KENANGA ANNUAL REPORT 2017

6. Establishment of strong risk management governance with an enterprise risk management framework as a pillar for other risk guidelines and sound practices by Group Risk Management (“GRM”). The risk governance structure in the framework defines the roles and responsibilities throughout the organisation to ensure accountability and ownership;

7. Establishment of risk policies, tools and methodologies to identify, quantify and manage the risks. GRM is also responsible for establishing the risk measurement and monitoring process to ensure that the Group’s risk profile and portfolio concentration are reported to the various risk committees on a regular basis;

8. The risk management philosophy adopted by the Group is based on the three (3) lines of defence approach. The line management is the first line of defence and is primarily responsible for the day-to-day risk management by identifying the risks, assessing impact and taking appropriate actions to manage and mitigate risks. The second line of defence is the oversight functions which are GRM and Group Compliance. They perform independent monitoring of business units, reporting to management to ensure that the Group is conducting business and operations within internal guidelines and is regulatory compliant. The third line of defence is Group Internal Audit (“GIA”) which provides independent assurance to the Board on effectiveness and efficiency of system of internal controls, risk management and governance processes;

9. Establishment of a Group Approving Authority Framework to ensure that approving authorities are granted to appropriate individuals or committee and there is no significant concentration of authority given to a single person or committee;

10. Comprehensive internal credit analysis and evaluations based on a number of factors and sources of information such as due diligence investigation, credit checks, bankruptcy searches, evaluation of business financial performance and industry risk review are conducted to mitigate credit risks;

11. Under operational risk management, for the implementation of Risk Control Self-Assessment tool, each business unit undertakes regular self-assessment to identify and assess the effectiveness of the controls put in place for all material products, activities, processes and systems to manage the risks identified. This tool serves as an early warning signal to drive appropriate management actions before risks materialise into losses;

12. Establishment of a product development guideline for any new product or service that the Group intends to launch, to ensure that all material risks associated with the new product or service are identified, assessed and managed via appropriate risk management controls;

13. Compliance reviews and monitoring are undertaken by Group Regulatory and Corporate Services (“Group Regulatory”) using various tools and approaches based on the framework set by Group Regulatory. These reviews and monitoring are performed to assess the level of compliance with the relevant regulatory requirements and the respective companies’ internal policies and procedures. Any regulatory deviation or compliance breaches will be reported to the respective Boards and the relevant regulators. Appropriate corrective actions including disciplinary actions will be taken to address the breach with a view to pre-empt and prevent the occurrence of a similar breach. A list of identified laws, regulations and other regulatory instruments applicable to the Group is documented and maintained to facilitate compliance. Group Regulatory also provides timely, structured and comprehensive advice and support to the Group on matters relating to the laws and rules applicable to the Group. The Group also has a self-assessment framework in place to facilitate and promote regulatory compliance by the business lines units within the Group. The Board is satisfied that in 2017 the Group complied with the principles and recommendations of the “Malaysian Code on Corporate Governance” and the “Corporate Governance Guide”; and

14. GIA provides independent and objective assurance to the Board that the established internal controls, risk management and governance processes are adequate and are operating effectively and efficiently. To ensure independence and objectivity, the GIA reports independently to the Audit Committee and has no responsibilities or authority over any of the activities it reviews.

Statement on Risk Management and Internal Control
