The Group instils and promotes a risk management culture to allow prudent risk-based decision-making by embedding core values, principles, compliance and dynamic internal control systems in its day-to-day operations. Ongoing communication, education, monitoring and mitigation are an integral part of the Group’s dynamic risk management culture and are adopted across all its business activities.
Investment assessments and due diligence exercises are carried out on prospective business opportunities to ensure that potential financial, operational and strategic risks are identified and mitigated prior to commitment. In addition, Fraud Risk Assessment is conducted across the Group as part of the Annual Internal Audit Programme to ensure consistency with the Group’s commitment to anti-corruption.
Half-yearly and annual enterprise risk assessments are carried out to validate the existence and effectiveness of the controls in place, review the changes in risk profile, and update the existing controls if required.
The Enterprise Risk Management Framework provides a sound system of risk management and internal control. It is underpinned by the foundation of the Group’s strong corporate governance culture and supported by the five pillars of the management control system: Policies and Procedures, Internal and External Audits, Due Diligence Reviews, Compliance Monitoring and Reporting, and Enterprise Risk Assessments, all of which are overseen by the ARMC and the Board.
Risk-based internal audit is one of the main functions carried out by the Group’s Risk Management team. It helps the businesses accomplish their objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes through the Enterprise Risk Management Framework, outlined as follows:
- identifying potential risks inherent within the Group and external risks which the Group faces in the pursuit of its corporate objectives;
- assessing and rating all the identified risks in a meaningful way in order for the Group to determine the extent of risks that it faces;
- treating all identified risks, as far as possible, through established controls or pending control plans;
- monitoring and updating any changes to the severity of the identified risks and any new risks that have emerged; and
- reporting key risks and the established controls (or pending control plans) to the ARMC and the Board regularly.