RISK LEADERSHIP PROGRAM Embracing Risk Mindset; Pinning Risk at Forefront KANCHIT D. REFERENCE DECK LEAD-IT 1
LEAD-IT: Embracing Risk Mindset; Pinning Risk at Forefront
Welcome To Risk Capability & Culture Leadership Program
This Logbook belongs to
“Defying convention to co-create and deliver unique customers solution requires one to perform thorough risk assessment balancing customer needs with operational, regulatory, human capital and technology risks.”
Mr. Aloke Lohia, Group Chief Executive Officer
Contents
Part 1: Indorama’s Risk Capability & Culture Leadership Program: Overview
Part 2: Scanning the Environment: Megatrends 2040
Part 3: Looking in IVL: Risk Conversation
Part 4: Reflections: Understanding Risk Tools & Personality
Part 5: Inspire Others: Let’s Lead-IT!
Appendices: Framework & Guidelines
1. Enterprise Risk Management (ERM) Framework
2. Business Continuity Management (BCM) Framework
3. Business Continuity Plan (BCP) Guideline
4. Business Impact Analysis (BIA) Guideline
5. Business Recovery Strategy (BRS) Guideline
6. Testing and Exercising (T&E) Guideline
COHORT 3 Participants 9
Part 1
RISK MYOPIA: WHAT IS RISK MYOPIA?
Program Overview
Time           Activities
0830 – 0900    Registration
0900 – 0930    Part 1 – Introduction
               • GCEO Welcoming Remarks
               • Ice Breaking
0930 – 1100    Part 2 – Scanning the Environment
               • Megatrends 2040
               • Risk and Fall of Companies
1100 – 1115    Coffee Break
1115 – 1250    Part 3 – Looking in: IVL
               • Emerging Risk 2022
1250 – 1400    Lunch
1400 – 1515    Part 4 – Discovery
               • The Apple Tree
               • The Most Unlikely Threat
1515 – 1530    Coffee Break
1530 – 1605    Part 4 – Reflection
               • What About Me?
1605 – 1650    Part 5 – Inspire Others
1700           END
Part 1
LEAD-IT RISK LEADERSHIP PROGRAM: Embracing Risk Mindset; Pinning Risk at Forefront
Learning Objectives
• To embed the right risk thinking & mindset in leaders to ensure SUSTAINABILITY OF RISK PRACTICES and AGILITY to meet changes in business environment.
Part 1
Resiliency Culture & Mindset
Primary focus on the leaders, as LEADERS CREATE CULTURE and can effectively influence the masses.
Target Group of 80+ Top Leaders in IVL, phased between 2021-2022
• Elevating Risk Credibility & Competency: Leaders as source of inspiration and will create risk mindset and culture
• Strengthen Business Risk Position: Risk as key feature in Leader’s business conversation
• Integrate Risk in Business: Conviction on effective risk management in supporting business decision making & achievement of target objectives
Part 1 Reflection:
1. Do you treat risk reactively rather than proactively?
2. Are risk awareness and risk management aligned with your organizational strategy?
3. Do you treat risk management as a discrete event rather than continuous process?
4. Does your organization focus more on internal rather than external risks?
5. Who owns risk management?
Notes Part 1 16
Part 2 Scanning the Environment Megatrends 2040 The Rise & Fall Look ahead and scan future environment
Part 2
Megatrends
A major movement, pattern or trend emerging in the macroenvironment; an emerging force likely to have a significant impact on the kinds of products consumers will wish to buy in the foreseeable future. Megatrends evident today include a growing interest in health, leisure, lifestyle and environmental issues. Understanding megatrends enables companies to anticipate future opportunities and emerging risks.
Characteristics of MEGATRENDS
The four characteristics of megatrends are:
• duration
• ubiquity
• globality and
• complexity
Reflections:
What are today’s megatrends?
Which MEGATREND(s) do you think would likely impact INDORAMA? How?
Notes Part 2 19
Part 3
Emerging Risks
Reflections:
What are the risks inherent in our business strategies and objectives?
Notes Part 3 22
Part 4
How do we manage risks in Indorama?
INDORAMA VENTURES RISK POLICY STATEMENT
IVL is committed to become a risk resilient organization aimed at achieving sustainable business growth and profitability. IVL shall adopt risk management best practices by identifying, assessing, treating and monitoring risks to protect and create value within the set boundaries as well as effectively responding to crisis. In the event of prolonged disruption, business continuity practices shall be adopted to restore and ensure continuity of IVL’s key business activities. Risk based decision making shall provide a balanced and holistic view of exposures to achieve business objectives. Managing risk is everyone’s responsibility.
3-PRONGED integrated approach to drive BUSINESS RESILIENCY across the Group
• Enterprise Risk Management (ERM): REDUCE likelihood and impact of all identified risks
• Crisis Management (CM): RESPOND to immediate risk events
• Business Continuity Management (BCM): RECOVER from prolonged disruption to meet business obligations
[Diagram: RISK RESILIENCY POLICY and its supporting documents. Labels shown: Enterprise Risk Management Framework; Enterprise Risk Management Process Guideline; Risk in Strategic Planning Guideline; Risk Assessment in Decision-Making Guideline; Risk Quantification; Risk Library; Risk Appetite; Crisis Management Framework; Crisis Management Guideline; Business Continuity Management Framework; Business Continuity Management Guideline; Business Impact Analysis Guideline; Business Recovery Strategy Guideline; Testing & Exercising Guideline]
Part 4 Notes
Part 4
Risk Tools
Reflections:
What risk tools are you familiar with and what is their purpose?
Part 5
Key Learning & Reflections
What is risk? What does it mean to me as a leader?
Why is it important to know and manage risks?
How do we manage risks? THINK RISK, THINK IAMS
What shift do we need to make in managing risk as an organization?
What is my specific ask to my staff?
Part 5 Notes
Appendix (Framework & Guidelines)
1. Enterprise Risk Management (ERM) Framework
GROUP RISK MANAGEMENT & BCM (GRMB) IVL ENTERPRISE RISK MANAGEMENT (ERM) FRAMEWORK March 2021 CONFIDENTIAL © 2021 INDORAMA VENTURES (IVL) All rights reserved. No part of this content may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.
IVL ERM Page No. 2 of 27 Framework Issue No. 1 Rev. No. Record ID: GRMB-ERM-F-01-001 Confidential Release Date: March 2021 RECORD DETAILS IVL Enterprise Risk Management (ERM) Framework Record Title: Issue No: 1 Revision No: Record Version: Record Status: Draft Record ID GRMB-ERM-F-01-001 Prepared By: Reviewed By: Approved By: Date: Date: Date: RECORD SECURITY RECORD CLASSIFICATION √ SECRET √ CONFIDENTIAL INTERNAL USE OPEN RECORD TYPE Policies, Frameworks and Guidelines Manuals, Procedures, Work Instructions and Records Legal, Commercial and Contractual Documents Forms and Reports Business and Financial Correspondences & Communication
REVISION HISTORY: AMENDMENT SHEET
Page No.    Date    Nature of Amendment    Signature of Approver
-
TABLE OF CONTENT
1.0 INTRODUCTION
1.1 Objective
1.2 Scope
1.3 References
2.0 TERMS & DEFINITIONS
3.0 ABBREVIATION
4.0 IVL RESILIENCY MODEL
5.0 OVERVIEW OF ERM
5.1 Definition of ERM
5.2 Corporate Governance
6.0 IVL ERM FRAMEWORK
6.1 Governance
6.2 Context Setting
6.3 Risk Assessment
6.4 Risk Treatment
6.5 Risk Monitoring & Review
6.6 Continual Improvement
FIGURES
Figure 1 IVL Resiliency Model
Figure 2 IVL ERM Framework
Figure 3 IVL Risk Oversight Structure
TABLES
Table 1 List of Risk Associates
Table 2 Risk Reporting Requirement
1.0 INTRODUCTION
1.1 Objective
This document sets forth IVL ERM governing elements and processes as the foundation of ERM practices to assess, treat, monitor and review risk. It serves to provide a common understanding of risk management and consistent approach in managing risk in IVL.
1.2 Scope
This document, together with its guidelines, shall apply to IVL and its subsidiaries (hereinafter referred to as Group) to establish their risk management practices. This document and the policy herein shall be owned and duly approved by the respective entity’s approving authority (AA) prior to implementation. Any changes made to this document shall be in consultation with Group Risk Management & BCM (GRMB) prior to approval. This document shall be reviewed and updated subject to changes in IVL business environment, coordinated by GRMB.
1.3 References
This document follows and makes reference to the following:
- ISO 31000 Risk Management Standard, 2009
- ISO 22301 Business Continuity Management Systems, 2012
- IVL Business Continuity Management (BCM) Framework 2021
- IVL Risk Management Process Guideline 2021
2.0 TERMS AND DEFINITIONS
Corporate Governance: Process and structure used to direct and manage the business and affairs of the company towards enhancing business prosperity and corporate accountability with the ultimate objective of realizing long term shareholder value, whilst taking into account the interests of other stakeholders.
Critical Business Functions: Vital functions which an organization cannot do without for a prolonged period as it will result in serious financial, legal and reputation loss.
Key Risk Indicator: KRI is defined as a measurable metric or indicator that tracks:
- risk exposure escalation; and
- how imminent a risk event is to happen
Potential Loss: Total amount of loss which an organization and/or stakeholders is subject to a risk.
Principal risk: Risks which are identified and approved by management as pertinent risk to the entity and requires close monitoring.
Risk: Effect (positive/negative) of uncertainty on objectives.
Risk Appetite: Amount and type of risk that an organization is willing to pursue or retain, over an extended period of time to pursue its strategic business objectives.
Risk Assessment: Overall process of risk identification, risk analysis and risk evaluation.
Corporate Function Risk Area: Corporate Function Risk Area is a corporate function that manages Group Wide focus risk area which are critical to the business.
Risk Criteria: Terms of reference against which the significance of a risk is evaluated.
Risk Management: Coordinated activities to direct and control an organization with regard to risk in accordance with stakeholder’s view of balance between risk and reward.
Risk Management Process: Systematic application of management policies, procedures and practices to the activities of communication, consulting, establishing the context, and assessing, treating, monitoring and reviewing risk.
Risk Owner: Person or entity with the accountability and authority to manage risk.
Risk Profile: A record that describes any set of risks as an output from risk assessment, risk treatment and risk monitoring & review.
Risk Reporting: Form of communication intended to inform particular internal or external stakeholders by providing information regarding the current state of risk and its management.
Risk Treatment: Process to modify risk i.e. minimize risk, accept risk, transfer risk, avoid risk.
3.0 ABBREVIATION
SRMC: Sustainability & Risk Management Committee
ERM: Enterprise Risk Management
GRMB: Group Risk Management & BCM
RMC: Risk Management Council
4.0 IVL RESILIENCY MODEL
Figure 1: IVL Resiliency Model
The IVL Resiliency Model was adopted in 2021 to provide an integrated view on the overall strategy for managing risk in IVL focusing on three areas of business resilience namely:
a) ERM is a structured and holistic approach to identify, assess, treat and monitor risks. The aim is to REDUCE the likelihood and impact of all identified risks to enhance the organization’s ability to achieve its strategic objectives.
b) CM is a comprehensive set of processes that aims to prepare the organization to RESPOND and manage crises in the risk areas to protect and save people, environment, assets and reputation.
c) BCM is a holistic management process that aims to build the capability of an organization to RECOVER and continue delivery of products or services at acceptable predefined levels following a prolonged disruptive incident.
Over time, each area within the Resiliency Model has been implemented across the organization based on respective established frameworks and guidelines. In order to ensure effective coordination and alignment in operationalization of these three areas, there is a need to strengthen the governance in its implementation. To achieve this, Group Risk Management & BCM (GRMB) shall be the overall custodian working together with Corporate Function Risk Areas consisting of relevant corporate functions responsible in managing group-wide identified risk areas. Risk Management Council, chaired by GRMB, with representation from key business heads and Corporate Function Risk Areas shall provide guidance and direction in the implementation and institutionalization of risk management in IVL.
5.0 OVERVIEW OF ERM
5.1 ERM
ERM is a structured approach of aligning strategy, processes, people, system, and knowledge with the purpose of evaluating and managing the uncertainties an organization faces. It involves identifying, assessing, treating and monitoring risk which aims to reduce the likelihood and impact of all identified risks.
5.2 Corporate Governance
Corporate governance is defined as the process and structure used to direct and manage the business and affairs of the company towards enhancing business prosperity and corporate accountability with the ultimate objective of realising long-term shareholder value, whilst taking into account the interests of other stakeholders. In supporting the Sustainability & Risk Management (SRMC) requires the Board and management to ensure that the risk management and control framework is embedded into the culture, processes and structures of the company. SRMC propagates the approach of Governance, Risk Management and Control to be embedded in the governance framework as illustrated below:
[Figure: governance framework; labels shown: Risk Owner/ Risk Focal & Corporate Function Risk Area]
1. ERM supports Corporate Governance in IVL through:
I. Safeguarding business interest from major risks that will impede achievement of business strategy and objectives.
II. Enabling IVL Businesses to enhance its value creation and growth by identifying opportunities from risks.
III. Providing assurance to stakeholders that risks are managed effectively.
2. An effective ERM can support management by:
I. Having a clearly defined risk policy to clarify the rationale of ERM and demonstrates commitment of management in managing risk.
II. Having a clearly defined accountability, expectations and reporting requirements for all stakeholders.
III. Establishing appropriate risk information flow across the organization on a timely basis, and that there are processes in place to escalate risk issues.
IV. Establishing commonly understood language for risk that complements the organization’s culture and business practice.
6.0 IVL ERM FRAMEWORK
In supporting the IVL Resiliency Model, ERM is operationalized through the IVL ERM Framework as illustrated below:
Figure 2 – IVL ERM Framework
Mandate and commitment from management is an important element in ensuring the risk management’s effectiveness and sustainability. The management shall plan and strategise to achieve commitment at all levels.
The ERM Framework consists of 6 key elements comprising Governance, Context Setting, Risk Assessment, Risk Treatment, Risk Monitoring & Review and Continual Improvement. It is a cyclical system that includes planning and governance, risk management process (Context setting, Risk Assessment, Risk Treatment and Monitoring & Review – Risk Management Process Guideline) as well as continual improvement. This framework makes up the minimal requirement to implement and operate ERM for an entity.
This framework aims to provide a standard and consistent approach across the organization in achieving the following key attributes in risk management:
i. Full accountability in managing risk at respective entity.
ii. Application of risk management in decision making.
iii. Continuous communication with external and internal stakeholders, including comprehensive and frequent reporting on risk management performance.
iv. Risk management as part of organization’s management processes and culture in achieving the organization’s objective.
The elements in the ERM Framework will be elaborated in Section 6.1 – Section 6.6.
6.1 GOVERNANCE
Governance describes the overall management approach in directing and controlling the organisation’s risk management activity. It defines the boundaries within the organisation on ERM operation and standardises the ERM practices.
6.1.1 Policy & Intent
Policy and intent comprise general principles and guidelines for action which influence decisions. It is also intended to provide a clear communication of management’s expectations in relation to ERM practices throughout the organization.
INDORAMA VENTURES RISK POLICY STATEMENT
“IVL is committed to become a risk resilient organization aimed at achieving sustainable business growth and profitability. IVL shall adopt risk management best practices by identifying, assessing, treating and monitoring risks to protect and create value within the set boundaries as well as effectively responding to crisis. In the event of prolonged disruption, business continuity practices shall be adopted to restore and ensure continuity of IVL’s key business activities. Risk based decision making shall provide a balanced and holistic view of exposures to achieve business objectives. Managing risk is everyone’s responsibility.”
The purposes of the Risk Policy are as follows:
i. To clarify the goals, purpose and commitment on risk management.
ii. To emphasize that management of risk encompasses Enterprise Risk Management (ERM), Crisis Management (CM) and Business Continuity Management (BCM).
6.1.2 Risk Organisation and Structure
Risk organisation and structure describes how key ERM functions shall be organised within the Group to ensure risk management is institutionalised and becomes a culture. The organisation shall establish a risk reporting mechanism that ensures risk information flow is comprehensive and timely for the appropriate authority to manage risks effectively at all levels.
All entities across the Group shall:
I. Establish risk management unit or function at Corporate, Business and Site/ Plant level.
II. Have a clear line of risk reporting i.e. Risk Oversight Structure adopting the Three Lines of Defense Model.
III. Define clear risk management roles and responsibilities at respective management levels.
IVL adopts the Three Lines of Defense Concept which propagates clear demarcation of roles, responsibility & accountability in IVL:
- 1st (first) line of defense are the risk owners;
- 2nd (second) line of defense is the risk management function;
- 3rd (third) line of defense is the internal audit
The figure below illustrates the Risk Oversight Structure in IVL
Figure 3 – IVL Risk Oversight Structure
Corporate Function Risk Area identified for the Group includes:
No    Focus Risk Area            Corporate Function Risk Area
1     Finance                    Head of Corporate Finance
2     Direct Procurement         Head of Direct Procurement
3     Human Resource             Head of Human Resource
4     Corporate Comms & CSR      Head of Global Corporate Comms & CSR
5     EHS                        Head of EHS
6     IT                         Head of IT
7     Digital                    Head of Digital
8     Legal                      Head of Legal
10    Strategic Planning & IR    Head of Strategic Planning & IR
11    Sustainability             Head of Sustainability
12    Logistics                  Head of Logistics
13    Insurance                  Head of Insurance
Table 1 – List of Corporate Function Risk Area
3. Roles & Responsibilities in managing risk in IVL
i. Sustainability & Risk Management Committee (SRMC)
SRMC is responsible for the following:
a) Review the policies and practices with respect to risk assessment and risk management.
b) Review principal risks and oversee the adequacy of the systems in place to effectively monitor and manage those risks.
ii. Risk Management Council (RMC)
RMC is responsible for the following:
a) Review and recommend frameworks, methodologies, measurement and systems for Group implementation.
b) Review, deliberate and recommend decisions requiring Management or Board approval on Group policies and strategies on risk management.
c) Provide guidance and direction in the implementation and institutionalization of risk management practices for the Group.
d) Review and monitor Corporate Risk Profile that may affect the Group directly or indirectly and, if deemed required, recommend additional course of action to mitigate such risks.
e) Promote and provide guidance on the sustainability of risk management culture and continuous improvement in risk management practices across the Group.
f) Promote sound risk management practices and sharing of information, best practices and lessons learnt to internalize risk culture across the Group.
g) Promote effective implementation of risk management within established risk framework and guidelines; and monitor non-compliance through other assurance bodies within the Group
iii. Group Risk Management & BCM (GRMB)
GRMB is responsible for the following:
a) Custodian and governor of Risk Policy, ERM Framework and Guidelines.
b) Govern, shape, lead and drive ERM implementation throughout Group.
c) Establish risk management process and methodologies for Group wide implementation.
d) Provide advisory to IVL management on risk management matters.
e) Establish and regulate IVL risk reporting requirements.
f) Provide assurance to IVL Management and Board that risks are effectively being managed.
g) Shape organizational risk management culture and institutionalise risk management capability across the Group.
iv. Business Segment
Business Segment Risk focal is responsible for the following:
a) Lead and drive ERM implementation throughout respective Business segment and its constituents.
b) Implement approved risk management process and methodologies throughout Business segment and its constituents.
c) Provide advisory to management on risk management matters.
d) Implement IVL risk reporting requirements and govern its constituents.
e) Provide assurance to Management that risks are effectively being managed.
f) Drive risk management capability throughout Business segment and its constituents.