MISC Annual Report 2019

Statement on Risk Management & Internal Control

The Board is pleased to provide the Company’s Statement on Risk Management and Internal Control which outlines the nature and scope of risk management and internal controls within the MISC Group for the financial year ended 31 December 2019. This statement is made in accordance with Paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad (Bursa Securities) which requires the board of directors of public companies to publish a statement about the state of internal control of the listed issuer as a Group.

Accountability of the Board

The Board recognises its principal responsibility of establishing an effective risk management and internal control framework which includes regular review of the adequacy and effectiveness of the framework, as manifested in the Malaysian Code on Corporate Governance 2017. Accordingly, the Board has entrusted the responsibility of risk management and internal control oversight to the MISC Board Audit & Risk Committee (BARC). The responsibilities of the BARC are outlined on pages 212 to 219 of this annual report.

In discharging its responsibilities, the BARC is supported by the MISC Risk Management Committee (RMC), which comprises Management Committee members and Heads of Divisions, to reflect the prominence and focus by management on the oversight of internal control and risk management of the MISC Group.

The Board, via BARC, periodically reviews the efficiency and effectiveness of the Group’s internal control systems to ensure viability and robustness of the system. Group Internal Audit (GIA) with its risk-based approach supports the BARC in ensuring the said internal control systems are in place and effective in dealing with risks.

The Board understands that it is not always possible, cost-effective nor practical to eliminate risk altogether.
Accordingly, these internal control systems can only provide reasonable assurance against material misstatement or loss. Thus, the Board adopts a cost-benefit approach to ensure that the expected returns outweigh the cost of risk mitigation.

Risk Management Framework

The Company’s risk management framework is used to identify, evaluate and manage the principal risks of the Group as described on pages 60 to 63. Appropriate internal control systems are also implemented to manage these risks, details of which are set out in the following pages.

The Board adopts the PETRONAS Resiliency Model (PRM) which provides an integrated view for managing risks and is also guided by international best practice as per ISO 31000. The PRM focuses on three frameworks, namely:

i. Enterprise Risk Management (ERM)
The ERM process is an integral part of managing business that provides a guide to systematically identify, assess, treat, monitor and review risks. It aims to improve the ability to reduce the likelihood and impact of identified risks that may affect the achievement of business objectives.

ii. Crisis Management (CM)
Crisis Management defines the structure and processes for managing emergencies including crises at both domestic and international operations.

iii. Business Continuity Management (BCM)
Business continuity practices ensure a structured recovery of business operations and business continuity in the event of a crisis or prolonged business disruption.

In November 2019, the Board approved the adoption of the enhanced Risk Policy. The enhancement to risk management was crucial to ensure alignment with the Group’s aspiration for the future and the evolving industry landscape.
The enhancement is anchored on the following key considerations:
• Providing overarching philosophy in managing risk for the organisation;
• Emphasising risk-based decision-making;
• Requiring a holistic and integrated view of risk;
• Inculcating stronger risk culture across the organisation; and
• Driving risk ownership across the organisation.

The enhanced MISC Risk Policy states that:

MISC shall continuously strive to implement:
• Risk management best practices to protect and create value within the set boundaries; and
• Risk based decision making by providing a balanced and holistic view of exposure to achieve business objectives.
MISC is committed to become a risk-resilient organisation.
Managing risk is everyone’s responsibility.

The Group has implemented risk management best practices in the form of ERM framework which ensures all business risks are prudently identified, evaluated, treated and managed accordingly to achieve MISC’s strategic objectives. The ERM framework comprises the following key elements:

• Risk Management
MISC’s Risk Policy guides the overall best practice of identifying, evaluating, managing, reporting and monitoring the ever-changing risks faced by the Group and specific measures to mitigate these risks. The emphasis is to effectively reduce the impact of risks, respond to immediate risk events and recover from prolonged business disruption to ensure continuity and sustainability of key business activities as well as delivery of business objectives.

• Risk Governance Structure
The Group’s risk governance structure facilitates the flow of information and effective oversight on the implementation of risk management practices across our businesses.

[Figure: Risk governance structure, showing the governance flow and reporting flow between the bodies below]

Bodies shown: Board of Directors; Board Audit and Risk Committee (BARC); Risk Management Committee (RMC); Corporate Planning; Business Unit/Subsidiary

Responsibilities listed in the figure:
• Responsible for overall oversight of MISC Group risk management system and activities
• Reviews the adequacy and effectiveness of MISC’s Risk Management Framework and on-going activities for identifying, evaluating, monitoring and mitigating risks
• Reviews the Group’s risk tolerance level
• Provides a reasonable level of assurance to the BARC that the Group’s risks are being managed appropriately
• Responsible for implementing risk management processes at respective units
• Reviews and monitors risk reporting quarterly
• RMC secretariat
