Statement on Risk Management and Internal Control
INTRODUCTION
The Board of Directors of Oriental Holdings Berhad ("OHB" or "Company") ("Board") is pleased to provide this Statement on Risk Management and Internal Control ("SORMIC") which outlines the nature and scope of the Group's (collectively, OHB and its subsidiaries) risk management and internal control systems for the financial year ended 31 December 2025 (“FY2025”).
This SORMIC has been prepared in accordance with Paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad, Part II of Principle B of the Malaysian Code on Corporate Governance (“MCCG”), and the SORMIC Guide 2025: Guidelines for Directors of Listed Companies (“Guidelines”). The primary purpose of this Statement is to assist stockholders in understanding how the Board discharges its responsibilities in respect of governance, risk management, and internal control, and how these systems support the achievement of the Group’s strategies, objectives, and sustainable value creation.
The scope of this Statement covers the Group. It does not extend to associates or joint ventures, as the Board does not have direct control over their operations and risk management practices. Nevertheless, the Board ensures that appropriate governance structures are in place to safeguard the Group’s interests in these entities.
Certain disclosures within this Statement may be presented in general terms where the information is commercially sensitive, while still providing stakeholders with sufficient assurance on the effectiveness of the Group’s risk management and internal control systems.
BOARD’S RESPONSIBILITY
The Board affirms its overall responsibility for establishing, maintaining and reviewing the adequacy and effectiveness of the Group’s governance, risk management and internal control systems. The Board acts as the active risk steward, ensuring that risk management and internal control systems support the achievement of strategic objectives while safeguarding stockholders’ interests and the Group’s assets.
The Board has established an ongoing process for identifying, evaluating, and managing the Group’s material risks, including emerging risks such as climate change and cybersecurity. It provides leadership and oversight of the Group’s governance, risk management, and internal control framework by setting clear roles and delegated authority, defining the Group’s risk appetite, and ensuring that principal and emerging risks are managed in alignment with the Group’s strategies and long-term sustainability objectives.
The Board has delegated the oversight of the risk management and internal control systems to its Audit Committee (“AC”) and Risk Management and Sustainability Committee (“RMSC”). In discharging its responsibilities, the Board regularly reviews the results of this process, including risk-mitigating measures taken by Management to address key risks. This includes reviewing the adequacy and effectiveness of the Group’s financial, operational, regulatory compliance and risk management procedures. The AC oversees assurance arrangements, engaging with internal and external auditors to support effective monitoring. The RMSC is tasked with reviewing the Group’s risk and sustainability management system, processes, and strategies, including the identification and management of material climate-related risks and opportunities. Through this structured approach, the Board ensures that risk-mitigating measures are implemented, controls remain effective, and continuous improvement is achieved via periodic reassessment of risk appetite, integration of sustainability considerations, and proactive review of emerging risks.
The Board affirms that this process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Group. Nevertheless, the Board acknowledges that risk management and internal control systems have inherent limitations. These systems are designed to manage risks within tolerance levels, not to eliminate them entirely. Accordingly, these systems provide reasonable, but not absolute, assurance against material misstatement, financial losses, fraud and breaches of laws or regulations.
RISK MANAGEMENT
The Senior Management, RMSC and Board recognise that risk management is an integral part of business management. Risk management is embedded into the process of objective setting, the Organisation’s culture, performance optimisation, decision-making and long‑term value creation.
In this regard, the Group has established the Group’s Enterprise Risk Management (“ERM”) framework, which applies to all subsidiaries within the Group and clearly defines risk management ownership. The Group’s ERM framework is adapted from the International Organisation for Standardisation (“ISO”) 31000 International Risk Management Standards. Key elements of the framework are to:
- establish risk management strategy and policy across all business segments of the Group;
- define risk organisation structure, governance, roles and responsibilities for the individuals and risk management units;
- set the process for risk identification, evaluation, mitigating controls, monitoring and reporting;
- align the Group’s risk appetite and parameters (qualitative and quantitative);
- ensure appropriate skills, resources and system infrastructure are in place for risk management; and
- promote strong risk management culture, practices and processes.
The framework is reviewed regularly by Key Senior Management and the RMSC. The updated ERM policy was approved by the Board on 16 April 2026. Any updates are communicated to relevant employees through formal briefings. Sustainability risks, including climate-related risks, are explicitly included in the Board’s risk oversight responsibilities. The Group has integrated the processes of identifying, assessing, and managing climate-related risks and opportunities (“CRRO”) into the overall ERM framework.
This includes conducting scenario analysis to assess the potential implications of transition and physical risks on the Group’s strategy, operations and financial performance.
While the Board is responsible for creating a risk awareness culture and is accountable for overall risk management, responsibility for day-to-day risk management is embedded at all levels of the Group.
The RMSC, chaired by an independent director, is responsible for identifying key risks and communicating to the Board the present and potential risks, risk changes and mitigation plans, while Management has the overall responsibility for ensuring that the day-to-day management of the Group’s activities is consistent with its risk strategy, risk appetite and policies approved by the Board. Management demonstrates, through its actions as well as its policies, the necessary commitment to competence, integrity and fostering a climate of trust within the organisation. A dedicated team of Risk Officers coordinates ERM activities across the Group, which includes supervising policy implementation, overseeing documentation at Group level, functioning as the central contact and providing guidance on ERM matters.
The Group’s risk management governance is supported by a formal risk organisational structure, operationalised through the Three Lines Model, as illustrated below and established to ensure effective risk management.
The Group is guided by the following risk management policy:
- to weigh business decisions against the philosophy that business risks would be deliberately incurred if the associated rewards are expected to enhance OHB Group’s shareholder value;
- to ensure risks which may have a significant impact upon OHB Group are identified in a manner which would result in their expeditious treatment;
- to provide reasonable assurance to OHB Group’s stakeholders that the probability of attaining OHB Group’s objectives would be enhanced by the establishment of an ERM framework;
- to establish an environment or platform whereby risk management activities may be effectively undertaken;
- to manage risks by adopting best practice methodologies for the identification, analysis, evaluation, reporting, treatment and monitoring of risks; and
- to provide an assurance regarding the extent of OHB Group’s compliance with regulatory requirements and the policies and guidelines contained within this document.
SUMMARY OF RISK MANAGEMENT ACTIVITIES DURING THE FINANCIAL YEAR
The Group maintains a register of key risks, together with corresponding mitigating activities and risk ratings, grouped according to the nature of the risk, which has been presented to the Board.
Throughout the financial year, the main risk management activities reported to RMSC were:
- RMSC reviewed the risk management strategy and approach with independent consultants prior to implementation;
- independent consultant conducted one (1) briefing session covering the ERM, CRRO and Corruption Risk Management reporting process across the Group with Management-identified personnel. This session served as the formal kick-off for the Group’s risk management activities and reinforced the Group’s approach to defining risk appetite and parameters, identifying key risks, and monitoring key risk indicators to strengthen governance and support sustainable value creation;
- Risk Officers together with the financial controller and the head of respective business segments/units in turn, assessed the overall risks faced by their business segments, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans taken to manage those risks to the desired level;
- strategic discussions were carried out by the independent consultants with the Executive Directors, RMSC Chairman, Group Chief Financial Officer and Group Accountant on key business and strategic level risks. This process aims to gather high level inputs and to identify key controls and action plans to address the risks faced by respective business segments/units. These activities are also to engender continuous and proactive risk management activities within the Group;
- convened two (2) RMSC meetings on 24 February 2025 and 19 November 2025 where significant risks of the Group and management action plans were presented for deliberation and approval. The Committee received and reviewed the bi-annual risk management reports for on-going monitoring and reported to the Board any significant issues arising from the risk management activities, including key risk profiles and corresponding mitigating actions taken by the Group. The Senior Management, RMSC and Board are aware of high-risk areas in the operations and strategies of the Group. The risk report summarises the following:
- - top five (5) business risks identified by each business segment and overall risks as a Group;
- - top three (3) climate-related risks identified by each business segment and overall risks as a Group;
- - top three (3) climate-related opportunities identified by each business segment and overall opportunities as a Group;
- - top three (3) corruption risks identified by each business segment and overall risks as a Group;
- - key action plans to address the top risks;
- - insurance coverage and business continuity/disaster management;
- - cash transactions in the form of collection and payment;
- - results of key risk indicators for each risk on a quarterly basis as an early warning mechanism to alert Management, RMSC and Board to significant changes in risk levels; and
- - mitigating actions taken by Management of each company to reduce the likelihood of a risk materialising.
All discussions or deliberations at the Board and RMSC meeting in relation to the company’s risk management activities are properly recorded and minuted by the Company Secretary.
Whilst the Board considers the risk management framework to be robust to meet the Group’s needs, it will still subject the framework to continuous improvement, taking into consideration better practices and the changing business environment.
INTERNAL AUDIT FUNCTION
The Group has an in-house Internal Audit function, which provides the Board, through the AC, with independent assurance on the efficiency and effectiveness of governance, application of the policies, processes, risk management and internal control systems. The Internal Audit function adopts the International Professional Practices Framework (“IPPF”) issued by The Institute of Internal Auditors and applies a risk-based internal audit methodology in reviewing key processes of the various business units in the Group, reporting directly to the AC on the state of risk management and internal control of the various business units audited during the financial year.
Mr. Choo Mun Yew (“Mr. Choo”) is the Head of Internal Audit of OHB, a post he has held since joining the Company in October 2001. Prior to joining the Company, Mr. Choo had diverse experience in external and internal audit as well as accounting positions. He started his career with an international accounting firm for eight years and later a local banking institution for four years. Mr. Choo was also a member of an internal audit team responsible for the audit of Asia Pacific operations of a global multinational corporation prior to joining the Company. Mr. Choo is currently a member of the Malaysian Institute of Accountants (“MIA”) and the Malaysian Institute of Certified Public Accountants (“MICPA”), as well as a chartered member of The Institute of Internal Auditors Malaysia (“IIAM”).
All members of the Internal Audit function provide an annual declaration of adherence to the Code of Ethics and Professional Conduct, confirming their compliance with all applicable Company policies.
The Internal Audit function conducts an annual review and periodic testing of the Group’s internal control and risk management framework. The Internal Audit function performs root cause analysis and recommends action plans to improve areas where control deficiencies are identified during field audits. Action plans are taken by Management to address the findings and concerns raised in the Internal Audit reports, and the Internal Audit function follows up on Management’s implementation of these action plans. Further details of the activities of the Internal Audit function are provided in the AC Report.
The AC has reviewed the Group Internal Audit Plan, which comprises the Internal Audit function’s budget and the experience profile of the Internal Audit team members. This review was conducted to ensure that the person responsible for internal audit has the relevant experience, sufficient standing, and authority to discharge their duties effectively; that the Internal Audit function has adequate resources and access to information to perform its role; and that the personnel assigned to Internal Audit possess the necessary competency, experience, and resources to carry out the function effectively.
During the financial year under review, the Internal Audit function executed its risk-based annual audit plan, which included evaluating the effectiveness and integration of ERM practices of 24 selected subsidiaries’ operations to ensure alignment with best practices and strategic objectives of the Group. Audit findings and the status of management action plans were reported to the AC on a regular basis. In addition, follow-up reviews on Management’s action plans and continuous improvement initiatives arising from previously raised internal audit findings were conducted and reported to AC to ensure effective monitoring.
In addition, cybersecurity and data protection risks are recognised as significant emerging risks. Controls over information systems, data security and access management are implemented and reviewed periodically. In 2025, Internal Audit reviewed the IT internal controls for a subsidiary, with findings reported to the AC and remediation actions monitored by Management.
The AC has reviewed the performance of the in-house Internal Audit function and is satisfied with its performance based on the work performed and reports presented to the Committee. Notwithstanding this, the AC recognises that there are areas for continuous improvement and expects the Internal Audit function to continue enhancing its capabilities to better support the AC in overseeing the Group’s internal controls and risk management processes and systems.
INTERNAL CONTROL
The key elements of the Group’s internal control system as described below are relevant across the Group to provide for continuous assurance to the Management and the Board:
- limits of authority and responsibility
Formally defined and documented lines of responsibility and delegation of authority have been established through the relevant charters/terms of reference, organisational structures and appropriate authority limits. Hierarchical reporting is also in place to enhance the Group’s ability to achieve its strategies and operational objectives as well as provide for a documented and auditable trail of accountability;
- planning, monitoring, reporting and safeguarding
- - established budgeting process requiring all business segments within the Group to prepare the annual budget, taking into consideration the strategic plans, capital and operating expenditure for the upcoming financial year for discussion and approval by the Executive Committee (“EXCO”);
- - Performance Coordinating Team (“PCT”) comprising Management from each business segment reviews operational and financial Key Performance Indicators of their respective business segments and reports to the EXCO quarterly in order to assist EXCO in discharging their oversight role on the Group’s activities;
- - the AC reviews the quarterly financial results and evaluates the explanations and reasons for significant unusual variances noted thereof;
- - information, which includes quarterly reports covering all key financial and operational indicators, is provided to Management for monitoring of performance against budget and actions to be taken, where necessary; and
- - Management meetings are held regularly to identify, discuss and resolve strategic, operational, and financial issues.
- policies and procedures
Internal policies, standards, and procedures have been established to support compliance with internal control requirements and applicable laws and regulations. These documents are periodically reviewed and updated to ensure they remain current, relevant, and aligned with regulatory and operational changes. These include, but are not limited to, the following key policies and frameworks:
- - established code of conduct to promote a strong ethical culture and sound control environment which sets out standards on integrity, professionalism, legal compliance, conflicts of interest, anti-bribery, confidentiality and proper use of Company assets. All Directors, managers and employees are required to provide an annual declaration of adherence, confirming compliance with the Code of Ethics and all applicable Company policies. Ethical standards are extended to key business partners through a Supplier Code of Conduct, which covers legal compliance, anti-bribery and corruption, human rights, labour practices, health and safety and environmental responsibility. Key suppliers are required to acknowledge and adhere to this Code as part of the Group’s supplier governance framework. These measures support the Board’s commitment to integrity, accountability and responsible business conduct across the Group and its supply chain, and form a key component of the Group’s system of internal control;
- - established a whistleblowing channel to allow employees and external stakeholders to report concerns relating to unethical conduct, breaches of laws or regulations, and weaknesses in internal controls; and
- - established business continuity plans, supported by divisional contingency arrangements and a Corporate Emergency Reporting Framework that establishes escalation protocols for major incidents to ensure timely management and Board-level response.
- Approval of the Annual Internal Audit Plan
Internal audit activities are undertaken in accordance with the annual risk‑based internal audit plan, which is reviewed and approved by the AC and incorporates feedback from Executive Directors. For the financial year under review, the AC approved the plan covering identified priority areas, and periodic testing and evaluation of internal controls were carried out to assess their adequacy and effectiveness.
REVIEW OF THIS STATEMENT BY EXTERNAL AUDITORS
The External Auditors have reviewed this Statement pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the Annual Report, issued by the Malaysian Institute of Accountants, for inclusion in the Annual Report of the Group for the year ended 31 December 2025, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the Annual Report of the Group, in all material respects:
(a) has not been prepared in accordance with the disclosures required by Section 7 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers; or
(b) is factually inaccurate.
AAPG 3 does not require the External Auditors to consider whether this Statement covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board and Management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the Annual Report will, in fact, remedy the problems.
REVIEW BY THE BOARD
As recommended by the Guidelines, the Board has received assurances in writing from the Executive Chairman, Group Managing Director, Deputy Group Managing Director, Executive Director and Group Chief Financial Officer that the Group’s risk management and internal control system has been operating adequately and effectively, in all material respects, during the financial year under review and up to the date of this Statement.
Having regard to these assurances, the Board is of the view that the Group’s risk management and internal control system for the year under review and as at the date of this Statement for inclusion in the Annual Report is sound and sufficient to safeguard the stockholders’ investment as well as the Group’s assets. The Board recognises that the identification, evaluation and management of risks, as well as the development of the internal control system, are ongoing processes and will continue to take appropriate action to further enhance the Group’s system of internal controls.
This statement is issued in accordance with a resolution of the Directors dated 24 April 2026.