GHL Systems Berhad Annual Report 2023

GROUP RISK MANAGEMENT AND INTERNAL CONTROL SYSTEM (Cont’d)

1. RMC (Cont’d)

The salient features of the RMC process are as follows:

• CEOs of the subsidiaries, Business Heads and Heads of Department are tasked to update their respective risk profiles on a half yearly basis and confirm to the Risk Department that reviews had been conducted and risks related to their areas had been assessed; and also include action plans which are to be implemented in order to manage the risks that had been identified;
• The risks that had been identified are consolidated and tabled to the RMC for its deliberation and monitoring;
• Head of GIA attends the RMC meetings as observer to provide an independent assessment of the adequacy and reliability of the risk management processes and compliance with risk policies;
• The RMC shall meet at least twice a year to review significant risks and the progress on the implementation of the mitigating actions;
• A copy of the RMC meeting minutes is submitted to the ARC for review and deliberation; and
• The RMC members, i.e. Group CEO, Group CFO and Group CRO are invited to the ARC meeting to brief the ARC on any existing risks and/or new risks faced by the Group with the corresponding mitigation plans.

2. Risk Identification, Evaluation and Ranking

Business Heads, Heads of Department and the management of each Business Unit, in establishing its business objectives, are required to identify and document all possible risks that can affect their business and the Group, taking into consideration the effectiveness of controls that are capable of mitigating such risks. The risk identification process shall also take into consideration the following:

• Risks specific to the achievement of business objectives
• Risks that have the potential impact on the success and continuity of the business.

Thereafter, identified risks are evaluated as follows:

o Probability or likelihood of occurrence;
o Significance of the risk; and
o Review and assess the adequacy of the risk management policies and framework in identifying, measuring, monitoring, and controlling risks.

3. Risk Reporting and Monitoring

Each Business Unit’s risks together with the controls and processes used to manage such risks are identified and tabulated in a risk assessment report. Significant risks of Business Units and projects are presented to the RMC for their deliberation. Risk monitoring is an ongoing process in which the RMC monitors the Group’s business risks as part of their annual assessment for proper disclosure in the Annual Report.

4. Merchant Risk

The Group Risk monitors the merchants’ performance risks in its Transaction Payment Acquisition (“TPA”) businesses in Malaysia, Thailand, and the Philippines. The Group Risk performs this function by firstly determining the risk acceptance criteria; followed by measuring, classifying, and monitoring merchant activities at a transactional level using predetermined risk rules; and finally instituting remedial and exit procedures for errant merchants. This approach is documented in the Group’s Credit Policy manual and automated in the Group’s M-Cube Risk Management system.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL CONT’D 62 GHL SYSTEMS BERHAD 199401007361 (293040-D)
