Statement on Risk Management and Internal Control


The Board of Directors (“Board”) of Oriental Holdings Berhad (“OHB” or “the Company”) is committed to maintaining a sound risk management and internal control framework to safeguard the stockholders’ investment as well as the Group’s (OHB and subsidiaries, collectively) assets. The Board’s Statement on Risk Management and Internal Control (“Statement”) outlines the nature and scope of the Group’s risk management and internal control during the financial year ended 31 December 2022 (“FY2022”). The Statement also takes into consideration the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers (“Guidelines”), a publication issued by Bursa Malaysia Securities Berhad (“Bursa Securities”) on the issuance of a statement about the state of risk management and internal control pursuant to Paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Securities.


The Board affirms its overall responsibility for the Group in maintaining a sound system of risk management and internal control. This includes reviewing the adequacy and integrity of the system’s financial, operational, regulatory compliance and risk management procedures. In view of the inherent limitations in any system, the Board ensures that the risk management and internal control framework is designed to manage the Group’s key risk areas within an acceptable risk profile, rather than to eliminate the risk of non-adherence to achieve the Group’s business and corporate objectives. The Board continually reviews the framework to ensure that the risk management and internal control framework provides a reasonable but not absolute assurance against the occurrence of any material misstatement of management and financial information and records, financial losses or fraud.

The Board has established an on-going process for identifying, evaluating and managing the relevant and material risk encountered by the Group. The Board, through its Audit Committee (“AC”) and Risk Management Committee (“RMC”), regularly reviews the results of this process, including risk mitigating measures taken by Management to address key risks identified. The Board confirms that this process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Group.

The AC and RMC are to assist the Board to oversee the management of all identified material risks including review of the adequacy and effectiveness of the Group’s risk management and internal control system to ensure that appropriate measures are carried out by Management to obtain the level of assurance required by the Board. Excluded from this Statement are those associated companies in which the Group does not have control.


The Board has, through the RMC, established a Group risk management framework which is firmly embedded in all key processes. Management has the overall responsibility for ensuring that the day-to-day management of the Group’s activities is consistent with its risk strategy, risk appetite and policies approved by the Board. In addition, key responsibilities of the Management are to identify, evaluate, monitor and report the risks and internal control as well as provide assurance to the Board that it has done so in accordance with the adopted framework.

The Board believes that the following features of the Group’s risk management and internal control framework are integral to maintaining a sound system:-

  • formalisation of Enterprise Risk Management (“ERM”) framework with reference to global standards and practices of ISO 31000 Risk Management Guidelines;
  • establishment of the RMC with the responsibility of identifying key risks and communicating to the Board the present and potential risks, risk changes and mitigation plans;
  • the appointment of a team of dedicated Risk Officers reporting to the RMC to coordinate ERM activities across the Group, which includes supervising policy implementation, overseeing documentation at Group level, functioning as the central contact and providing guidance for ERM issues;
  • identification of key risk indicators (“KRI”) to monitor the risk and Management’s deployment of internal controls to manage these risks; and
  • articulation of the Group’s risk appetite and parameters (qualitative and quantitative) for the Group and individual business units so as to gauge acceptability of risk exposure.

The RMC carried out its duties in accordance with its terms of reference during the financial year.

Highlights of the activities undertaken during the year are as follows:

  • the RMC, with the assistance from a firm of independent consultants and Management, continued to drive the risk management activities across all business segments of the Group on risk identification, evaluation, control, monitoring and reporting;
  • Management of each company within the Group’s business segments, such as Automotive and related products, Hotels and resorts, Plantation, Plastic products, Investment holding, Healthcare as well as Investment properties and trading of building material products, has identified the risks affecting their business by assessing the existing as well as new or emerging risks across the strategic, financial, operational and compliance categories. The Management reported on their respective companies' top five (5) risks and three (3) featured risks (including Corruption risk, Non-compliance with related party transaction policy and Climate change risk);
  • Risk Officers together with the financial controller and the head of respective business segments/units in turn, assessed the overall risks faced by their business segments, the potential impact and likelihood of those risks occurring, the control effectiveness and the action plans taken to manage those risks to the desired level;
  • strategic discussions were carried out by the independent consultants with the Executive Directors, RMC Chairman, Group Chief Financial Officer and Group Accountant on key business and strategic level risks. This process aims to gather high level inputs and to identify key controls and action plans to address the risks faced by respective business segments/ units. These activities are also to engender continuous and proactive risk management activities within the Group;
  • compilation of the Group risk profile, considering the materiality of the business segments in relation to the Group risk parameters, with the top risks from each business segment selected by Management and feedback from Executive Directors on strategic risks, was carried out with the assistance from the independent consultants;
  • reviewed corruption risk and controls as part of the Group’s ERM annual update;
  • conducted three (3) ERM briefings across the Group on 4 and 5 August 2022 for Management personnel focusing on alignment of strategic objectives through risk awareness, risk identification and key risk indicator monitoring;
  • two (2) RMC meetings were convened on 22 February 2022 and 23 November 2022 where significant risks of the Group and management action plans were presented for deliberations and approval. The Group risk profile for year 2022 was presented in February 2023, detailing the eight (8) principal risks of the Group and the top principal risks of each business segment, based on the significance of evaluated risks to the segment’s results. Management of each segment/ company in the Group shall continue to monitor and manage all risks at their level, as appropriate;
  • KRI were identified for each risk and the results were monitored by independent consultants on a bi-annual basis. Mitigating actions were taken by Management of each company to reduce the likelihood of a risk materialising. A summary of the KRI and the results was presented at the two (2) RMC meetings;
  • the risk mitigating measures taken and/or to be taken by Management were reported and reviewed at the RMC meetings. For each of the risks identified, the segmental head has been assigned to ensure appropriate action plans are carried out in a timely manner; and
  • the ERM Policy and Procedures have been updated and approved with the latest risk reporting framework, such as risk organisation structure, frequency and risk reporting documents for the Group.

Whilst the Board considers the risk management framework to be robust to meet the Group’s needs, it will still subject the framework to continuous improvement, taking into consideration better practices and the changing business environment.


The Group has an in-house Internal Audit function, which provides the Board, through the AC, with independent assurance on the efficiency and effectiveness of governance, risk management and internal control systems. The Internal Audit function adopts a risk-based internal audit methodology in reviewing key processes of the various business units in the Group and reporting directly to AC on the state of risk management and internal control of the various business units audited during the financial year.

The Internal Audit function will perform root cause analysis and recommend action plans to improve on areas where control deficiencies are identified during the field audits. Action plans are taken by Management to address the findings and concerns raised in the Internal Audit reports and Internal Audit function will follow up on the Management’s implementation of action plans. Further details of the activities of the Internal Audit function are provided in the Audit Committee Report.


The key elements of the Group’s internal control system as described below are relevant across the Group to provide for continuous assurance to the Management and the Board:

  • limits of authority and responsibility
    Formally defined and documented lines of responsibility and delegation of authority have been established through the relevant charters/terms of reference, organisational structures and appropriate authority limits. Hierarchical reporting is also in place to enhance the Group’s ability to achieve its strategies and operational objectives as well as provide for documented and auditable trail of accountability;
  • planning, monitoring, reporting and safeguarding
    • established budgeting process requiring all business segments within the Group to prepare the annual budget, taking into consideration the strategic plans, capital and operating expenditure for the upcoming financial year for discussion and approval by the Executive Committee (“EXCO”);
    • Performance Coordinating Team (“PCT”) comprising Management from each business segment reviews operational and financial Key Performance Indicators of their respective business segments and reports to the EXCO quarterly in order to assist EXCO in discharging their oversight role on the Group’s activities;
    • the AC reviews the quarterly financial results and evaluates the explanations and reasons for significant unusual variances noted thereof;
    • information, which includes quarterly reports covering all key financial and operational indicators, is provided to Management for monitoring of performance against budget and actions to be taken, where necessary; and
    • Management meetings are held regularly to identify, discuss and resolve strategic, operational, and financial issues.

The External Auditors have reviewed this Statement pursuant to the scope set out in the Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants for inclusion in the Annual Report of the Group for the year ended 31 December 2022, and reported to the Board that nothing has come to their attention that causes them to believe that the statement intended to be included in the Annual Report of the Group, in all material respects:

(a) has not been prepared in accordance with the disclosures required by paragraphs 41 and 42 of the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers; or

(b) is factually inaccurate.

AAPG 3 does not require the External Auditors to consider whether this Statement covers all risks and controls, or to form an opinion on the adequacy and effectiveness of the Group’s risk management and internal control system including the assessment and opinion by the Board and Management thereon. The auditors are also not required to consider whether the processes described to deal with material internal control aspects of any significant problems disclosed in the Annual Report will, in fact, remedy the problems.


As recommended by the Guidelines, the Board has received assurances in writing from the Executive Chairman, Group Managing Directors and Group Chief Financial Officer that the Group’s risk management and internal control system has been operating adequately and effectively, in all material aspects, during the financial year under review and up to the date of this Statement.

Having regard to the assurances, the Board is of the view that the Group’s risk management and internal control system for the year under review and as at the date of this Statement for inclusion in the Annual Report is sound and sufficient to safeguard the stockholders’ investment as well as the Group’s assets. The Board recognises that the development of the internal control system is an ongoing process and will continue to take appropriate action to further enhance the Group’s system of internal control.

This statement is issued in accordance with a resolution of the Directors dated 25 April 2023.