CHAPTER 35  ERM at Malaysia's Media Company Astro  Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies PATRICK ADAM K. ABDULLAH Vice President, Enterprise Risk Management, Astro Overseas Limited GHISLAIN GIROUX DUFORT President, Baldwin Risk Strategies Inc. This case study focuses on the implementation and use of enterprise risk management (ERM) to screen proposed investments, assess the risk-adjusted performance of a portfolio of foreign investments, and make key investment decisions at Astro Overseas Limited, the company responsible for all international investments (subsidiaries and joint ventures) for Astro Holdings Sendirian Berhad (herein known as “Astro”). We start by providing some background information on Malaysia, on its corporate governance code and practices, and risk management practices at Astro. We then describe how Astro Overseas Limited uses ERM to assess and filter potential investments, and subsequently, how ERM is implemented at successful investments. Finally, we explain how Astro Overseas Limited combines information from the risk profile and financial performance of each investment, and reflects the performance on a dashboard together with all other investments in its portfolio to make better risk/return investment decisions. MALAYSIA Situated between 2 degrees and 7 degrees to the north of the equator, Malaysia is a diversely populated federal democracy of 29.3 million1 Malays, Indians, Chinese, and many other ethnic groups2 who speak Malay (the official language), English, various Chinese dialects, Tamil, Telugu, and Malayalam. Its major religions are Islam, Buddhism, Taoism, Hinduism, Christianity, and Sikhism. The life expectancy of its citizens ranges from 73 years (for men) to 77 years (for women), and the literacy rate is 89 percent.3 Geographically, Malaysia is almost as diverse as its culture (see Exhibit 35.1). Eleven states and two federal territories—Kuala Lumpur and Putrajaya—form Peninsular Malaysia, which is separated by the South China Sea from East Malaysia, where we find the states of Sabah and Sarawak on the island of Borneo and a third federal territory, the island of Labuan. Exhibit 35.1 Map of Malaysia Source: U.S. Central Intelligence Agency's World Factbook. Malaysia's main industrial sectors are rubber and palm oil processing and manufacturing, light manufacturing industry, logging, and petroleum production and refining. Its main exports are electronic equipment, petroleum and liquefied natural gas, wood and wood products, and palm oil. The country's gross domestic product (GDP) per capita is equivalent to U.S. $8,800, and its currency is the ringgit (1 RM being equivalent to 0.3140 USD).4 The country's capital, Kuala Lumpur, is at the center of the Multimedia Super Corridor (MSC), Asia's equivalent of the United States' Silicon Valley. That is where we find the head office of our company, Astro Malaysia Holdings Berhad, mo.

1. CHAPTER 35
ERM at Malaysia's Media Company Astro
Quickly Implementing ERM and Using It to Assess the Risk-
Adjusted Performance of a Portfolio of Acquired Foreign
Companies
PATRICK ADAM K. ABDULLAH
Vice President, Enterprise Risk Management, Astro Overseas
Limited
GHISLAIN GIROUX DUFORT
President, Baldwin Risk Strategies Inc.
This case study focuses on the implementation and use of
enterprise risk management (ERM) to screen proposed
investments, assess the risk-adjusted performance of a portfolio
of foreign investments, and make key investment decisions at
Astro Overseas Limited, the company responsible for all
international investments (subsidiaries and joint ventures) for
Astro Holdings Sendirian Berhad (herein known as “Astro”).
We start by providing some background information on
Malaysia, on its corporate governance code and practices, and
risk management practices at Astro. We then describe how
Astro Overseas Limited uses ERM to assess and filter potential
investments, and subsequently, how ERM is implemented at
successful investments. Finally, we explain how Astro Overseas
Limited combines information from the risk profile and
financial performance of each investment, and reflects the
performance on a dashboard together with all other investments
in its portfolio to make better risk/return investment decisions.
MALAYSIA
Situated between 2 degrees and 7 degrees to the north of the
equator, Malaysia is a diversely populated federal democracy of
29.3 million1 Malays, Indians, Chinese, and many other ethnic
groups2 who speak Malay (the official language), English,
various Chinese dialects, Tamil, Telugu, and Malayalam. Its
major religions are Islam, Buddhism, Taoism, Hinduism,

2. Christianity, and Sikhism. The life expectancy of its citizens
ranges from 73 years (for men) to 77 years (for women), and the
literacy rate is 89 percent.3
Geographically, Malaysia is almost as diverse as its culture
(see Exhibit 35.1). Eleven states and two federal territories—
Kuala Lumpur and Putrajaya—form Peninsular Malaysia, which
is separated by the South China Sea from East Malaysia, where
we find the states of Sabah and Sarawak on the island of Borneo
and a third federal territory, the island of Labuan.
Exhibit 35.1 Map of Malaysia
Source: U.S. Central Intelligence Agency's World Factbook.
Malaysia's main industrial sectors are rubber and palm oil
processing and manufacturing, light manufacturing industry,
logging, and petroleum production and refining. Its main
exports are electronic equipment, petroleum and liquefied
natural gas, wood and wood products, and palm oil. The
country's gross domestic product (GDP) per capita is equivalent
to U.S. $8,800, and its currency is the ringgit (1 RM being
equivalent to 0.3140 USD).4
The country's capital, Kuala Lumpur, is at the center of the
Multimedia Super Corridor (MSC), Asia's equivalent of the
United States' Silicon Valley. That is where we find the head
office of our company, Astro Malaysia Holdings Berhad, more
precisely located at the All Asia Broadcast Center, in
Technology Park Malaysia.
THE ASTRO GROUP
Established in 1996, the Astro Group is a leading and growing
integrated consumer media and entertainment group present in
Malaysia, Southeast Asia, and regional foreign markets, with
operations in four key areas of business: pay TV, radio,
publications, and digital media.5 It has established partnerships
in different countries with A&E, Google, Lionsgate, MSNBC,
and other leading media companies. Through Celestial Pictures,
Astro also owns and distributes the Shaw Library, the world's
largest Chinese film library. It owns Adrep as well, a national

3. radio airtime management and sales company operating in
China.
The Astro Group is comprised of Astro Malaysia Holdings
Berhad (AMH), which was listed in the main board of the
Malaysian Stock Exchange in 2012, and Astro Overseas Limited
(AOL) overlooking all international investments.
AMH focuses on Pay-TV, Radio, Publications, and Digital
operations in Malaysia and has a customer base of over 4
million residential pay TV customers or approximately 56
percent penetration of Malaysian TV households. Astro Radio
operates Malaysia's highest-rated stations across key languages.
AOL holds investments in a portfolio of companies involved in
Pay-TV, radio, content aggregation, creation and distribution,
digital and multimedia services, and includes companies in
Australia, China, Hong Kong, India, Indonesia, Singapore,
Vietnam, Saudi Arabia and the MENA region, United Kingdom,
and North America (see Exhibit 35.2).
Exhibit 35.2 AOL's Regional Investments
CORPORATE GOVERNANCE IN MALAYSIA
The 1997 Asian financial crisis exposed many weaknesses in the
region and spurred multiple reforms, including a drive to
improve corporate governance.6 Malaysia introduced its first
corporate governance code in 2000 and revised it in 2007. In
2011, its Securities Commission established a “Blueprint” to
achieve excellence in corporate governance, and in 2012
delivered a new “comply or explain” code.7 According to its
risk management guidance, the board of directors should:
· Establish a sound framework to manage risks.
· Understand the principal risks of all aspects of the company's
business.
· Recognize that business decisions involve the taking of
appropriate risks.
· Achieve a proper balance between risks incurred and potential
returns to shareholders.
· Ensure that there are systems in place that effectively monitor

4. and manage these risks.
· Determine the company's level of risk tolerance and actively
identify, assess, and monitor key business risks to safeguard
shareholders' investments and the company's assets.
· Disclose in the annual report the main features of the
company's risk management framework and internal controls
system.
According to the 2013 ASEAN Corporate Governance Scorecard
published jointly by the ASEAN Capital Markets Forum and the
Asian Development Bank,8 the performance of Malaysia's Top
100 companies (PLCs) in terms of conformity to recommended
corporate governance principles and practices “is commendable
and at the same time presents opportunities for more
improvement.” Among the areas for improvement identified by
the report was the “lack of disclosure of key risks (other than
financial risks).”
ENTERPRISE RISK MANAGEMENT AT ASTRO
In the aforementioned corporate governance context, Astro's
listed vehicle, AMH states in its Annual Report 2013: “The
Board is committed to applying and upholding high standards of
corporate governance to safeguard and promote the interests of
the shareholders and to enhance the long-term value of the
Group. To this end, it has adopted the principles and
recommendations set out in the Malaysian Code on Corporate
Governance 2012.”9
The annual report states that the board is charged with, among
other responsibilities, the review and approval of changes to
management and control structures, including ERM. “The Board
is committed to the implementation of Group Risk Management
(GRM) as an integral part of the Group's planning practices and
business processes, encapsulating the continuous identification,
assessment, monitoring, and reporting of risks at all levels,
from projects, [to] operations to strategy. The Group Risk
Management Framework, consistent with the Committee of
Sponsoring Organizations (COSO) enterprise risk management
framework, sets out the risk management governance and

5. infrastructure, risk management processes and control
responsibilities.”10
The board of directors, through its Audit Committee, is assisted
in these responsibilities by AMH's Group Risk Management
Committee (GRMC). The GRMC meets at least quarterly,
includes senior management from each business segment and
unit, and is chaired by AMH's CEO. The CEO and CFO are
accountable to the board of directors for the implementation of
strategies, policies, and procedures to achieve an effective risk
management framework.
Furthermore, Astro has linked senior executive pay to sound
risk management up to the highest level of the organization:
“Risk management has been identified as a key result area in the
annual performance evaluation of the CEO and CFO.”11
If the lack of disclosure of key risks (other than financial risks)
by top Malaysian companies was noted in the 2013 Corporate
Governance Scorecard mentioned earlier, it is not the case at
Astro, which also follows the guidance of the Global Reporting
Initiative Framework and discloses—in addition to financial
risks—seven other key risks: market and competition; political,
legal, and regulatory; services availability; procuring exclusive
and compelling content; technology and innovation; people; and
branding and reputation.
Astro is also committed to what is increasingly recognized as a
key success factor of long-lasting ERM implementation: risk
culture. “Risk awareness and control consciousness are integral
in cultivating a good risk and governance culture among the
Group employees. Risk and control briefings, online training,
and a web portal are in place to facilitate the ease of reference
and better understanding of the risk management framework and
internal control procedures.”12
Finally, to ensure consistent practices, Astro has adopted the
concepts and terminology of the ISO 31000 International
Standard (Risk Management—Principles and Guidelines, 2009)
and the COSO process to ensure the ERM program is effectively
implemented.

6. ASTRO OVERSEAS LIMITED
We now focus on the implementation and use of ERM to assess
the risk-adjusted performance of a portfolio of foreign
investments and to make key investment decisions at Astro
Overseas Limited (AOL), the company responsible for all
international investments (subsidiaries and joint ventures).
AOL's board of directors is very experienced and oversees the
company's risk management framework. The board of AOL
reiterates regularly that risk management is as important as
maximizing profitability, and they should both be given equal
weight in establishing investment performance benchmarks.
AOL's objective is to achieve investment returns that are
considered reasonable for markets in which it invests and the
stage at which the investment is in its life cycle and risks for
the investments. It looks at the long-term success of these
investments, the risks of these companies over time and not
necessarily to obtain short-term gain. While the board of
directors is cognizant of ERM framework and methodology,
they are also mindful that the approach to its implementation
varies from one investment to another depending on the size and
scale of each business. In this respect, influence of the investee
company's board and audit committee plays an important role to
ensure the process is successfully implemented. Senior
management needs to fully understand and appreciate that
although the process is a little provocative, it is value adding
and has the potential to create a more robust business. Also, for
investments which are smaller, resources and talent may be
limited and there is a need for AOL to extend assistance to
these investee companies to implement and manage the program
until such time the investee company has adequate resources to
do it on their own.
EVOLUTION OF ERM AT AOL
As we will soon see in detail, AOL has reached a level of
maturity sufficient to work with the management of the investee
companies to implement its ERM Framework. The evolution of
AOL's ERM maturity over time is illustrated in Exhibit 35.3.

7. Exhibit 35.3 Evolution of AOL's Risk Management
Like many companies, AOL's approach to risk management
started in a reactive mode, with a basic ability to respond to
negative events. It then progressed to being able to recover as
quickly as possible from a potential interruption, and then
moved on to a more proactive mode with business continuity
planning (BCP)—being able to prepare to ensure the continuity
of critical operations and business activities in almost any
circumstance. Later on, AOL started to enter the adaptive mode,
with a focus of the risk management function on revenue
preservation.
Now well into the adaptive stage, AOL is able to use ERM for
anticipating risks before they impact employees or assets,
protecting revenue generation, gaining competitive advantage,
and creating value by adapting to the complex and changing
media business environments one finds while investing in
foreign countries and cultures. This ability plays an important
part in the screening of potential investments by AOL and
contributes to AOL's profitable growth strategy through
international expansion.
· AOL's investment strategy is to focus on businesses in the
media and entertainment sector including platforms, distribution
of content, and businesses closely related to AMH's core
businesses, including media such as TV, radio, content creation
and aggregation, Internet Protocol television (IPTV),13 and
advertising. A major challenge for AOL is implementing ERM
across its investment portfolio where it does not have a majority
position. Other key challenges in terms of risk management
include: Implementing ERM consistently across all investments.
· Managing differences in terms of cultures and obtaining buy-
in from management.
· Managing the expectations of board members.
ROLE OF ERM IN THE ACQUISITION PROCESS
Astro is growing through acquisitions and therefore has
developed a method to systematically and efficiently screen

8. investment opportunities. Exhibit 35.4 shows how AOL makes
investment decisions through a layered investment risk funnel.
Exhibit 35.4 Making Key Investment Decisions
A first risk review of the opportunity pipeline is performed by
the senior leadership team of AOL.
If that first hurdle is cleared, a second risk review is conducted.
This review is led by the Business Development (BD) Team in
conjunction with the ERM Team. As anyone who has ever been
involved in mergers and acquisitions knows, a full risk
assessment prior to an acquisition is almost impossible to carry
out during the due diligence process, owing to the speed at
which negotiations evolve and to their highly confidential
nature. When in the process of making an investment, it is not
the right time to be running risk workshops. This being said,
AOL's ERM Team has established a number of key activities to
be carried out during the preacquisition portion of the process,
as we see in more detail in Exhibit 35.5. The result of this
second risk review is either an approved investment proposal or
a rejection of it.
Exhibit 35.5 Overview of ERM's Role in AOL's Acquisition
Process
A third risk review is performed by the BD Team during the
negotiation period. After the negotiation, if the acquisition offer
is accepted and the contract is signed, AOL's ERM Team enters
the most important portion of the process, the focus on
implementing its ERM Framework: the operationalization
phase, or the Monitor and Review panel of Exhibit 35.5.
During the Preacquisition portion of the process in Exhibit 35.5,
the ERM Team uses a set of guidelines to determine a
preliminary risk profile of each of the potential target
companies. The word preliminary is important here. The initial
evaluation will include issues related to political and regulatory
risks, partner management, skills, expertise and human
resources, operational influence, the company's business model,

9. its strategy, growth plans, operations, and cultural fit. From the
initial assessment come the preliminary key risks and existing
risk treatments or mitigation plans required for the potential
target. Once this preliminary risk profile has been obtained, the
BD Team will then identify the potential acquisition's funding
structure, management fees, and return on investment, as well
as exit strategy options. These analyses and scenarios are then
put to the test or confirmed further. Finally, the preacquisition
activities conclude with a “go/no-go” recommendation to the
board of directors. If the board of directors approves the
investment proposal, the approval will normally have
recommendations and stipulated conditions that need to be met
for the acquisition to proceed.
During the monitor and review phase, the ERM Team will
further develop the preliminary risk profile using the strategic
objectives approved by the board of the investee company as a
starting point. Based on these objectives, the ERM Team will
also use specific financial and nonfinancial targets set by
management to undertake their assessments. The risk profile
provides further evidence as to whether the current targets can
be met under existing business conditions. It is then reasonable
to assume that the strategic objectives, as well as the financial
and nonfinancial targets, may be adjusted once the board of the
investee company is fully apprised of the risks associated with
the business. Designated directors from AOL who are on the
board of the investee company will work with management to
make the necessary adjustments. The adjustments made are
normally to ensure that objectives are reasonable and
adequately robust to meet set performance targets.
AOL's ERM function adopts a consistent methodology and has
an established risk dashboard and reporting templates for all
companies within its portfolio. It also has developed appropriate
and effective mechanisms for its implementation and use. The
initial risk-based strategy review is followed by regular annual
reviews over the life of the investment. Finally, AOL's ERM
function has oversight and regularly monitors the risk

10. management process of the investee company.
The postacquisition stage is concerned with the execution of an
appropriate exit/divestment strategy. In the preacquisition
phase, potential exit strategies are identified. In the monitor and
review step, these strategies are constantly reviewed and
relevant triggers determined and tracked. These are indicators
or metrics with thresholds set so as to trigger the consideration
of exit strategy options and eventual execution of one of them—
terminating the investment. The divestment process starts when
the monitoring of triggers has resulted in the decision to
execute an exit strategy. The ERM Team contributes to the
escalation of the recommendation to divest, through
management and to the board of directors of AOL, with a focus
on the risk/return aspect of the recommendation. Once the
decision has been obtained from the board, where required, the
ERM function helps the divestiture team to set the negotiation
guidelines, assess the risk profile of potential buyers, and
manage sensitive confidential information until the divestiture
is closed.
THE MONITOR AND REVIEW STEP—FOCUS OF AOL'S
ERM
As mentioned, the monitor and review step is focused on the
effective implementation of AOL's ERM Framework. Once the
investment has been made, AOL seeks to work with
management to adopt and integrate AOL's ERM Framework
quickly. To that effect, AOL has instituted a number of key
measures to ensure not only that ERM is implemented quickly
and effectively, but in addition, it seeks to have the ERM
framework adopted by the business for the long term. The key
measures put in place to ensure those results are achieved
include:
· A risk key performance indicator (KPI) (with an estimated
weight of 10 percent tied to the compensation package) is
assigned to the business heads of each investment to ensure that
they are vigilant in managing their risks and implementing the
necessary mitigation strategies.

11. · Risk management performance is monitored on a quarterly
basis, after which a report card is developed outlining the areas
of compliance and areas where gaps have been identified (i.e.,
the proportion of their risk management actions that are on
target).
· Results are consolidated on an annual basis for review by the
Remuneration Committee of the board of directors.
· To further inculcate the ERM culture, an “Introduction to
ERM” course has been included as part of the core syllabus for
induction training.
AOL is sufficiently experienced at implementing ERM that it
rolls out its Framework using typically 60 person-days of its
own ERM Team over a three- to four-month period. However,
as mentioned earlier, the plan can only materialize if there is
full support from the board and audit committee of the investee
company, and there is management commitment in ensuring the
program meets its objectives.
Shortly after AOL has completed the investment, AOL's ERM
Team identifies two or three persons from the investee company
who will be trained into AOL's ERM approach and brought on
board as soon as the implementation project starts. We will
collectively refer to them as the Joint ERM Team (JET). The
overall ERM implementation process is illustrated in Exhibit
35.6. It will culminate in the investee company having an up-to-
date risk profile consisting of a risk map, a risk register, and
details for each risk identified (causes, treatments, controls,
action plans, and steps required to complete each action plan).
Exhibit 35.6 Typical ERM Implementation Process for
Operating Entities
This process is performed in three steps: Planning, Rollout, and
Sustainability.
At the Planning step, the JET starts the stakeholder management
activity, first engaging with the investee company's senior
management team (SMT) to explain the process, reach mutual
understanding, and obtain buy-in. A risk champion is

12. determined among the SMT members. This senior executive will
be the sponsor of the ERM implementation process. A Risk
Committee, which also constitutes the ERM steering committee
during the implementation stage, is also formed. It will include
the CFO, other senior executives, and their direct reports.
Then, the implementation project plan is devised, including its
scope, time line, the project team membership, and delegation
structure (number ”1” in Exhibit 35.6).
As mentioned earlier, the Rollout step is performed in three
phases over the aforementioned three- to four-month period,
using most of the 60 person-days of AOL's ERM Team.
Phase I uses approximately 30 person-days of AOL's ERM Team
and starts with awareness training sessions. The JET enters into
the information gathering activity (number ”2” in Exhibit 35.6),
organizing the first risk workshop with the SMT. This part of
Phase I uses a top-down approach. The JET members discuss
the industry and business challenges of the company with the
SMT. The workshop will produce a laundry list of risks, and
they ask the SMT, as an initial assessment, to rank them simply,
using their best judgment, as low, medium, or high.
This is then followed by the interviews stage. They may
interview up to one-third of the organization (for example, 100
out of a total of 300 employees) from the bottom up. Based on
the company's objectives, they ask participants what their
objectives and targets are, what may impede them from meeting
their objectives (these become their risks), their causes, and the
risk treatments and/or controls that are already in place. The
JET also uses the high-level risk list from the SMT workshop to
prompt and facilitate discussions if necessary. The AOL ERM
Team calls this the Level 1, or ground level, risk identification.
At this level, risks are neither screened nor validated (they are
not yet what they call “sanitized”).
Then, the JET interviews Level 2 managers, who are the direct
supervisors of Level 1 interviewees. As with the previous stage,
they perform first a zero-based risk identification discussion
with Level 2 managers. This is followed by discussions on the

13. list of risks and causes as identified during the Level 1
analysis/results. The JET looks for agreements and
disagreements and tries to balance them out.
Based on Level 1 and Level 2 results, the JET “sanitizes” the
risks and causes, which means that they regroup some risks and
eliminate others that seem out of place based on the JET's
business judgment and experience in risk management. They
then bring the “sanitized” and prioritized risk list to the
company's SMT. At this point, the risk register is constituted of
only a one-dimensional rating (low, medium, or high), together
with the causes of risks and treatments and controls in place.
This is the end of Phase I, and the AOL ERM Team gives the
investee company a period to consider, analyze, and think about
both the top-down risk list and the bottom-up one, before
starting Phase II.
Phase II uses approximately 20 person-days of AOL's ERM
Team. Combining the top-down and bottom-up results, the JET
typically finds that 75 percent of the risks are common and 25
percent may be different. The JET and SMT reconcile them
through what AOL calls a “dispute/validation” workshop. The
investee company's risk register is then agreed to. Next, the JET
asks the SMT to assign, among themselves, a risk owner for
each of the identified risks.
Depending on the nature and size of the business, there may be
between 10 to 20 risks for each investee company. Those risks
are managed by the investee company, and AOL has oversight
of the process. The JET and SMT use the overall rating of low,
medium, and high to determine the company's top 10 risks.
The JET then commences the risk profile development activity
(number ”3” in Exhibit 35.6). The team members discuss each
risk with its owner individually. During the meeting, they
address the risk's causes, its probability of occurrence, and the
impact (or “consequence” in ISO 31000 terminology) if it
materializes, taking into consideration the existing risk
treatments and controls already in place as the case may be. To
identify the root causes of the risk, the team drills down to a

14. reasonable depth. This process requires judgment and
experience. As an indication, they may go as far back as three
years in terms of data history, but not much more, as they find
that drilling further down tends to bring diminishing returns
compared to the expense and effort involved. The JET and risk
owner also look at the strength of each of the controls in place,
asking themselves: “Is it sufficient or not?” In other words, they
use a binary decision method. If the JET and risk owner find
that control is lacking, the JET works with the risk owner to
determine what should be done and to establish action plans to
treat the risk accordingly. This is the end of Phase II.
The JET populates the risk profile, including the risk map, and
sends them back to risk owners with their action plans.
Following the end of this phase, the JET and risk owners enter a
two-week period of follow-up and challenges. The JET
encourages risk owners to think outside the box while also
considering the costs of their existing treatments, controls, and
key action plans.
Phase III uses approximately 10 person-days of AOL's ERM
Team. This phase starts with a third SMT risk workshop. The
company's risk profile, including the risk map and the key risk
action plans, are reviewed collectively and challenged. Again,
this is a validation workshop. The validation process allows the
SMT, for instance, to ensure that one action plan does not
duplicate or contradict another action plan or existing treatment
and/or control. Once the key risk action plans have been
validated by the SMT, the JET meets again with risk owners
individually to revise those action plans and reassess their
cost/benefit analyses as required. The JET returns to the SMT
with the risk map and action plans, including their cost/benefit
analyses. The SMT provides final validation of the risk profile,
including risk map, action plans, costs or budgets needed, and
the time line to implement the action plans.
Finally, the Sustainability step is performed on a continuous
basis (number ”4” in Exhibit 35.6). It consists of monitoring the
risk profile of the investee company and reporting it to the

15. board (see Exhibit 35.7).
Exhibit 35.7 Reporting and Monitoring Structure
The risk owners selected by the investee company will then
implement key action plans by project-managing the
deliverables. The action plans are broken down into key action
steps and target dates for completion. The ERM Framework
(see Exhibit 35.8) is handed over to the local ERM Team, which
consists of the local members of the JET and must include at
least two persons who have been trained by AOL's ERM Team.
Exhibit 35.8 AOL's Risk Management Process
The Vice President of Enterprise Risk Management (VPERM) of
AOL's ERM Team, serves as a liaison between the operating
company's ERM Team and the SMT to ensure that everyone is
on the same page in understanding what is expected in terms of
risk management. AOL's VPERM undertakes reviews with the
investee company (and all other companies in the portfolio)
every six months by meeting and discussing with the CEO, the
SMT, and the local ERM team, to monitor the risk management
process at a high level.
In between those reviews, there are monthly meetings and a
comprehensive formal quarterly review by a representative of
the AOL's ERM Team, the local ERM team, and the risk owners
to monitor the execution of the action plans, revisions required
for the risk profile, and reporting on risks.
Once action plans for a risk have been completed, they become
treatments or controls. The ERM team monitors the
effectiveness of these controls and if they are working
effectively, it contributes to the establishment of the risk's trend
in ranking—stable, up, or down—as part of the regular
reporting process.
Emerging risks are also considered regularly. Once a key
emerging risk has been identified and considered significant, an
assessment process similar to the rollout described earlier,
including phases I, II, and III, is performed for that risk.

16. RISK PROFILE: RISK MAP AND ACTION PLANS
As explained earlier, the investee company's risk profile
includes its risk map and set of assessments and action plans for
each key risk. As shown in Exhibit 35.8, AOL's risk map is
represented using a 4 × 4 matrix of impact versus
likelihood/probability, with scales ranging from 1 to 4, “4”
representing the highest probability or impact. When two risks
are symmetrically placed in the matrix vis-à-vis its diagonal, for
instance, one with ratings of probability “2” and impact “3” and
the other with ratings of probability “3” and impact “2,” a
higher priority is given to the risk with the higher impact.
Exhibit 35.9 illustrates how AOL tracks its summary risk
profile on risk maps, identifying the inherent or gross risk
rating (the level of risk that would prevail in the absence of
treatments), the residual or net risk rating (the actual level of
risk given the existing treatments in place), and the target risk
rating (the appetite for that risk, which will be achieved through
the execution of the key action plans).
Exhibit 35.9 Risk Map Displaying Inherent/Gross, Residual/Net,
and Target Risk Ratings
To give these concepts more concrete meaning, consider a
hypothetical investee company of AOL, Trex Radio, operating
in the Socialist Republic of Vietnam. To simplify matters, let's
assume it focuses on six key risks, as displayed on the summary
risk map of Exhibit 35.10, where risks are displayed on a net
basis (residual risks).
As can be seen from Exhibit 35.10, AOL uses a numbering
system whereby the first number represents the likelihood (or
probability), and the second one the potential impact if the risk
materializes. This map shows simply the existing risks, but as
the legend at the bottom of the chart indicates, AOL can also
highlight existing risks that have been redefined and/or
reranked, as well as new/ emerging risks.
Exhibit 35.10 Risk Map of Trex Radio, Vietnam, a Hypothetical

17. AOL Investee Company
For illustration purposes only, Exhibit 35.11 shows what this
means concretely for one hypothetical yet realistic key risk, that
of R2, the ability to develop creative and compelling content.
Exhibit 35.11 Detail of Risk Profile—R2
This example considers a typical key risk that any media
company faces, which is the ability to develop creative and
compelling content that attracts and retains a target audience. In
this illustration, we consider the radio programming of the
hypothetical Vietnam subsidiary, Trex Radio. To better
understand the following considerations, the reader should note
that the key radio period for listenership in Vietnam is the
morning breakfast time period.
As can be seen from the Risk Explanation section, Trex Radio
needs to acquire/develop and protect unique quality content that
will differentiate itself from the competition and sustain or
increase listenership and advertising revenues. One of the
potential causes that may put this ability at risk has been
identified as “Changing listeners' trends and preferences” that
would not be matched by the company. Without any risk
treatment, Trex Radio has determined that the gross risk rating
is “4,3,” which means probability 4, impact 3, which lies in the
“red zone” (upper right area in chart).
The existing treatments/controls are also explained: Trex Radio
commissions traditional market research and online surveys, and
it nurtures its own talent to differentiate itself. With these
treatments in place, the current net risk rating is “4,2,” which
means that the existing treatments do not reduce the probability
that the risk will occur, but will reduce its impact if it does
occur—yet not sufficiently to move it from the “red zone.”
The appetite for that risk, the target risk rating, is “2,2” (which
would bring the risk in the “green zone,” lower left area in
chart). Some key action plans have been identified and selected
to bring the probability down two notches, and they are listed in
the exhibit. One of them is: “Key shift producers to be migrated

18. into employment contracts and away from vendor relationship.”
How would this action reduce the probability of the risk that
changing listeners' preferences creates a mismatch between their
needs and the company's programming? The answer is that by
enticing key shift producers to become employees as opposed to
freelancers (for instance, by revising their pay and reward
upward—see next key action in the list of the exhibit), the
company will be in a better position than its competitors to
quickly anticipate the programming changes necessary to keep
in line with potential shifts in its audience's needs. Also,
another action plan geared toward increasing emotional
attachment of the producers to the station is: “Introduce a KPI
for producers to track the increase in audience listenership by
100 percent from current standing through direct engagement
over radio, social media, mobile apps, and phone listenership.”
This action plan is geared toward building loyalty, and
producers are rewarded accordingly for meeting the set targets.
Of course, all of these treatments and action plans have a cost.
As explained previously, a cost/benefit analysis of these actions
must be performed and a budget justified and approved.
Exhibit 35.12 illustrates a hypothetical yet realistic action plan
for another typical risk for a radio company, Trex Radio's R5
risk: the ability to expand and improve broadcast coverage.
Exhibit 35.12 Detailed Action Plan—R5
As explained previously, action plans are broken down into key
action steps featuring “Action by,” “Target date,” “Status,” and
“Remarks” columns. In this case, key action number 1 to reduce
the risk R5 (ability to expand and improve broadcast coverage)
is to contract the telecom company Vietnam Telecom to upgrade
and improve Trex Radio's transmission in key markets for 10
years. It has been broken down into six action steps, from a)
Liaise with General Counsel to f) Commissioning and handover.
The Status column has four possible states: (1) a check mark
when the action step has been completed, (2) a green circle
when it is on target, (3) a yellow circle when it is at risk of

19. delay, and (4) a red circle when it is overdue. This is to ensure
that the agreed action plan is project-managed and delivered on
a timely basis. Note: Since the exhibit is printed in grayscale,
green appears as the lightest shade in the exhibit, yellow as the
middle shade, and red as the darkest shade.
THE INVESTMENT PERFORMANCE DASHBOARD
As is appropriate for a book on ERM cases, we have focused
much of the chapter on AOL's ERM Framework. But since our
goal is to show how it is used in practice to make risk-based
investment decisions on a portfolio of foreign investee
companies, we now turn our attention to the investment side of
the equation. Exhibit 35.13 illustrates AOL's formula to build
its investment performance dashboard.
Exhibit 35.13 Investment Performance Dashboard Formula
The investment performance dashboard is a matrix that allows
comparing the operating entities in the portfolio to one another
using their current investment value on one axis and their total
investment performance score (TIPS) on the other (see Exhibit
35.13). The former is obtained through recognized valuation
methodologies such as the discounted cash flow (DCF) method,
while the latter is the sum of two risk scores: the qualitative
investment risk score and the quantitative financial risk score.
The qualitative investment risk score is obtained by using the
risk map of the top 10 risks of the investee company. AOL's
approach to obtain this score is to multiply the probability by
the impact for each of the top 10 risks and to add them up. A
lower score means a safer investment with a lower risk profile
(safer from an investment standpoint). The maximum score
possible is 10 × 4 × 4 = 160.
The quantitative financial risk score is obtained by looking at
the deviations from the plan of four financial metrics: gross
revenue; profit after tax and minority interests (PATMI);
earnings before interest, taxes, depreciation, and amortization
(EBITDA); and free cash flow. For each metric, a score is
derived from the variance between its budgeted amount and the

20. actual number realized. The score can range from 0 (when there
is a positive variance or no variance) to 10 (when the variance
is –50 percent). A lower score is indicative of a more robust
financial management and means a safer investment from a
financial point of view.
As stated earlier, the investment performance dashboard
(Exhibit 35.14) allows AOL to compare its portfolio of
operating companies based on their value on the vertical axis
and their total investment performance score on the horizontal
axis. In the matrix, the higher the value of the investment, the
more sensitive AOL is to its risk score. Investments of low
value (bottom row) are in the green zone as long as they don't
reach the 240 TIPS point. Conversely, investments of USD 50
million or more are never in the green zone and require a
regular monitoring of their risk score—from both an ERM and a
financial variance point of view. Note: Since the exhibit is
printed in grayscale, yellow appears as the lightest shade in the
exhibit, green as the middle shade, and red as the darkest shade.
Exhibit 35.14 Investment Performance Dashboard
Exhibit 35.14 places the hypothetical AOL investee company,
Trex Radio (investee company B1 in the chart), alongside eight
others on the investment performance dashboard for comparison
purposes. We can see that Trex Radio is in the green zone and
that AOL would probably track more closely other subsidiaries
such as B9 (TV Manila), B4 (Channel 2 HK), and B5 (IPTV
Dubai).
As the legend states, the color-coding of the dashboard is based
on:
· The value of AOL's investment
· The financial performance and risk management of the
investee company
· The effectiveness and timeliness of key risk action plans
The green zone (the lightest shade of gray) represents investee
companies where the potential impact on AOL is low due to the
size of the investment and/or there are adequate controls in

21. terms of risk management and financial performance. The
yellow zone (the middle shade) indicates a medium potential
impact due to the investment's size and/or deficiencies in
management (e.g., not meeting targets or delays in completion
of plans). The red zone (darkest shade) indicates a need for
urgent attention because of a high potential impact due to the
size of the investment and/or performance is far below
expectations—the company cannot produce results and suffers
major delays in the completion of action plans.
Of course, these are simplified guidelines that need to be
filtered through sound business acumen. A large investment that
performs impeccably might not require urgent attention but
consistent monitoring and review, while a smaller one that
performs poorly may fall in the red zone instead of the yellow
one. These guidelines have proved useful over time in assisting
with the management of AOL's portfolio of investee companies.
AOL tracks its portfolio's investment performance dashboard on
a quarterly basis (see Exhibit 35.15). Exhibit 35.16 displays a
hypothetical variation from one quarter to the next. AOL's ERM
Team is able to explain the variations in terms of either the
valuation of the investment, the financial risk variance, or the
investment risk score. It should be noted that a reduction in
value of the investment is considered positive insofar as it is
voluntary, for instance, when AOL sells a portion of its
participation. If the reduction in value happens without a
change in AOL's stake in the company, further investigation is
required to determine the risk associated with such a negative
change and to make adequate investment recommendations to
the board of directors, as will be shown in the next exhibit.
Exhibit 35.15 Investment Performance Dashboard Comparison
Exhibit 35.16 Investment Performance Dashboard—Quarterly
Movements
HELPING THE BOARD MAKE INVESTMENT DECISIONS
Exhibit 35.17 shows how AOL's ERM Framework ultimately

22. assists its board of directors in making key investment decisions
about its portfolio of foreign investee companies.
Exhibit 35.17 Assisting the Board in Making Key Decisions
Horizontal movements in the investment performance dashboard
represent a change in the performance score. On that front, an
increase in the performance score requires more attention. But a
decrease in the performance score (financial or risk scores) may
also call for further analysis, because, as we know from the
risk/return relationship, a reduction in the risk profile may also
mean a corresponding decrease in profitability that, if sustained,
would mean a relative stagnation in AOL's investment value in
the future. Possible strategic decisions for that axis of the
dashboard range from reviewing the business model, the
strategies, or the financial processes, the capital required to
sustain or grow the business or to simply divest it.
Vertical movements in the investment performance dashboard
represent a change in investment value. As explained earlier, a
reduction in value indicates a lower risk in the matrix as long as
it is a result of selling a portion of the business. Otherwise, a
decrease in valuation is obviously a negative sign. The possible
actions are similar to those above: review with a view to
maintain or to divest.
CONCLUSION
This case study illustrates how a structured and diligent
approach to ERM implementation, monitoring, and reporting
can add value not only to the investee company adopting it, but
also to the parent company having to make investment decisions
for its portfolio of direct foreign investments. For this case
study, we showed how the investment performance dashboard
could allow a company to compare investment value to total
investment risk score and compare profitability to overall risk.
Without being fully quantitative, this approach brings the
management of a portfolio of direct investments closer to the
risk/return management of a portfolio of financial investments.
QUESTIONS

23. 1. Identify some reasons why risk management practices might
not take off and/or be embedded effectively in an investee
company.
2. Who should participate in the ERM process to ensure
successful implementation of this on-going program?
3. What should the CEO's role be for the successful
implementation and on-going performance of an ERM process?
4. How will senior management benefit from supporting ERM
implementation?
5. Does ERM require reporting to executive management? If so,
what types of reports are most suitable for executive
management?
6. What do you think is the best approach in ensuring a
successful implementation of ERM? Please provide a few
different elements.
NOTES
1 BBC News Asia-Pacific, May 23,
2013. www.bbc.co.uk/news/world-asia-pacific-
15367879.2 Tourism Malaysia, November 17,
2013. www.tourism.gov.my/en/my/Web-Page/About-
Malaysia.3 National Geographic, November 18,
2013. www.travel.nationalgeographic.com/travel/
countries/malaysia-facts.4Financial Times, November 18,
2013. www.ft.com/intl/markets/currencies.5 Astro Malaysia
Holdings Berhad's Annual Report 2013.6 Ibid.; Corporate
Governance on Asia, Asian Roundtable on Corporate
Governance, OECD, 2011.7 Malaysian Code on Corporate
Governance 2012, Securities Commission Malaysia, March
2012.8 “ASEAN Corporate Governance Scorecard, Country
Reports and Assessments 2012–2013,” Joint Initiative of the
ASEAN Capital Markets Forum and the Asian Development
Bank, Asian Development Bank, 2013.9 Astro Malaysia
Holdings Berhad's, “Go Beyond: Annual Report 2013,”
48.10 Ibid., 55.11 Ibid., 55.12 Ibid., 56.13 Internet Protocol
television is a system through which television services are
delivered using the Internet Protocol suite over a packet-

24. switched network such as the Internet, instead of being
delivered through traditional terrestrial, satellite signal, and
cable television formats.
REFERENCES
1. Asian Development Bank. 2013. “ASEAN Corporate
Governance Scorecard, Country Reports and Assessments 2012–
2013,” Joint Initiative of the ASEAN Capital Markets Forum
and the Asian Development Ban.
2. Astro Malaysia Holdings Berhad. 2013. “Go Beyond: Annual
Report 2013.”
3. Securities Commission Malaysia. 2012. Malaysian Code on
Corporate Governance.
ABOUT THE CONTRIBUTORS
Patrick Adam Kanagaratnam Abdullah is the Vice President of
Enterprise Risk Management (ERM) for Astro Overseas Limited
(AOL). He specializes in the implementation of ERM practices
across AOL's investments, which are located primarily in Asia
Pacific. He has over 21 years of experience in safety and crisis
management and 17 years in risk management that includes
ERM and Business Continuity planning. He is also responsible
for statutory compliance monitoring and reporting for AOL
group of companies. He has a BSC (Hons) in Environmental
Management from the Science University of Malaysia (USM).
He also has an Accredited Safety Auditor Certification from
Edith Cowan University, Western Australia. He represent
Malaysia as a Board member of Pan-Asia Risk and Insurance
Management Association (PARIMA) which has been set up to
promote professionalism and a high and efficient standard of
competence for risk management practices in Asia. When
required, he also presents ERM and Business Continuity
planning papers at conferences, and facilitates work group
discussions on risk management practices.
Ghislain Giroux Dufort is President of Baldwin Risk Strategies
Inc., a consulting firm advising boards of directors and
management teams on risk governance and ERM. He has 25
years of experience in management, risk, international business,

25. and consulting, including at Transcontinental, Willis, Hydro-
Québec International, the Mathematical Research Center, and
Export Development Canada. He headed an international
business program and taught at the HEC Montreal Business
School. He is a graduate of the London Financial Times Non-
Executive Director Diploma, has an MBA from McGill
University, and an M.Sc. in Applied Mathematics and a B.Sc. in
Physics from the University of Montreal. He is a member of the
Strategic Risk Council of the Conference Board of Canada, of
the London-based Institute of Risk Management (including its
Global Education Advisory Board and Panel of Judges for its
Global Risk Awards), and of the Institute of Risk Management
of South Africa. He writes on risk and participates in
international risk conferences as chair and speaker.