We take a considered approach to everything we do
Risk Management & Internal Control


The risk management and internal control system is designed to help the Group achieve its long-term vision and mission by identifying and evaluating the Group's risks and by formulating appropriate mitigating controls to protect our business, stakeholders, assets and capital. Risk management and internal control systems are embedded in our business functions, and we believe that they enhance long-term shareholder value. The risks the Group is subject to are directly linked to the Group's strategy.

The Board has overall responsibility for the Group's system of internal controls and the assessment and management of risks. The primary responsibility for detailed risk identification and management lies with the respective business heads. The Risk Management Committee ("RMC"), reporting to the Audit Committee, is responsible for strengthening the Group's risk management culture, ensuring the overall framework of risk management is comprehensive and responsive to changes in the business, and managing the internal audit function. It regularly reviews the completeness and accuracy of risk assessments, risk reporting and the adequacy of risk mitigation efforts.

The Group has in place a risk management and internal control framework that is consistent with the COSO (the Committee of Sponsoring Organisations of the Treadway Commission) framework and has the following five components:

Control Environment

Defined organisational structures are established. Authority to operate various business functions is delegated to respective management within limits set by head office management or the Executive Directors. The Board meets on a regular basis to discuss and agree business strategies, plans and budgets prepared by individual business units. The performance of the Group is reported to the Board on a monthly basis.

Risk Assessment

The Group identifies, assesses and ranks the risks that are most relevant to the Group's success according to their likelihood, financial consequence and reputational impact.

Control Activities

Policies and procedures are set for each business function, including approvals, authorisation, verification, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication

The Group documents operational procedures of all business units. The risks identified and their respective control procedures are documented in risk registers by the RMC and reviewed by the Audit Committee at least annually.


Monitoring

The Group adopts a control and risk self-assessment methodology, continuously monitoring its business risks by way of internal review and communication of key control procedures to employees.

Principal Risks

See Strategy Delivery & Risk section in 2016 Annual Report