information, and Data Loss Prevention (DLP) software deployment. Access controls are strictly enforced through Two-Factor Authentication, conditional access policies for company resources, and regular reviews of user permissions. Business continuity measures include annual testing of Disaster Recovery systems, regular review and updating of the Business Continuity Plan, staff emergency response training, and comprehensive risk analysis for all business functions. The Manager also maintains appropriate insurance coverage and has developed specific response plans for various scenarios including pandemic situations.

B. Risk Management Application

Other risk management tools are used to manage risks besides the RAS and the Key Risks and Control Matrix.

Compliance Matrix

The Manager maintains a register known as the Compliance Matrix to record major rules and regulations relevant to both ESR-REIT and the Manager. The register is reviewed yearly or whenever the business environment changes substantially or whenever there are new rules or changes to relevant rules and regulations.

Policies and Procedures

Policies and procedures have been established to reduce operational risks by providing uniform practices that serve as a basis for guidance in day-to-day operations and to facilitate the understanding and correct implementation of different work processes. All policies and procedures must be reviewed and updated where relevant at least once a year to ensure they are kept up-to-date. Any revisions, amendments and supplements to the various policies must be approved by the Board, the ARCC or the CEO, as appropriate.

Education and Training

To increase the level of awareness and knowledge of various risks, controls, requirements and processes within ESR-REIT and the Managers, all new employees are required to undergo induction training by the various departments. On-the-job training is provided to equip the employees with the knowledge and skills to carry out their work.
Internal bite-sized compliance training is also conducted for the purpose of information sharing, especially on changes relating to internal policies. As part of the ESR Group’s compliance training program, employees are required to complete mandatory compliance online training which covers topics that are relevant to the corporate compliance policies and other governance related matters. Employees are also encouraged to seek external training to deepen their field of expertise and/or acquire new skills and knowledge as part of their personal development plans. Skills and knowledge acquired via such training can be applied to their work to improve work processes or control requirements, thus effectively reducing operational risks for the Managers.

Whistleblowing

The Manager has put in place a Policy on Whistleblowing to provide an avenue to all employees and external parties to raise any concerns about possible improprieties in matters of financial reporting or other matters to the ARCC Chairman, without fear of reprisals. Valid reports made in good faith are investigated independently with appropriate follow-up actions.

C. Risk Monitoring

The Board and the ARCC are kept abreast of ESR-REIT and the Managers’ key risk exposures as well as the risk management activities and results via the following quarterly reports by the Management:

1. Quarterly monitoring of ESR-REIT’s and the Manager’s RAS
2. Quarterly review of the Key Risk and Control Matrix
3. Quarterly monitoring of outstanding internal/external audit recommendations and regulatory inspection findings
4. Quarterly attestations from employees, appointed representatives, Heads of Departments and Directors in terms of compliance with relevant regulatory requirements
5. Quarterly reporting of actual and potential breaches and loss events

In addition to the above risk monitoring methods, the Manager has formulated a Compliance Monitoring Framework using the Compliance Matrix as a base document.
A risk assessment of all regulatory requirements impacting ESR-REIT and the Managers is performed on an annual basis. This will guide the approach taken for Compliance’s oversight function, which includes a combination of routine monitoring and risk-based monitoring programmes (otherwise known as the Compliance Monitoring Program). A two-year Compliance Monitoring Program based on the results of the risk assessment is then tabled to both the ARCC as well as the Board for approval. Upon the approval of the program, the Compliance and Risk Management team will proceed to implement the program, and the results of the reviews will be tabled to both the ARCC and the Board on a quarterly basis for their review.

In order to give the ARCC and the Board the assurance that the Manager’s risk management and internal control systems are adequate and effective, an annual internal control review based on the top risks identified in the Key Risk and Control Matrix is conducted by the Compliance and Risk Management team and the results are tabled to both the ARCC and the Board. The outsourced internal auditor also conducts an independent review of the risk management and internal control systems implemented by the Manager so as to provide independent assurance to the ARCC and the Board on the adequacy and effectiveness of the risk management and internal control systems. Together, these monitoring tools provide greater assurance that ESR-REIT’s and the Managers’ identified risks are adequately managed.

D. Risk Reporting

Reports are provided to the ARCC, the Board and/or regulators on a regular basis to provide updates on the Managers’ risk and compliance management activities.

ESR-REIT ANNUAL REPORT 2025