GHL System Berhad Annual Report 2018

a n n u a l r e p o r t 2 0 1 8 45 STAT EMENT ON R I SK MANAGEMENT AND I NT ERNA L CONTROL C O N T ’ D KEY INTERNAL CONTROL PROCESSES (cont’d) 5. Risk Management (cont’d) a. Risk Management Committee (“RMC”) (cont’d) The Head of Internal Audit was invited to attend meetings of the RMC as an observer to provide the ARC with an independent assessment of the adequacy and reliability of the risk management processes and compliance with risk policies. The RMC shall meet at least twice a year to conduct a formalised annual risk assessment and report the findings to the ARC. On a quarterly basis, the RMC Chairman, i.e. Group CEO, and the Group CFO are invited to the ARC meeting to formally brief the ARC of any risks related events and/or new risks faced by the Group with the corresponding action plans taken to mitigate the risks. b. Risk Framework Risk Management activities are guided by the Group’s Enterprise Risk Management Framework. The risk universe covers a span of activities to determine the risk profile inherent from the nature of business which would compromise the business objectives if addressed improperly. c. Risk Identification, Evaluation and Ranking The Management of each Business Unit, in establishing its business objectives, is required to identify and document all possible risks that can affect their achievement taking into consideration of the effectiveness of controls that are capable of mitigating such risks. Country Managers or Heads of Departments are responsible to identify risks that may have impact in meeting their unit’s business objectives. Risk identification process shall also take into consideration of the following:- • Risk specific to the achievement of business objectives; and • Risks that have the potential impact on the success and continuity of the business. Thereafter, identified risks are evaluated as follow:- • Probability or likelihood of occurrence; • Significance of the risk; and • Review and assess adequacy of risk management policies and framework in identifying, measuring, monitoring and controlling risks. d. Risk Reporting and Monitoring Each Business Units and Projects identified risks together with the controls and processes used to manage risks are tabulated in a risk assessment report. Significant risks of Business Units and Projects are presented to the RMC for their deliberation. Risk monitoring is an ongoing process in which the RMC monitors the Group’s business risks as part of their annual assessment for proper disclosure in the Annual Report. e. Merchant Risk The Group Risk Department currently monitors merchants’ performance risks of its active Transaction Payment Acquisition (“TPA”) businesses in Malaysia, Thailand and Philippines. The Group Risk Department performs this function by firstly determining the risk acceptance criteria; followed by measuring, classifying and monitoring merchant activities at a transactional level using predetermined risk rules; and finally instituting remedial and exit procedures for errant merchants. This approach is embodied in the Group’s Credit Policy manual and is heavily automated in the Group’s M-Cube Risk Management system.