Frontken Berhad Annual Report 2017

Frontken Corporation Berhad (651020-T) ANNUAL REPORT 2017

Statement On Risk Management And Internal Control (cont’d)

RISK MANAGEMENT FRAMEWORK

Risk management is embedded in the Group’s key business processes through its ERM framework, which provides, amongst others, an easy-to-understand step by step approach to identify and evaluate risks faced by business units and, by extension, the Group. To streamline risk management processes and activities, the Board has formalised in writing pertinent risk management policies and guidelines for adherence by business units across the Group.

The ERM framework embodies a structured risk assessment process, which results in the compilation of specific risk profiles of key business units and companies in the Group by Risk Management Units (“RMUs”), including the semi-annual update of risk profiles to take into account the vagaries of a changing business environment as well as emerging risks. The individual risks in the profile are scored for their likelihood of occurrence and the impact thereof based on a ‘5 by 5’ risk matrix deploying parameters established for each key business unit or company in the Group. The risk parameters comprise relevant financial and non-financial metrics for risks to be evaluated in terms of likelihood of their occurrence and the impact thereof – this feature essentially articulates the Board’s risk appetite, i.e. the extent of risk the Group is prepared to take or seek in achieving its corporate objectives.

Details of specific risks are recorded in individual risk registers, covering the risk description, causes of risk, risk consequences, internal controls implemented by Management to address the causes of risk, Management’s assessment of the effectiveness of internal controls and the residual risk rating, i.e. the balance of risk after considering the effects of controls deployed to mitigate the risk.
The action plans that Management has taken and/or is taking to mitigate the risks to acceptable levels are reported by the RMUs to the Audit Committee and the outcome is documented in the Audit Committee meeting minutes. The Audit Committee would thereafter brief the Board on the outcome of the risk update, including any significant issues therefrom.

For each of the business risks identified, a risk owner is entrusted to ensure appropriate actions are taken to mitigate the risk to an acceptable level within a specified timeline. The Risk Coordinator of the Group, when reviewing the risk update by business units, enquires into the status of action plans undertaken by Management of the business units concerned.

During the financial year under review, there were two (2) risk updates conducted by the various business units and companies in the Group with the outcome reported to the Audit Committee and the Board for further comments. The business risks as identified encompassed risks on finance, operations, regulatory compliance, reputation, cyber security and sustainability.

INTERNAL CONTROL SYSTEM

The Group’s internal control system comprises the following key elements:

• an organisation structure with clearly defined lines of responsibilities and appropriate levels of delegation and authority, including financial limits of authority in approving transactions/activities as well as mandate to operate bank accounts.
The structure also sets out clear reporting lines and segregation of duties for key processes like strategic management, operations, sales and collections, procurement and payment, human resource, capital expenditure, research and development, financial reporting, corporate affairs, and investments;

• a process of hierarchical reporting which provides a documented and auditable trail of accountability, with appropriate sign-off by personnel entrusted with the responsibilities;

• an annual budgetary exercise that requires all business units and companies in the Group to formulate financial budgets which are then consolidated into a Group budget, presented to the Board for comments and approval. Quarterly review of the Group’s performance against budget is carried out at Board meetings where explanations on significant variances are furnished by Management. Management meetings at operational level are conducted to review financial performance against business plans and monitor the respective business unit’s performance against budget;

• significant changes in business development are reported by Management to the Board at scheduled meetings. This oversight review enables the Board to evaluate and monitor the Group’s business performance vis-à-vis its corporate objectives;

• the Audit Committee, which is entrusted by the Board to oversee the Company’s financial reporting process, in particular the quarterly and annual announcements of the Group’s financial performance, meets at least quarterly to review the announcements, seeks clarification and explanations from Management before recommending the announcements to the Board for approval;
