KENANGA ANNUAL REPORT 2019

HOW WE ARE GOVERNED

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

INTRODUCTION

Pursuant to Paragraph 15.26(b) of the Main Market Listing Requirements (“MMLR”) of Bursa Malaysia Securities Berhad (“Bursa Securities”), a listed issuer must ensure that its Board of Directors (“Board”) includes in its annual report a statement about the state of its risk management and internal controls as a group. In addition, the Malaysian Code on Corporate Governance also stipulates that the Board should maintain a sound system of internal controls, including a review of its effectiveness to safeguard shareholders’ investments and the Group’s assets.

Set out below is the Board’s Statement on Risk Management and Internal Control in compliance with the MMLR of Bursa Securities.

BOARD RESPONSIBILITY

The Board is committed to maintaining a sound system of internal controls and has instituted a risk management framework, as well as good corporate governance measures to monitor the Group’s effectiveness in safeguarding shareholders’ investments and the Group’s assets.

The Board is responsible for determining key strategies and policies for significant risks and control issues, whereas functional management is responsible for the effective implementation of the Board’s policies by way of identifying, monitoring and managing risks. However, as any system of internal controls will have its inherent limitations, the system has been designed to manage risks rather than provide absolute assurance against material misstatement, fraud or loss.

The Board has also received reasonable assurance from the Group Managing Director and Group Chief Financial and Operations Officer that the Group’s risk management and internal control system is operating adequately and effectively, in all material aspects.

RISK MANAGEMENT AND INTERNAL CONTROL SYSTEM

The Board and Management of the Group are committed to the implementation of an internal control system to manage those risks that could affect the Group’s continued growth and financial viability. Measures are taken to continuously evaluate changes in the risk profile of the Group and business complexities to assist the Board and Management to anticipate and manage all potential risks and protect shareholders’ value.

The key elements of the Group’s internal control system include the following:

Risk Management Framework

The risk governance structure in the Enterprise Risk Management Framework defines the roles and responsibilities throughout the organisation to ensure accountability and ownership. It sets out the principles of sound corporate governance to assess and manage risks to ensure that risk taking activities are aligned with the Group’s capacity to absorb losses and its long-term viability.

The risk management philosophy adopted by the Group is based on the three (3) lines of defence approach. The line management is the first line of defence and is primarily responsible for the day-to-day risk management by identifying the risks, assessing impact and taking appropriate actions to manage and mitigate risks. The second line of defence is the oversight functions comprising Group Risk Management and Group Regulatory & Corporate Services (“GRCS”). They perform independent monitoring of business units, reporting to Management and Board to ensure that the Group is conducting business and operations within internal guidelines and is regulatory compliant. The third (3rd) line of defence is Group Internal Audit (“GIA”) which provides independent assurance to the Board on the effectiveness and efficiency of system of internal controls, risk management and governance processes.

Governance

The Board, through its appointed board committees such as the Group Board Risk Committee (“GBRC”) and Group Board Digital Innovation & Technology Committee (“GBDITC”), ensures that the Group’s activities are consistent with its approved risk appetite, strategies and policies.
