Statement on Risk Management and Internal Control
The Board of Directors (“Board”) of Oriental Holdings Berhad (“OHB” or “the Company”) is committed to maintaining a sound risk management and internal control framework to safeguard the stockholders’ investment as well as the Group’s assets. The Board’s Statement on Risk Management and Internal Control (“Statement”) outlines the nature and scope of the Group’s (OHB and subsidiaries, collectively) risk management and internal control during the financial year ended 31 December 2021 (“FY2021”). The Statement also takes into consideration the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers (“Guidelines”), a publication issued by Bursa Malaysia Securities Berhad (“Bursa Securities”) on the issuance of a statement about the state of risk management and internal control pursuant to Paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Securities.
The Board affirms its overall responsibility for the Group in maintaining a sound system of risk management and internal control. This includes reviewing the adequacy and integrity of the system’s financial, operational, regulatory compliance and risk management procedures. In view of the inherent limitations in any system, the Board ensures that the risk management and internal control framework is designed to manage the Group’s key risk areas within an acceptable risk profile, rather than to eliminate the risk of non-adherence to achieve the Group’s business and corporate objectives. The Board continually reviews the framework to ensure that the risk management and internal control framework provides a reasonable but not absolute assurance against the occurrence of any material misstatement of management and financial information and records, financial losses or fraud.
The Board has established an on-going process for identifying, evaluating and managing the relevant and material risk encountered by the Group. The Board, through its Audit Committee and Risk Management Committee (“RMC”), regularly reviews the results of this process, including risk mitigating measures taken by Management to address key risks identified. The Board confirms that this process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Group.
The Audit Committee and Risk Management Committee are to assist the Board to oversee the management of all identified material risks including review of the adequacy and effectiveness of the Group’s risk management and internal control system to ensure that appropriate measures are carried out by Management to obtain the level of assurance required by the Board. Excluded from this Statement are those associated companies in which the Group does not have control.
The Board has, through the RMC, established a Group risk management framework which is firmly embedded in all key processes. Management has the overall responsibility for ensuring that the day-to-day management of the Group’s activities is consistent with its risk strategy, risk appetite and policies approved by the Board. In addition, key responsibilities of the Management are to identify, evaluate, monitor and report the risks and internal control as well as provide assurance to the Board that it has done so in accordance with the adopted framework.
The Board believes that the following features of the Group’s risk management and internal control framework are integral to maintaining a sound system:
- formalisation of Enterprise Risk Management (“ERM”) framework with reference to global standards and better practices of ISO 31000 Risk Management Guidelines;
- establishment of the RMC with the responsibility of identifying key risks and communicating to the Board the present and potential risks, risk changes and mitigation plans;
- the appointment of a team of dedicated Risk Officers reporting to the RMC to coordinate ERM activities across the Group, which includes supervising policy implementation, overseeing documentation at Group level, functioning as the central contact and providing guidance for ERM issues;
- identification of key risk indicators to monitor the risk and Management’s deployment of internal controls to manage these risks; and
- articulation of the Group’s risk appetite and parameters (qualitative and quantitative) for the Group and individual business units so as to gauge acceptability of risk exposure.
SUMMARY OF RISK MANAGEMENT ACTIVITIES DURING THE FINANCIAL YEAR
The Risk Management Committee carried out its duties in accordance with its terms of reference during the financial year.
Highlights of the activities undertaken during the year are as follows:
- the RMC, with the assistance from a firm of independent consultants and Management, continues to drive the risk management activities across all business segments of the Group on risk identification, evaluation, control, monitoring and reporting;
- Management of each company within the Group’s business segments, i.e. Automotive and related products, Hotels and resorts, Plantation, Plastic products, Investment holding, Healthcare and Investment properties and trading of building material products, identified the risks affecting their business by assessing the existing as well as emerging risks under the strategic, financial, operational and compliance categories. The Management reported the Company’s top five (5) risks and four (4) featured risks (including Pandemic risk, Corruption risk, IT risk and Regulatory compliance risk) to their segment’s risk coordinator for review;
- risk coordinators, in turn, assessed the overall risks faced by their business segments with the financial controller and the head of respective business segment/units, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans taken to manage those risks to the desired level;
- strategic discussions have been carried out by the independent consultants with the Executive Directors, RMC Chairman, Group Chief Financial Officer and Group Accountant on the key concerns and strategic top risks identified. The main objectives are to obtain the inputs and to confirm the completeness of top concerns as well as the key management controls put in place to address the risks by respective business segment/units. These activities are also to engender continuous and proactive risk management activities within the Group;
- compilation of the Group risk profile, considering the materiality of the business segment in relation to the Group risk parameters, with the top risks from each business segment selected by Management and feedback from Executive Directors on strategic risks, was carried out with assistance from consultants;
- reviewed corruption risk and controls as part of the Group ERM annual update;
- conducted one (1) virtual ERM briefing across the Group on 1 July 2021 for Key Management personnel focusing on alignment of strategic objectives through risk awareness, risk identification and key risk indicator monitoring;
- two (2) RMC meetings were conducted during the year on 24 February 2021 and 22 November 2021 where the significant risks of the Group and management action plans were presented for deliberations and approval. The final Group risk profile for year 2021 was presented in February 2022, detailing the top eight (8) principal risks of the Group and the top eight (8) or nine (9) principal risks of each business segment, based on the significance of evaluated risks to the segment’s results. Management of each segment/company in the Group shall continue to monitor and manage all risks at their level, as appropriate;
- the risk mitigating measures taken and/or to be taken by Management were reported and reviewed at the RMC meetings. For each of the risks identified, the segmental head has been assigned to ensure appropriate action plans are carried out in a timely manner; and
- the ERM Policy and Procedures have been updated and approved with the latest risk reporting framework, e.g. risk organisation structure, frequency and risk reporting documents for the Group.
Whilst the Board considers the risk management framework to be robust to meet the Group’s needs, it will still subject the framework to continuous improvement, taking into consideration better practices and the changing business environment.
In view of the critical global health crisis, the Board and the Group’s Management proactively monitor and manage the impact to businesses and operations arising from the COVID-19 pandemic. In this respect, the Group actively engages with customers, suppliers, and other stakeholders to minimise movement disruptions. Various safety and health measures were implemented. The Group has in place business continuity plans to provide adequate support for its business and employees, and introduced new working arrangements for business continuity.
INTERNAL AUDIT FUNCTION
The Group has an in-house Internal Audit function, which provides the Board, through the Audit Committee, with independent assurance on the efficiency and effectiveness of governance, risk management and internal control systems. The Internal Audit function adopts a risk-based internal audit methodology in reviewing key processes of the various business units in the Group and reports directly to the Audit Committee on the state of risk management and internal control of the various business units audited during the financial year.
The Internal Audit function will perform root cause analysis and recommend action plans to improve on areas where control deficiencies are identified during the field audits. Action plans are taken by Management to address the findings and concerns raised in the Internal Audit reports, and the Internal Audit function will follow up on the Management’s implementation of action plans. Further details of the activities of the Internal Audit function are provided in the Audit Committee Report.
The key elements of the Group’s internal control system described below are relevant across the Group to provide for continuous assurance to the Management and the Board:
- limits of authority and responsibility
Formally defined and documented lines of responsibility and delegation of authority have been established through the relevant charters/terms of reference, organisational structures and appropriate authority limits. Hierarchical reporting is also in place to enhance the Group’s ability to achieve its strategies and operational objectives as well as provide for a documented and auditable trail of accountability;
- planning, monitoring, reporting and safeguarding
  - established budgeting process requiring all business segments within the Group to prepare the annual budget, taking into consideration the strategic plans, capital and operating expenditure for the upcoming financial year for discussion and approval by the Executive Committee ("EXCO");
  - Performance Coordinating Team (“PCT”) comprising Management from each business segment who reviews operational and financial Key Performance Indicators of their respective business segments and reports to the EXCO quarterly in order to assist EXCO in discharging their oversight role on the Group’s activities;
  - the Audit Committee reviews the quarterly financial results and evaluates the explanations and reasons for significant unusual variances noted thereof;
  - information, which includes quarterly reports covering all key financial and operational indicators, is provided to Key Management for monitoring of performance against budget and actions to be taken, where necessary; and
  - Management meetings are held regularly to identify, discuss and resolve strategic, operational, financial and key Management issues.
REVIEW OF THIS STATEMENT BY EXTERNAL AUDITORS
The External Auditors have reviewed this Statement on Risk Management and Internal Control pursuant to the scope set out in the Audit and Assurance Practice Guide ("AAPG") 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants (“MIA”) for inclusion in the Annual Report of the Group for the year ended 31 December 2021, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the Annual Report of the Group, in all material respects:
(a) has not been prepared in accordance with the disclosures required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers; or
(b) is factually inaccurate.
AAPG 3 does not require the External Auditors to consider whether this Statement covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board and Management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the Annual Report will, in fact, remedy the problems.
REVIEW BY THE BOARD
The Board is of the view that the Group’s risk management and internal control system for the year under review and as at the date of this Statement for inclusion in the Annual Report is sound and sufficient to safeguard the stockholders’ investment as well as the Group’s assets. The Board recognises that the development of internal control system is an ongoing process and will continue to take appropriate action to further enhance the Group’s system of internal control.
As recommended by the Guidelines, the Board has received assurances in writing from the Executive Chairman, Group Managing Directors and Group Chief Financial Officer that the Group’s risk management and internal control system has been operating adequately and effectively, in all material aspects, during the financial year under review and up to the date of this Statement.
This statement is issued in accordance with a resolution of the Directors dated 25 April 2022.