Fraser & Neave Holdings Bhd Annual Report 2019

WWW.FN.COM.MY 114 FRASER & NEAVE HOLDINGS BHD

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

THE ENTERPRISE RISK MANAGEMENT (“ERM”) PROCESS

The ERM process involves a systematic application of the risk management methodology to facilitate risk identification, assessment, reporting as well as monitoring and review as described below:

RISK IDENTIFICATION AND ASSESSMENT

• The ERM process begins with the business strategies and objectives setting and/or review prior to the commencement of every financial year, which is also aligned to the Group’s vision and mission. Subsequently, risks arising from the business strategies and objectives to be pursued are identified.
• A consistent approach in determining the risk likelihood and risk impact is adopted across the Group to reflect the risk appetite approved by the Board.
• Risks identified are assessed to determine their likelihood of occurrence and potential impact on the relevant business strategies/objectives. The outcome of the risk assessment process at respective functional or business unit levels will then be consolidated at the Group level in a Corporate Risk Scorecard which enables subsidiaries within the Group to report risks and risk status using a common platform.

RISK REPORTING AND REVIEW

Annual Review

• Risk appetite and risk tolerance statements, which set out the nature and extent of risks that the Group is willing to accept or retain in pursuit of its goals and objectives, are reviewed by the SRMC and approved by the Board annually.
• Impact parameters, upon which the risk ratings are measured against the likelihood, are reviewed and updated annually.

Quarterly Review

• On a quarterly basis, the risk profiles of the key subsidiaries are tabled to the Management Risk Committee and the SRMC in a heat map, which sets out the priority and focus for risk mitigation strategies based on risk ratings at gross and net levels. The net risk level is determined after taking into consideration the effectiveness of existing controls and risk treatment plans. The risks identified and assessed are reported under the following categories: Corporate & Strategic, Compliance, Operational, Financial, Information Technology, Reputational.
• Key Risk Indicators (“KRIs”), presented in the form of a Key Risk Dashboard, are also established to monitor risks and mitigating measures for risks that are material to the Group and are included as part of the quarterly risk reporting.
• Changes to risk profiles and emerging risks are also identified and promptly brought to the attention of the Board and Board Committees.

For discussion on assessment of key risk areas and the controls in place to mitigate or manage those risks, refer to the Management Discussion & Analysis section of the Annual Report.

ASSURANCE RECEIVED FROM MANAGEMENT

At the end of the financial year, the Board receives assurance from the CEO and Chief Financial Officer (“CFO”) that the risk management and internal control system in place for the Group is adequate and effective to address risks which the Group considers relevant and material to its operations through the ERM Validation Report and Comfort Matrix.

The ERM Validation Report summarises the risk management activities conducted and the implementation of the ERM Policy during the financial year, whilst the Comfort Matrix sets out the key financial, compliance, operational, and information technology risks of the Group and presents them against the strategies, policies, people, processes, systems, mechanisms and reporting processes that have been put in place to address these risks. Both the ERM Validation Report and the Comfort Matrix are tabled at the SRMC and Audit Committee meetings respectively prior to recommendations to the Board on an annual basis.

In addition, the risk management process in the Group is reviewed on a periodic basis by Internal Audit, according to its annual audit plan approved by the Audit Committee.
