ACEN’s Enterprise Risk Management Framework

We strive to enhance our internal governance framework to align with the evolving business landscape and meet the expectations of our regulators, shareholders, business partners, customers, suppliers, employees and other stakeholders.

In 2022, we appointed a Chief Risk Officer and established a team covering both operational and financial risks: the Health, Safety, Security, Environmental, Risk, & Insurance Team. In addition, we launched our Enterprise Risk Management (ERM) Policy, which incorporates risk management approaches from ISO 31000:2019 (Risk Management – Guidelines) and the COSO (Committee of Sponsoring Organizations) framework.

The ERM Policy contains the following:
ERM Policy Statement
Risk Appetite Statement
Risk Universe
Risk Management Process
Risk Ownership Guidelines
Risk Assessment Matrices
Alternatives for Risk Mitigation Measures

With the ERM policy in place, we further improved the company’s risk management practices in 2023.

During the WTW Asian Power and Energy Conference, ACEN group chief risk officer JP Orbeta explained how the insurance industry played a key role in the company’s landmark Energy Transition Mechanism (ETM) deal.

Strategic risks
We deployed a combination of bottom-up and top-down approaches for the review of the company’s Strategic Risks, that is, risks that could significantly affect our strategies and business direction. These risks were discussed by senior management and later approved by the Board Risk Management and Related Party Transactions (BRMRPT) Committee.

Operational risks
More frequent risk reporting is now in place for operating assets, development projects and functional departments. Operating assets are required by the BRMRPT Committee to update their risk registers quarterly. Project teams handling development projects are required to document risks and mitigation measures at each milestone approval. Functional departments are required to update their risk registers annually as part of the planning and budgeting process.

Insurance management
In 2023, we launched an initiative called “Project Auxo” with the aim of refining our insurance portfolio. By mid-2023, we already had more than 70 policies across the globe, providing coverage for approximately US$5 billion of our assets and revenues. Recognizing the need to avoid a fragmented and excessively costly portfolio, management prioritized strategies that ensure comprehensive coverage of insurable risk exposures.

Cybersecurity risk
While we embrace and utilize various Information Technology (IT) tools to become more efficient and stay relevant to our internal and external stakeholders, we also recognize that cyber threats are real. If not mitigated, these threats could lead to business interruption, security risks to our personnel and clientele, financial losses, and reputational harm.

On January 8, 2023, the Board of Directors approved the Information Security Policy, which also covers our major subsidiaries throughout the world. The Information Security Policy is aligned with ISO 27001 / 27002 and is our first step towards ISO certification. The policy strengthens the ongoing activities and investments that ensure our IT environment is secure, particularly with respect to the confidentiality, integrity, and availability of information and information systems.

To ensure that the Information Security Policy is complied with and that cybersecurity threats are managed, the chief risk officer, John Philip Orbeta, was assigned to lead this effort. He is supported by an internal team of three led by Albert Palero, Head of Information Security.

As a large share of cybersecurity incidents worldwide can be traced to a company’s workforce, particularly through malware, phishing, and social engineering, we regularly conduct mandatory cybersecurity awareness training. Our employees are required to complete online training on a quarterly basis. In 2023, the completion rate for cybersecurity awareness training was approximately 90 percent.

We also employ third-party information security tools and services, including online monitoring, firewalls, software and patch management, antivirus management, and vulnerability assessments, to strengthen the company’s capability to respond to cyber threats.

To stay ahead in cybersecurity, we engaged IBM and PT&T for IT expertise to further safeguard our cybersecurity infrastructure.

In 2022, we also conducted two Vulnerability Assessment and Penetration Testing (VAPT) engagements and one third-party audit covering the ACEN IT Suite. In all of these third-party reviews, the results were more than satisfactory, with the auditors determining that our current security measures met or exceeded industry standards.

As a work in progress, our team is now developing our IT Disaster Recovery Plan and aligning it with our Incident Management System and Business Continuity Plans. In parallel, we are conducting financial risk modeling exercises to determine the business case for a Cyber Insurance Policy.

We consider cybersecurity risk a major risk that requires continuous attention. However, given the activities in place to manage information security threats, the residual risk was deemed manageable and was therefore not included in our Top Risks.
