STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL GOVERNANCE • ENTERPRISE RISK MANAGEMENT The Group has implemented risk management best practices in the form of ERM framework which ensures all business risks are prudently identified, evaluated, treated and managed accordingly to achieve MISC’s business objectives. The risk management process in MISC requires management to identify business risks at the strategic, operational and tactical levels, and assess these risks in terms of likelihood and magnitude of impact, as well as to identify and evaluate the adequacy of mechanisms in place to manage these risks. Key risks covering financials, operations (including project management), Health, Safety, Security and Environment (HSSE) incidents, legal and regulatory, information and communication technology and cybersecurity as well as human resource are monitored closely at the Company’s quarterly RMC and BGRC meeting. This process involves assessments at business/service units and subsidiaries before being examined at the Group for a more holistic and strategic view. In sustaining the achievement of business objectives, it is important to manage risks across the Group on an integrated basis with a balanced view of the risks taken against the rewards of business performance. The business/service units and key subsidiaries are required to perform an annual review of their risk profiles with the emphasis of linking these risks to MISC’s business objectives. In addition, Key Risk Indicators (KRIs) are reviewed and identified to monitor the movement of risks quarterly, thus enabling the management to act quickly and take the necessary measures in managing risks to ensure that the Group’s initiatives are implemented effectively, and business objectives are met. For the purpose of risk reporting, a breach of risk event is reported to the RMC and BGRC on a quarterly basis, complete with action plans to mitigate the relevant risks. In essence, the risk management processes are as follows: Discuss and deliberate key and significant risk events breaching thresholds as well as the proposed mitigations. Provide guidance to management to ensure the Group’s risks are being managed appropriately. Review, discuss and report all risk events breaching thresholds set. Review and discuss risk events breaching thresholds as well as the proposed mitigations. Shortlist of key and significant risk events breaching thresholds. Continous monitoring of risk level using the risk registers. The performance of key risks is monitored using KRI. Any change or movement in the KRIs, will provide an early warning. KRIs that breach set thresholds are reviewed by CP before presentation to RMC for discussion on a quarterly basis. Significant breaches and key risk issues are raised to the BGRC for discussion and deliberation. Mitigation to eliminate/minimise risk exposures are deliberated at RMC and BGRC. Identify risks and existing controls via risk assessment. Establish risk rating based on matrix and record into risk registers. Select appropriate risk treatment option. Risk Profiling Risk Monitoring Risk Reporting Corporate Planning RMC BGRC ERM FRAMEWORK Governance • Risk policy • Organisation structure • Roles & responsibilities Context Setting • External context • Internal context • Risk appetite • Risk criteria Risk Assessment • Risk identification • Risk analysis • Risk evalution Risk Treatment • Risk treatment strategy • Risk treatment plan Monitoring & Reporting • Risk reporting & monitoring • Risk information system Continual Improvement • System monitoring & review • Risk Assurance • ERM capability MISC Berhad 274 Integrated Annual Report 2021 MISC Berhad Integrated Annual Report 2021 275
RkJQdWJsaXNoZXIy NDgzMzc=