A list of principal risks (including ESG-related risks), covering both strategic and operational risks as identified by our risk assessment process, is compiled with reference to their residual risk impact and likelihood (after considering mitigation actions and controls). Action plans are developed, and risk ownership is assigned for each principal risk. The risk owners coordinate the mitigation actions to ensure the proper implementation of these action plans. They are also required to continuously monitor, evaluate, and report on risks for which they bear responsibility. Mitigation controls are subject to internal audit review and testing.
Through this integrated top-down and bottom-up risk review process, which enables the identification and prioritization of risks throughout the Company, we maintain effective lines of communication to ensure timely escalation of potential risks and the initiation of mitigation actions to manage them.
Internal Control Framework
The Board is responsible for maintaining an effective internal control system. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss.
Specifically, our internal control system monitors the Company's overall financial position and ensures it is accurately reflected in our financial and management reporting while safeguarding our assets against major losses and misappropriation; providing reasonable assurance against material fraud and error; and efficiently identifying and correcting non-compliance.
To ensure efficient and effective operations in our expanding business units and functions, relevant internal control policies and procedures, committees, and working groups are in place to achieve, monitor, and enforce internal controls. These policies and procedures are periodically reviewed and updated when necessary. All employees are made aware of the policies and procedures, with comprehensive staff communications and training programs in place to ensure understanding and awareness.
The Audit Committee supports the Board in overseeing the effectiveness of internal controls, while management is responsible for designing, implementing, and maintaining an effective internal control system with reference to the COSO principles. In particular, appropriate policies and procedures governing the activities of the Executive Committee, Board Members, executives and senior staff, such as delegation of authority, approval of annual and mid-year budgets for all capital, revenue, and expenditure items, etc., have been put in place. Management also continually reviews, updates, and refines the internal control system to anticipate future challenges.
Our Internal Audit Department is independent of our operations and accounting functions. The Deputy Director (Head of Corporate Audit) reports directly to the Audit Committee.
A risk-based internal audit program is approved by the Audit Committee each year. Based on the audit program, the Internal Auditor performs an assessment of risks and testing of controls across all business and support units of the Company in order to provide reasonable assurance that adequate controls and governance are in effect. In line with the Company’s zero tolerance for fraud and bribery, the Internal Auditor is responsible for the conduct of relevant investigations should fraud or irregularities be uncovered or suspected.
The Audit Committee meets quarterly to discuss internal audit issues with the Internal Auditor and to discuss financial and internal control matters with the External Auditor. The Audit Committee holds four direct discussions with the External Auditor in the absence of management every year. The Audit Committee reports any key issues arising from these meetings to the Board.