G MAN AGEMENT AKFEN HOLDIN G AND GR OUP C OMP ANIES CORPORA TE GO VERN AN CE FIN AN CIAL T ABLES
9. Akfen Company Group Corporate Risk Management Operating Principles
9.1. Determination of cRM Framework and content
The Corporate Risk Management organizational structure along with roles and responsibilities are reviewed annually by the Board of Directors and approved after the necessary modifications. · The Risk Management Unit sets the annual
corporate risk management calendar and submits it for the approval of the Board of Directors through the Risk Committee. The Corporate Risk Management calendar is set in accordance with the Budget and Performance Assessment calendar and notified to the concerned parties beforehand.
· The Risk Management Unit drafts the main framework of risk assessment implementation, main risk categories to be included in the scope and main risks by taking the feedback into account and submits the draft for approval after conferring with the Risk Committee.
· The Risk Committee drafts the risk categories, risk appetite and risk tolerance on the basis of companies, strategies and special subjects in order to submit them for the approval of the Board of Directors.
· Risk appetite is processed in the risk portfolio in required detail by using the following scale:
risk
vulnerable risk tolerant Indifferent to risk avoiding risk moderately avoiding risk
approach to taking risk Taking risk is perceived as a part of company strategy. The Company displays an aggressive approach to taking risk. The Company displays a balanced approach to taking risk. The Company displays a cautious approach to taking risk. The Company accepts as little risk as possible.
risk – profit relationship
It is possible to face risk for high profit.
Profit objectives are prioritized over risk amount.
Equal importance is assigned to risk and profit targets.
Risk management targets are prioritized over profit.
High profit can be given up in order to have more protection against risk. preferred response to risk approach Risk is accepted to the extent/if permitted by laws. The choice between accepting or controlling risk is made in accordance with internal criteria/ measures. There is no preference in response to risk approach. A choice is made between avoiding risk or sharing (transfer) it with third parties. Risks to which an effective response cannot be given, or which cannot be transferred to third parties, are avoided.
decision criterion for responding to risk No decision criterion is sought for responding to risk.
Actions are taken to respond to risk only if a sound cost effectiveness analysis is performed.
Actions are taken to respond to risk as per cost effectiveness and priorities of management. Actions are taken to respond to risk by prioritizing occurrence/ emergence cost.
Actions are taken to respond to risk even if the cost of preventing risk is more than occurrence/ emergence cost.
· The impact and risk vulnerability criteria to be used during risk assessment are reviewed, updated when necessary and submitted for the approval of the Board of Directors by the Risk Management Unit and Risk Committee in accordance with the table given in Annex 2.
154
9.2. Determination of Risks
· The Corporate Risk Management Unit shares the main risk categories with the Risk Officers of the companies and requests the current and possible main risks that would constitute the risk portfolio in the specified format by associating them with these categories and establishes the consolidated risk portfolio of Akfen Company Group as a result of the information received.
· The current and possible risks that have been determined within the year, in newly established processes, during strategic decisions, for events other than routine or as a result of internal audit are added to the risk portfolio in order to be reviewed in future risk assessments.
· The risks, which have lost relevance are removed from the risk portfolio and the ones that should be updated are corrected.
· Root risks in risk portfolio are associated with related main risks and risk categories.
9.3. Assessment of Risks
· The Risk Management Unit invites company Risk Officers, relevant unit managers, sector and subject experts to risk assessment workshops within the framework of the prescribed calendar.
· During the workshops, all main risks included in the risk portfolio in Annex 2, the impact (financial, compliance/legal, reputation, impact on operations) and risk vulnerability (internal controls, misuse or error history, human resources, automation and
integration) criteria in Annex 2 are assessed by using the risk assessment model. · After risks are assessed individually,
particularly the main risks that are based on the same root cause or have the same impact, are put through an additional assessment in regards to their cumulative impact which may arise in case they occur at different units or locations and, if necessary, impact values are updated accordingly.
· When impact criteria are assessed during risk assessment, the internal (natural) risk is assessed by ignoring all current controls. Among the impact criteria, only those directly related to the risk are subjected to the assessment and during calculation the value of the one with the highest value is directly accepted as the impact value of the. · After impact criteria and risk vulnerability
are assessed, the current situation and the residual risk after current controls are included in the calculation as values. · After impact and risk vulnerability criteria
are assessed on the basis of all companies for the entire risk portfolio, risks are prioritized individually and by taking the weight given to companies into consideration. The criteria, which are taken as basis for such weighting, are Company turnover, profit and number of employees.
· According to the result of impact and risk vulnerability values determined at the end of risk assessment, value at risk values are determined. According to this:
9.4. Response to Risks
· The Risk Management Unit specifies the risk responses for each risk that has been assessed and prioritized with Company Risk Officers by also taking risk appetite and tolerances into account. Risk responses may include risk avoidance, risk acceptance, risk reduction and risk transfer according to the determined risk appetite and the value at risk concluded as a result of the assessment.
CORPORATE RISk MAnAGEMEnT GUIDE BOOk
5 4 3 2 1 1 2 3 4 5 GRAPHIC
VALUE AT RISK SCALE Low Medium High Very high CORPORA Te RI Sk M An AG eM en T GU IDE B OOK