SIA RISK MANAGEMENT FRAMEWORK
1. RISK MANAGEMENT FRAMEWORK
In 2002, SIA formalised its Risk Management Framework, encompassing a Governance and Reporting
Structure, a standardised Risk Management Process and a set of risk management principles, policies
and guidelines.
2. GOVERNANCE & REPORTING STRUCTURE
2.1. Board of Directors – Annually, a formal report is submitted to the SIA Board of Directors to review and
discuss the Strategic and other key risks of the Group. Various key risk topics are also surfaced to the
SIA Board as required throughout the year.
2.2. Board Committees – The Board’s oversight is supported by the Board Safety & Risk Committee and
other Board Committees that review and ensure that key risks are managed appropriately. The Board
Safety & Risk Committee oversees the management’s implementation of the Risk Management
Framework and assesses its adequacy and effectiveness through regular reviews.
2.3. Risk Management Committee – The Group Risk & Compliance Management Committee and various
Company Risk Management Committees or their equivalents drive the implementation of the Risk
Management Framework, through detailed reviews of risks and corresponding controls and risk
governance structure, to ensure key risks are identified, managed and surfaced to the Board
Committees.
[Figure: SIA Group Risk Governance Structure]
2.4. Risk Management Function – The SIA Risk Management Department provides support to the Risk
Committees and the Business Units, ensuring that risks are surfaced by Business Units from the
bottom-up to complement the top-down perspectives provided by the Management and Risk
Committees. Risks are structured based on a standardised risk assessment methodology and
categorisation to ensure the review of risks is consistent and aligned across business functions and SIA
Group Companies. In addition, dedicated corporate functions with subject matter expertise are in
place to oversee the policies and standards to manage specific areas of key risks.
3. RISK MANAGEMENT PROCESS
3.1. Structured Process – Within the Risk Management Framework, a 5-step “Risk Management Process”
is adopted to facilitate communication, understanding and application by all levels of staff. The 5 steps
– Identify, Evaluate, Prioritise, Treat and Monitor risks – form an iterative process to assess risks
and are depicted as follows:
[Figure: SIA’s 5-Step Risk Management Process]
3.2. Multi-pronged Strategies – Risk appetite, risk policies and guidelines are developed and embedded in
the risk management process to ensure a sound system of risk management and internal controls that
safeguards the interests of the Company and those of shareholders. Within this process, multi-pronged
risk response strategies, such as Avoidance, Prevention, Mitigation and Transference, are
employed to address the identified risks. A combination of control measures adopted serves to
protect the organisation in various aspects for more effective management of risks. Crisis
Management, Business Continuity and Disaster Recovery Plans are also developed to mitigate the
impact on business operations and ensure business resilience.
3.3. Ongoing Review of Risks – The SIA Risk Management Framework emphasises an iterative process
of assessing risks through various activities that facilitate on-going reviews of risks. These activities are
embedded within the work schedules of the Business Units and driven by the quarterly reviews and
reports surfaced to the Risk Committees. In addition, a formal process is in place to ensure all
identified risks are consolidated at the Company and Group Levels through a Group-wide Risk
Management Review exercise conducted annually, during which Business Units ensure that risk
registers are kept current in terms of the identification, assessment and management of prevailing
risks.
4. PRINCIPLES, POLICIES AND GUIDELINES
4.1. Risk Appetite Statement – SIA Group’s Risk Appetite Statement outlines the Group’s stance and
approach towards various key risk areas. It provides overarching guidance for managing and
prioritising risks in pursuing the Group’s objectives and business opportunities.
4.2. Risk Management Policies – As part of the SIA Risk Management Framework, a comprehensive Risk
Management Manual, accompanied by the Business Continuity Management Guidelines and Third-Party
Risk Management Guidelines, has been developed with reference to established guidelines and
best practices such as ISO 31000, a globally recognised standard for risk management. In addition,
other Governance, Risk & Compliance (GRC) stakeholders have established various corporate policies
and guides that cover a wide range of risk areas, ensuring that all key risks are managed in a holistic
and integrated manner. These resources provide our staff with clear and comprehensive guidance on
best practices and equip them with the knowledge and tools required to manage risks effectively in
their respective areas of operation, thereby fostering a strong risk-aware culture across the Group.