KENANGA ANNUAL REPORT 2020
HOW WE ARE GOVERNED

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

Risk Management Process and Infrastructure

The risk management process is a combination of both bottom-up and top-down approaches to facilitate decision making based on available information known at the time and creating opportunities to refine inputs when new information is available. In addition to establishing risk policies, tools and methodologies to identify, quantify and manage the risks, GRM is also responsible for establishing the risk measurement and monitoring process to ensure that the Group’s risk profile and portfolio concentration are reported to the various risk committees on a regular basis.

Internal Policies and Procedures

Policies and procedures which set out standard day-to-day operations and managing risks are formulated based on current regulatory requirements and industry best practices. The adequacy of the policies and procedures, and their compliance with regulatory requirements, are assessed by independent control functions such as risk management, compliance and audit, prior to obtaining approval from the Board or relevant management committee. Existing policies and procedures are reviewed regularly to ensure improvements and in consideration of emerging or changing risk profiles, new products or services, as well as new or updated regulatory requirements.

Annual Business Plans and Budgets

The Board reviews and approves the business plans and budgets which are developed in line with the Group’s strategies and risk appetite. Actual performances against the approved budgets are escalated to the Management and Board on a monthly basis, allowing responses and corrective actions to be taken.

Human Capital Management

The organisational structure, which is aligned to business and operational requirements, is led by Heads of Departments with accountability in place.
Human Resources’ policies and procedures are reviewed regularly to ensure they remain relevant to manage operational and people-related risks. There are regular trainings and updates for employees on requirements/guidelines of BNM, Bursa Malaysia and the SC, as well as on the importance of corporate governance, risk management and internal control. Various awareness programmes on operational risks, ethics and fraud are also conducted regularly.

Business Continuity Management

Business Continuity Plans and Disaster Recovery Plans are established to ensure non-disruption of business or efficient business resumption. Regular testing or drills are also conducted for the purpose of staff preparedness, readiness of disaster recovery site, effectiveness of communication, escalation and recovery procedures. For effective business continuity management (“BCM”), awareness training is held annually for BCM coordinators and key persons.

Information Technology Security

The use of information technology (“IT”) is essential and central to the Group’s business. In order to ensure the reliability and resiliency of the business operations to meet the expectations of customers and all stakeholders, and in line with the guidelines of regulators such as BNM’s Risk Management in Technology, the Group has established the corporate IT Security Policy and implemented the necessary security procedures to protect the confidentiality, integrity and availability of information systems and data. With the increase in adoption of digitalisation and service delivery via cyberspace, the Group will continue to reinforce its IT security efforts and initiatives to be aligned with the Group’s current and envisaged operations, strategies and business environments. The IT security posture of the Group is also continuously reviewed and enhanced to mitigate the risks arising from new and emerging threats.
In-house IT security training and security updates on the latest threats are constantly provided to all staff to ensure their awareness of the importance of IT security.

Compliance Function

The Board is unreservedly committed and always strives to adopt the principles and recommendations of the MCCG issued by the SC Malaysia, as well as other relevant regulatory requirements relating to corporate governance. Compliance reviews and monitoring are undertaken by GRCS using various tools and approaches based on the framework set by Group Compliance, a department of GRCS. These reviews and monitoring are performed to assess the level of compliance with the relevant regulatory requirements and the respective companies’ internal policies and procedures. Any regulatory deviation or compliance breaches will be reported to the respective Boards of operating entities within the Group and the relevant regulators. Pursuant to this, appropriate corrective actions including disciplinary actions will be taken to address the breach with a view to pre-empt and prevent the occurrence of a similar breach.