ANNUAL REPORT 2025 102

GOVERNANCE

Statement on Risk Management and Internal Control (Cont'd)

RISK MANAGEMENT & INTERNAL CONTROL SYSTEMS

Generally, the Group's risk management and internal control systems are guided by ISO 31000 Risk Management - Principles and Guidelines and by the Committee of Sponsoring Organisations of the Treadway Commission ("COSO") Framework respectively. The key feature of the Group's risk management and internal control system is the three lines of defence model, which establishes functional responsibilities and accountabilities for the management of risks and internal controls across the Group, as depicted below:

FIRST LINE OF DEFENCE
• Own, manage and control risks through the implementation of internal controls in the business operations and activities.
• Provided by the Executive Directors, the Management and Heads of Department.

SECOND LINE OF DEFENCE
• Coordinate and facilitate risk management activities routinely among the various business units and/or support and administration functions, including monitoring progress of risk mitigation plans.
• Provided by the Risk and Governance Unit.

THIRD LINE OF DEFENCE
• Perform regular reviews of the Group's operations and its system of internal controls and risk management, and provide independent assurance on the adequacy and effectiveness of the control processes implemented by business process owners and Management.
• Provided by the Corporate Assurance Department.

RISK MANAGEMENT

Risk Management Framework and Activities

The Group's risk management framework and methodology are guided by ISO 31000 Risk Management - Principles and Guidelines, represented in brief as follows:

[Diagram: ISO 31000 risk management process. Establish context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Communication and consultation and Monitoring and review running alongside every step.]

Additionally, Standard Operating Procedures ("SOP") governing the risk management processes and reporting procedures are in place to support and set out the policies and procedures for the implementation of the ERM Framework. Efforts to implement formal risk management reviews and reporting, as outlined in the ERM Framework, are on-going and continue to improve progressively.