KUB Malaysia Berhad Annual Report 2021

Statement on Risk Management and Internal Control

INTRODUCTION

The Board of Directors (‘Board’) is pleased to provide the Statement on Risk Management and Internal Control (‘the Statement’) pursuant to the Main Market Listing Requirement (‘MMLR’) of Bursa Malaysia Securities Berhad (‘Bursa Malaysia’) with regard to the Group’s risk management and internal control practices aligned with the Malaysian Code on Corporate Governance 2017 (‘MCCG 2017’). The Statement outlines practices and processes adopted by the Board in reviewing the adequacy and integrity of the Risk Management and Internal Control System of the Group (‘the System’). The Statement, however, excludes the System at associated companies where the Group does not have control over their respective operations.

RESPONSIBILITY AND ACCOUNTABILITY

Board of Directors

The Board is responsible for providing assurance that the Group’s overall risk management and internal control system functions effectively and forms part of the corporate culture that safeguards the stakeholders’ interests and the Group’s assets as prescribed by the MCCG 2017. The Board discharges its stewardship role through the identification of risks, implementation of appropriate internal controls and review of the adequacy and integrity of the internal control system. The Board ensures the adoption of strategic plans for the Group, oversees the conduct of its business, reviews the financial performance, and ensures the compliance of operations with the applicable laws and sound corporate governance through effective interaction with the Management, internal auditors and external auditors.

Board Risk Management Committee (‘BRMC’) and Board Audit Committee (‘BAC’)

The BRMC assists the Board by undertaking the responsibilities in supervising and monitoring the Group’s principal risks.
The BRMC recommends to the Board appropriate risk management policies, risk tolerance levels and risk management processes; updates the Board quarterly on the status of significant risks and on the progress and effectiveness of agreed action plans; and recommends additional risk management strategies and mitigation plans for the Board’s approval to mitigate or minimise the impact of the identified risks.

The BAC, on the other hand, reviews the risk management and internal control issues highlighted by the internal and external auditors and evaluates the effectiveness and adequacy of the internal control system. The BAC has unrestricted access to both internal and external auditors and actively oversees the independence, scope of work and resources of the audit function. The BAC meets on a regular basis and has the right to convene meetings with the auditors without the presence of other Directors and the Management team.

The key matters discussed at the BRMC and BAC meetings are tabled to the Board. Risk and internal control related matters that warrant the attention of the Board are presented by the BRMC and BAC to the Board for deliberation and recommendation for approval, and matters or decisions made within the BRMC and BAC’s purview are updated to the Board for notation.

Management

The Management is responsible for implementing the Board-approved risk related frameworks and policies that support the System. The Management acknowledges its responsibility to ensure the System operates adequately and effectively in achieving its established business goals and objectives.

RISK MANAGEMENT

Risk management establishes effective and sound management practices, ensures an informed decision-making process and increases the confidence level of the stakeholders in the performance of the Group. It has been in place up to the date of approval of the annual report and financial statements.
It is periodically reviewed and guided by the Statement on Risk Management and Internal Control Guidelines for Directors of Listed Issuers (‘SRMICG’).

Risk Management Framework

The System is guided by the established Enterprise Risk Management Framework (‘the Framework’), which adopted the principles and process outlined in the MS ISO 31000: Risk Management – Principles and Guidelines (‘the Principle’). The Principle is broad but appropriately adopted for the Group’s risk management and internal control practices respectively. The Framework is developed to facilitate the Group in facing the changing and challenging business environment and shall be continuously improved to implement, monitor, review and improve the overall risk management activities. Other objectives of the Framework are:

(a) To provide guidance in managing risks to ensure that organisational capabilities and resources are employed in the most efficient and effective manner to manage both opportunities and threats;
