ENRA Group Berhad Annual Report 2022

RISK MANAGEMENT

The Board reviewed the risk management processes in place within the Group with the assistance of the ERMC and the Internal Audit Department. The ERMC meets on a quarterly basis to deliberate on risks identified, controls and risk mitigation strategies arising from the risk assessment process conducted. The key elements of the Group’s risk management framework are as follows:

• The ERMC, which is chaired by the President & Group Chief Executive Officer, and comprises the Executive Directors as members and the Head of Internal Audit as the risk coordinator. The ERMC is entrusted with the terms of reference and the responsibility to identify and communicate to the Board the key risks the Group faces, their changes, and Management’s actions and plans to manage such risks.

• The Risk Management policy guide and manual, which outlines the corporate policy and framework on risk management for the Group and offers practical guidance on risk management issues. Pursuant to the said policy, the Risk Management Units (“RMUs”) at the subsidiary/operational level were set up to report quarterly to the ERMC.

• The Enterprise Risk Management (“ERM”) framework, which is defined as methods and processes used by an organisation to manage risks and seize opportunities related to the achievement of its objectives. The key feature of this framework is a risk governance structure comprising three lines of defence with established and clear functional responsibilities and accountabilities for the management of risk.

The process owners and heads of various business units and supporting functions are the first line of defence and are accountable for all risks assumed under their respective areas of responsibility in line with the Risk Management policy and guidelines.

The RMUs, with oversight by the ERMC, provide the second line of defence. Quarterly updates on risk management are given by the heads of the various business units and certain supporting functions to the RMUs, which in turn report to the ERMC. The ERMC provides direction and has an oversight role in the risk management process. At its scheduled quarterly meetings, the ERMC appraises and assesses the efficiency of the controls and the progress of action plans taken to mitigate and monitor the risk management exposure of the Group. The ERMC also monitors the progress and status of the risk management activities, and raises issues of concern for Management’s attention.

The Internal Audit function provides the third line of defence. The function reports directly to the ARMC, provides independent assurance of the adequacy and reliability of risk management processes and the system of internal control, and ensures compliance with risk-related requirements.

• Within the framework, there is an established and structured process for the identification, assessment, communication, monitoring and continual review of risks and of the effectiveness of risk mitigation strategies and controls of the business units and supporting functions, with regular communication between business units and the RMUs, which in turn report to the ERMC. The current methodology is adopted from the elements of Risk Management ISO 31000 (2015). The level of risk tolerance is expressed through the use of a risk impact and likelihood matrix with an established risk parameter boundary set by the ERMC and approved by the Board. The parameters define risks that are deemed to exceed or are close to exceeding the risk tolerance, and those which are not. There is established risk treatment guidance on the action to be taken for the relevant risks.

• The Group’s activities are exposed to a variety of risks, including operating, financial, strategic management, human resource, information technology, procurement, political, sales and marketing, and safety, health and environmental risk. The Group has relevant policies and guidelines on risk reporting and disclosure that cover those risks.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL
