ENRA Group Berhad Annual Report 2018

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

Paragraph 15.26(b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad (“Bursa Securities”) requires the Board of Directors of a public listed company to include in its annual report a statement about the state of risk management and internal control of the listed issuer as a group. The Bursa Securities’ Statement on Risk Management & Internal Control (Guidelines for Directors of Listed Issuers) provides guidance for compliance with these requirements. The Malaysian Code on Corporate Governance issued by the Securities Commission Malaysia requires the Board to establish a sound risk management framework and internal control system.

ENRA Group Berhad’s (“ENRA”) Board of Directors (“Board”) is pleased to provide the following statement, which is prepared in accordance with the “Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers” endorsed by Bursa Securities and which outlines the nature and scope of the Risk Management and Internal Control of ENRA during the financial year under review.

BOARD RESPONSIBILITY

The Board acknowledges the importance of sound internal controls and risk management practices to safeguard the interests of various stakeholders and to address all key risks which the Board considers relevant and material to the operations of ENRA and its subsidiaries (“Group”). The Board affirms its overall responsibility for the Group’s system of internal control and risk management process, which includes the establishment of an appropriate control environment and framework. The Board is also responsible for reviewing the effectiveness, adequacy and integrity of those systems. These systems are designed to manage, rather than to eliminate, any risk that may impact the Group arising from non-achievement of the Group’s policies, goals and objectives. Such a system provides reasonable, but not absolute, assurance against material misstatement or loss.

The Group has in place an on-going process for identifying, evaluating, monitoring and managing the operating and financial controls affecting the achievement of its business objectives throughout the financial reporting period. The Group Internal Audit Department plays a role in this respect. The process is reviewed quarterly by the Audit and Risk Management Committee (“ARMC”). The Board maintains ultimate responsibility over the Group’s system of internal control and risk management process, the implementation of which it has delegated to the Executive Committee. The Internal Audit function is to provide reasonable assurance that the designed controls are in place and are operating as intended.

RISK MANAGEMENT FRAMEWORK

The Board reviewed the risk management processes in place within the Group with the assistance of the Executive Risk Management Committee (“ERMC”) and the Internal Audit Department. The ERMC meets on a quarterly basis to deliberate on risks identified, controls and risk mitigation strategies arising from the risk assessment process conducted.

The key elements of the Group’s risk management framework are as follows:

• The ERMC, which is chaired by the President & Group Chief Executive Officer and comprises the Executive Committee as members and the Head of Internal Auditor as the risk coordinator. The ERMC is entrusted with the terms of reference and the responsibility to identify and communicate to the Board the key risks the Group faces, their changes, and management’s actions and plans to manage the risks.

• The Risk Management policy guide and manual, which outlines the corporate policy and framework on risk management for the Group and offers practical guidance on risk management issues. Pursuant to the said policy, the Risk Management Units (“RMUs”) at the subsidiary/operational level were set up to report quarterly to the ERMC.

• The Enterprise Risk Management (“ERM”) framework, which is defined as the methods and processes used by an organization to manage risks and seize opportunities related to the achievement of its objectives. Its key feature is a risk governance structure comprising three lines of defense with established and clear functional responsibilities and accountabilities for the management of risk. The process owners and heads of various business units and supporting functions are the first level of defense and are accountable for all risks assumed under their respective areas of responsibility in line with the Risk Management policy and guidelines.
