STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL
The Board of Directors is pleased to provide the following Statement on Risk Management and Internal Control, which is made pursuant to paragraph 15.26(b) and Practice Note 9 of the Bursa Malaysia Securities Board Main Market Listing Requirements, Principle 6 of the Code and guided by the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers.
The Board of Directors recognises the importance of a sound system of internal control and effective risk management practices to good corporate governance. During the financial year, the Board continues to enhance the system of internal control and risk management to safeguard shareholders’ investments and the assets of the Group.
The Board affirms its overall responsibility for maintaining sound systems of internal control within the Group covering financial control, operational control, compliance control and risk management, and reviewing the adequacy and effectiveness of such systems within the Group regularly. The Board, in the discharge of its stewardship responsibilities, is committed to identifying key risks to which companies within the Group are exposed and will introduce appropriate systems progressively to manage such risks.
Notwithstanding that, there are, however, limitations inherent in any system of internal control, and such system is designed to manage rather than eliminate the risk that may impede the achievement of business objectives. The system of risk management and internal control can only provide reasonable but not absolute assurance against material misstatement of management or financial information or financial losses or frauds.
The internal audit adopts a risk-based approach in developing its audit plan which addresses the core auditable areas of the Group. Scheduled internal audits shall be carried out by the internal auditors based on the audit plan presented to and approved by the Audit Committee to provide independent and objective reports on the state of internal control of the operating units. The audit focuses on areas with risk as well as areas identified with inadequate controls to ensure the effectiveness of the controls in mitigating those risks. The internal auditors will follow up with the management in the implementation of action plans recommended to improve areas where control deficiencies were identified during the internal audits.
The Board affirms that it is ultimately responsible for the adequacy and integrity of the Group’s systems of risk management and internal control, which includes the establishment of an appropriate control environment and reporting framework.
Internal Control Structure
The control environment sets the tone for the Group by providing fundamental discipline and structure. Key elements of the Group include:
Integrity and ethical values
The Board and Senior Management set the tone at the top for corporate behaviour and corporate governance. All employees of the Group shall adhere to the policies and guidelines which set out the principles to guide employees in carrying out their duties and responsibilities when dealing with external parties.
Board Committees (i.e. Audit Committee, Remuneration Committee and Nominating Committee)
Clear roles of the Board are stated under the Statement of Corporate Governance section of this Annual Report.
The “hands on” management style by the executive directors contributed to timely identification and rectification of risks and issues arising from business operations and other related issues to ensure that business strategies and profitability. Meetings of Board of Directors and respective Board Committees are scheduled on timely basis to review the performance of the Group, from financial and operational perspective.
An organisational structure with defined line of responsibilities, proper segregation of duties and delegation of authority limits are in place.
A process of hierarchical reporting has been established, which provides for a documented and auditable trail of accountability. The procedures include the establishment of limits of authority and are relevant across the Group’s operations and provide for continuous assurance to be given at increasingly higher levels of management, and finally to the Board.
Management is committed to employing suitably qualified staff to ensure operational efficiency.
Operation meetings are formal platforms for Management to set its tone on control culture and emphasise on Group’s strategic directions as agreed upon by the Board.
Training and development
Training is conducted at all levels so that all employees are able to perform well in their present jobs, and to develop employees who have the potential to perform duties with wider responsibilities. Management ensures that employees receive continuous training in various areas of work such as knowledge, compliance with rules and regulations, health and safety, technical training, leadership and new product development.
The Board and management are aware of their overall responsibility in managing the Group’s risk management policy. The risk identification process is done on an ongoing basis and entails all key factors within the Group’s business operations.
Identifying, evaluating and managing any significant risks faced by the Group is undertaken by various parties such as management, internal and external auditors and Audit Committee, which assesses and analyses any findings of the internal and external audit and reports to the Board.
The Board’s function within the risk management policy is exercised and managed primarily by Executive Directors through their participation in the operations and regular meetings with managerial levels to ensure the efficiency of the system of internal control and risk management. The process of identifying and evaluating the significant risks affecting the business is carried out by all heads of departments on a continuous basis, and the controls and procedures by which these risks are managed accordingly.
The Group’s financial risk management policy seeks to ensure that adequate resources are available to mitigate risks including foreign currency risk, interest risk, credit risk and liquidity risk. The Board assumes overall responsibility for the Group’s risk management policy and formulates policies and procedures for the management of these risks.
Processes are continuously reviewed for relevancy to the business processes and activities as well as for uniformity and standardisation of practices across the Group.
Periodic and annual audit reviews by internal and external quality auditors were conducted to ensure compliance with and continuous improvement of the ISO Quality Standards certification as assurance to the quality standards of products and services provided by the Group.
Budgets are prepared to evaluate the feasibility and viability of the Group’s business and to ensure that the Group’s business plan is in line.
The Group’s performance is also reported to the Board on a quarterly basis to highlight significant variances. The results are reviewed by the Board to enable them to gauge the Group’s overall performance and compare it to the prior periods.
Information and Communication
Management promotes good working relationships at all levels of employees by ensuring information and communication channels are open and sinuous. Relevant information is shared both downwards (from Management to employees) and upwards (from employees to Management) for proper attention and further action.
Regular management meetings are conducted at the Group by all heads of departments to discuss and resolve issues or challenges faced with regard to operational and administrative matters. The proceedings of these meetings are minuted for further action and reference.
The Board recognises the need for communication across the Group and with investors, and for more dialogue with investors and analysts as well as with the media moving forward. Investor relations activities are held at least on a quarterly basis.
Management maintains close monitoring of the Group’s operations through submission of monthly reports and constant communication or regular meetings with the heads of department.
Management also constantly monitors the highlighted issues through the conduct of follow-up audits which show its commitment to improve on current processes and internal controls.
During the financial year, the Board and Audit Committee have diligently continued in their role as external overseers of internal controls and monitored the performance of the Group’s quarterly financial results.
The internal audit function acts as an ongoing monitoring process, which provides a degree of assurance as to the validity of the system of internal control. Planned corrective actions are independently monitored for timely completion.
Risk Management Policy
The Board recognises the need for an effective risk management practice and to maintain a sound system of internal control as all areas of the business activities of the Group involve certain risks. Hence, the Board has formalised and established the risk management policy, as an approach to identifying, assessing, reporting and monitoring risks faced by the Group.
The objectives of the risk management policy are:
To systemise a continuous process for identifying, evaluating and managing the significant risks faced by the Group;
To provide a platform for communication, of risk and control profiles and the management action plans to manage the risks, between Senior Management and the Board;
To nominate key management personnel to prepare action plans to address any risk and control issues;
To inculcate an organisation-wide culture of risk awareness and management and embed internal controls and risk management further into the operations of the Group’s business; and
To establish a documented process of control monitoring and improvement plans.
The Board has assigned the Group’s risk oversight function to the Risk Management Committee (“RMC”), which comprises Senior Management and Head of Departments of the Group. The RMC is primarily responsible for identifying, evaluating and managing significant risks faced by the Group as well as reporting to the Board on a regular basis.
The following depicts the key parties and their principal risk management roles and responsibilities:
Board of Directors
Maintains a sound system of risk management and internal control;
Evaluate the adequacy of the system of risk management and internal control; and
Approve risk management policy and governance structure.
Risk Management Committee
RMC discuss and meet regularly to identify and manage risks to a manageable level;
Identify and evaluate the significant risks faced by the Group;
Assist the Board in implementing the objectives outlined in the risk management policy;
Establish, formulate, recommend and manage sound and best practice risk management programs for the Group;
Continuously monitor and execute appropriate actions to address any change in existing risks or new risks identified as part of an on-going proactive control measure;
Report to the Board on any major changes to the identified risk requiring immediate attention/notification; and
Inculcate risk awareness within the Group.
Head of Departments
Primarily responsible for managing risk on a day-to-day basis; and
Promote risk awareness within their operations and introduce risk management objectives into the business and operations.
The Board recognises that risk management can become a strategic competitive advantage if it is used to identify specific actions that enhance performance and optimise risk. It can also influence business strategy by identifying potential adjustments related to previously unidentified opportunities and risks. As much as risks give rise to the need for controls, we consciously look out for opportunities for improvement arising from risks and uncertainties. Risk management has also been adopted as a strategic tool in strategy formulation, investment and resource allocation.
The Board, throughout the financial year under review, has identified, evaluated and managed the significant risks faced by the Group through monitoring of the Group’s operational efficiency and performance at its Board Meeting. The Board has assigned to the Audit Committee the duty of reviewing and monitoring the effectiveness of the Group’s risk management processes. At operation levels, risks were discussed on an ad hoc basis during the periodic management operations meetings.
Internal Audit Function
The Board recognises the need for an internal audit function, and has engaged the services of an independent professional accounting and consulting firm, Messrs TT Governance Sdn Bhd (“TTG”) to provide assurance on the efficiency and effectiveness as well as the adequacy and integrity of the Group’s internal control and risk management processes implemented by the management to manage key business risks and internal control system.
The internal auditors adopt a risk-based approach to the implementation and monitoring of internal controls. The monitoring process will also form the basis for continually improving the risk management process in the context of the Group's overall goals. Internal audit is performed based on the internal audit plans approved by the Audit Committee or any amendments thereof approved by the Audit Committee deemed necessary.
The internal auditors will provide the Audit Committee with an independent assessment of the effectiveness, efficiency and adequacy of the internal control systems of the Group. This will be done by reviewing and reporting on any material deviations and non-compliances of policies and control procedures implemented by management and the Board. The internal audit plan is developed based on management’s assessment of business processes and risks, and which is approved by Audit Committee or any amendments thereof approved by the Audit Committee deemed necessary.
In particular, internal auditors appraise and contribute towards improving the Group’s risk management and control systems and reports to the Audit Committee. Upon completion of the internal audit works based on detailed audit program, the internal audit report is presented to Audit Committee for review and consideration. The internal audit report includes the audit findings and internal auditors’ recommendations as well as management responses and actions plans for improvement and to resolve any issue. In assessing the adequacy and effectiveness of the system of internal control and risk management processes of the Group, the Audit Committee reports to the Board on its activities, significant audit results or findings and the necessary recommendations or actions needed to be taken by management to rectify those issues.
The internal audit work plan, which reflects the risk profile of the Group’s major business sectors is routinely reviewed and approved by the Audit Committee. The scope of internal audit function covers the audit and review of governance, risk assessment, compliance, operational and financial control across all business units.
Internal auditors assist the Audit Committee in discharging its duties and responsibilities. They continue to monitor the compliance with policies and procedures and the effectiveness of the internal control systems independently and highlight significant findings and corrective measures in respect of any non-compliance. They review the controls in the key activities of the Group’s business based on the annual internal audit plan and report audit findings to the Audit Committee for review annually. The management is responsible for ensuring that corrective actions on reported weaknesses are addressed within a specific time frame. The reported findings thus far were not material in nature and improvements are being carried out.
During the year under review, the Board is of the view that the systems of risk management and internal control are operating effectively and have not resulted in material losses, contingencies or uncertainties that would require separate disclosure in the Group’s Annual Report. The monitoring, review and reporting arrangements are in place to give reasonable assurance that the structure and operation of controls are appropriate for the Group. The Board is of the view that the process of risk management and internal control system is sound and sufficient to safeguard the interest of shareholders and the Group’s assets.
This statement is made in accordance with a resolution of the Board dated 23 June 2016.