Accountability & Audit
Risk Management Framework
Under its approved terms of reference, the Enterprise Risk Management (“ERM”) Working Group (comprising an Executive Board Member as Chair and unit heads from all business units and support divisions) has been established as our second line of defense to coordinate and oversee risk management activities, whilst operational management remains the first line of defense. The Internal Audit Department, which reports directly to the Audit Committee on risk management and internal control matters, acts as the third line of defense in this system.
The Company takes proactive measures to identify, evaluate, and manage significant risks arising from our business and from the constantly changing business environment at different levels within the organization. This integrated approach combines a top-down strategic view with a complementary bottom-up operational process as illustrated below:
A list of principal risks, covering both strategic and operational risks as identified by our risk assessment process, is compiled with reference to their residual risk impact and likelihood. Action plans are developed, and risk ownership is assigned for each principal risk. The risk owners coordinate the mitigation measures to ensure proper implementation of these action plans. They are also required to continuously monitor, evaluate, and report on risks for which they bear responsibility. Mitigation controls are subject to internal audit review and testing.
The Board and Audit Committee reviewed the Company's top and emerging risks, and conducted an annual review of the effectiveness of the ERM framework. Taking into consideration the principal risks and mitigating actions, the Board believes that the Company has the ability to adequately respond to changes to our business and the external environment.
Internal Control Framework
The internal control system has been designed to monitor the Company's overall financial position, to safeguard its assets against major losses and misappropriation, to provide reasonable assurance against material fraud and error, and to efficiently monitor and correct non-compliance.
We have proper policies and procedures governing the activities of the Executive Committee, Board Members, executives and senior staff, such as delegation of authority, approval of annual and mid-year budgets for all capital, revenue, and expenditure items, etc.
Our Internal Audit Department is independent from our operations and accounting functions. The Internal Auditor reports directly to the Audit Committee. A risk-based internal audit program is approved by the Audit Committee each year. Based on the audit program, the Internal Auditor performs assessments of risks and testing of controls across all business and support units of the Company in order to provide reasonable assurance that adequate controls and governance are in operation.
The Audit Committee holds four meetings with the external auditor in the absence of management every year, thereby exceeding the requirements of the Corporate Governance Code.