Statement on Risk Management and Internal Control


The Board is committed to maintaining a sound risk management and internal control framework to safeguard the stockholders’ investment as well as the Group’s assets. The Board’s Statement on Risk Management and Internal Control (“Statement”) outlines the nature and scope of the Group’s risk management and internal control during the year. The Statement also takes into consideration the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, a publication issued by Bursa Malaysia Securities Berhad (“Bursa Securities”) on the issuance of a statement about the state of risk management and internal control pursuant to Paragraph 15.26(b) of the Listing Requirements of Bursa Securities.


The Board affirms its overall responsibility for the Group’s system of risk management and internal control. This includes reviewing the adequacy and integrity of the system’s financial, operational, regulatory compliance and risk management procedures. In view of the inherent limitations in any system, the Board ensures that the risk management and internal control framework is designed to manage the Group’s key risk areas within an acceptable risk profile, rather than to eliminate the risk of non-adherence to achieve the Group’s business and corporate objectives. The Board continually reviews the framework to ensure that the risk management and internal control framework provides a reasonable but not absolute assurance against the occurrence of any material misstatement of management and financial information and records, financial losses or fraud.

The Board has established an on-going process for identifying, evaluating and managing the relevant and material risk encountered by the Group. The Board, through its Audit Committee and Risk Management Committee, regularly reviews the results of this process, including risk mitigating measures taken by Management to address key risks identified. The Board confirms that this process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Group.

The Audit Committee and Risk Management Committee assist the Board in overseeing the management of all identified material risks, including reviewing the adequacy and effectiveness of the Group’s risk management and internal control system to ensure that appropriate measures are carried out by Management to obtain the level of assurance required by the Board. For the purpose of this Statement, associated companies in the Group over which the Group does not have control are excluded.


The Board has, through its Risk Management Committee (“RMC”), established a Group risk management framework which is firmly embedded in all key processes. Management has the overall responsibility for ensuring that the day-to-day management of the Group’s activities is consistent with its risk strategy, risk appetite and policies approved by the Board. In addition, key responsibilities of the Management are to identify, evaluate, monitor and report the risks and internal control as well as provide assurance to the Board that it has done so in accordance with the adopted framework.

The Board believes that the following features of the Group’s risk management and internal control framework are integral to maintaining a sound system:-

  • formalisation of Enterprise Risk Management (“ERM”) framework with reference to global standards and better practices of ISO 31000 Risk Management Guidelines;
  • establishment of a RMC with the responsibility of identifying key risks and communicating to the Board the present and potential risks, risk changes and mitigation plans;
  • the appointment of a team of dedicated Risk Officers reporting to the RMC to coordinate ERM activities across the Group, which includes supervising policy implementation, overseeing documentation at Group level, functioning as the central contact and providing guidance on ERM issues;
  • identification of key risk indicators to monitor the risk and Management’s deployment of internal controls to manage these risks; and
  • articulation of the Group’s risk appetite and parameters (qualitative and quantitative) for the Group and individual business units so as to gauge acceptability of risk exposure.

The Risk Management Committee carried out its duties in accordance with its terms of reference during the financial year.

Highlights of the activities undertaken during the year are as follows:

  • the Risk Management Committee, with the assistance from a firm of independent consultants and Management, continues to drive the risk management activities across all business segments of the Group on risk identification, evaluation, control, monitoring and reporting;
  • Management of each company within the Group’s business segments, i.e. Automotive and related products, Hotels and resorts, Plantation, Plastic products, Investment holding, Healthcare and Investment properties and trading of building material products, identified the risks affecting their business by assessing the existing as well as emerging risks under the strategic, financial, operational and compliance categories. The Management reported the Company’s top five risks to their segment’s risk coordinator for review;
  • risk coordinators, in turn, assessed the overall risks faced by their business segments with the financial controller and the head of respective business segment/units, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans taken to manage those risks to the desired level;
  • strategic discussions have been carried out by the independent consultants with the Executive Directors, Group Chief Financial Officer and Group Accountant on the key concerns and strategic top risks identified. The main objectives are to obtain the inputs and to confirm the completeness of top concerns as well as the key management controls put in place to address the risks by respective business segment/units. These activities are also to engender continuous and proactive risk management activities within the Group;
  • compilation of the Group risk profile, considering the materiality of the business segment in relation to the Group risk parameters, with the top risks from each business segment selected by Management and feedback from Executive Directors on strategic risks, was carried out with assistance from consultants;
  • reviewed insurance risk for sufficiency of insurance coverage against any mishap that could result in material loss. Established an insurance reporting template to facilitate review on an annual basis;
  • rolled out three enterprise risk management workshops across the Group for key management personnel focusing on alignment of strategic objectives through risk awareness, risk identification and key risk indicator monitoring;
  • conducted corruption risk assessment according to the 5 principles of the Guidelines on Adequate Procedures ("GAP"), pursuant to Section 17A(5) of the Malaysian Anti-Corruption Act 2009 and any of its amendments or re-enactments;
  • established a Group Emergency Reporting framework to facilitate reporting of all life-threatening emergencies immediately to OHB Corporate Office for attention and support;
  • three (3) Risk Management Committee meetings were conducted during the year on 21 February 2019, 23 August 2019 and 26 November 2019 where the significant risks of the Group and management action plans were presented for deliberations and approval. The final Group risk profile for year 2019 was presented in February 2020, detailing the top five (5) principal risks for each business segment, based on the significance of evaluated risks to the segment’s results. Management of each segment/ company in the Group shall continue to monitor and manage all risks at their level, as appropriate;
  • the risk mitigating measures taken and/or to be taken by Management were reported and reviewed at the Risk Management Committee meetings. For each of the risks identified, the divisional head has been assigned to ensure appropriate action plans are carried out in a timely manner; and
  • the Enterprise Risk Management (“ERM”) Policy and Procedures have been updated and approved with the latest risk reporting framework, e.g. risk organisation structure, frequency and risk reporting documents for the Group.

In view of the recent outbreak of COVID-19, the Group has implemented several measures to minimize the impact of the outbreak on the business of the Group. These measures include enabling employees to work from home and providing remote access to office email, so that the day-to-day operation of the Group remains active and the Group remains in contact with its stakeholders through online meetings and email communications. On 6 April 2020, the Group Chief Financial Officer briefed the EXCO members on the need for each business segment to carry out an impact assessment and to utilise the flash report issued under the Group Risk Management Policy and Procedures to update any significant risks and impacts of COVID-19 that may cast significant doubt on any entity’s ability to continue as a going concern. The outcome of the impact assessment will be compiled and reviewed by the EXCO members collectively. In addition, meetings of the Board of Directors and the Board Committees will be conducted via virtual meeting rooms, utilizing the available technology, as and when necessary.


The Group has an in-house Internal Audit department, which provides the Board, through the Audit Committee, with independent assurance on the efficiency and effectiveness of risk management and internal control systems. The internal audit function adopts a risk-based internal audit methodology in reviewing key processes of the various business units in the Group and reports directly to the Audit Committee on the state of risk management and internal control of the various business units audited during the financial year.

The internal audit function recommends action plans to improve areas where control deficiencies are identified during the field audits. Management takes action to address the findings and concerns raised in the internal audit reports, and the internal audit function follows up on Management’s implementation of the action plans. Further details of the activities of the internal audit function are provided in the Audit Committee Report.


The key elements of the Group’s internal control system described below are relevant across the Group to provide for continuous assurance to the Management and the Board:

  • limits of authority and responsibility
    Formally defined and documented lines of responsibility and delegation of authority have been established through the relevant charters/terms of reference, organisational structures and appropriate authority limits. Hierarchical reporting is also in place to enhance the Group’s ability to achieve its strategies and operational objectives as well as provide for a documented and auditable trail of accountability;
  • planning, monitoring, reporting and safeguarding
    • established budgeting process requiring all business segments within the Group to prepare the annual budget, taking into consideration the strategic plans, capital and operating expenditure for the upcoming financial year for discussion and approval by the Executive Committee;
    • Performance Coordinating Team (“PCT”) comprising Management from each business segment, who review operational and financial Key Performance Indicators of their respective business segments and report to the EXCO quarterly in order to assist EXCO in discharging its oversight role on the Group’s activities;
    • the Audit Committee reviews the quarterly financial results and evaluates the explanations and reasons for significant unusual variances noted thereof;
    • information, which includes quarterly reports covering all key financial and operational indicators, is provided to key Management for monitoring of performance against budget and actions to be taken, where necessary; and
    • Management meetings are held regularly to identify, discuss and resolve strategic, operational, financial and key management issues.

The external auditors have reviewed this Statement on Risk Management and Internal Control pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants (“MIA”) for inclusion in the annual report of the Group for the year ended 31 December 2019, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the annual report of the Group, in all material respects:

(a) has not been prepared in accordance with the disclosures required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers; or

(b) is factually inaccurate.

AAPG 3 does not require the external auditors to consider whether the Directors’ Statement on Risk Management and Internal Control covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board of Directors and management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the annual report will, in fact, remedy the problems.


The Board is of the view that the Group’s risk management and internal control system for the year under review and as at the date of this statement is sound and sufficient to safeguard the stockholders’ investment as well as the Group’s assets. The Board recognises that the development of internal control system is an ongoing process and will continue to take appropriate action to further enhance the Group’s system of internal control.

As recommended by the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, the Board has received assurances in writing from the Executive Chairman, Group Managing Directors and Group Chief Financial Officer that the Group’s risk management and internal control system has been operating adequately and effectively, in all material aspects, during the financial year under review and up to the date of this Statement.

This statement is issued in accordance with a resolution of the Directors dated 21 May 2020.