1. Purpose
IIX adopts a rigorous approach to understanding and proactively managing the risks we face in our business. IIX recognizes that making business decisions which involve calculated risks, and managing these risks within sensible tolerances is fundamental to creating long-term value for stockholders and meeting commitments to IIX’s employees and stakeholders, including its partners, beneficiaries and customers.
IIX’s risk appetite is the degree to which we are prepared to accept risk in pursuit of our strategic objectives. The Board of Directors has determined that IIX will maintain a balanced risk profile to ensure we remain a sustainable business in both the short and long terms.
We will take commercial risks where we have the capability to manage those risks. Risk tolerances are documented for material risks which support decision making processes. IIX conducts risk assessments at critical decision points during our business processes to identify, manage and monitor risks.
IIX innovates solutions in women’s empowerment, climate action and community resilience, often in high-risk environments. The risks of failing to act often outweigh the risks of engagement and therefore, decisions are based on a thorough analysis and the application of risk management strategies as detailed in section 4 below. When it comes to protecting our beneficiaries, partners, employees and resources, IIX has a low risk appetite. Furthermore, IIX’s Impact Assessments mitigate risks by giving voice to beneficiaries and enabling them to have a greater stake in decision-making.
We are committed to providing a safe and healthy working environment for everyone who works with us or attends our workplaces, and health, safety and environmental management is a business priority.
IIX recognizes the importance of building and fostering a risk-aware culture, such that every individual takes responsibility for risks and controls in their area of authority. This Policy outlines our approach to risk management.
2. Scope
This Policy applies to IIX as a whole and all its employees, contractors, and workers (“employees”). IIX’s approach to risk management, including this Policy, and the risk management framework are influenced by ISO 31000:2018 and other applicable regulatory standards.
3. Policy principles
Effective management of risk is vital to the continued growth and success of IIX. For risk management to be effective, all operations must apply the following principles to the context of their particular business and its objectives:
3.1 Risk management must create and protect value.
3.2 Risk management is integrated into decision-making and organizational processes.
3.3 Explicit risk management helps decision-makers make informed choices.
3.4 Risk management is focused on the sources of uncertainty which may impact the achievement of objectives.
3.5 Risk management must be tailored to the context and fit for purpose.
3.6 Risk management is dynamic, iterative and responsive to change.
4. The Two Lines of Defense
IIX’s risk management assurance process involves “Two Lines of Defense”:
4.1 First Line of Defense: All employees are responsible for managing risk through identification, assessment, and treatment of risks. This includes the implementation, active management and compliance with appropriate processes, procedures, checklists and other controls, and monitoring those controls to ensure they are, and remain, effective. Employees are responsible for reporting to their immediate supervisor any real or perceived risks that IIX’s operations may face.
4.2 Second Line of Defense: The Executive Management, comprising of the CEO, the COO, and the MD of Portfolio Management, assists the First Line of Defense, and are responsible for developing the Risk Management Policy and for adapting it to changes in the business and the external environment in which IIX operates (including physical and regulatory changes which might impact our social and environmental performance). The Executive Management’s responsibilities include:
- Identification and reporting of key risks;
- Promoting and facilitating a standardized approach to effective risk and compliance management;
- Building risk management capabilities throughout the business through actively engaging with employees in risk management processes and supporting training initiatives;
- Reporting to the Board of Directors regularly on material risks and issues;
- Supporting the business in identifying and implementing risk and compliance management improvement processes;
- Keeping abreast of factors in the internal and external environments that may affect the achievement by IIX of its strategic objectives and/or operating targets; and
- Maintaining and reviewing the IIX Risk Management Policy.
4.3 The Board of Directors provides overall oversight of our risk management framework in respect of the matters set out in their charter. They are responsible for periodically reviewing the group’s risk profile and fostering a risk-aware culture. More specifically, the Board of
Directors is responsible for:
- Promoting IIX’s Risk Management Policy and expectations for the management of risk;
- Provision and support of appropriate resources to manage risk in accordance with the Risk Management Policy as determined by the Executive Management;
- Monitoring compliance, investigating breaches, recommending and/or approving improvement opportunities, as applicable.
4.4 External Audit provides regular and independent assessment on the effectiveness of financial controls and processes in connection with the preparation of financial statements, statutory and governance disclosures. External Audit also provides an opinion on the accuracy, validity and reliability of disclosed data and information.
5. Reporting
Major incidents and risks are to be promptly reported to the Executive Management who will, in turn, assess the appropriate escalation required to members of the Board of Directors. The Executive Management will otherwise determine what reporting is appropriate to assure the adequacy and effectiveness of IIX’s risk management framework.
6. Compliance
Practices established and used for the management of risk should demonstrate alignment and consistency with the principles and requirements in this Policy Compliance with this Policy may be periodically assessed. Each area of the business is accountable for managing risks.
7. Review
This Policy should be reviewed every two years or earlier if required by a change in circumstances. Changes to the Policy require approval from the Board of Directors.