
Statement on Risk Management and Internal Control


The Board of Directors (“Board”) of Oriental Holdings Berhad (“OHB” or “the Company”) is pleased to provide this Statement on Risk Management and Internal Control which outlines the nature and scope of the Group’s risk management and internal controls for the financial year ended 31 December 2023 (“FY2023”). This statement is prepared in accordance with paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad and Principle B of the Malaysian Code on Corporate Governance 2021, with guidance from the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers (“Guidelines”).


The Board takes overall responsibility for oversight and is committed to maintaining a sound system of internal controls and effective risk management practices. The Board has established an on-going process for identifying, evaluating and managing the relevant and material risks of the Group. In discharging its responsibilities, the Board, through its Audit Committee (“AC”) and Risk Management Committee (“RMC”), regularly reviews the results of this process, including risk mitigating measures taken by Management to address key risks. This includes reviewing the adequacy and integrity of the system’s financial, operational, regulatory compliance and risk management procedures.

The Board affirms that this process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Group.

The risk management and internal controls system is designed to manage and mitigate risks with significant adverse impact on the achievement of OHB’s business objectives and therefore, can only provide a reasonable and not absolute assurance against material misstatements, financial losses or fraud. Excluded from this Statement are those associated companies in which the Group does not have control.


The Group’s Enterprise Risk Management (“ERM”) framework is adapted from the International Organization for Standardization 31000 International Risk Management Standards. Key elements of the framework are to:

  • establish risk management strategy and policy across all business segments of the Group;
  • define risk organisation structure, governance, roles and responsibilities for the individuals and risk management units;
  • set the process for risk identification, evaluation, mitigating controls, monitoring and reporting;
  • align the Group’s risk appetite and parameters (qualitative and quantitative);
  • ensure appropriate skills, resources and system infrastructure are in place for risk management; and
  • promote strong risk management culture, practices and processes.

While the Board is responsible for creating a risk awareness culture and is accountable for overall risk management, responsibility for day-to-day risk management is embedded in all levels of the Group.

The RMC is responsible for identifying key risks and communicating to the Board the present and potential risks, risk changes and mitigation plans, while the Management has the overall responsibility for ensuring that the day-to-day management of the Group’s activities is consistent with its risk strategy, risk appetite and policies approved by the Board. A dedicated team of Risk Officers coordinates ERM activities across the Group, which include supervising policy implementation, overseeing documentation at Group level, functioning as the central contact and providing guidance for ERM matters.

The Group is guided by the following risk management policy:

  • to weigh business decisions against the philosophy that business risks would be deliberately incurred if the associated rewards are expected to enhance OHB Group’s shareholder value;
  • to ensure risks which may have a significant impact upon OHB Group are identified in a manner which would result in their expeditious treatment;
  • to provide reasonable assurance to OHB Group’s stakeholders that the probability of attaining OHB Group’s objectives would be enhanced by the establishment of an ERM framework;
  • to establish an environment or platform whereby risk management activities may be effectively undertaken;
  • to manage risks by adopting best practice methodologies for the identification, analysis, evaluation, reporting, treatment and monitoring of risks; and
  • to provide an assurance regarding the extent of OHB Group’s compliance with regulatory requirements and the policies and guidelines contained within this document.

The Group maintains a register of key risks together with corresponding mitigating activities and risk ratings which are grouped according to the nature of the risk. These have been presented to the Board. The table below summarises the Group’s top 5 key risks which are inherent and typical to its business nature:

The main activities undertaken by RMC during the financial year were:

  • reviewed the risk management strategy and approach with independent consultants prior to implementation;
  • conducted two (2) risk awareness briefings across the Group with Management personnel to kick off the ERM activity and to align the strategic objectives through risk awareness, risk identification and key risk indicator monitoring;
  • Risk Officers together with the financial controller and the head of respective business segments/units in turn, assessed the overall risks faced by their business segments, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans taken to manage those risks to the desired level;
  • strategic discussions were carried out by the independent consultants with the Executive Directors, RMC Chairman, Group Chief Financial Officer and Group Accountant on key business and strategic level risks. This process aims to gather high level inputs and to identify key controls and action plans to address the risks faced by respective business segments/units. These activities are also to engender continuous and proactive risk management activities within the Group;
  • convened two (2) RMC meetings on 27 February 2023 and 22 November 2023 where significant risks of the Group and management action plans were presented for deliberations and approval. The Committee received and reviewed the bi-annual risk management reports for on-going monitoring and report to the Board any significant issues arising from the risk management activities including corresponding mitigating actions taken by the Group. The risk report summarises the following:
    • key action plans to address the top risks;
    • anti-bribery and anti-corruption risks relating to the Group;
    • insurance coverage and business continuity/disaster management;
    • results of key risk indicators for each risk on quarterly basis; and
    • mitigating actions taken by Management of each company to reduce the likelihood of a risk materialising.
  • the risk mitigating measures taken and/or to be taken by Management were reported and reviewed at the RMC meetings. For each of the risks identified, the segmental head has been assigned to ensure appropriate action plans are carried out in a timely manner.

Whilst the Board considers the risk management framework to be robust to meet the Group’s needs, it will still subject the framework to continuous improvement, taking into consideration better practices and the changing business environment.


    The Group has an in-house Internal Audit function, which provides the Board, through the AC, with independent assurance on the efficiency and effectiveness of governance, risk management and internal control systems. The Internal Audit function adopts a risk-based internal audit methodology in reviewing key processes of the various business units in the Group and reporting directly to AC on the state of risk management and internal control of the various business units audited during the financial year.

    The Internal Audit function will perform root cause analysis and recommend action plans to improve on areas where control deficiencies are identified during the field audits. Action plans are taken by Management to address the findings and concerns raised in the Internal Audit reports and Internal Audit function will follow up on the Management’s implementation of action plans. Further details of the activities of the Internal Audit function are provided in the Audit Committee Report.


    The key elements of the Group’s internal control system as described below are relevant across the Group to provide for continuous assurance to the Management and the Board:

    • limits of authority and responsibility
      Formally defined and documented lines of responsibility and delegation of authority have been established through the relevant charters/terms of reference, organisational structures and appropriate authority limits. Hierarchical reporting is also in place to enhance the Group’s ability to achieve its strategies and operational objectives as well as provide for documented and auditable trail of accountability;
    • planning, monitoring, reporting and safeguarding
      - established budgeting process requiring all business segments within the Group to prepare the annual budget, taking into consideration the strategic plans, capital and operating expenditure for the upcoming financial year for discussion and approval by the Executive Committee (“EXCO”);
      - Performance Coordinating Team (“PCT”) comprising Management from each business segment reviews operational and financial Key Performance Indicators of their respective business segments and reports to the EXCO quarterly in order to assist EXCO in discharging their oversight role on the Group’s activities;
      - the AC reviews the quarterly financial results and evaluates the explanations and reasons for significant unusual variances noted thereof;
      - information, which includes quarterly reports covering all key financial and operational indicators, is provided to Management for monitoring of performance against budget and actions to be taken, where necessary; and
      - Management meetings are held regularly to identify, discuss and resolve strategic, operational, and financial issues.

    The External Auditors have reviewed this Statement pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants for inclusion in the Annual Report of the Group for the year ended 31 December 2023, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the Annual Report of the Group, in all material respects:

    (a) has not been prepared in accordance with the disclosures required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers; or

    (b) is factually inaccurate.

    AAPG 3 does not require the External Auditors to consider whether this Statement covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board and Management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the Annual Report will, in fact, remedy the problems.


    As recommended by the Guidelines, the Board has received assurances in writing from the Executive Chairman, Group Managing Directors and Group Chief Financial Officer that the Group’s risk management and internal control system has been operating adequately and effectively, in all material aspects, during the financial year under review and up to the date of this Statement.

    Having regard to the assurances, the Board is of the view that the Group’s risk management and internal control system for the year under review and as at the date of this Statement for inclusion in the Annual Report is sound and sufficient to safeguard the stockholders’ investment as well as the Group’s assets. The Board recognises that the development of the internal control system is an ongoing process and will continue to take appropriate action to further enhance the Group’s system of internal control.

    This statement is issued in accordance with a resolution of the Directors dated 25 April 2024.