IVL ERM Framework | Page No. 21 of 23 | Issue No. 1 | Rev. No. | Record ID: GRMB-ERM-F-01-001 | Confidential | Release Date: March 2021

6.4 RISK TREATMENT

Risk treatment involves selecting one or more strategies to modify risk through implementation of mitigations. At a minimum, an entity shall treat all risks identified as critical risk (High, Very High, Time-bomb).

1. Selection of risk treatment strategy

There are generally four (4) risk treatment strategies known as ‘MATA’, which are Minimize risk, Accept risk, Transfer risk and Avoid risk. Selecting the most appropriate risk treatment involves balancing the costs and efforts of implementation against the benefits. When selecting a risk treatment strategy, the entity should also consider the values and perception of stakeholders.

2. Risk Treatment Plan

The risk treatment plan shall include prioritised risk mitigations, detailed action items, mitigation owners as well as the timeline for implementation and monitoring. Risk mitigations are formulated in line with the treatment strategy to address the risks based on the entity’s risk appetite and tolerance level. A mitigation is intended to minimise the likelihood of a risk occurring as well as the impact of a risk if it occurs.

6.5 RISK MONITORING AND REVIEW

Monitoring and review is an important element in the risk management process to ensure risks are managed effectively.

1. Reporting and monitoring

The complete risk profile shall be presented and endorsed by the Sites / Plants / Business Segments / Corporate Head. The reporting and monitoring of a risk profile shall include but not be limited to:
• Principal risks
• Status of mitigations
• Key risk indicators (KRI)

The risk reporting requirement and schedule is as follows:

Report Level | Report type | Report to | Frequency
Corporate: Group Risk Management & BCM (GRMB) | Corporate Risk Profile | GCFO | Quarterly
Corporate: Corporate Function Risk Area | Focus Area Risk Profile Report | Respective Oversight Committee | Quarterly
Business Segments | Business Risk Profile Report | Respective Oversight Committee | Quarterly
Sites / Plants | Sites / Plants Risk Profile | Respective Oversight Committee | Quarterly

Table 2 – Risk Reporting Requirement

6.5.2 Risk information system

An entity shall report its risks using the common risk information system to ensure principal risks, mitigations and key risk indicators are monitored and communicated accurately to management. This also ensures that the information captured in the system is up-to-date for comprehensive consolidation and analysis purposes. Monitoring of principal risks, risk mitigations and key risk indicators shall be done through the risk focal person and approved by the respective risk owners through the system.

6.6 CONTINUAL IMPROVEMENT

Continual improvement is a process to review and enhance risk management practices. The activities shall include but not be limited to the following:

1. Assurance

Assurance is a process that provides a level of confidence that objectives will be achieved within an acceptable level of risk. An entity shall provide assurance on the following areas:

i. Management of business risk
• Identify and manage principal risks through the risk management process.
• Assess effectiveness of risk mitigations as identified in the risk treatment plan.

ii. ERM system & implementation
• Conduct a self-assessment to ensure adequacy of the ERM Framework and compliance to the framework.

2. System monitoring and review

An entity shall continuously review and report its ERM implementation, documentation and relevant activities to ensure an effective and sustainable ERM culture. The organization's monitoring and review processes should encompass all aspects of the risk management. Progress in implementing ERM plans provides a performance measure. The results can be incorporated into the organization's overall performance management, measurement and external and internal reporting activities. The results of review should be recorded and reported as appropriate. They should also be used as an input to the review of the risk management framework.

3. Capability Building

Capability building focuses on developing the capability of risk practitioners and implementing Knowledge Management (KM) programs with the aim to enhance individual and organisational capability in risk management.

All entities shall develop and implement capability development programs to develop the right skills and competencies for risk practitioners to perform effectively in their roles. IVL structured capability development programs established under risk management capability and culture shall be leveraged to provide guidance and opportunity for continuous learning and development of risk practitioners.

All entities shall also implement Risk KM programs or leverage on existing programs such as knowledge sharing, knowledge portal or communities of practice to capture, retain, disseminate and deploy knowledge as part of building risk management capability within the organisation.

These capability building activities will enable an entity to systematically improve its risk management, thus positioning the entity at a competitive advantage.

- END -

2. Business Continuity Management (BCM) Framework

GROUP RISK MANAGEMENT & BCM (GRMB)
BUSINESS CONTINUITY MANAGEMENT (BCM) FRAMEWORK
March 2021
INTERNAL USE

© 2021 INDORAMA VENTURES (IVL)
All rights reserved. No part of this content may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.

Business Continuity Management (BCM) Framework | Page No. 2 of 16 | Issue No. 1 | Rev. No. | Record ID: GRMB-BCM-F-01-001 | Confidential | Release Date: March 2021

Record Details
Record Title: Business Continuity Management (BCM) Framework
Record Version: Issue No: 1, Revision No: 0
Record Status:
Record Reference Number: GRMB-BCM-F-01-001

Record Approval
Prepared By: Name 1, Position 1, Section/Unit 1; Name 2, Position 2, Section/Unit 2. Date:
Reviewed By: Name, Position, Section/Unit. Date:
Approved By: Name, Position, Section/Unit. Date:

RECORD SECURITY
Record Classification: X SECRET X CONFIDENTIAL INTERNAL USE OPEN or TERBUKA

RECORD TYPE
Policies, Frameworks and Guidelines
Manuals, Procedures, Work Instructions and Records
Legal, Commercial and Contractual Documents
Forms and Reports
Business and Financial Correspondences & Communication

Revision History

AMENDMENT SHEET
PAGE NO. | DATE | NATURE OF AMENDMENT/ CHANGE | REVISED BY | SIGNATURE OF APPROVER

TABLE OF CONTENT

1.0 INTRODUCTION
    1.1 OBJECTIVE
    1.2 SCOPE
    1.3 REFERENCES
2.0 TERMS AND DEFINITIONS
3.0 ABBREVIATIONS
4.0 IVL RESILIENCY MODEL
5.0 IVL BCM FRAMEWORK
    5.1 GOVERNANCE
    5.2 RISK ASSESSMENT (RA)
    5.3 BUSINESS IMPACT ANALYSIS (BIA)
    5.4 BUSINESS RECOVERY STRATEGY (BRS)
    5.5 TESTING & EXERCISING (T&E)
    5.6 CONTINUAL IMPROVEMENT

FIGURE
Figure 1 IVL Resiliency Model
Figure 2 IVL BCM Framework
Figure 3 IVL Risk Oversight Structure
Figure 4 IVL BCM Operational Structure

1.0 INTRODUCTION

1.1 OBJECTIVE

This document sets forth the IVL BCM framework as the foundation for clear and consistent BCM practices to ensure continuation of business during prolonged business disruption. The framework consists of governance, processes and continual improvement elements.

1.2 SCOPE

This document, together with its guidelines, shall apply to IVL and its subsidiaries (hereinafter referred to as the Group) to establish their BCM practices. This document and the policy herein shall be owned and duly approved by the respective entity’s approving authority (AA) prior to implementation.

Any changes made to this document shall be in consultation with Group Risk Management & BCM (GRMB) prior to approval. This document shall be reviewed and updated subject to changes in the IVL business environment, coordinated by GRMB.

1.3 REFERENCES

This document follows and makes reference to the following:
ISO 22301 Business Continuity Management Systems, 2012
IVL Enterprise Risk Management (ERM) Framework, 2021

2.0 TERMS AND DEFINITIONS

Business Continuity
Capability of the organization to continue delivery of products or services at acceptable predefined levels following business disruption.

Business Continuity Management
Holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective business resumption that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management Coordinators
Designated personnel in respective Corporate/ Business Segments/ Sites & Plants responsible to organize, manage and carry out BCM programs.

Business Continuity Plan
Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following business disruption.

Business Impact Analysis
Process of analysing activities and the effect that a business disruption might have upon them.

Business Disruption
A risk event that results in an unplanned outage or negative deviation from the expected delivery of products or services according to the organization’s objectives.

Crisis
Situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action.

Critical Business Function
Vital function which an organization cannot do without for a prolonged period, as it will result in serious financial, legal and reputation loss.

Exercise
Process to train for, assess, practise, and improve performance in an organization.

Incident
An abnormal or unplanned event that affects people, environment, asset and reputation, requires attention and has the potential to precipitate an emergency, crisis and/or business disruption.

Interdependencies
The reliance of an organization’s business functions, processes or systems on another party (internal or external).

Minimum Resource Requirements
Minimum level of resources (e.g. people, equipment, assets, facilities, technology, vital records, interdependencies) required to resume a Critical Business Function.

Prolonged Business Disruption
An extended business disruption that results in major adverse financial, operational, legal and reputational impact.

Risk Assessment
Process to systematically identify, analyse and evaluate risks that could cause business disruptions to the organization that eventually justify the need for BCP as recovery mitigation.

Recovery Point Objective
Point to which information used by an activity must be restored to enable the activity to operate on resumption.

Recovery Time Objective
Period of time following a business disruption within which:
• Product or service must be resumed, or
• Activity must be resumed, or
• Resources must be recovered

Testing & Exercising
Process to train for, practise, evaluate and improve performance in an organization, via determining the presence, quality, or reliability of processes, systems and strategies.

3.0 ABBREVIATIONS

AWF: Alternate Workforce
AWS: Alternate Worksite
BCM: Business Continuity Management
BC: Business Continuity
BCP: Business Continuity Plan
BCT: Business Continuity Team
BIA: Business Impact Analysis
BRS: Business Recovery Strategy
BU: Business Unit
CBF: Critical Business Function
CMP: Crisis Management Plan
CMT: Crisis Management Team
CSA: Critical System & Application
DRP: Disaster Recovery Plan
ERP: Emergency Response Plan
EMP: Emergency Management Plan
GRMB: Group Risk Management & BCM
IT: Information Technology
IMC: Indorama Management Council
MRR: Minimum Resource Requirements
MTD: Maximum Tolerable Downtime
MTPD: Maximum Tolerable Period of Disruption
MTO: Maximum Tolerable Outage
RPO: Recovery Point Objective
RTO: Recovery Time Objective
T&E: Testing & Exercising
VO: Virtual Office

4.0 IVL RESILIENCY MODEL

Figure 1: IVL Resiliency Model

The IVL Resiliency Model was adopted in February 2021 to provide an integrated view on the overall strategy for managing risk in IVL focusing on three areas of business resilience namely:

a) ERM is a structured and holistic approach to identify, assess, treat and monitor risks. The aim is to REDUCE the likelihood and impact of all identified risks to enhance the organization’s ability to achieve its strategic objectives.
b) CM is a comprehensive set of processes that aims to prepare the organization to RESPOND and manage crises in the risk areas to protect and save people, environment, assets and reputation.
c) BCM is a holistic management process that aims to build the capability of an organization to RECOVER and continue delivery of products or services at acceptable predefined levels following a prolonged disruptive incident.

Over time, each area within the Resiliency Model has been implemented across the organization based on respective established frameworks and guidelines. In order to ensure effective coordination and alignment in operationalization of these three areas, there is a need to strengthen the governance in its implementation.

To achieve this, Group Risk Management & BCM (GRMB) shall be the overall custodian working together with Corporate Function Risk Area consisting of relevant corporate functions responsible in managing group-wide identified risk areas.

Risk Management Council, chaired by GRMB, with representation from key business heads and Corporate Function Risk Areas shall provide guidance and direction in the implementation and institutionalization of risk management in IVL.

5.0 IVL BCM FRAMEWORK

In supporting the IVL Resiliency Model, BCM is operationalized through the IVL BCM Framework as illustrated below:

Figure 2: IVL BCM Framework

The BCM Framework consists of 6 key elements comprising Governance, Risk Assessment, Business Impact Analysis, Business Recovery Strategy, Testing & Exercising and Continual Improvement. This framework makes up the basic requirements to implement and operate BCM for an entity.

This framework aims to provide a standard and consistent approach across the organization in achieving the following key attributes in business continuity:

I. Organizational preparedness is in place to manage business continuity.
II. Effective recovery plans are in place to address and minimize impact of possible business disruptions and ensure timely resumption of essential business operations.
III. Full accountability in managing business continuity at respective entity.
IV. Safeguarding of IVL reputation.

The elements in the BCM Framework will be elaborated in Section 5.1 – Section 5.6 below.

5.1 GOVERNANCE

Governance defines the organizational strategies in relation to business continuity. This element addresses the policy, standards, guidelines, structure and strategies. The acceptance of this element confirms the organization’s commitment to BCM.

5.1.1 INDORAMA VENTURES RISK POLICY STATEMENT

“IVL is committed to become a risk resilient organization aimed at achieving sustainable business growth and profitability. IVL shall adopt risk management best practices by identifying, assessing, treating and monitoring risks to protect and create value within the set boundaries as well as effectively responding to crisis. In the event of prolonged disruption, business continuity practices shall be adopted to restore and ensure continuity of IVL’s key business activities. Risk based decision making shall provide a balanced and holistic view of exposures to achieve business objectives. Managing risk is everyone’s responsibility.”

The purposes of the Risk Policy are as follows:-
i. To clarify the goals and purpose of risk management.
ii. To strengthen IVL’s commitment for risk management which encompasses Enterprise Risk Management (ERM), Crisis Management (CM) and Business Continuity Management (BCM).

5.1.2 IVL Risk Oversight Structure

Risk organisation and structure describes how key ERM functions shall be organised within the Group to ensure risk management is institutionalized and becomes a culture. The organisation shall establish a risk reporting mechanism that ensures risk information flow is comprehensive and timely for the appropriate authority to manage risks effectively at all levels.

All entities across the Group shall:
i. Establish risk management unit or function at Corporate, Business and Sites & Plants level.
ii. Have a clear line of risk reporting i.e. Risk Oversight Structure.
iii. Define clear risk management roles and responsibilities at respective management levels.

The figure below illustrates the Risk Oversight Structure in IVL.

Figure 3: IVL Risk Oversight Structure

5.1.3 IVL BCM Oversight and Operational Structure

BCM oversight and operational structure describes how BCM strategies will be organized and implemented to ensure that business continuity practices and culture are institutionalized. The function of business continuity is also embedded in Crisis Management structure. In forming a formal structure to manage crisis and business continuity, IVL Group Contingency Plan needs to be referred.

All entities across the Group shall:
i. Establish BCM function at Corporate, Business and Sites & Plants level.
ii. Have a clear line of BCM reporting i.e. BCM Operational Structure.

Figure 4: IVL BCM Oversight and Operational Structure

5.1.4 Roles and Responsibilities in Business Continuity

i. Risk Management Council (RMC)

RMC is responsible for the following:-
a) Provide guidance and direction in the implementation and institutionalization of IVL Resiliency for the Group.
b) Review, deliberate and recommend decisions requiring Board and Management approval on Group policies and strategies on Enterprise Risk Management (ERM) and Business Continuity Management (BCM).
c) Review and recommend ERM and BCM frameworks, methodologies, measurement and systems for Group implementation.
d) Review and monitor Corporate Risk Profile that may affect the Group directly or indirectly and, if deemed required, recommend additional course of action to mitigate such risks.
e) Promote effective implementation of ERM and BCM within established frameworks and guidelines; and monitor non-compliance within the Group.
f) Promote sound resiliency practices and culture across the Group through sharing of information, best practices and lessons learnt for continuous improvement.

ii. Group Risk Management & BCM (GRMB)

GRMB is responsible for the following:
a) Shape, lead and drive BCM implementation throughout the Group. Custodian and regulator of BCM, Framework and Guidelines. Establish and regulate BCM process and methodologies for Group wide implementation.
b) Provide advisory to IVL management on BCM matters. Establish and regulate IVL BCM reporting requirements which include structure, frequency and line of reporting.
c) Provide assurance to IVL Management and Board that BCM is effectively managed.
d) Shape organizational BCM culture and institutionalise BCM capability building across the Group.

iii. Emergency Management Team / Crisis Management Team / Business Continuity Team (EMT/CMT/BCT)

In managing business continuity, EMT/CMT/BCT is responsible for the following:
a) Declare business disruption and activate Business Continuity Plan (BCP) should there be a prolonged business disruption. Decide stand down and deactivation of BCP.
b) Provide strategic stewardship during business disruption. Provide strategic guidance on business resumption and recovery issues.
c) Provide strategic guidance in the development, implementation and continuous review / update of BCP.
d) Ensure business continuity / strategic issues concerning people, stakeholders, assets and reputation are being managed by relevant parties.
e) Ensure that relevant risks and threats have been identified, assessed and that mitigation plans shall be developed.

iv. BCM Coordinators

BCM Coordinators are designated personnel in respective Corporate/ Business Segments/ Sites & Plants responsible to organize, manage and execute BCM programs.

v. Corporate/ Business Segments/ Sites & Plants/ Risk Management Units / Functions

Corporate/ Business Segments/ Sites & Plants / Risk Management units/functions/ focuses are responsible for the following:
a) Drive BCM programs implementation throughout respective Corporate/ Business Segments/ Sites & Plants and its constituents; aligned to BCM Framework by ensuring all six elements are addressed.
b) Develop and implement respective Corporate/ Business Segments/ Sites & Plant’s BCP.
c) Promote Business Continuity culture and capability throughout Corporate/ Business Segments/ Sites & Plants and its constituents through skill, structure, system and processes, network, leadership and mindset.
d) Provide assurance reporting to GRMB on the status of BCM implementation.

5.2 RISK ASSESSMENT (RA)

Risk Assessment is a process to systematically identify, analyze and evaluate risks that could cause business disruptions to the organization, and risk treatments that are commensurate with business continuity objectives. The risk profiles and risk reports developed by Corporate/ Business Segments/ Sites & Plants could be an input to perform Risk Assessment. Risk Assessment shall be made in accordance with standard tools and methodologies as prescribed by IVL.

5.3 BUSINESS IMPACT ANALYSIS (BIA)

Business Impact Analysis identifies Critical Business Functions, assesses the impact of unavailability of these functions over time, sets prioritized timeframes for resuming these functions and specifies Minimum Resource Requirements to be allocated to recover and resume these functions. The completed BIA shall be approved by the respective approving authority.

BIA should comprise the following information:
a) List of critical functions or processes (CBFs)
b) Time required to resume business, i.e. Recovery Time Objective (RTO)
c) Last backed up data after disaster, i.e. Recovery Point Objective (RPO)
d) Minimum acceptable level of resources needed (MRR) to resume business
e) List of internal and external dependencies to resume business

5.4 BUSINESS RECOVERY STRATEGY (BRS)

Business Recovery Strategy is the process to determine appropriate strategies to resume and recover Critical Business Functions. The selection of recovery strategies shall be based on Business Impact Analysis and should take into account identified business disruptions, cost of implementation, Recovery Time Objective and business impact. From the identified business disruption scenarios and recovery strategies, a Business Continuity Plan (BCP) shall be developed.

Business Continuity Plan (BCP)

BCP is a documented collection of procedures and information that is developed, compiled and maintained in readiness for use during prolonged business disruption (as prescribed by MTO/MTPD/MTD, RTO, defined thresholds) to enable an organization to continue to deliver its CBFs at an acceptable predefined level. The established BCP shall be approved by CEO or Head of Business Segments/ Sites & Plants /Corporate function/Division/ Corporate Function Risk Area.

At minimum, the following shall be included when developing a BCP:
a) Organization Structure in managing business continuity, Business Recovery Call Tree
b) Business Recovery Team
c) List of Critical Business Functions and Minimum Resource Requirements
d) List of specific recovery strategies

5.5 TESTING & EXERCISING (T&E)

Testing & Exercising involves a process to validate the components in the Business Continuity Plan by simulating possible disaster scenarios to ensure consistency of recovery strategies, plans and procedures with business continuity objectives. Testing & Exercising aims to validate the effectiveness and robustness of recovery strategies identified in the Business Continuity Plan, maintain a high level of competence and readiness, and identify issues and areas of improvement for enhancement. The frequency of Testing & Exercising should be as outlined in the Testing & Exercising Guideline.

5.6 CONTINUAL IMPROVEMENT

Continual improvement is the process of monitoring, measuring, analysing and evaluating BCM implementation.

5.6.1 Assurance

The organization shall provide assurance on BCM implementation through the following:-
a) Conduct assessment on compliance to IVL BCM Framework and Guidelines.
b) Conduct audit on compliance to IVL BCM Framework and Guidelines.

5.6.2 System Review & Monitoring

An entity shall continuously review and report its BCM implementation, documentation and relevant activities to ensure an effective and sustainable BCM culture. The organization's monitoring and review processes should encompass all aspects of BCM. Progress in implementing BCM provides a performance measure. The results can be incorporated into the organization's overall performance management, measurement and external and internal reporting activities. The results of review should be recorded and reported as appropriate. They should also be used as an input to the review of the BCM framework.

5.6.3 Assurance

Capability building focuses on developing the capability of BCM practitioners and implementing Knowledge Management (KM) programs with the aim to enhance individual and organisational capability in BCM.

All entities shall develop and implement capability development programs to develop the right skills and competencies for BCM practitioners to perform effectively in their roles. IVL structured capability development programs established under risk management capability and culture shall be leveraged to provide guidance and opportunity for continuous learning and development of BCM practitioners.

All entities shall also implement BCM KM programs or leverage on existing programs such as knowledge sharing, knowledge portal or communities of practice to capture, retain, disseminate and deploy knowledge as part of building BCM capability within the organization.

- END -

3. Business Continuity Plan (BCP) Guideline

GROUP RISK MANAGEMENT & BCM (GRMB)
BUSINESS CONTINUITY PLAN (BCP) GUIDELINE
March 2021
INTERNAL USE

© 2021 INDORAMA VENTURES LIMITED (IVL)
All rights reserved. No part of this content may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.

Business Continuity Plan (BCP) Guideline | Page No. 2 of 13 | Issue No. 1 | Rev. No. | Record ID: GRMB-BCM-G-01-001 | Confidential | Release Date: March 2021

RECORD DETAILS
Record Title: IVL Business Continuity Plan (BCP) Guideline
Record Version: Issue No: 1, Revision No: 1
Record Status: Approved
Record Reference Number: GRMB-BCM-G-01-001

RECORD APPROVAL
Prepared By: Kanchit Damkaew, Senior Manager, Global Risk Management & BCM. Date:
Reviewed By: Dhananjay Mohite, AVP, Global Risk Management & BCM. Date:
Approved By: Wan Norashikin Mohd Nasir, VP, Global Head Risk Management & BCM. Date:

RECORD CLASSIFICATION

RECORD SECURITY
SECRET X CONFIDENTIAL X INTERNAL USE OPEN

RECORD TYPE
Policies, Frameworks and Guidelines
Manuals, Procedures, Work Instructions and Records
Legal, Commercial and Contractual Documents
Forms and Reports
Business and Financial Correspondences & Communication

REVISION HISTORY

AMENDMENT SHEET
PAGE NO. | DATE | NATURE OF AMENDMENT/ CHANGE | REVISED BY | SIGNATURE OF APPROVER

TABLE OF CONTENT

1.0 INTRODUCTION
    1.1 OBJECTIVE
    1.2 SCOPE
    1.3 REFERENCES
    1.4 GLOSSARY OF TERMS
2.0 OVERVIEW OF BUSINESS CONTINUITY PLAN (BCP)
    2.1 ROLES & RESPONSIBILITIES IN DEVELOPMENT OF BCP
3.0 BUSINESS DISRUPTION SCENARIOS
    3.1 WORKPLACE FAILURE
    3.2 WORKFORCE FAILURE
    3.3 ICT FAILURE
    3.4 KEY INTERDEPENDENCIES FAILURE
    3.5 FACILITIES FAILURE
    3.6 SUPPLY FAILURE
    3.7 OTHER BUSINESS DISRUPTION SCENARIOS
4.0 PHASES IN BCP DEVELOPMENT
    4.1 PLANNING PHASE
    4.2 DOCUMENTATION PHASE
    4.3 REVIEW PHASE
1.0 INTRODUCTION

Business Continuity Plan (BCP) is part of the BRS component of BCM Framework, as shown in Figure 1 below. The objective of BCP is to provide detailed recovery plans in enabling an entity to continue to deliver its Critical Business Functions (CBFs) at an acceptable pre-defined level. CBFs, Minimum Resource Requirement (MRR) (established in Business Impact Analysis (BIA)) and recovery strategies selected (established in Business Recovery Strategy (BRS)) shall be documented in BCP.

Figure 1: BCM Framework
1.1 OBJECTIVE

This guideline provides a structured and consistent approach in documenting BCP. This document, which complements the BCM Framework, covers the process and key information in documentation of BCP. It defines the baseline BCM requirements applicable to IVL and its subsidiaries; and to the extent practicable to suppliers and business partners.

1.2 SCOPE

This guideline is generic for application in any business environment and shall apply to IVL and its subsidiaries. This guideline shall be read together with BCM Framework and its guidelines. Any deviation to the requirement defined in this document shall be in consultation and approved by GRMB. Changes to this document shall be reviewed, updated and coordinated by GRMB.

1.3 REFERENCES

This document makes reference to the following:
i. IVL Enterprise Risk Management (ERM) Framework.
ii. IVL Business Continuity Management (BCM) Framework.
iii. IVL Business Impact Analysis (BIA) Guideline.
iv. IVL Business Continuity Plan (BCP) Guideline.
v. IVL Testing & Exercising (T&E) Guideline.
vi. IVL ERM Process Guideline.
vii. International Standard ISO 22301 (Societal Security – Business Continuity Management Systems – Requirements).
1.4 GLOSSARY OF TERMS

1.4.1 Terms and Definitions

Business Continuity: Capability of the organization to continue delivery of products or services at acceptable predefined levels following business disruption.

Business Continuity Management: Holistic management process that identifies potential threats and their impact to the organisation, and provides a framework for building resilience with the capability for an effective business resumption that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan: Documented procedures that guide organizations to respond, recover, resume, and restore to pre-defined level of operation following business disruption.

Business Impact Analysis: Process of analysing activities and the effect that a business disruption might have upon them.

Business Disruption: A risk event that results in unplanned outage or negative deviation from the expected delivery of products or services according to the organization’s objectives.

Crisis: A significant business disruption which affects the organization's normal operations; impacting people, environment, assets and reputation.

Critical Business Function: Vital function which an organisation requires to remain viable. If the function is unavailable for a prolonged period, it will result in financial and non-financial loss (e.g. EHS, reputation, security, legal and operations).

Exercising: Process to train for, assess, practice, and improve performance in an organization.
Note 1: Exercises can be used for: validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement, and controlled opportunity to practice improvisation.
Note 2: A test (refer to definition of “testing”) is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.

Incident: An abnormal or unplanned event that affects people, environment, asset and reputation, requires attention and has the potential to precipitate an emergency, crisis and/or business disruption.

Interdependencies: The reliance of an organization’s business functions, processes or systems with another party (internal or external).

Minimum Resource Requirements: Minimum level of resources (e.g. people, equipment, assets, facilities, technology, vital records, interdependencies) required to resume Critical Business Function.

Prolonged: An extended duration or period of time.

Recovery Point Objective: Point to which information used by an activity must be restored to enable the activity to resume operation.

Recovery Time Objective: Period of time following a business disruption within which supply of product or service or activities must be resumed, or resources must be recovered.

Testing: Procedure for evaluation; a means of determining the presence, quality, or veracity of something.
Note 1: Testing may be referred to as a “trial”.
Note 2: Testing is often applied to supporting plans.
1.4.2 Abbreviations

AWF: Alternate Workforce
AWS: Alternate Worksite
BCM: Business Continuity Management
BCP: Business Continuity Plan
BCT: Business Continuity Team
BRS: Business Recovery Strategy
CBF: Critical Business Function
CSA: Critical System & Application
DRP: Disaster Recovery Plan
MRR: Minimum Resource Requirements
VO: Virtual Office
GRMB: Group Risk Management & BCM
GIT: Group Information Technology

2.0 OVERVIEW OF BUSINESS CONTINUITY PLAN (BCP)

BCP is a documented collection of procedures and information that is developed, compiled and maintained in readiness for use during prolonged business disruption to enable an entity to continue to deliver its Critical Business Functions (CBFs) at an acceptable pre-defined level. The established BCP shall be approved by Head of Business/CEO or Head of Function/Entity/Plant/Site.

BCP is a key output of Business Continuity Management (BCM) and is developed based on the information and requirements identified from Business Impact Analysis (BIA) and selected Business Recovery Strategies (BRS). (Refer to BIA Guideline and BRS Guideline).

BCP’s key components shall include:
i. Purpose and objectives
ii. Activation procedures
iii. Roles and responsibilities
iv. Communication requirement and procedures
v. Internal and external interdependencies
vi. Resource requirement
2.1 ROLES & RESPONSIBILITIES IN DEVELOPMENT OF BCP

The roles and responsibilities in development of BCP are outlined in Table 1 below:

GRMB BCM Coordinator Head of Business (Business Function/Entity/Plant/ Function/Entity/Plant/Si te) Site Roles • Facilitate BCP • Owner of BCP • Owner of BCP guideline development as and process per approved guideline Responsibilities • Facilitate • Coordinate • Ensure BCP is development and/or development of updated and BCP and obtain reviewed enhancement of BCP approval for business • Ensure BCP is function/entity/plant/ • Coordinate review communicated to all site (if required) and update of BCP relevant parties • Facilitate development of BCP • Provide BCM reporting to GRMB

Table 1: Roles and Responsibilities in Development of BCP
3.0 BUSINESS DISRUPTION SCENARIOS

Development of BCP should consider business disruption scenarios that have:
i. Major or catastrophic impact on the business in terms of financial, operational, regulatory and reputational.
ii. Loss of any or combinations of critical asset, facilities, workforce, technology, key interdependencies, supply or other resources identified as critical.
iii. Worst case scenario.

BCP can be developed to address the following business disruption scenarios.

3.1 WORKPLACE FAILURE

Workplace failure may be caused by incidents such as riot, terrorist attack, natural disaster, and bomb threat that can affect accessibility to the building for a prolonged period of time. The recovery strategies for workplace failure are twofold:
i. Alternate Worksite (AWS)
ii. Virtual Office (VO)

3.2 WORKFORCE FAILURE

Workforce failure may be caused by incidents such as pandemic, mass resignation and others that can adversely impact the ability of IVL employees to resume critical business functions effectively. The recovery strategy for this failure is identification of Alternate Workforce (AWF) to ensure resumption of CBFs according to BCP.

3.3 ICT FAILURE

ICT failure happens when data, systems, and applications are no longer available during business disruption. The recovery strategy is Disaster Recovery Plan (DRP) whereby Critical Systems & Applications (CSA) are backed-up at another location. The scenario of ICT failure shall be tested and monitored by GIT.

3.4 KEY INTERDEPENDENCIES FAILURE

Key interdependencies failure may be caused by failure of suppliers, business partners, utilities providers, government agencies and other dependent parties in supplying critical goods and components or render critical services that can adversely impact resumption of CBFs.

3.5 FACILITIES FAILURE

Facilities failure may be caused by fire, explosions, natural disaster, etc. which disrupt the operations of platforms, pipelines, terminals, depots, etc. that can adversely impact resumption of CBFs.

3.6 SUPPLY FAILURE

Supply failure assumes disruption of supply to customers or from suppliers which affect CBFs.

3.7 OTHER BUSINESS DISRUPTION SCENARIOS

Development of BCP should also consider combination of the above business disruption scenarios and other business disruption scenarios that are not listed above.
4.0 PHASES IN DEVELOPING BCP

BCP development involves three main phases, as depicted in Figure 2 below:

1. PLANNING
• Gather relevant information as critical input to BCP from BIA and BRS.
• Conduct BCP training accordingly

2. DEVELOPMENT
• Compile and document CBF and MRR
• Develop and document implementation plan for recovery strategies selected
• Develop and document BCM recovery team and call tree
• Obtain management’s review and approval

3. REVIEW
• Review and update BCP, and obtain management’s review and approval

Figure 2: Phases in developing BCP

4.1 PLANNING PHASE

i. Planning phase involves gathering relevant information that is critical as input to the BCP, which includes:
a) Critical Business Functions (CBFs) and Minimum Resource Requirements (MRR) (i.e. people, equipment, technology, facilities/asset, interdependencies) already identified through BIA.
b) Recovery strategies already selected through BRS.
ii. BCM Coordinator to coordinate and facilitate training on development of BCP.

4.2 DEVELOPMENT PHASE

i. This phase involves writing the BCP (Refer to APPENDIX 1: Guide to Complete BCP and APPENDIX 2: BCP Template) by documenting identified CBFs and MRR, and develop detailed strategies and communication procedures (call tree) to be used during business disruption.
ii. At minimum, the following shall be included when developing a BCP:
a) CBFs and MRR (i.e. people, equipment, technology, facilities/asset, interdependencies).
b) Detailed recovery strategies and their implementation plan.
c) Business Continuity Team (BCT) structure and process flow for BCP activation and deactivation.
d) BCM Recovery Team structure and call tree (communication protocol).
e) Procedure for return to normal.
f) Key attachments to support business resumption, e.g. Standard Operating Procedure (SOP), Limits of Authority (LOA), etc. if applicable.
iii. Once completed, the BCP requires management’s review and approval.

4.3 REVIEW PHASE

i. BCP should be reviewed and updated annually or upon changes that have major impact to the business function/entity/plant/site, such as (but not limited to):
a) Major changes in the, such as business model and business focus
b) Changes on regulatory/operating requirements
c) Changes in risk profile
d) Changes in key personnel, CBF staff, BCT members, BRT members, etc.
e) Changes in call tree and communication protocol
f) Changes in recovery strategy
g) Changes in key business functions/activities
h) Lessons learnt from past experience, gaps from Testing & Exercising, etc.
ii. Once completed, the BCP requires management’s review and approval.

- END -
4. Business Impact Analysis (BIA) Guideline
GROUP RISK MANAGEMENT & BCM (GRMB) IVL BUSINESS IMPACT ANALYSIS (BIA) GUIDELINE March 2021 INTERNAL USE © 2021 INDORAMA VENTURES LIMITED (IVL) All rights reserved. No part of this content may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.
IVL Business Impact Analysis (BIA) Page No. 2 of 13 Guideline Issue No. 1 Rev. No. Record ID: GRMB-BCM-G-01-002 Confidential Release Date: March 2021 RECORD DETAILS IVL Business Impact Analysis (BIA) Guideline Record Title: Issue No: 1 Revision No: 1 Record Version: Record Status: Approved Record Reference Number GRMB-BCM-G-01-002 RECORD APPROVAL Reviewed By: Approved By: Prepared By: Kanchit Damkaew, Dhananjay Mohite, Wan Norashikin Mohd Nasir, Senior Manager AVP VP Global Risk Global Risk Global Head Management & BCM Management & BCM Risk Management & BCM Date: Date: Date:
RECORD CLASSIFICATION RECORD SECURITY SECRET X CONFIDENTIAL INTERNAL USE OPEN RECORD TYPE X Policies, Frameworks and Guidelines Manuals, Procedures, Work Instructions and Records Legal, Commercial and Contractual Documents Forms and Reports Business and Financial Correspondences & Communication REVISION HISTORY PAGE NO. DATE AMENDMENT SHEET NATURE OF AMENDMENT / REVISED BY SIGNATURE OF APPROVER CHANGE
TABLE OF CONTENT

1.0 INTRODUCTION
    1.1 OBJECTIVES
    1.2 SCOPE
    1.3 REFERENCES
    1.4 GLOSSARY OF TERMS
2.0 OVERVIEW OF RISK ASSESSMENT
3.0 OVERVIEW OF BUSINESS IMPACT ANALYSIS (BIA)
    3.1 ROLES AND RESPONSIBILITIES IN BIA
4.0 PHASES IN BIA
    4.1 PLANNING PHASE
    4.2 EXECUTION PHASE
    4.3 REVIEW PHASE
1.0 INTRODUCTION

Business Impact Analysis (BIA) is the 3rd component of BCM Framework, as shown in Figure 1 below. The objective of BIA is to identify criticality of individual business function(s) in an organisation and determine Minimum Resource Requirements (MRR) to be allocated for Critical Business Functions (CBFs) recovery and resumption.

Figure 1: BCM Framework
1.1 OBJECTIVES

This guideline provides a structured and consistent approach in completing BIA. This document, which complements the BCM Framework, covers the process and elements in the completion of BIA. It defines the baseline BCM requirements applicable to IVL and its subsidiaries; and to the extent practicable to suppliers and business partners.

1.2 SCOPE

This guideline is generic for application in any business environment and shall apply to IVL and its subsidiaries. This guideline shall be read together with BCM Framework and its guidelines. Any deviation to the requirement defined in this document shall be in consultation and approved by GRMB. Changes to this document shall be reviewed, updated and coordinated by GRMB.

1.3 REFERENCES

This document makes reference to the following:
i. IVL Enterprise Risk Management (ERM) Framework.
ii. IVL Business Continuity Management (BCM) Framework.
iii. IVL Business Impact Analysis (BIA) Guideline.
iv. IVL Business Continuity Plan (BCP) Guideline.
v. IVL Testing & Exercising (T&E) Guideline.
vi. IVL ERM Process Guideline.
vii. International Standard ISO 22301 (Societal Security – Business Continuity Management Systems – Requirements).
1.4 GLOSSARY OF TERMS

1.4.1 Terms and Definitions

Business Continuity: Capability of the organization to continue delivery of products or services at acceptable predefined levels following business disruption.

Business Continuity Management: Holistic management process that identifies potential threats and their impact to the organisation, and provides a framework for building resilience with the capability for an effective business resumption that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan: Documented procedures that guide organizations to respond, recover, resume, and restore to pre-defined level of operation following business disruption.

Business Impact Analysis: Process of analysing activities and the effect that a business disruption might have upon them.

Business Disruption: A risk event that results in unplanned outage or negative deviation from the expected delivery of products or services according to the organization’s objectives.

Critical Business Function: Vital function which an organisation requires to remain viable. If the function is unavailable for a prolonged period, it will result in financial and non-financial loss (e.g. EHS, reputation, security, legal and operations).

Interdependencies: The reliance of an organization’s business functions, processes or systems with another party (internal or external).

Minimum Resource Requirements: Minimum level of resources (e.g. people, equipment, assets, facilities, technology, vital records, interdependencies) required to resume Critical Business Function.

Prolonged: An extended duration or period of time.

Risk Assessment: Overall process of risk identification, risk analysis and risk evaluation.

Recovery Point Objective: Point to which information used by an activity must be restored to enable the activity to resume operation.

Recovery Time Objective: Period of time following a business disruption within which supply of product or service or activities must be resumed, or resources must be recovered.

1.4.2 Abbreviations

BCP: Business Continuity Plan
BIA: Business Impact Analysis
CBF: Critical Business Function
AA: Approving Authority
ICT: Information Communication & Technology
MRR: Minimum Resource Requirements
RPO: Recovery Point Objective
RTO: Recovery Time Objective
2.0 OVERVIEW OF RISK ASSESSMENT

Risk Assessment is the 2nd component of BCM Framework and is conducted before Business Impact Analysis. Risk assessment in business continuity management involves the process of identifying key risks and the worst case business disruption scenarios that could severely impact an entity in carrying out its minimum level of services and/or products that is acceptable to achieve its business objectives.

Common business disruption scenarios include the following:
i. Workplace failure
ii. Workforce failure
iii. ICT failure
iv. Interdependencies failure
v. Facilities failure
vi. Supply failure

The list above is not exhaustive and other business disruption scenarios can be identified as appropriate. Also, business disruption scenarios can be from any combination of the above.

The main context of risk assessment for business continuity is to focus on what would be the likely scenarios and magnitude of the impact that would affect the entity in fulfilling its obligations to stakeholders. With this assessment, the requirement for business continuity plan will be established to reduce the impact and ensure continuity of business operation.

For entities that have existing risk profiles, these profiles can also be used as references or be further reassessed. These profiles will provide an overview of key risks that could pose severe operational impact to the business in meeting its business objectives. Adequacy of existing mitigation in addressing the risks will also be evaluated in risk treatment process. Requirement for development of business continuity plan will be established as a recovery mitigation to minimise the impact of risk and ensure continuity of business operation.

For details on Enterprise Risk Management (ERM) process, please refer to ERM Process Guideline.
3.0 OVERVIEW OF BUSINESS IMPACT ANALYSIS (BIA)

Development of BIA is undertaken after Risk Assessment process has identified BCP as a mitigation. BIA identifies Critical Business Functions (CBFs), assesses the impact of unavailability of these functions over time, sets prioritised timeframes for resuming these functions and specifies Minimum Resource Requirements (MRR) to be allocated to recover and resume these functions. The completed BIA shall be approved by respective approving authority.

BIA summary report entails the following:
i. List of critical functions
ii. Time required to resume functions, i.e. Recovery Time Objective (RTO)
iii. Last backed up data required after disaster
iv. MRR that specify minimum level of resources, i.e. people, equipment, technology and assets required to support resumption of CBFs
v. List of internal and external interdependencies, i.e. parties that rely on or be dependent upon (e.g. other departments, vendors, service provider, government, etc.) that support resumption of CBFs

Challenge session with management shall be conducted prior to BIA approval to ensure it meets the business needs and is aligned with BCM requirement. BIA results shall be used to develop recovery strategies and business continuity plans. It is important to emphasise that the quality of information in BIA will affect the comprehensiveness of Business Continuity Plan (BCP).

3.1 ROLES AND RESPONSIBILITIES IN BIA

In the development of BIA, roles and responsibilities of the parties involved are described in Table 1 below.

BCM Coordinator refers to personnel in respective business function/entity/plant/site who is responsible to organize, manage and carry out BCM programs. These personnel could be appointed from risk management department/function or other department/function (e.g. planning, finance, human resource, etc.)

BIA Respondent refers to parties identified who have experience, knowledge and understanding of business functions in the respective business function/entity/plant/site, to provide input for complete assessment of criticality of these business functions to be conducted.
Roles GRMB BCM Coordinator BIA Respondent (Business (Business • Owner of BIA Function/Entity/ Function/Entity/ guideline and Plant/Site) Plant/Site) process • Facilitate • Resource person Responsibilities • Facilitate training • and upskill BCM development of BIA for BIA Coordinators at respective development proficiency business function/entity/pl • Attend BIA Review and ant/site communicate training changes on BIA • Conduct BIA training guideline • Complete BIA and upskill proficiency • Obtain BIA • Facilitate BIA approval from AA, where review and applicable. completion • Submit BIA to • Review and BCM consolidate BIA Coordinators outcome • Obtain BIA approval

Table 1: BIA Development – Roles & Responsibilities

4.0 PHASES IN BIA

BIA process shall be completed in three (3) phases as schematically shown in Figure 2 below:

1. PLANNING
• Seek business function/entity/plant/site Management’s commitment on development of BIA
• Gather information to understand business function/entity/plant/site
• Attend BIA

2. EXECUTION
• Identify CBF, RTO and MRR via BIA Template
• Challenge and validate BIA results
• Consolidate BIA results
• Obtain management’s approval

3. REVIEW
• Conduct BIA periodic review
• Obtain management’s approval

Figure 2: BIA Phases
4.1 PLANNING PHASE

Activities to be completed by BCM Coordinators/BIA Respondent from business function/entity/plant/site during BIA planning include:
i. Understand the main purpose of conducting BIA exercise and how the information will feed into Business Continuity Plan (BCP).
ii. Syndicate with Head of Business or Head of Function/Entity/Plant/Site or other relevant Approving Authority to ensure full participation from identified key personnel and all business functions are well represented in the exercise.
iii. Gather information/background search of the business function/entity/plant/site, i.e. Organisational Chart and Job Description.
Attend BIA training to have a better understanding on how to complete the BIA template.

4.2 EXECUTION PHASE

Activities to be completed by business function/entity/plant/site BCM Coordinators/BIA Respondent during BIA execution include:
i. Complete BIA Template (Refer to APPENDIX 1: Guide to Complete BIA Template) where Minimum Resource Requirements (MRR) of the CBF are identified through requirement of:
a) People
b) Equipment
c) Technology
d) Asset
e) Interdependencies

Cost implication should be considered in identifying CBF to prevent overestimation of CBF as well as MRR.

In prioritising management of resources, business functions are grouped into 3 categories: Priority 1, 2 and 3, based on their criticality. The criticality of a business function is assessed based on the time required to resume the function, i.e. Recovery Time Objective (RTO), and the severity of impact to business should the function fail to resume in time. The categorisation of RTO by criticality is depicted in Figure 3.
(e.g. EHS, reputation, security, legal, operations)

Figure 3: Categorisation of RTO by Criticality

It is important to understand and differentiate between the criticality of business functions during crisis versus business as usual. Functions that are not identified as critical during a disaster are not necessarily less important during business as usual.

ii. Conduct challenge session (Refer to APPENDIX 2: Guide to BIA Challenge Session) together with Head of Business or Head of Function/Entity/Plant/Site to finalise BIA results upon completing the BIA Template in order to evaluate its completeness and accuracy.
iii. Consolidate BIA results, if there is more than one BIA in a particular business function/entity/plant/site.
iv. Obtain approval from appropriate approving authority.

4.3 REVIEW PHASE

Activities to be completed by BCM Coordinators/BIA Respondent by business function/entity/plant/site during BIA review phase include:
i. Conduct BIA periodic review
The approved BIA shall be updated and reviewed when there are internal or external changes, which include but not limited to, the following elements:
a) Organisational context
b) Risk and levels of risk
c) Effectiveness of risk treatments
d) Business processes
e) Key personnel
f) Interdependencies with other organisations
g) Obtain approval from appropriate approving authority.

- END -
5. Business Recovery Strategy (BRS) Guideline