HAFEZZA MOHD ANAFIAH

Shah Alam

Summary

Senior risk leader with over 20 years of experience in shaping enterprise risk strategy, cybersecurity governance, and organizational resilience across diverse sectors, including oil and gas, energy, utilities, fabrication, and digital/ICT. Established a proven track record in transforming risk functions into value-driven, intelligence-based capabilities that inform Board-level decision-making through tenures at PETRONAS, Malakoff, Tabung Haji Heavy Engineering, and other major organizations. Expertise includes enterprise risk management, cybersecurity risk, crisis and business continuity management, risk appetite development, integrated assurance, and complex project risk governance. Committed to turning complex risk landscapes into actionable insights that enable C-suite leaders to navigate uncertainty effectively while protecting critical assets and fostering resilience in an ever-evolving threat environment.

Overview

25
years of professional experience

Work History

Manager Enterprise Risk Management Methodology

PETRONAS DIGITAL SDN BHD
08.2019 - Current
  • Subject Matter Expert for Cyber Security Risk Management across PETRONAS. Conceptualized, formulated, developed, and managed Cyber Security Risk Management
  • Custodian of Cyber Security Risk Management Methodology based on ISO 31000 and aligned with PETRONAS Enterprise Risk Management Framework
  • Custodian of L2/L3 Cyber Security Risk Management Guidelines and Procedures based on ISO 31000, NIST and aligned with PETRONAS Governance Management Framework
  • Custodian of Cyber Security Risk Management Process Workflow for overall Cyber Security Risk Management principal activities for identifying and assessing the Cyber Security Risk within PETRONAS. The principal activities include Business Impact Assessment, Legal and Regulatory Assessment, Business Risk Acceptance and Findings Management, and the workflow was implemented within all Cyber Security functions.
  • Custodian of Cyber Security Risk Management Process Workflow for the end-to-end Project Management phase, starting from the Proposal & Solution Development stage until the Execution and Control stage, aligned with the existing Project Delivery Excellence Model (DEX) in Group Digital.
  • Custodian of PETRONAS Integrated Assurance adoption and implementation for Cyber Security, CS IT and OT Functional Checklist, CS Annual Assurance Masterplan, and other IAP matters.
  • Custodian of Cyber Security Digital Risk Management system for Cyber Security Risk Management activities implemented across PETRONAS.
  • Custodian of Cyber Security Risk Skillsets Contract with Accenture Company
  • Custodian of PETRONAS Data Extraction Procedure across PETRONAS
  • Influenced and drove the ECSGF Deployment Program through strategic activities such as planned syndication/engagement sessions with entities’ Leadership Teams, and conceptualized the High-Level Communication and Change Management Plan to ensure awareness and adoption are completed for all Malaysia and International entities within PETRONAS.
  • Custodian of Enterprise Cyber Security Governance Framework Training and Upskilling Strategic Initiatives across PETRONAS
  • Leads and drives the Findings Management portfolio, comprising risk remediation and mitigation plans for all PETRONAS entities. As of 31 December 2020, close to 600+ mitigation plans had been identified to remediate Cyber Security.
  • Established the Cyber Security Business Impact Assessment aligned with PETRONAS Risk Impact levels and implemented to PAC contractors, Third Party, and others.
  • Custodian of PETRONAS Resiliency Model implementation Cyber Security through:
  • Facilitated the Cyber Security Risk Assessment Workshop in identifying, assessing, and evaluating the Cyber Security Risk Profile for 2023, which was approved by the CDIO and reported on a quarterly basis to the Group Digital Leadership Team meeting.
  • Acted as the SME for Cyber Security risk areas and managed the PETRONAS Corporate Risk Profile reporting to the PETRONAS Board on a quarterly basis.
  • Custodian of Cyber Security Risk Appetite for 2023, approved by the PETRONAS Board in Q2 2023. Monitored and performed quarterly reporting to Group Risk.
  • Custodian of Risk Assessment Decision Making (RADM) paper for Cyber Security Enterprise Governance Deployment, Ransomware Paper, Cyber Security Adoption Strategy and Cyber Security Intune Deployment for ELT submission.
  • Established and managed the Statement of Risk Management Internal Control (SORMIC) and Letter of Assurance (LOA) for Cyber Security
  • Custodian for Department’s Budget

Manager, Risk Management & Assurance

PETRONAS ICT Sdn. Bhd.
02.2015 - 08.2019
  • Led and drove the implementation of PETRONAS Resiliency Model to Group ICT (HCU) and PET-ICT (OPU) as follows:
  • Acted as Subject Matter Expert for ICT focus risk areas to PETRONAS fraternities.
  • Acted as Subject Matter Expert for Risk Management to PET-ICT (OPU)
  • Led the implementation of PETRONAS Resiliency Model, comprising Enterprise Risk Management, Crisis Management and Business Continuity Management, for both Group ICT and PET-ICT
  • Led the formulation and operationalization of PETRONAS ICT Risk Appetite
  • Led the development of Statement of Risk Management and Internal Control (SORMIC) and Letter of Assurance for PETRONAS ICT focus risk area
  • Incorporated the implementation of Risk Assessment Decision Making papers within Group ICT and PET-ICT
  • Led the development of the Risk Oversight Structure for Group ICT and PET-ICT
  • Led the formation of 7 PETRONAS ICT Risk Categories comprising all ICT critical functions such as information security, ICT operations, enterprise data, enterprise architecture, etc.
  • Led and facilitated the Annual Risk Review initiatives with Heads of Departments of Group ICT and PET-ICT
  • Led and facilitated the Risk Assessment and Profiling sessions and discussions with Heads of Departments and risk focals within Group ICT and PET-ICT
  • Managed the quarterly monitoring and reporting of Group ICT and PET-ICT Principal Risks’ mitigation plans and key risk indicators to CIO Council and PET-ICT Board of Directors
  • Led and drove the PETRONAS Resiliency Model Self-Assessment for Group ICT and PET-ICT
  • Led and conceptualized the development of Crisis Management Plan for Group ICT and PET-ICT
  • Collaborated and participated in the development of ICT Business Continuity Plan
  • Acted as SME for development of PETRONAS Integrated Assurance Standards & Guidelines
  • Conceptualized and developed the Cyber Security Assurance Programs (CSAP) initiatives
  • Reviewed the Group ICT Information Security Standards and Guidelines
  • Acted as a Project Manager for PET-ICT Cyber Maturity Assessment initiatives
  • Acted as the Business System Owner for SAP GRC and developed the risk management functional requirements for SAP GRC systems
  • Conceptualized and developed the System Criticality Assessment for PETRONAS critical systems and applications
  • Led and developed Lessons Learnt from 2 international cases, the Bangladesh Central Bank Heist and the Panama Papers Leak, and mapped them to current PETRONAS information security controls
  • Led the alignment of PET-ICT DEX PM4 Project Risk Management Process with ERM Framework and Project Risk Assessment Framework
  • Led the development of ICT crisis scenarios and thresholds for PETRONAS Downstream Business in collaboration with RADAR
  • Participated in the Disaster Recovery Testing & Exercising in PET-ICT
  • Acted as one of PETRONAS Corporate Change Agent
  • Conceptualized and facilitated the PET-ICT Brownbag and Awareness Training sessions for all PET-ICT employees and risk focals

Asst. Manager, Corporate Risk Management

TABUNG HAJI Heavy Engineering Berhad
11.2013 - 12.2014
  • Led and drove the implementation of Corporate Risk Management initiatives:
  • Advised the THHE Board of Directors, Risk and Investment Committee (RIC) and Risk Management Executive Committee (RMEC) on risk management related matters
  • Led and drove the development of THHE Enterprise Risk Management Framework and Guidelines
  • Formalized the RMEC and established the Terms of References for RMEC members.
  • Led and managed the Risk Assessment Workshops for all THHE functional departments
  • Led and managed the quarterly monitoring and reporting of the risk profiles to THHE Board, RIC and RMEC
  • Facilitated the Risk Management Awareness Training for Head of Departments and Risk Focal
  • Conceptualized and designed the blueprint of Risk Management System
  • Led and performed risk assessment during project bidding stage upon receiving an Invitation to Bid from the relevant Petroleum Arrangement Contractor (PAC)
  • Facilitated the Project Risk Assessment Workshop for Project FPSO Layang and the participants were from NIPPON, Malaysia Petroleum Management (MPM) and MTHHE Project Team.
  • Coordinated and participated in the Project Risk Opportunity Management Training by THHE JV Partner McDermott Asia Pacific
  • Developed the relevant Terms and Conditions of EPCC Contract with PETRONAS Carigali Sdn. Bhd in collaboration with THHE Legal Team.
  • Led the Project’s Commercial Risk assessment for relevant Third-Party Contracts, including liquidated damages, termination, suspension, downtime, insurance, etc. The clients are JX Nippon, CPOC, PCSB, HESS Exploration & Production Malaysia and others.
  • Led and performed Due Diligence for legal and commercial contracts and documents for FSO Federal II Vessel owned by Federal International (2000) Ltd Singapore
  • Led and facilitated the Project Risk Assessment (PRA) Workshop for PERMAS Topside Fabrication Project with Murphy Oil Corporation and Layang FPSO with NIPPON
  • Participated in the Project Lessons Learned (PLL) sessions for Fabrication of West Desaru Wellhead Support Structure with Aquaterra Energy Ltd. (UK)

From Junior Executive to Asst. Manager, MD/CEO’s Office

MALAKOFF Corporation Berhad
07.2001 - 11.2013
  • Acted as the Malakoff Risk Management Committee (RMC) secretariat function
  • Managed the quarterly reporting to Malakoff RMC, Malakoff Board of Directors, Malakoff Audit Committee and MMC Group Risk Committee.
  • Acted as Malakoff Risk Consult to oversee, manage and coordinate the risk management process within Risk Management Unit (RMU), comprising relevant Subject Matter Experts named as Primary Risk Management Unit (PRMU) and Secondary Risk Management Unit (SRMU).
  • Implemented and operationalized the Enterprise Risk Management Policy and Procedures to all divisions and departments as per the current organization structure.
  • Led and facilitated the Risk Assessment Workshops for all corporate departments and managed the Strategic, Financial and Reputational Risks
  • Led and facilitated the Risk Assessment Workshops for all Engineering and Operational risk areas, comprising Mechanical, Electrical, Control & Instrumentation, Safety and Operational risks surrounding Coal Fired Power Plant and Gas Fired Power Plant.
  • Led the development and implementation of Q Radar System for risk management activities.
  • Led the monitoring and reporting for all mitigation plans and Key Risk Indicator status on a quarterly basis
  • Led and managed the capability development pertaining to risk management, comprising internal or external training.
  • Led, conducted and managed the Group Risk Consolidation Initiatives that involved all Subject Matter Experts of Mechanical, Electrical and Control & Instrumentation focus risk areas in Tg. Bin Power Plant, Lumut Power Plant and Prai Power Plant. The initiatives were to streamline and standardize the risk assessment strategy for all power plants.
  • Led, conducted and managed the Group Risk Synchronization Initiatives for all divisions and departments involved. This initiative was to synchronize and incorporate the findings and outcome from relevant internal and external audit reports to the existing risk profiles.
  • Led, conducted and managed the Group Risk Challenge Initiatives in collaboration with Secondary Risk Management Unit (SRMU). This initiative was to challenge the integrity and accuracy of existing risk profiles.
  • Lead assessor for Safety Risk area during Tg. Bin Power Plant Engineering Risk Assessment Program (ERAP).
  • Lead assessor for Human Resources risk area during Lumut Power Plant Operational Risk Assessment Program (OpRAP)
  • Led and developed the ERAP and OpRAP Assessors Profiling, comprising professional achievements and technical competencies for Mechanical, Electrical, Control & Instrumentation technical functions.
  • Managed and organised the ERAP and OpRAP Assessors Training with Idhammar Asia Sdn Bhd and emphasized on the auditing techniques.
  • Acted as one of the Malakoff Environment, Safety, Security and Health Committee Members
  • Conceptualized and developed proposal paper for Process Safety Risk Management Framework
  • Acted as Project Manager for Corporate Initiatives:
  • Launching of Malakoff Community Partnerships which was officiated by YB Datuk Seri Shahrizat Ismail, Minister of Women, Family and Community Development
  • Launching of Empowerment for Life which was officiated by Yang Berbahagia Dato’ Dr. Noorul Ainur Mohd, Deputy Secretary General (Policy) Minister of Women, Family and Community Development. This initiative was done in collaboration with Women’s Aids Organization Malaysia.
  • Malakoff Charity Ride 2010 Program, in which 100 road cyclists and 50 support crews participated. The ride raised a whopping RM140k to benefit 9 welfare organisations.
  • Production of Malakoff Annual Report 2008, 2009, 2010
  • Launching of Malakoff Shared Values and coordinated the planned initiatives & training for all employees.
  • Acted as Corporate Finance Executive:
  • Monitored and fulfilled the compliance for all debt covenants for interest payment, commercial papers, private placements, sinking fund accounts, trust deed and RAM rating review
  • Participated in legal and financial due diligence for Segari Energy Ventures Refinancing exercise
  • Participated in the bid submission and project financing process for Bahrain, Shoaiba and Sumatera Selatan

Education

BBA - Finance

Universiti Tenaga Nasional
Kuala Lumpur
07-2001

MBA - Enterprise Risk Management

Asia E University
Selangor
12-2018

Ph.D. - Risk Resilience

Universiti Teknologi MARA
Selangor
03-2027

Skills

  • Risk Management
  • Work Planning and Prioritization
  • Cross-functional team management
  • Stakeholder management
  • Negotiation and conflict resolution
  • Process improvement
