RISK MANAGEMENT

ACEN’s enterprise risk management framework

We strive to enhance our internal governance framework to align with the evolving business landscape and meet the expectations of our regulators, shareholders, business partners, customers, suppliers, employees and other stakeholders.

In 2022, we appointed a chief risk officer and established teams covering both operational and financial risks: the risk and insurance management team and the health, safety, security and environment team. In addition, we launched our Enterprise Risk Management (ERM) Policy, which incorporates risk management approaches from ISO 31000:2019 (Risk Management – Guidelines) and the COSO (Committee of Sponsoring Organizations) framework.

The ERM Policy contains the following:

  • ERM Policy Statement
  • Risk Appetite Statement
  • Risk Universe
  • Risk Management Process
  • Risk Ownership Guidelines
  • Risk Assessment Matrices
  • Alternatives for Risk Mitigation Measures

In 2023 and 2024, we enhanced the alignment of risk-based processes to the ERM Policy, particularly the risk assessment matrices. We improved and cascaded a risk dictionary and reporting protocol to teams handling development and construction projects based on the Risk Assessment Matrices. To guide emergency response and incident management teams on the level of preparation and response for specific risk scenarios, we created alert levels as part of our business resiliency efforts. As we aggressively grow our retail supply business, we also enhanced the review and monitoring of customer credit risk through the ACEN RES Credit Scoring system.

Finally, the Risk Assessment Matrices were used to align and expand the criteria for determining audit findings by the Internal Audit team.

Read more about our risk management process in our ERM policy.

Strategic risks

Through a bottom-up and top-down approach, we review strategic risks, or risks that could significantly impact our strategies and business directions, on an annual basis. The Risk team presents these risks to senior management to discuss and prioritize the risks vis-à-vis our 2030 goals and global portfolio. The final list is reviewed and approved by the Board Risk Management and Related Party Transactions (BRMRPT) Committee following the risk assessment matrix stated in the ERM policy.

For each strategic risk, we’ve established mitigation measures and their respective residual impact and likelihood. Residual impact and likelihood refer to the potential impact and likelihood of the risk occurring after existing controls and mitigating measures have been implemented. Residual impact is classified into five levels: minimal, minor, moderate, major, and significant, with significant representing the highest impact. Similarly, residual likelihood is categorized as rare, unlikely, possible, likely, and almost certain, with almost certain indicating the highest probability of risk occurrence.


Operational risks

We’ve increased the risk reporting frequency of operating assets, requiring them to update their risk registers on a quarterly basis. For projects under development, project teams are also required to report their risks and mitigation measures during milestone approvals.

Insurance management

Our global insurance portfolio grew as a reflection of our continued expansion. In 2023, we launched an initiative to refine our insurance portfolio, which was fully implemented in 2024.

Master Insurance Programs were created for the Philippine solar, wind and thermal portfolio, the Vietnam portfolio, and the Australian portfolio. Besides the administrative benefits of single anniversary dates, the portfolio has resulted in improved signings. In addition, the average subscription rate increased from 110 percent to 215 percent due to the consolidation of the insurance policies and aggressive marketing to insurance companies. As an effect, the blended rate decreased by 7 percent, along with improvements in several insurance terms and coverages.


Milo Alejo, head of risk and insurance management at ACEN, joined a breakout session at the WTW Strategic Risk Conference 2024 to discuss the realistic challenges of climate and the energy transition.

Cybersecurity

We recognize that cyber threats, if not mitigated, could lead to business disruption, security threats to our employees and clients, financial losses and reputational damage. We work towards addressing cybersecurity risks as we adopt and leverage information technology (IT) tools to improve organizational efficiency and increase relevance to our stakeholders.

We have aligned our Information Security Policy with ISO 27001 on information security management systems and ISO 27002 on information security controls. The policy helps ensure that our IT environment is secure, particularly with respect to the confidentiality, integrity and availability of information and information systems.

Our chief risk officer, John Philip Orbeta, is in charge of ensuring policy compliance and managing cybersecurity threats in ACEN. He is supported by Albert Palero, head of information security, who leads the information security team. To provide strategic guidance on IT investments, our IT Steering Committee approves IT projects, covering applications, infrastructure, security and analytics.

Annually, we conduct Vulnerability Assessment and Penetration Testing (VAPT) and a third-party audit covering the ACEN IT Suite to ensure that our current security measures meet or exceed industry standards. We also employ third-party information security tools to enhance our cyber threat response.

Since cybersecurity incidents mainly stem from a company’s workforce, often through malware, phishing, and social engineering, we conduct mandatory cybersecurity awareness training on a quarterly basis. 92 percent of our employees completed the cybersecurity awareness training sessions cascaded during the year.

In 2024, we also implemented several initiatives to further manage cybersecurity risks:

  • Completed the gap analysis to secure ISO certification
  • Collaborated with a third-party to conduct risk assessment and identify areas for improvement in our information systems
  • Partnered with Globe Telecom for a 24/7 Managed Security Operations Center, a log monitoring and log analysis service covering all security events and alerts, to extend our detection capability
  • Coordinated with internal audit to align current initiatives and procedures with industry best practices
  • Completed the IT disaster recovery strategy, which is now under the IT Steering Committee
  • Secured cyber insurance for the year 2025

As a result of these measures, there were zero breaches of information security for ACEN in 2024.

Learn more about our approach to information security in our Information Security Policy.


In August 2024, we partnered with Globe Business to enhance our Security Operations Center. This collaboration gives ACEN access to skilled professionals with deep expertise and knowledge of the necessary platforms to protect our assets and data.

Given the nature of our transactions, our independence from cyber activities, the segregation of our databases and the risk mitigation measures already in place, cybersecurity risk was not included in our top risks. However, recognizing that it can have an impact on the tactical and operational aspects of the business, cybersecurity risk is still closely monitored.

We commit to observe the highest ethical standards on using and protecting information and information systems.