Statement on Risk Management and Internal Control
The Board recognises the importance of a sound risk management and internal control framework to safeguard stockholders’ investment and assets of the Group. The Board’s Statement on Risk Management and Internal Control (“Statement”) outlines the nature and scope of risk management and internal control of the Group during the year. The Statement also takes into consideration the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, a publication issued by Bursa Malaysia Securities Berhad (“Bursa Securities”) on the issuance of a statement about the state of risk management and internal control pursuant to Paragraph 15.26(b) of the Listing Requirements of Bursa Securities.
The Board affirms its overall responsibility for the adequacy and effectiveness of the Group’s system of risk management and internal control (the “system”). This includes reviewing the adequacy and integrity of financial, operational and compliance controls and risk management procedures. In view of the limitations inherent in any system of risk management and internal control, the Board ensures that the risk management and internal control framework is designed to manage the Group’s key areas of risk within an acceptable risk profile, rather than to eliminate the risk of failure to achieve the Group’s business and corporate objectives. The Board continually reviews the framework to ensure that it provides reasonable but not absolute assurance against material misstatement of management and financial information and records or against financial losses or fraud.
The Board has established an on-going process for identifying, evaluating and managing the relevant and material risk encountered by the Group. The Board, through its Audit Committee and Risk Management Committee, regularly reviews the results of this process, including risk mitigating measures taken by Management to address key risks identified. The Board confirms that this process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Company.
The Audit Committee and Risk Management Committee are to assist the Board to oversee the management of all identified material risks including review of the adequacy and effectiveness of the Group’s risk management and internal control system to ensure that appropriate measures are carried out by Management to obtain the level of assurance required by the Board. For the purpose of this Statement, the associated companies in the Group over which the Group does not have control are excluded.
The Board has, through its Risk Management Committee (“RMC”), established a risk management and internal control framework that was implemented throughout the Group, which is firmly embedded in the Group’s key processes. Management has overall responsibility for ensuring that the day-to-day management of the Group’s activities is consistent with the risk strategy, including the risk appetite and policies approved by the Board. The key responsibilities of Management in respect of risk management are to identify, evaluate, monitor and report on risks and internal control as well as provide assurance to the Board that it has done so in accordance with the policies adopted by the Board. Further assurance is provided by the Internal Audit function, which operates across the Group.
The Board believes that the following key elements of the Group’s risk management framework are integral to maintaining a sound risk management and internal control system:
- establishment of the Risk Management Committee with the responsibility of identifying and communicating to the Board the key risks (present and potential) faced by the Group, their changes and management action plans to manage the risks;
- formalisation of Enterprise Risk Management (“ERM”) Policy and Procedures, which outline the risk management framework for the Group and offer practical guidance to all employees on risk management issues;
- identification of principal risks (present and potential) faced by operating units in the Group and Management’s deployment of internal controls to mitigate or manage these risks;
- articulation of the Group’s risk appetite and parameters (qualitative and quantitative) for the Group and individual business units so as to gauge acceptability of risk exposure; and
- the appointment of a dedicated Risk Officer to coordinate the ERM activities within the Group, to supervise the ERM policy implementation and documentation at Group level and to act as the central contact and guide for ERM issues within the Group.
SUMMARY OF RISK MANAGEMENT ACTIVITIES DURING THE FINANCIAL YEAR
The Risk Management Committee carried out its duties in accordance with its terms of reference during the financial year.
Highlights of the activities undertaken by the Committee are as follows:
- the Risk Management Committee, with the assistance from a firm of independent consultants and Management, continues to drive the risk management activities across all business segments of the Group on risk identification, evaluation, control, monitoring and reporting;
- management of each company within the Group’s business segments, i.e. Automotive and related products, Hotels and resorts, Plantation, Plastic products, Investment holding and financial services, Healthcare and Investment properties and trading of building material products, identified the risks affecting their business by assessing the existing as well as emerging risks under the strategic, financial, operational and compliance categories. The management reported the Company’s top five risks to their segment’s risk coordinator for review;
- risk coordinators, in turn, assessed the overall risks faced by their business segments with the financial controller and the head of respective business segment/units, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans taken to manage those risks to the desired level;
- strategic discussions have been carried out by the independent consultants with the Executive Directors, Group Chief Financial Officer and Group Accountant on the key concerns and top risks identified. The main objectives are to obtain the inputs and to confirm the completeness of top concerns as well as the key management controls put in place to address the risks by respective business segment/units. These activities are also to engender continuous and proactive risk management activities within the Group;
- the top five (5) principal risks for each business segment, based on the significance of evaluated risks to the segment’s results, were reported to the Risk Management Committee. Nonetheless, Management of each segment/company in the Group continues to monitor and manage all risks at their level, as appropriate;
- compilation of the Group risk profile, considering the materiality of the business segment in relation to the Group risk parameters, with the top risks from each business segment selected by Management and feedback from Executive Directors on strategic risks, was carried out with assistance from consultants;
- two (2) Risk Management Committee meetings were conducted during the year on 7 April 2017 and 21 November 2017 where the significant risks of the Group and management action plans were presented for deliberations and approval. On 21 November 2017, the outcome from the interim review of 2017 risk profiles was presented and the Risk Management Committee has provided feedback on the significant risks and action plans for Management’s further considerations and actions. The Management is required to update the top risks and management action plans in the subsequent meeting;
- on 1 March 2018, the top risks for the Group were presented to the Risk Management Committee for further deliberations;
- the risk mitigating measures taken and/or to be taken by Management were reported and reviewed at the Risk Management Committee meetings. For each of the risks identified, the divisional head has been assigned to ensure appropriate action plans are carried out in a timely manner; and
- the Enterprise Risk Management (“ERM”) Policy and Procedures have been updated and approved with the latest risk reporting framework, e.g. risk organisation structure, frequency and risk reporting documents for the Group.
Whilst the Board considers the risk management framework to be robust to meet the Group’s needs, it will still subject the framework to continuous improvement, taking into consideration better practices and the changing business environment.
INTERNAL AUDIT FUNCTION
The Group has an in-house Internal Audit department, which provides the Board, through the Audit Committee, with independent assurance on the efficiency and effectiveness of risk management and internal control systems. The internal audit function adopts a risk-based internal audit methodology in reviewing key processes of the various business units in the Group and reports directly to the Audit Committee on the state of risk management and internal control of the various business units audited during the financial year.
The internal audit function will recommend action plans to improve on areas where control deficiencies are identified during the field audits. Action plans are taken by Management to address the findings and concerns raised in the internal audit reports, and the internal audit function will follow up on Management’s implementation of action plans. Further details of the activities of the internal audit function are provided in the Audit Committee Report.
The key elements of the Group’s internal control system described below are relevant across the Group to provide for continuous assurance to the Management and the Board:
- limits of authority and responsibility
Formally defined and documented lines of responsibility and delegation of authority have been established through the relevant charters/terms of reference, organisational structures and appropriate authority limits. Hierarchical reporting is also in place to enhance the Group’s ability to achieve its strategies and operational objectives as well as provide for a documented and auditable trail of accountability;
- planning, monitoring, reporting and safeguarding
  - established budgeting process requiring all business segments within the Group to prepare the annual budget, taking into consideration the strategic plans, capital and operating expenditure for the upcoming financial year for discussion and approval by the Executive Committee;
  - Performance Coordinating Team (“PCT”) comprising Senior Management from each business segment who reviews operational and financial Key Performance Indicators of their respective business segments and reports to the EXCO quarterly in order to assist EXCO in discharging their oversight role on the Group’s activities;
  - the Audit Committee reviews the quarterly financial results and evaluates the explanations and reasons for significant unusual variances noted thereof;
  - information, which includes quarterly reports covering all key financial and operational indicators, is provided to key Management for monitoring of performance against budget and actions to be taken, where necessary; and
  - Management meetings are held regularly to identify, discuss, and resolve strategic, operational, financial and key management issues.
REVIEW OF THIS STATEMENT BY EXTERNAL AUDITORS
The external auditors have reviewed this Statement on Risk Management and Internal Control pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants (“MIA”) for inclusion in the annual report of the Group for the year ended 31 December 2017, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the annual report of the Group, in all material respects:
(a) has not been prepared in accordance with the disclosures required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers; or
(b) is factually inaccurate.
AAPG 3 does not require the external auditors to consider whether the Directors’ Statement on Risk Management and Internal Control covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board of Directors and management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the annual report will, in fact, remedy the problems.
REVIEW BY THE BOARD
The Board is of the view that the Group’s risk management and internal control system for the year under review and as at the date of this statement is adequate and effective to safeguard the stockholders’ investment and the Group’s assets. The Board recognises that the development of the internal control system is an ongoing process and will continue to take appropriate action to further enhance the Group’s system of internal control.
As recommended by the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, the Board has received assurances in writing from the Executive Chairman, Group Managing Directors and Group Chief Financial Officer that the Group’s risk management and internal control system has been operating adequately and effectively, in all material aspects, during the financial year under review and up to the date of this Statement.
This statement is issued in accordance with a resolution of the Directors dated 9 April 2018.