IHH Healthcare Berhad
l
Annual Report 2014
088
StatementonRiskManagement
andInternalControl
The Board of Directors of IHH Healthcare Berhad (“IHH or the Company”), together with that of its subsidiary companies (“the Group”), is committed
to maintaining a sound system of risk management and internal control. In accordance with Paragraph 15.26(b) of the Listing Requirements of Bursa
Malaysia Securities Berhad (Bursa Malaysia), the Board is pleased to provide the following Statement on Risk Management and Internal Control
prepared in accordance with the “Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers”.
Board Responsibility
The Board in discharging its responsibilities is fully committed to maintaining a sound system of risk management and internal control as well as for
reviewing its adequacy, integrity and effectiveness to safeguard shareholders’ investment and the Group’s assets.
The system of risk management and internal control by its nature is designed to manage key risks that may hinder the achievement of the Group’s
business objectives within an acceptable risk profile. In view of the limitations inherent in any system of risk management and internal control, these
systems put in place can only manage risks within tolerable and knowledgeable levels, rather than eliminate the risk of failure to achieve business
objectives completely.
Control Structure
The Board is assisted by the Audit and Risk Management Committee (“ARMC”), which consists of four non-executive members of the Board, with its
chairperson being an Independent Non-Executive Director. The Board, through the ARMC, maintains risk oversight within the Group to ensure that
the implementation of the approved policies and procedures on risks and controls are as intended. The approved policies and appropriate key internal
controls have been put in place to mitigate the key risk areas which have been identified and assessed by the respective departments in charge for
the year under review and up to the date of approval of this statement for inclusion in the annual report.
Each major operating subsidiary has its own ARMC, functioning in the equivalent manner, which directly reports to the Group’s ARMC or the Board.
Control Environment
The operating structure includes defined delegation of responsibilities to the management of operating subsidiaries. The limit of authority is clearly
defined and set out in the Group’s policies. These policies and procedures are meant to be reviewed regularly and updated when necessary.
The Group places an emphasis on the quality and calibre of its employees and as such, a variety of training and development opportunities are actively
encouraged. This is implemented through various schemes and programmes that align with the needs and cultures of the operating subsidiaries and
encompasses a widely extended geography.
A Whistleblowing Policy is in place within the Group’s major operating subsidiaries. This policy encourages employees to report any wrongdoing by
any person in the Group to the proper authorities so that the appropriate action can be taken immediately.
The system of risk management and internal control covers not only financial controls but operational, risk and compliance controls as well. These
systems are designed to manage, rather than eliminate, the risk of failure arising from non-achievement of the Group’s policies, goals and objectives.
Such systems provide reasonable, rather than absolute, assurance against material misstatement or loss.
Risk Management
The Group recognises that risk is an integral and unavoidable component of its business and is characterised by threats and opportunities. The
Group works on fostering a risk-aware corporate culture across the geographic group. Through skilled application of high quality, integrated risk
analysis and management, the Group continues to work on enhancing opportunities, reducing threats and sustaining its competitive advantage. The
Group is committed to an effective system of enterprise risk governance which provides for the sound and prudent management of the organisation
in meeting the business goals and objectives within acceptable level of risk. The Group recognises that Enterprise Risk Management (ERM) is a
proactive management tool for anticipating emerging risks and putting in place pre-emptive actions so that the effect of uncertainty on the success
of the organisation is minimised.
The Board ERM governance structure is in place in each major subsidiary. Each major subsidiary’s ARMC, supported by the Risk function, receives
updates on its ERM framework including material risks, emerging risks, key risk exposures and risk mitigation plans. These updates are consolidated
and analysed for monitoring and reporting to Group’s ARMC on a quarterly basis.
The ERM process is a structured, practical set of three steps – Evaluate, Respond and Monitor (the E-R-M process) that enables management to
identify and assess those risks, determine the appropriate response and then monitor the effectiveness of the risk response and any changes to the
Group enterprise risk profile are reported to Group’s ARMC every quarter.
