Yinson Integrated Annual Report 2026

132 YINSON HOLDINGS BERHAD

2. Assessment of control effectiveness: Controls are assessed for design adequacy and operating effectiveness and are subject to enhancement where gaps are identified:
• Effective: Fully address risk vulnerabilities and function consistently.
• Moderately Effective: Address aspects of risk but require enhancement.
• Ineffective: Provide minimal mitigation and necessitate significant improvement.

3. Implementation and testing: Controls are integrated into operational processes and subjected to regular testing to ensure functionality and reliability.

4. Review and adaptation: Regular assessments and updates of controls ensure alignment with evolving risks and organisational objectives.

Risk treatment process

Yinson's risk treatment process is an integral component of its ERM framework, aligned with globally recognised standards to ensure a systematic and effective approach to managing residual risks. The methodology is designed to evaluate and address risks in a manner that aligns with the Group's defined risk appetite and strategic objectives.

Key risk treatment strategies

1. Avoidance
Risks may be mitigated by discontinuing or refraining from activities that give rise to the identified exposure. Such decisions are evaluated in the context of the Group’s strategic objectives and approved risk appetite.

2. Acceptance
Residual risks may be accepted where they fall within defined risk appetite thresholds, and where an evaluation of risk-return considerations supports retention.

3. Modification
Risks are mitigated by reducing their likelihood (pre-event measures) or impact (post-event measures), or both. Examples include the implementation of enhanced controls, adoption of new technologies or process improvements to strengthen resilience.

4. Sharing
Risk exposure may be transferred or shared through mechanisms such as insurance, subcontracting, partnerships or contractual arrangements. Such measures are subject to commercial evaluation and governance oversight.

Governance of residual risks

Risks that exceed the Group’s approved risk appetite are subject to structured escalation and governance review. Where avoidance or transfer is not practical, such residual risks are evaluated against strategic objectives and risk-return considerations, with appropriate mitigation plans established and oversight provided by the MSC and BRSC as applicable. Continuous monitoring and periodic reporting ensure that these risks remain within defined tolerances or are formally reviewed where deviations occur.

Monitoring and assurance

The GRC department facilitates the development and periodic review of risk treatment action plans and monitors progress against agreed mitigation measures. Significant matters are escalated to the MSC and BRSC where required. Independent assurance over the effectiveness of internal controls is provided through the Group’s IA function and external assurance engagements, where applicable.

This structured risk treatment and monitoring approach supports disciplined risk governance and reinforces the effectiveness of the Group’s risk management framework.

GOVERNANCE
