KENANGA ANNUAL REPORT 2019

HOW WE ARE GOVERNED

Risk Management Process and Infrastructure

The risk management process is a combination of both bottom-up and top-down approaches to facilitate decision making based on available information known at the time and creating opportunities to refine inputs when new information is available. In addition to establishment of risk policies, tools and methodologies to identify, quantify and manage the risks, Group Risk Management is also responsible for establishing the risk measurement and monitoring process to ensure that the Group’s risk profile and portfolio concentration are reported to the various risk committees on a regular basis.

Internal Policies and Procedures

Policies and procedures which set out standard day-to-day operations and managing risks are formulated based on current regulatory requirements and industry best practices. The adequacy and compliance with regulatory requirements of the policies and procedures are assessed by independent control functions such as risk management, compliance and audit, prior to obtaining approval from the Board or relevant MC. Existing policies and procedures are reviewed regularly to ensure improvements and in consideration of emerging or changing risk profiles, new products or services, as well as new or updated regulatory requirements.

Annual Business Plans and Budgets

The Board reviews and approves the business plans and budgets which are developed in line with the Group’s strategies and risk appetite. Actual performances against the approved budgets are escalated to the Management and Board on a monthly basis allowing responses and corrective actions to be taken.

Human Capital Management

The organisational structure, which is aligned to business and operational requirements, is led by Heads of Departments with accountability in place. Human Resource’s policies and procedures are reviewed regularly to ensure they remain relevant to manage operational and people related risks. There are regular trainings and updates for employees on requirements/guidelines of BNM, Bursa Securities and the SC, as well as on the importance of corporate governance, risk management and internal control. Various awareness programmes on operational risks, ethics and fraud are also conducted regularly.

Business Continuity Management

Business Continuity Plans and Disaster Recovery Plans are established to ensure non-disruption of business or efficient business resumption. Regular testing or drills are also conducted for the purpose of staff preparedness, readiness of disaster recovery site, effectiveness of communication, escalation and recovery procedures. For effective business continuity management (“BCM”), awareness training is held annually for BCM coordinators and key persons.

Information Technology Security

The use of information technology (“IT”) is essential and central to the Group’s business. In order to ensure the reliability and resiliency of the business operations to meet the expectations of customers and all stakeholders, the Group has established the corporate IT Security Policy and implemented the necessary security procedures to protect the confidentiality, integrity and availability of information systems and data. With the increase in adoption of digitalisation and service delivery via cyberspace, the Group will continue to reinforce its IT security efforts and initiatives to be aligned with the Group’s current and envisaged operations, strategies and business environments. The IT security posture of the Group is also continuously reviewed and enhanced to mitigate the risks arising from new and emerging threats. In-house IT security training and security updates on the latest threats are constantly provided to all staff to ensure their awareness of the importance of IT security.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL
