The risk management and internal controls system is designed to help the Group achieve its long-term vision and mission by identifying and evaluating the Group's risks and by formulating appropriate mitigating controls to protect our business, stakeholders, assets and capital. Risk management and internal control systems are embedded in our business functions, and we believe that they enhance long-term shareholder value. The risks the Group is subject to are directly linked to the Group's strategy.
The Board has overall responsibility for the Group's system of internal controls and the assessment and management of risks. The primary responsibility for detailed risk identification and management lies with the respective business heads. The Risk Management Committee ("RMC"), reporting to the Audit Committee, is responsible for strengthening the Group's risk management culture, ensuring the overall framework of risk management is comprehensive and responsive to changes in the business, and managing the internal audit function. It regularly reviews the completeness and accuracy of risk assessments, risk reporting and the adequacy of risk mitigation efforts.
The Group has in place a risk management and internal control framework that is consistent with the COSO (the Committee of Sponsoring Organisations of the Treadway Commission) framework and has the following five components:
Defined organisational structures are established. Authority to operate various business functions is delegated to respective management within limits set by head office management or the Executive Directors. The Board meets on a regular basis to discuss and agree business strategies, plans and budgets prepared by individual business units. The performance of the Group is reported to the Board on a monthly basis.
The Group identifies, assesses and ranks the risks that are most relevant to the Group's success according to their likelihood, financial consequence and reputational impact.
Policies and procedures are set for each business function; these include approvals, authorisation, verification, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
The Group documents operational procedures of all business units. The risks identified and their respective control procedures are documented in risk registers by the RMC and reviewed by the Audit Committee at least annually.
The Group adopts a control and risk self-assessment methodology, continuously monitoring its business risks by way of internal review and communication of key control procedures to employees.