Risk Management

Xscale Risk Management Policy

​

Purpose

​

By establishing this Policy we seek to proactively manage risks that might affect our business and capture new opportunities. The policy aims to guide our decision-making on risk related issues.

​

Scope

 

This Policy applies to all current and future business activities of Xscale. All employees and contractors must follow the policy in a uniform manner.

 

Policy Principles

 

1. Risk awareness. Our employees are aware of the risks we face in our business and understand their role in managing risk in their area of responsibility.

2. Relevance. Our risk management practices are relevant to our organizational context and in sync with our business objectives.

3. Improvement. We use the lessons learned from our successes and failures to continually improve our decision-making and risk management framework.

4. Integration. Risk management is integrated into our business processes; it is factored in decision-making across all business activities.

5. Opportunities. We use positive risks to capture new opportunities and achieve profitable outcomes.

​

Responsibilities

Board of Directors is required to:

• Provide policy, oversight and review of risk management

 

Managing Director is required to:

• Ensure company-wide compliance with the policy

• Maintain risk awareness among staff and drive a culture of risk management

• Review and monitor risk management activities on an ongoing basis

 

All Employees are required to:

• Read, understand and comply with this risk management policy

• Be conversant with risk management concepts and be able to apply risk management principles within your area of control

• Identify, manage and report risks in your daily business activities to Board of Directors

​

Risk Management Process

​

Our risk management process is made up of 3 key steps: 1) identify risks; 2) analyze risks; 3) treat risks.

1. Identify Risks. We identify negative or positive risks relevant to our business and document them in our Risk Register. This includes regular discussions with employees at all levels, reading CAPA reports, team brainstorming, etc.

2. Analyze Risks. We measure risks in two dimensions - the likelihood of the risk event occurring (probability) and the extent of the consequences if it were to occur (impact). We then combine the likelihood and impact of a risk event to assign it a rating - extreme, high, medium, low or very low.

(1) Analyze inherent risk - what is the likelihood and consequence of a risk event if it were to occur in an uncontrolled environment? This helps us understand the importance of controls in mitigating risk.

(2) Identify and assess controls - what existing controls (process, policy, device) are in place to address the identified risk and how effective are these controls in operation? A control is any action that we put in place that either reduces the likelihood of an event occurring or reduces its potential consequence.

(3) Analyze residual risk - what is the likelihood and consequence of a risk event if it were to occur in the current control environment? Once the inherent risk and the effectiveness of relevant controls have been considered, the residual risk can be assessed using the same process as in Step 1 but based on the effectiveness of the current controls as assessed in Step 2.

3. Treat Risks. Depending on the type and nature of the risk, we choose one or more options to treat risks: avoid, reduce, share/transfer or accept risk. Once implemented, treatments provide or modify the controls. Risk treatment plan, treatment progress and resolution dates must be documented by risk owners in our Risk Register and reported to the Board of Directors. The results should also be an input to our annual Management Review and improvement of our risk management framework.

When selecting risk treatment options, we consider the following:

 

• Efficiency of treatment and reduction of the overall cost of the risk;

• Available approaches to treat the risk, cost-benefit ratio for each viable treatment;

• Treatment priority, we should address the highest rated risks as a matter of urgency.

​

Continuous monitoring and communication of risks is part of the process. We must also ensure that our risk management framework remains relevant to our organizational context per our Strategic Plan.

​

Risk Categories

​

We have identified the following categories of internal and external risks:

 

• Financial risks

• Operational risks

• Strategic risks

• Human resources

• Technological risks

• Legal & regulatory

• Health & safety

• Geopolitical risks

​

Risk Categories

​

Risk management is a cross-functional process. That means our risk KPIs are reflective of our strategic priorities across all business functions of our Company. Some of our risk management KPIs include:

 

• Quality: Customer satisfaction score: not less than 90%

• Financial: Keep bad debt ratio to 1% of customer sales

• HR: keep the number of high performer turnover to 0 per annum

• Risk Management: Reduce the number of risks occurred to 3 per annum

​

We also use leading risk metrics or KRIs to assess the health of our risk management program and predict risks, including:

 

• Number of risks identified/outstanding

• Internal audit performance scores

• Time taken to resolve risk issues

​

Updates and Communication

​

We periodically review and update this policy to respond to the evolving risk environment and our organizational context. The latest version is published on our website and corporate portal. For any questions please contact us at info@xscale.one or +65 6850 5095.