Frontken Berhad Annual Report 2019

Frontken Corporation Berhad (651020-T) ANNUAL REPORT 2019

Statement On Risk Management And Internal Control (cont’d)

BOARD’S RESPONSIBILITY ON RISK MANAGEMENT AND INTERNAL CONTROL (cont’d)

In applying Practice 9.1 of the MCCG, the Board has formalised an Enterprise Risk Management framework (“ERM Framework”) that encompasses relevant policies and guidelines to streamline the Group’s risk management imperatives in a structured and comprehensive manner to safeguard shareholders’ investment and the Group’s assets. This ERM Framework accords largely with the ISO31000:2018 Risk Management – Guidelines, which set out the key principles, framework and process on risk management.

With this ERM Framework, the Board has established an on-going process to identify, evaluate, control, report and monitor significant business risks faced by the Group on an ongoing basis. The Board, through its Audit Committee, reviews the outcome of this process, including mitigating measures implemented by Management to address the key risks as identified. This process has been in place for the financial year under review and up to the date of approval of this Statement for inclusion in the Annual Report of the Company.

RISK MANAGEMENT FRAMEWORK – EXTENT OF COVERAGE

Risk management is embodied in the Group’s key business processes through the ERM Framework, which sets out, amongst others, an easy-to-understand step-by-step approach to identify and evaluate risks faced by business units and, by extension, the Group. To harmonise risk management initiatives and activities, the Board has formalised in writing relevant risk management policies and guidelines for adherence by business units across the Group.
The ERM Framework comprises a structured assessment process, culminating in the compilation of specific risk profiles of key business units and companies in the Group by Risk Management Units (“RMUs”), including the semi-annual update of risk profiles to take into account the vagaries of the evolving business environment as well as emerging risks. The individual risks are scored for their likelihood of occurrence and the impact thereof based on a ‘5 by 5’ risk matrix, deploying parameters established for each key business unit or company in the Group. The risk parameters comprise relevant financial and non-financial metrics for risks to be evaluated or quantified, as the case may be, in terms of the likelihood of their occurrence and the impact thereof. The use of such metrics essentially articulates the Board’s risk appetite, i.e. the extent of risk the Group is prepared to take or seek in achieving its business objectives.

Details of specific risks are documented in individual risk registers, covering the risk description, root causes, risk consequences, internal controls implemented by Management to address the root causes, Management’s assessment of the effectiveness of internal controls and the residual risk rating, i.e. the balance of risk after considering the effects of internal controls deployed to manage the exposure. The action plans that Management has taken and/or is taking to mitigate the risks to acceptable levels are reported by the RMUs to the Audit Committee and the outcome is documented in the Audit Committee meeting minutes, including any comments that the Audit Committee may have. The Audit Committee is tasked to brief the Board on the outcome of the risk update and mitigating measures deployed, including any significant issues therefrom. For each of the business risks identified, a risk owner is entrusted to ensure appropriate actions are taken to mitigate the risk to an acceptable level within a specified timeline.
The Risk Coordinator of the Group, when reviewing the risk update carried out by business units, enquires into the status of action plans undertaken by Management of the business units concerned before reporting to the Audit Committee. During the financial year under review, there were two (2) risk updates conducted by the various business units and companies in the Group with the outcome reported by the Risk Coordinator to the Audit Committee and thereafter to the Board for further comments. The business risks as identified encompassed risks on strategies, finance, operations, regulatory compliance, reputation, cyber security and sustainability.

INTERNAL CONTROL SYSTEM – THE SALIENT FEATURES

Besides those internal controls implemented by Management to mitigate the risks as mentioned above, the Group’s internal control system also covers the following salient elements:

• an organisation structure with clearly defined lines of responsibilities and appropriate levels of delegation and authority, including financial limits of authority in approving transactions and activities as well as mandate to operate bank accounts. This structure also sets out clear reporting lines and segregation of duties for key processes like strategic management, operations, sales and collections, procurement and payment, human resource management, capital expenditure, research and development, financial reporting, corporate affairs and investments;
