Integrated Annual Report 2021

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

GOVERNANCE

RISK GOVERNANCE STRUCTURE

The Group’s risk governance structure facilitates the flow of information and effective oversight on the implementation of risk management practices across its businesses. Risk management activities are undertaken at corporate, business/service units and subsidiaries and their risk reports are reviewed by the RMC prior to deliberation at the BGRC for subsequent approval by the Board.

Each appointed and dedicated risk focal person has the responsibility for risk management activities in their units and subsidiaries to ensure consistent implementation of risk management processes across the Group.

The RMC holds quarterly meetings to review the key risks and at the same time ensure that mitigation plans are in place to manage such risks. The adequacy and effectiveness of the controls and the robustness of the mitigation actions are also addressed. These are then further deliberated at the BGRC and finally reported to the Board on a quarterly basis.

RISK POLICY

MISC’s Risk Policy guides the overall best practice of identifying, evaluating, managing, reporting and monitoring the ever-changing risks faced by the Group and specific measures to mitigate these risks. The emphasis is to effectively reduce the impact of risks, respond to immediate risk events and recover from prolonged business disruption to ensure continuity and sustainability of key business activities as well as delivery of business objectives.
Risk Oversight Structure

• Board of Directors: Responsible for the overall oversight of MISC Group risk management system and activities
• BGRC: Reviews the adequacy and effectiveness of MISC’s Risk Management Framework and on-going activities for identifying, evaluating, monitoring and mitigating risks; reviews the Group’s risk tolerance level
• RMC: Provides a reasonable level of assurance to the BGRC that the Group’s risks are being managed appropriately
• Corporate Planning (CP): Reviews and monitors risk reporting quarterly; RMC secretariat
• Risk Owners: Responsible for implementing risk management processes at respective units

Levels shown in the structure: Board level; Management level; Business unit/Service unit/Subsidiary.

MISC is committed to become a risk-resilient organisation. MISC shall continuously strive to implement:
• Risk management best practices to protect and create value within the set boundaries; and
• Risk-based decision-making by providing a balanced and holistic view of exposure to achieve business objectives.

Managing risk is everyone’s responsibility.

The RMC was established to review and monitor the Group’s risk management practices. It is primarily responsible for driving the implementation of the risk management framework and acts as the central platform for the Group.
RISK MANAGEMENT COMMITTEE

• Assist the management in identifying principal risks at Group level and providing assurance that the Enterprise Risk Management (ERM) is implemented group-wide to protect and safeguard MISC’s interest
• Review and recommend policies and frameworks specifically to address risks inherent in all business operations and environment pertaining to the Group
• Review, deliberate and recommend mitigation actions to ensure that the Group’s risks are being mitigated effectively
• Provide a reasonable assurance to the BGRC that the Group’s risks are being managed appropriately

RISK MANAGEMENT FRAMEWORK

The Group’s risk management framework is used to identify, evaluate and manage the principal risks of the Group as described in Our Risks and Mitigation Strategies on pages 78 to 85 of this Integrated Annual Report. Appropriate internal control systems are also implemented to manage these risks, details of which are set out in the following pages.

Risks across the Group are being managed on an integrated basis within stipulated and approved Limits of Authority (LOA). Evaluations of those risks are incorporated into the decision-making process. The Board adopts the PETRONAS Resiliency Model which provides an integrated view for managing risks and is also guided by international best practice as per ISO 31000.

Crisis Management defines the structure and processes for managing emergencies including crises at both domestic and international operations.

Business continuity practices ensure a structured recovery of business operations and business continuity in the event of a crisis or prolonged business disruption.

The ERM process is an integral part of managing business that provides a guide to systematically identify, assess, treat, monitor and review risks. It aims to improve the ability to reduce the likelihood and impact of identified risks that may affect the achievement of business objectives.
PETRONAS Resiliency Model: Enterprise Risk Management (ERM), Crisis Management (CM), Business Continuity Management (BCM)

MISC Berhad Integrated Annual Report 2021