RISK MANAGEMENT

ACEN’s enterprise risk management framework

We embed enterprise risk management (ERM) into our core business to identify risks and opportunities, support strategic decision-making, and build confidence among our investors, partners, customers, employees, and other stakeholders. We incorporate risk management approaches from ISO 31000:2019 (Risk Management – Guidelines) and the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM framework in our ERM policy and procedures.

Our Group Chief Risk Officer (CRO) serves as the champion of risk management in ACEN, overseeing enterprise risk and operational risk management. The CRO is supported by the Health, Safety, Security, and Environment (HSSE) team and the Risk and Insurance team to manage and mitigate operational and financial risks.

Read more about our risk management process in our ERM policy.

Our ERM framework integrates strategic risk management, operational risk management, and business continuity management to support the achievement of corporate objectives while strengthening organizational resilience:

  • Strategic risk management focuses on identifying and addressing internal and external risks through corporate planning, strategic initiatives, and performance management.
  • Operational risk management ensures that day-to-day operations and development activities are conducted within defined risk parameters through reviews, resource and capital management, and insurance.
  • Business continuity management prepares the organization to respond to adverse events through emergency response, crisis management, and business recovery.

These three elements are connected by a strong risk management culture, supported by scenario analysis, contingency planning, and special ERM projects, enabling consistent, enterprise-wide risk awareness and informed decision-making.

Our ERM framework

To ensure effective risk management throughout the organization, we also define clear ownership and oversight of risks across three levels.

We continue to align risk-based processes with our ERM Policy, particularly through the consistent application of risk assessment matrices. To support this, we cascaded a standardized risk dictionary and reporting protocols to teams managing development and construction projects. The risk assessment matrices were also adopted to expand the criteria used by the Internal Audit team in determining audit findings, further strengthening risk oversight across the organization. Finally, in line with the rapid expansion of our retail supply business, we reinforced the review and monitoring of customer credit risk through the ACEN RES Credit Scoring system.

In 2025, we enhanced risk management through:

  • Refresher training on enterprise risk management to all sites to update and refine risk and opportunity registers
  • Enhancements to the Risk Management Standard for project risk reviews
  • Risk workshops for projects under pre-development stage
  • Clearer escalation and communication protocols and standardized alert levels established within the Incident Management System
Safety expert Dr. Ted Esguerra engaged ACEN employees with practical, life-saving tips to prepare for the “Big One,” strengthening earthquake readiness during the Disaster Preparedness Week plenary session in September 2025.

Strategic risks

Using a bottom-up and top-down approach, we assess strategic risks—those that may materially affect our strategy and business direction—on an annual basis. These risks are consolidated and presented by the Risk and Insurance team to senior management for discussion in the context of our goals and global portfolio, before final review and approval by the Board Risk Management and Related Party Transactions (BRMRPT) Committee in accordance with the risk assessment matrix set out in the ERM Policy.

We define mitigation measures and assess current impact and likelihood for each risk to reflect the level of residual impact after existing controls are applied.

Operational risks

For operational risks—defined as risks that may result in deviations from targets without altering overall strategy—we increased the frequency of risk reporting for operating assets, requiring quarterly updates to their risk registers. For projects under development, project teams are likewise required to report identified risks and corresponding mitigation measures as part of milestone approval processes. For construction projects, the risk register is required to be updated on a monthly basis.

Insurance management

As our footprint expanded, the scale and complexity of our insurance requirements increased. To address this, we undertook a comprehensive review of our insurance arrangements beginning in 2023, culminating in the rollout of consolidated Master Insurance Programs in 2024 covering our Philippine renewable energy assets, as well as our operations in Vietnam and Australia. This consolidation simplified portfolio management, delivered cost efficiencies, and strengthened insurance protection across the group.

Cybersecurity

We acknowledge that unaddressed cyber threats may result in operational disruptions, risks to the security of our employees and clients, financial losses, and reputational harm. As we continue to adopt and use information technology to enhance efficiency and stakeholder value, we actively manage cybersecurity risks. Our Information Security Policy is aligned with ISO 27001 for information security management systems and ISO 27002 for security controls, ensuring a secure IT environment that safeguards the confidentiality, integrity, and availability of information and systems.

Oversight of policy compliance and cybersecurity risk management at ACEN is the responsibility of the Group Chief Risk Officer, John Philip Orbeta. He is supported by Albert Palero, Head of Information Security, who leads the information security function. Our IT Steering Committee approves IT projects encompassing applications, infrastructure, security, and analytics.

We conduct annual Vulnerability Assessment and Penetration Testing (VAPT) and third-party audits across the ACEN IT Suite to ensure that our security controls meet or exceed industry standards. We also utilize third-party information security tools to strengthen our cyber threat detection and response capabilities.

Recognizing that most cybersecurity incidents originate from human factors—such as malware, phishing, and social engineering—we regularly distribute cybersecurity newsletters and conduct phishing simulations to strengthen employee awareness and preparedness.

In 2025, we implemented initiatives to test and validate security controls to address cybersecurity risks:

  • Collaborated with a third-party company to conduct vulnerability assessment and testing to identify assets with weaknesses and opportunities for improvement.
  • Rolled out a zero-trust platform across the organization to further reinforce endpoint security.
  • Established a Cyber Incident Management Team responsible for managing cyber-related incidents.
  • Implemented continuous threat exposure management to track, prioritize, and address threats and vulnerabilities.
  • Progressed a group-wide project to support contingency planning, strengthening overall business continuity strategies.
  • Reviewed and updated our IT policies.

Due to robust controls, safeguards, and monitoring measures in place, we are confident that all data and information remain secure, protected, and managed in accordance with best-practice standards.

Given the nature of our transactions, cyber independence, database segregation, and mitigation controls, cybersecurity risk is not included in our top risks. Nevertheless, cybersecurity risks are closely monitored given their potential impact on business operations.

Amid the rapid adoption and growing influence of artificial intelligence across industries, ACEN adopts a responsible and well-governed approach to AI use that aligns with business objectives, risk management, and ethical standards. Our AI Policy, which establishes clear guardrails and recommended implementation frameworks, was approved by the IT Steering Committee in early 2026 and has been endorsed for Board approval.

Learn more about our approach to information security in our Information Security Policy

At ACEN, we uphold robust cybersecurity standards to protect our data and digital assets across the group.

Climate risk

Governance

A strong governance structure is essential to advancing climate action. With active oversight from the Board and senior management, we translate our climate strategy into clear targets and coordinated action, with sustainability embedded in corporate key result areas and regularly reported to the Board.

Our executive-level ESG Committee, which includes our CHRO JP Orbeta (left), and Board-level Sustainability Committee, headed by Board Director Jaime Urquijo (right), oversee our strategic sustainability priorities.

At the Board level

  • Our Board of Directors reviews and approves major strategic decisions proposed by senior management around energy transition, decarbonization strategy, and portfolio of top risks including climate and medium and long-term climate targets. The Board reviews and approves management’s specific responsibilities against ESG targets, including our Net Zero targets. The Board likewise approves our ESG Policy and its amendments.
  • Our Board-level Sustainability Committee reviews strategic priorities on sustainability and monitors the progress of sustainability initiatives, including our Net Zero performance.
  • Our Board-level Risk Management and Related Party Transaction Committee oversees our Enterprise Risk Management system, which includes climate risks.

At the management level

  • Our Leadership team, headed by our Chief Executive Officer (CEO), is primarily responsible for the execution of Board-approved climate strategies. It is also responsible for implementing systems of internal controls and risk management processes to ensure achievement of objectives while maintaining compliance with laws, rules, and regulations.
  • Our ESG Committee reviews, monitors, and aids senior management and the Board on policymaking and decision-making processes around ESG issues. It is composed of the functional heads of governance and compliance, sustainability and investor relations, and headed by the Group Chief Human Resources and Administrative Officer and Group Chief Risk Officer.

Our sustainability team, led by head of corporate communications and sustainability, Irene Maranan (left), works in close collaboration with our CEO Eric Francia and the Board to advance the company’s sustainability agenda.

At the corporate level, the sustainability team, led by our Head of Corporate Communications and Sustainability, performs oversight functions and manages group-wide sustainability initiatives, including climate-related risks, opportunities, and disclosures. At the project level, development leads proactively address physical climate risks during the planning and design of new projects.

The sustainability team works closely with development teams to ensure environmental and climate-related risks are properly identified, assessed, and managed. For operating projects, plant managers, together with health, safety, security, and environment teams, coordinate with the sustainability team to address environmental matters and manage physical climate risks.

Through strong governance and cross-functional coordination, we strengthen accountability, integrate climate considerations into decisions, and support long-term resilience.

Strategy

As a fast-growing company with a 100 percent renewables portfolio and a Net Zero target by 2050, climate action is integrated into our long-term strategy. We review and update our climate strategy through risk assessments and engagements with climate consultants.

We conducted a climate scenario analysis in 2022 to quantify the impact of climate risks to 40 existing sites, using Representative Concentration Pathways (RCPs) 4.5 and 8.5 scenarios to model the financial impacts until 2030. The Modelled Average Annual Loss (MAAL) was used to determine the possible loss after considering the investments made on existing risk mitigation measures.

Our 88 MW Ninh Thuan Wind, a project in partnership with The Blue Circle, supplies clean power to around 25,000 homes annually in Vietnam.

Recognizing that our asset portfolio continues to grow and that climate models improve over time, we began an engagement on climate risk assessment in 2025 to update our risk register and priority physical and transition risks and opportunities. This will be followed by a climate scenario analysis over the short, medium, and long term in 2026.

Climate-related physical risks

The results of the 2022 scenario analyses identified extreme temperature to be the most significant physical risk, followed by flooding. We monitor heat indices and adjust work schedules accordingly to safeguard workers during extreme heat. To address flooding, we place key equipment in higher areas and improve the resiliency of our assets through design and engineering interventions. Climate hazards are included in our emergency response plans to strengthen preparedness, minimize potential impacts, and ensure the health and safety of our people, assets, and surrounding communities.

Climate-related transition risks

Changes in technology and impacts on reputation were identified to be the most significant transition risks. To address these, we have established our Net Zero by 2050 roadmap, with near-term emission reduction targets aligned with the GHG Protocol and the latest climate science, and long-term targets that are consistent with the deep decarbonization of the power sector. We are also leading efforts on energy transition, having completed the first market-based Energy Transition Mechanism (ETM) and pioneering initiatives on Transition Credits.

Risk management

As part of our enterprise risk management process, we consider climate-related risks in our risk universe and risk dictionary. In addition, our ESMS process includes assessment and mitigation of physical risks throughout our project development and operational cycles.

Natural catastrophe analysis

We assess risks around topography, weather patterns, hydrological studies, seismological studies, volcanic activities, and water levels as part of our project development process. These assessments inform mitigation measures that are implemented across the construction and operation phases. For operating assets, we regularly review the risk of natural catastrophes to our project sites, leveraging available tools and engaging with consultants for insurance purposes.

For example, together with our consultant, we conducted a geohazard assessment of our facility in San Marcelino, Zambales. The study combined site inspections, geotechnical analysis, and climate-driven hydrology data to identify riverbank migration and internal channel formation occurrences caused by heavy rainfall. The initial estimated impact to the facility is about ₱6.3 billion in property damage. Engineering interventions and mitigation strategies were then applied, adjusting the Estimated Maximum Loss (EML) to about ₱2.85 billion, well within the coverage limits of the facility.

Metrics and targets

Across this report, we have disclosed metrics and targets used to assess and manage relevant climate-related risks and opportunities where such information is material.