Risk and Opportunities

Enterprise Risk Governance and Management

The FPH Enterprise Risk Management (ERM) process follows ISO 31000:2018. An ERM review across the FPH businesses is conducted annually. The process involves defining the review’s scope, context and criteria of the cycle’s activities, doing a risk assessment, designing activities to mitigate risks, monitoring and review, recording the review’s output and reporting it to relevant bodies, and communication and consultation with all parties involved. The process is iterative and goes in a feedback loop, taking into account changes in context, objectives, and internal and external factors that may have an impact to value creation. All outputs are captured and documented through a risk register. The annual cycle ends with oversight through regular monitoring and review done at various levels.

The Board of Directors maintains its oversight role of the process through the Board Risk Oversight Committee (BROC). The BROC reviews all major risks and opportunities and works with the FPH businesses on their corresponding management strategies, and action plans.

The Chief Risk Officer (CRO) and Senior Management review the critical strategic risks and opportunities prior to the BROC review. The CRO and ERM Team serve as the process champion to ensure a fully functioning ERM system is in place.

The ERM team provides the framework and supports respective risk management systems, initiatives, and programs placed in each of our businesses. Within each subsidiary’s risk management system, major risks are identified with the appropriate risk owners.

At the level of the subsidiary, the risk owners evaluate, monitor, manage, and report their assigned risks, including the mitigation and application of appropriate risk management solutions. Project risks and opportunities are reviewed by project teams with support either from the subsidiary’s respective risk management champions and/or the FPH Risk Management Team, as the case may be.

With regard to Cybersecurity risks, this is a joint responsibility of ERM/Tech Risk and IT and its management is lodged with both the CRO and the Chief Digital Officer (CDO). Cybersecurity risks and its management are included in the annual risk management review cycle.

Risk management and risk awareness are embedded into employee knowledge through Enterprise Risk Management 101 lectures. This is part of the onboarding of all new employees, as well as given as a refresher to everyone involved in the risk review process every ERM cycle. The ERM team also gives the ERM 101 lecture and other briefings to the subsidiaries for their own new employees, as requested.

Developments in Business Continuity Management

Throughout 2020 to 2021, our ability to respond and thrive through crises was challenged. Since the beginning of the pandemic, the concurrent Taal eruption in 2020, adapting to each COVID wave, and transitioning to the new normal, we strengthened our Business Continuity Management (BCM) to be prepared for any crisis that may come our way—whether this could be another health crisis, natural disaster, or the threat of The Big One (earthquake).

In 2022 we finished conducting BCM 101, Gap Assessments, and Business Impact Assessment 101 for most of our major subsidiaries. In 2023, we will complete pending BIA 101 sessions along with completing the subsidiaries’ Business Impact Assessments (BIA). From the BIAs each subsidiary will develop a Business Impact Assessment Template which will guide them during times of crisis. This reference document will guide the subsidiary in determining mission critical positions; identify emergency response leads, crisis management leads, and business continuity leads; and establish mission critical activities including dependencies, recovery time objectives, and alternative arrangements. Finalization of the BIA templates will be done in 2023, and will be followed up with its implementation, testing, drills, and simulations.

Managing Risks and Exploring Opportunities in 2022

Majority of the risks faced by our businesses are outcomes from events happening at the global scale. Namely, these are the Ukraine and Russia war, China’s Zero COVID lockdowns and energy crisis, and food shortages in some parts of the world. With these events coming right after years of the COVID-19 health crisis, the economy we have now is one with high inflation rates, a looming recession, and disrupted supply chains. On the other end, our businesses also face risks unique to their industries and the nature of their operations. Amidst all these, FPH and the subsidiaries remain steadfast in managing these risks and finding opportunities in our landscape.

The impacts of climate change are still ever present, and we have made preparations to address related risks and opportunities in three ways: disaster management, climate adaptation and resilience, and a decarbonization program. Immediate natural disasters such as typhoons, floods, landslides, and the like will be addressed through our business continuity management framework. Our power segments also have natural catastrophe programs to proactively address these risks, which also forms part of how they adapt and become resilient to climate change impacts; more on this in the section on Manufactured Capital on page 92. With regard to our non-power generation segments, they too have figured climate impacts into infrastructure and process designs specific to their operations, detailed below. And lastly, to proactively contribute to the global goal of decarbonization, our businesses have begun developing their decarbonization plans this 2022; this is detailed in the succeeding section on TCFD reporting requirements.

Updates on Actions on Major Disruptions

Implementation of TCFD Recommendations

We started following the prescriptions of the TCFD in 2020 in order to systematically analyze our climate risks and opportunities. Since we laid out our roadmap in our 2021 Integrated Report, our progress on these prescriptions is on track. Below is a summary:

In 2022, the FPH Corporate Sustainability Group conducted a series of sessions with the FPH subsidiaries and head office departments on the topic of decarbonization. These sessions had the following objectives:

These decarbonization sessions included several workshops for the groups to immediately begin planning:

In our decarbonization sessions, we analyzed the various principles on climate change and its impacts; the related definitions and nuances of IPCC’s prescriptions; and the Philippine climate commitments in its Nationally Determined Contribution (NDC). This discussion ensured the accuracy of our climate measures. Our growing understanding of these decarbonization requirements made us more cautious with our commitments. We understand that our mitigation plans are challenged by a lack of commercially-scaled and affordable GHG removal technologies at this time. Hence, we agreed that the resulting decarbonization plans from the sessions will be continually refined as technical measures become available, based on our role in the national climate strategy, and subject to other considerations based on the group’s circumstances.

The planning process spanned a total of four months, inclusive of further internal discussions within the subsidiaries and review of the plans by the parent company. This resulted in each subsidiary crafting their own decarbonization plan.

Social Issues

In 2021, various social issues became emerging concerns triggered by the pandemic. We also set human rights as our main mechanism to address these issues, to protect our stakeholders, and make our operations inclusive. In our 2021 Integrated Report, we discussed the results of our subsidiaries’ human rights impact assessments across their value chains. By 2022, we completed the remaining requirements of human rights due diligence, namely: a) the formulation of management measures for the potential human rights issues identified by the subsidiaries in 2021; and b) the completion and enhancements of the subsidiaries’ Grievance Redress Mechanisms. Below summarizes our human rights measures. Additional details on human rights in the workplace are found within the section for Human Capital, on page 121, while respecting the rights of our stakeholders are expounded in the section on Social and Relationships capital on pages 133-135.

In addition to the above measures, subsidiaries were asked to provide information on how they plan to conduct performance evaluation and monitoring. For each potential human rights risk, the following parameters were identified: accountable group to address the risks, baseline information, indicators, data verification, key collectors, and method of collection.

Recognizing that every company has the potential to cause harm to others and in turn harm the business itself, the last due diligence requirement we completed in 2022 was Grievance Redress Mechanism (GRM). The GRM designed by each subsidiary is bespoke to their organization and their project needs. This mechanism enables various stakeholders (employee, customers, host communities, and other affected entities) to raise their concerns about the business and seek resolution when they perceive a negative impact arising from business activities. Ultimately, a GRM aims to provide remedy that will restore the situation of individuals and groups that have been harmed. The development of the GRMs considered the whole process including uptake of concerns, investigation, grievance monitoring, and the various modes of doing such.

In 2022, we went beyond human rights concerns to protect our stakeholders. As a proactive move, we worked on other factors that would promote a regenerative community.