Corporate Governance
Sembcorp is led by an effective board comprising mainly independent non-executive directors. The board is collectively responsible for providing overall strategic direction and ensuring the long-term success of the Group. Several board committees have been established with clear terms of reference, both to assist the board in fulfilling its responsibilities and to provide independent oversight of management.

Furthermore, the board and management of Sembcorp recognise that well-defined corporate governance processes are essential to enhancing corporate accountability and long-term sustainability, and are committed to high standards of governance to preserve and maximise shareholder value. We comply with the principles and guidelines set out in the Singapore Code of Corporate Governance 2012 issued by the Monetary Authority of Singapore, and our corporate governance practices are set out in the Corporate Governance Statement .

To facilitate the effective execution of both our internal processes and business needs, we have in place a clearly defined organisational structure which includes detailed roles and responsibilities for key appointment holders. This is further supported by an established matrix for delegation of authority as well as financial authority limits, which have been approved by the board. A comprehensive set of group-wide governance and functional policies ensure entity-level controls are also implemented across the Group. The Group’s internal controls policy and manual, which adopts principles of the Committee of Sponsoring Organizations of the Treadway Commission, provides a framework for what constitutes an effective and adequate system of internal controls. It also provides guidelines on the appropriate segregation of duties and a checklist of recommended internal controls for operations in our various markets to put in place.

We are in the midst of transitioning our current GAF to an IAF to provide a more holistic and robust basis of assurance for the adequacy and effectiveness of our risk management and internal control system. The process identifies risk from a top-down strategic perspective and a bottom-up perspective from each key market, putting greater emphasis on the three lines of defence (LOD) model.

a. First LOD
Key markets and business units are required to regularly review their risk and internal control environment to ensure that they operate within the prescribed risk appetite. This is done through a combination of detailed risk and control registers and review processes, established escalation procedures and well-defined consequence management. In addition, a rigorous management attestation process, the Management Control Assessment (MCA), is submitted quarterly by each market and business unit to provide the assurance that its risk management and internal control system is adequate and effective.

b. Second LOD
The second LOD sets the policies, standards and standard operating procedures that the markets and business units are required to adopt. Additionally, submissions and responses from the MCA are further validated through substantive review by the business lines, subject matter experts and corporate functions as an added layer of assurance.

c. Third LOD
Group Integrated Audit (GIA) provides independent assurance across financial, operational, compliance and IT risks through a series of walkthroughs and substantive testing. Management works closely with GIA in closing out all material issues and gaps in a timely manner to ensure that there is continual improvement to our risk and controls environment as well as an effective feedback loop to the first and second LODs. External audit considers internal controls relevant to the preparation of financial statements to ensure they give a true and fair view.

Risk Management
The Group manages risk under an overall strategy, determined by the board of directors and supported by the board’s Risk Committee and Audit Committee. The Risk Committee reviews and enhances the effectiveness of the Group’s risk management and health, safety and environment (HSE) plans, systems, processes and procedures. It also regularly reviews group-wide risks including significant risk exposures relating to foreign exchange rates, commodity prices and major investment projects as well as corresponding risk mitigation plans. HSE policies, guidelines and limits are also regularly reviewed. Oversight for risk management within the Group’s listed entities lies with their respective boards.

Risk appetite framework
The board has determined a risk appetite framework for Sembcorp that forms a common understanding among both our board and management to execute the Group’s strategy and objectives. Under this framework, the board has approved risk appetite statements with respect to the areas below. These are aligned with how the Group categorises our material issues for the management and reporting of our overall sustainability performance:

a. Economic
Sembcorp actively pursues global strategies to deliver sustainable long-term value and growth. We will continue to invest in and develop our capabilities and expand our business in both existing and new markets. Investing in such markets inevitably carries with it inherent risks; however, the Group is a disciplined investor with a robust investment approval process that calls for the necessary due diligence and risk management to be done. The Group has set appropriate limits for investment exposure in each country to manage concentration risk.

The Group is committed to maintaining a strong financial position and targets to achieve an investment grade equivalent credit rating to ensure access to funding and protect shareholder value. The Group has a defined set of risk management policies to manage our financial risks. The Group will not take part in any form of transaction that is deemed speculative in nature, under any circumstances.

b. Environmental
Sembcorp is committed to operate in a socially responsible manner to manage our impact on the environment, as well as provide high quality products and services that contribute to the sustainable development of the communities in which we operate.

In addition to being committed to complying with all applicable environmental standards and requirements through our established internal policies and processes, we assess the impact of environmental and climate-related risks on our business, and apply appropriate control measures to manage them. Where viable, we also invest in the latest technologies and utilise our capabilities to achieve better operational efficiencies and promote environmental sustainability.

c. Social
Sembcorp is committed to being a responsible business that ensures the health and safety of our people, and makes a positive impact on our people and communities. In our pursuit of operational excellence and business growth, Sembcorp will not compromise the health and safety of our internal and external stakeholders. The health and safety of all our employees, contractors, customers and the public is of paramount importance to the Group. We take a serious view of any breach of health and safety standards and regulations across all our operations and facilities.

Sembcorp recognises the need to have in place a strong and competent team that is committed to our values for transformation and growth. Sembcorp will continue to equip our employees with the relevant capabilities / competencies and provide an engaging employment experience, thereby creating a values-based and performance-led culture to ensure a sustainable business.

Sembcorp is also committed to building our digital capabilities to improve the efficiency of our business and maintain an effective control environment to manage the cyber risk exposure of our and our customers’ data and our assets and operations.

In addition, Sembcorp believes that as an integral part of our communities, we should conduct our business in a responsible manner and make a positive contribution to the communities in which we operate. The Group is therefore committed to high standards of business conduct, engaging our stakeholders and managing our environmental and social impact on local communities responsibly.

d. Governance
As a listed company on the Singapore Exchange that has both responsibility and accountability to a wide range of stakeholders, Sembcorp is committed to maintaining high standards of behaviour and integrity, and aims to be best in class for governance practices. The Group will strive to comply with all applicable laws and regulatory requirements in the countries where we operate, including adopting a zero tolerance stance towards any form of fraud, bribery and corruption. We expect all employees to adhere to the guidelines set forth in the company’s Code of Conduct (CoC).

Our risk appetite statements are also supported by key risk indicators, which are monitored and reported to the board’s Risk Committee on an ongoing basis.

Enterprise risk management
The Group is committed to ensuring that an effective and practical enterprise risk management (ERM) framework is in place. Our framework aims to safeguard our people and assets, protect shareholders’ interests, facilitate informed decisions for value creation and ultimately enhance our brand and reputation. In designing our ERM framework, the Group has adapted and made reference to various industry risk management standards, such as ISO 31000 and the Enterprise Risk Management – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission. This ensures that we are in line with best practice. To sustain a successful ERM programme, we believe in having the right processes and tools as well as instilling the right risk awareness culture. Our ERM framework specifically sets out a systematic and structured approach towards risk management through the following activities:

• Awareness training and workshops
• Risk identification and assessment
• Formulation of key risk management strategies
• Design and implementation of risk mitigation controls (preventive, detective and responsive controls)
• Monitoring and timely reporting of risk management performance and risk exposure levels
• Continual improvement of risk management capabilities and mitigation measures

Our ERM framework is supported by the following key pillars:

a. Fraud Risk Management
The possibility of fraud is an inherent risk in any organisation. To manage this, the Group has established a fraud prevention policy, which has been approved by our board’s Risk Committee. The policy provides a framework and comprehensive guidance on anti-fraud measures to proactively manage the risk of fraud, bribery and corruption. We actively influence and encourage our joint ventures and associates to adopt our fraud risk management framework. The Group maintains a zero tolerance policy for fraud, which we take to include corruption and bribery. This stance is regularly communicated to employees through awareness training and e-learning programmes.

The following key activities and complementary policies and procedures are part of our holistic approach towards fraud risk management, and also address the risk of bribery and corruption:

Preventive anti-fraud measures
• Code of Conduct
• Conflict of Interest Policy
• Gifts and Entertainment Policy
• Fraud risk assessments
• Employee and third party due diligence

Detective anti-fraud measures
• Whistle-blowing Policy
• Forensic data analysis
• Compliance and monitoring
• Pre-employment screening

Responsive anti-fraud measures
• Fraud reporting procedures
• Fraud investigation procedures
• Grievance handling procedures

Whistle-blowing policy
Sembcorp has a Whistle-blowing Policy in place. We provide employees and external parties with well-defined and accessible channels through which they may, in confidence, raise concerns regarding possible improprieties in the conduct of business activities, financial reporting or other matters to the Audit Committee. This facilitates independent investigation of such matters for appropriate resolution. The policy is available on our website and is subject to review on a regular basis.

A whistle-blower may submit his / her allegations or concerns either by telephone, email, our whistle-blowing portal or other communication channels.

The company will take reasonable steps to protect the identity of the whistle-blower. The company does not condone retaliatory action against the whistle-blower. The whistle-blowing case will be received by the Head of GIA and an investigation will be conducted in compliance with the requirements set out in the company’s Whistle-blowing Policy.

b. Operational Risk Management
The Group’s management of operational risk is focused on the following areas:

Crisis management and business continuity
A robust and effective crisis management framework is put in place with the Group’s crisis management, emergency response and business continuity procedures and plans. These procedures and plans are regularly tested and fine-tuned. The Group also addresses crises and emergencies through the implementation of appropriate prevention, preparedness, and response and recovery programmes. Some of these material operational risks include natural disasters, terrorism, cybersecurity attacks, epidemic outbreak and failure of critical equipment.

With operations across the globe, the Group monitors for emerging threats that may disrupt our operations, and formulates and updates our strategies and mitigation measures accordingly. Focus is placed on establishing a robust and effective crisis management framework that is relevant to the current business environment and risk landscape. The Group aims to enhance and improve existing emergency response protocols and business continuity plans across our business entities, to strengthen operational readiness. Crisis communication procedures are also embedded as part of the Group’s crisis management framework. The Group’s crisis management, emergency response and business continuity procedures and plans are regularly tested and fine-tuned to ensure that the Group can respond effectively to crises and emergencies. The Group also addresses crises and emergencies through the implementation of appropriate prevention, preparedness, and response and recovery programmes, while ensuring that critical business functions can recover and continue in a timely manner. In addition, the Group adopts key standards and practices set out by ISO 22301:2012 under Societal Security – Business Continuity Management Systems – Requirements. This approach enables us to build resilience and enhance our ability to manage and respond to emergencies. It also helps to minimise the impact of incidents on people and the environment, prevent loss of assets and mitigate disruption to business operations, while safeguarding the company’s reputation.

Health, safety and the environment
A group-wide HSE management system which is aligned with international standards and industry best practice sets the standard for operations in the various markets to actively manage HSE risks.

The Group Health, Safety, Security and Environment (HSSE) department is guided by our Group President & CEO and the board-level Risk Committee, reflecting the high priority accorded to HSE issues at Sembcorp. The department has formalised a group-wide HSE management system and promotes global HSE efforts to ensure effective and timely management of HSE issues across the Group. This management system is aligned with ISO 14001 and OHSAS 18001 standards and provides guidance to business units in actively managing HSE risks associated with our activities and services in a systematic manner.

Insurance
As a risk transfer mechanism, the Group has in place a comprehensive insurance programme to protect our worldwide business operations against financial loss arising from property damage, machinery breakdown, business interruption and / or third party liability. The Group has also engaged a panel of top-tier insurance consultants, leveraging their technical expertise and resources to negotiate competitive pricing and comprehensive coverage with insurance companies. To balance the cost of risk transfer, the Group focuses on insuring catastrophic events while maintaining our emphasis on improving internal controls over operations and maintenance. Sembcorp Captive Insurance, a wholly-owned captive insurance subsidiary, provides first-layer coverage against property damage and business interruption losses for the Group’s power and utilities operations in Singapore and Teesside in the UK. Sembcorp Captive Insurance serves not only as an internal risk transfer mechanism, but also showcases the Group’s efforts to promote greater accountability and responsibility in operations and maintenance. Over the years, Sembcorp Captive Insurance has successfully built up a strong capital surplus, allowing it to extend its insurance reach to other operations and broaden its scope of coverage should the need arise.

c. Financial, Market and Credit Risk Management
The Group actively manages our financial, market and credit risk exposures with respect to foreign exchange rates, commodity prices and interest rates via established policies, including treasury policies, financial authority limits and Governance Assurance Certification. These policies set out the parameters for managing the Group’s exposure to counterparty, liquidity, foreign exchange and other material transaction risks.

Financial and market risks
The Group defines and utilises approved financial instruments to manage exposure to foreign exchange, commodity prices and interest rate fluctuations arising from operational, financing and investment activities. Under the Group’s overall treasury policy, transactions for speculative purposes are strictly not allowed. The commodities include fuel oil, coal and natural gas. Transactions such as foreign exchange forwards, interest rate swaps, commodities swaps, purchase of options and contracts for differences are used to manage these risks as appropriate. Transactions are only allowed for hedging purposes based on the underlying business and operating requirements. Exposure to foreign currency risk is also hedged naturally where possible. In addition, the Group has financial authority limits, which seek to limit and mitigate operational risk by setting out the threshold of approvals required for entering into contractual obligations and investments.

Default and counterparty credit risks
A group-wide credit risk policy has been put in place to ensure that we transact with creditworthy counterparties as much as possible. We also screen for material concentrations of credit risk to ensure that no single counterparty or group-related counterparties has excessive credit exposure that may result in material impact on the Group in the event of a default.

Our default and counterparty credit risks arise from varied counterparties such as customers, vendors, joint venture partners and financial institutions who may fall short of their payment and / or performance obligations. As such, a group-wide credit risk policy has been put in place to ensure that we transact with creditworthy counterparties as much as possible. This is achieved via thorough credit analysis and limit setting prior to entering into any business contract. After entering into business contracts, we perform periodic credit reviews and monitor credit exposures closely to detect signs of credit deterioration. In the event that we have to deal with counterparties who do not meet our minimum credit criteria due to commercial reasons, approval from the relevant authorities according to the credit risk policy has to be obtained before proceeding and risk mitigation measures such as parental and banker’s guarantee, letter of credit, deposit securities and, collateral may be deployed on a case-by-case basis as credit enhancements. Last but not least, we also screen for material concentrations of credit risk to ensure that no single counterparty or group of related counterparties has excessive credit exposure that may result in material impact on the Group in the event of a default.

d. Investment Risk Management
The Group has in place an investment approval process to ensure a prudent and disciplined approach to all investment decisions, including a country risk framework that sets appropriate country risk limits.

To ensure that prudence is exercised in all investment decisions, the Group has in place an investment approval process, under which a disciplined approach is taken to review the key risks and opportunities presented by potential investments. As part of our investment approval process, all new investments and transactions are reviewed by a cross-functional project team that provides risk assessments, mitigation measures and recommendations to the respective authorised persons for approval in accordance with the applicable financial authority limits.

In addition, to ensure that Sembcorp maintains appropriate diversification across different geographies, the Group has put in place a country risk framework to monitor and report our investment exposure globally. Furthermore, our investment exposure to each country is regularly reported to the board’s Risk Committee. This framework also defines limits that have been approved by the board and stipulates that any deviation from these country limits requires prior board approval according to a set procedure. In reviewing any request for deviations from the country limits, the board will consider the key risk drivers at hand, in terms of investment size, duration and economic life of the project, as well as the level of residual risk after the implementation of mitigation plans.

As at December 31, 2018, the countries outside of Singapore in which the Group has the largest investment exposure are India (S$3.6 billion), China (S$1.8 billion), Brazil (S$1.6 billion) and the UK (S$1.2 billion). Investment exposure comprises invested capital, including reserves and committed contingent support for projects and assets.

e. Tax Risk Management
It is our policy to comply with all relevant taxation laws, regulations and regulatory disclosure requirements.

In 2018, Singapore implemented Country-by-Country (CbC) Reporting for Singapore multinational enterprise (MNE) groups. As a Singapore-headquartered MNE, Sembcorp is required to file a CbC Report for financial years beginning on or after January 1, 2017. We are pleased to report that during the financial year, we filed the CbC Report in compliance with the submission requirements of the Inland Revenue Authority of Singapore.

With regard to our approach to tax risk management, our policy stipulates the following:

• Comply with relevant taxation laws and regulations and other regulatory disclosure requirements
• Apply diligent professional care and judgement to arrive at well-reasoned recommendations, supplemented by advance rulings from tax authorities, written advice and confirmation from external tax advisors / experts, as appropriate
• Ensure that all decisions are taken at an appropriate level and supported by a business purpose / commercial rationale and the appropriate documentation
• Establish and maintain adequate documentation of the Group's tax risk evaluation and tax risk management, and update the Group's tax risk management policies including internal controls, as and when appropriate
• Develop and foster good and respectful professional relationships with all tax authorities, government bodies and other related third parties

Ethical Business and Compliance
Sembcorp’s values of Creative Insight, Committed and Connected define our approach to sustainable growth, and form the foundation of Sembcorp’s CoC. Employees are required to comply with the requirements of the CoC, which addresses Sembcorp’s stance in the following ways:

• We treat each other fairly and with respect
• We protect personal information
• We do not bribe
• We deal with government officials responsibly
• We work with trustworthy business partners and representatives
• We compete ethically
• We avoid conflicts of interest
• We treat gifts, entertainment and hospitality responsibly
• We safeguard company assets and information
• We work with ethical suppliers
• We do not disclose or act on inside information
• We do not facilitate money laundering or financial crimes
• We maintain accurate records, contracts and sound internal controls
• We are good corporate citizens
• We are politically neutral
• We manage our health, safety, security and environmental responsibilities as our first priority

The CoC is endorsed by the Board. Requirements of the CoC are communicated to employees globally through a message from the Group President & CEO, face to face training in the local language as well as a video presentation. Employees are required to complete an annual declaration to acknowledge that they have read and understood the principles and requirements of the CoC, and agree to comply with its principles and requirements and promptly report any violation through available reporting channels. Suppliers and contractors who work with Sembcorp are expected to respect and follow the CoC as well.

The CoC also provides for escalation procedures in the event of a breach of the CoC as well as feedback channels for employee clarification and queries.

Full compliance with all legal and regulatory requirements is the minimum expectation we prescribe for all our businesses. As part of our IAF, all heads of markets have to certify that they have complied with all relevant legal and regulatory requirements in their respective entities and countries of operation. Any monetary fines and non-monetary sanctions imposed on the markets are also to be reported.

In view of emerging concerns on data privacy, the Group has established the Group Personal Data Protection Policy which sets out the principles and processes to govern the collection, use, disclosure and retention of personal data across all markets and business units. Markets and business units are expected to abide by the policy, subject to local laws and regulations on data protection.

Regular audits are conducted by the GIA and Group HSSE departments to ensure compliance and also to identify gaps and lapses in compliance. They also work closely with management to develop action plans to prevent future recurrences of gaps and lapses.