and commitment to risk management as a critical factor for decision-making and for driving value;
  • A senior-level executive who drives and facilitates key risk management processes and development;
  • Transparency of risk communication;
  • A risk culture that encourages full engagement and accountability at all levels of the organization;
  • Identification of existing and emerging risks using internal and external data and information;
  • Participation of key stakeholders in risk management strategy development and policy setting;
  • Formal collection and incorporation of operational and financial risk information into decision-making and governance processes;
  • Integration of risk management insights into human capital processes to drive sustainable business performance;
  • Use of sophisticated quantification methods to understand risk and demonstrate added value through risk management; and,
  • A move from focusing on risk avoidance and mitigation to leveraging risk and risk management options that extract value.

Through this study, the Corporation and the Group evaluated the effectiveness of the improvements implemented since 2015. Similarly, the Corporation’s ERM roadmap was revised to address other potential areas for improvement.



 For the Company


Risk Exposure Risk Definition Objective
Brand and reputation The inability to maintain our stature as a company of choice may result in significant difficulty in creating and/or maximizing value for all stakeholders. To maintain and improve one of its core values, the strong Ayala brand,
Political and regulatory The inability to anticipate changes in the political and regulatory landscapes may result in the Group being unable to shield our profitability and brand value. To ensure that the Corporation van adapt to changes in the political and regulatory landscapes to continue its long-term value creation process for all its stakeholders. 
Business resiliency Being unable to restore normal operations following natural/man-made disaster and/or failure of business contingency processes and systems may cause significant revenue loss and customer trust.  To put measures in place that will allow the continuity of business operations and swift recovery following a natural or man-made disaster. 


For the Group

Risk Exposure Risk Management Policy Objective
Political and regulatory The inability to anticipate changes in the political and regulatory landscapes may result in the Group being unable to shield our profitability and our brand value. To improve the Group’s ability to anticipate and adapt to political and regulatory changes, which may impact each business unit's business models and other value creation activities.
Portfolio management The inability to align portfolio management strategy with business objectives may result in the failure to provide the right balance of risk and return. 

To ensure that the products and services mix of each business unit will provide the right balance of risk and return to the organization.


Failure and/or inefficient operational processes, people and systems may result in inability to meet business objectives.

To ensure that all business units have efficient and effective processes, right talent and appropriate systems to support the achievement of business objectives.


For Minority Shareholders

Risk to Minority Shareholders​
The Company’s Related Party Transactions policy that took effect last December 2014 ensures that the rights of the minority shareholders are protected. The Corporation established a mechanism to ensure that related party transactions are at arms-length, the terms are fair, and that they inure to the best interest of the Corporation and all of its shareholders. The Corporation strictly monitored, reported, and disclosed related party transactions as well as inter-company transactions.



 For the Company

Risk Exposure

Risk Assessment

(Monitoring and Measurement Process)​

Risk Management and Control (Structures, Procedures, Actions Taken)​
Brand and reputation
  • Scanning of local, regional and international news
  • Inclusion of social media in the monitoring of trends
  • The Corporate Communications Unit set up a social media plan that includes a quarterly analysis of social trends/sentiment and continuous monitoring of social media pages.
  • The same unit is also developing a Stakeholder Plan, including a stakeholder mapping and engagement initiatives to address stakeholder issues.
  • The Sustainability Team collaborates with community partners on areas of sustainable livelihood, environmental protection, children and women’s health, among others.
Political and regulatory
  • Continuous scanning of political and regulatory landscapes
  • Evaluation of new laws and regulations on how they could impact the companies’ business operations
  • The Ayala Regulatory Council regularly identifies and monitors new policy issues across sectors and industries and makes recommendation to the Ayala Group Management Committee on how to address regulatory issues.
  • The Corporate Services Compliance Unit of Ayala Group Legal handles regulatory compliance.
  • Set aside political connections of key employees in formulating business strategy.
Business resiliency
  • Hazard monitoring
  • Annual review of crisis management, business continuity and IT disaster recovery plans
  • Test the adequacy and effectivity of crisis management and IT disaster recovery plans on a regular basis.
  • Assess the effectiveness of business continuity plans through tabletop testing or simulation exercise every two years.
  • Distribute go-bags, CPR kits and other paraphernalia that will help all employees to recover from any disaster.
  • Invest in a comprehensive insurance program and periodically review the adequacy of insurance coverage.


For the Group

Risk Exposure

Risk Assessment

(Monitoring and Measurement Process)​

Risk Management and Control (Structures, Procedures, Actions Taken)​
Political and regulatory
  • Continuous scanning of political and regulatory landscapes
  • Evaluation of new laws and regulations on how they could impact the companies’ business operations
The Ayala Regulatory Council ensures legal and regulatory compliance of the Group, and periodically discusses new regulations that may affect the companies’ business operations.
Portfolio management
  • Monthly monitoring of segment performance and how far they are from set targets
  • End-of-year performance review per business unit
  • Annual monitoring of Key Result Area (KRA) scorecard of the business units
  • Regularly monitor business units’ performance on a periodic basis.
  • The Business Development Unit of all business units conducts early spotting of opportunities both within existing and emerging businesses.
  • Maintain relationship with existing partners and proactively identify and build network with potential business partners and investors.
  • The monitoring and measurement processes vary across industries and business segments.
  • The Internal Audit Unit of business units provides assurance on the soundness and effectivity of operational policies and processes in place.




Copyright © 2017, Ayala Corporation

privacy | terms of use