
Risk, Control Activities, Control Category, COSO Components, Control Attributes, Control Classification, Testing

C1: Ayala invested in technological solutions to review and strengthen IT policies/manuals and provide security awareness training. This helped block malware and decrease outbound malware traffic.

C2: The company established internet perimeter defenses, updated gateway policies, implemented desktop lockdowns and cloud storage for backups. This helped acquire solutions such as an anti-APT solution, a SIEM service, and mobile device encryption to further improve controls.

Uploaded by

Captain Obvious

Column groups: Risk; Control Activities; Control Category; COSO Components; Control Attributes; Control Classification; Testing.

Column labels: Number; Risk; Impact/Likelihood; Control Activities; CE; RA; CA; I/C; M; K (Y/N); Frequency; Man/Auto; Pre/Det; Real; Recorded; Classified; Timely; Posted; Operational Effectiveness (Y/N); Test Results; Notes.

C1. Cybersecurity
Risk: cyber-attacks and data security breaches, as well as the increased digital access.
Control activities:
- Ayala invested in a technological solution which reviews and strengthens its IT policies and manuals; security awareness to its subordinates through monthly release of Security Bulletins and Briefings.
- Strengthen architecture-level and application-level controls, to limit access to information systems and servers.
- Regularly review information security measures employed by third-party contractors.
Control category: Control Entity Environment
Frequency: Monthly
Marks as charted: X A P X X X
Test results / notes: Blocks malware communications and decreased outbound malware traffic.

C2. Data Protection
Risk: critical information may result in financial losses and damaged reputation.
Control activities:
- The company established Internet Perimeter defense, standard gateway policies were updated, and desktop lockdown and cloud storage for backup of personal computers were implemented.
- Strengthen architecture-level and application-level controls, to limit access to information systems and servers.
Control category: Control Entity Environment
Frequency: Always
Marks as charted: X M P X X X
Test results / notes: Acquisition of Anti-Advanced Persistent Threat (APT) Solution, SIEM service, deployment of Mobile Device Encryption Advance Protection, etc.

List of acronyms used in the chart:

COSO Components:
1. CE: control environment
2. RA: risk assessment
3. CA: control activities
4. I/C: information and communication
5. M: monitoring

Control Attributes:
6. K: key control
7. Man/Aut: manual or automatic
8. Pre/Det: prevent or detect

C3. Political & Regulatory Change
Risk: the lack of ability to anticipate changes in the political & regulatory landscapes that may affect the group's capacity to shield profitability and brand value.
Control activities:
- Ayala Regulatory Council regularly identifies and monitors new policy issues across sectors and industries and makes recommendations to the Management Committee on how to address regulatory issues.
- Corporate services compliance unit under AG Legal handles regulatory compliance.
- Set aside political connections of key employees in formulating business strategy.
Control category: Control Entity Environment; Control Social & Relations
Frequency: Regularly
Marks as charted: X M P X X X X

C4. Business Continuity / Crisis Response
Risk: the inability to restore normal operations due to disasters and failures, thereby causing revenue loss and impacting customers.
Control activities:
- Review & test the adequacy and effectivity of crisis management & IT disaster recovery plans.
- Assess effectiveness of the continuity plan through testing or simulation.
Control category: Control Entity Environment
Frequency: Regularly
Marks as charted: X M P X X X X X
Test results / notes: AC focuses on Crisis Communications Training, workshops and drills as part of the program.

C5. Data & New Technology
Control activities:
- Ayala established a unit called Ayala Innovation, mandated to constantly be on the lookout for trends and help build future-ready businesses, and to nurture the group's network to foster collaboration and find synergies.
- Training programs aimed at inculcating curiosity, meaningful risk-taking, and grit.
- Launched an Innovation Learning Program in partnership with the Global Innovation Management Institute to develop disruptive solutions to persistent challenges.
Control category: Control Entity Environment
Frequency: Annually
Marks as charted: X A P X X X X
Test results / notes: Maximize investments, improve infrastructure reliability, and enhance productivity. Helps some of its smaller subsidiaries by providing them with technology resources that are supported by Ayala IT staff.

C6. Third Party
Risk: analyzing and controlling risks associated with outsourcing to third-party vendors or service providers.
Control activities:
- Ayala established Company's Related Party Transactions policy, a mechanism to ensure that related party transactions are at arms-length, the terms are fair, and that they inure to the best interest of the Corporation and all of its shareholders.
- Define related party relationships and transactions.
- The Corporation strictly monitored, reported, and disclosed related party transactions as well as inter-company transactions.
- Promote the objectives of the Securities and Exchange Commission (SEC) Rules on Material Related Party Transactions for Publicly-Listed Companies.
- RPTs shall be disclosed, reviewed and approved in accordance with the Policy consistent with the principles of transparency and fairness.
- Launched Investor Relations mobile application, through which users can access the company's financial, operating, and stock information from their mobile devices.
Control category: Control Entity Environment; Control Social & Relations
Frequency: Regularly
Marks as charted: X M D X X X
Test results / notes: The policy should also explain checks and balances that are being put in place to avoid abusive related party transactions and potential conflicts.

C7. Talent Management
Risk: Manage the ability, competency, and power of employees within an organization.
Control activities:
- Ayala Talent Net is a group of HR Recruitment members from the Ayala Group of Companies, which supports the overall Talent attraction and acquisition for the whole Ayala conglomerate.
Control category: Control Social & Relations
Frequency: Annually
Marks as charted: X X M P X X
Test results / notes: Corporate talent management software, includes web-based tools for collaboration and knowledge-sharing.

C8. Culture
Risk: keeping a pulse on the performance of the organization's culture.
Control activities:
- In order to protect AC's reputation, its employees, especially members of its Management Team, are expected to conduct themselves properly and consistently with the Company's values.
- Measuring the impact of the culture on morale and productivity.
Control category: Control Social & Relations
Frequency: Regularly
Marks as charted: X X M P X X X
Test results / notes: Have a clear corporate culture for all HR processes: recruitment and selection, orientation, policy development, training, and performance management.

C9. Board Information
Risk: critical information that may affect the company's decision-making process.
Control activities:
- All employees are provided with the Code of Conduct and Ethics handbook. An orientation on the Code of Conduct and Ethics is part of the on-boarding program of all newly hired employees to keep them informed in the same manner that the existing employees, as well as the directors, chairman, and senior management, are aware and informed.
- Ayala expects its employees to conduct business in accordance with Philippine laws and regulations. Any suspected criminal violations will be reported to the appropriate authorities.
Control category: Control Entity Environment; Control Social & Relations
Frequency: Regularly
Marks as charted: X M P X X X

C10. Data Ethics
Risk: continuing commitment to uphold the data privacy of all stakeholders.
Control activities:
- Ayala's Data Privacy Office works closely with all the business units to regularly review the physical, technical and organizational measures adopted by the Company for the protection of personal data. This is to ensure the integrity, confidentiality and availability of the personal data that the Company collects and processes, and protect these against natural and human dangers, such as accidental loss or destruction, unauthorized access, fraudulent misuse, and unlawful alteration.
Control category: Control Entity Environment; Control Social & Relations
Frequency: Regularly
Marks as charted: X M P X X X X
Test results / notes: Adhered to changes.

C11. Sustainability
Risk: transformation path that leads to a meaningful and lasting impact.
Control activities:
- The Group Risk Management and Sustainability Unit supports the CRO by conducting activities that will enhance the risk-aware culture and improve the risk management program in the organization.
- Adheres to the five principles: Outside-in, Bold Leadership, Impact at Scale, Focus, and Public-Private Partnerships.
- Ayala deliberately incorporated sustainability in risk identification and evaluation, considering the sustainability megatrends introduced to the corporation's top and middle management.
Control category: Control Entity Environment
Frequency: Always
Marks as charted: X M P X X X X X
Test results / notes: The company aligns its objectives with the national development goals, and recognizes the importance of interdependence between business and society.

Table 1. Risk and Control Matrix

References:

https://annualreport.ayala.com/2019integratedreport/our-value-creation/risk-management/

https://annualreport.ayala.com/2019integratedreport/our-value-creation/

https://annualreport.ayala.com/2019integratedreport/our-corporate-governance/
