CAHYA MATA SARAWAK ANNUAL REPORT 2016

www.cmsb.com.my
Section 06 Governance
Cahya Mata Sarawak Berhad

[Figure: Risk rating heat map, 5 x 5 matrix. Levels: Catastrophic, Major, Moderate, Minor, Insignificant. Likelihood: Rare, Unlikely, Moderate, Likely, Almost Certain. Ratings: Significant, Moderate, Low.]

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

c) Treatment

Risk treatment in CMSB entails three lines of control namely: (i) Preventive; (ii) Detective; and (iii) Corrective.

Under the preventive control, the aim is to prevent and to reduce the chance or possibility of a risk happening through careful evaluation of risks and putting in place preventive control measures.

As for the second line of control (i.e. detective), it involves a two-pronged approach. Firstly, it aims to reduce the chance or possibility of a risk happening through early detection of warning indicators or “red flags”. Secondly, early detection also aims to reduce the magnitude of impact or “damage” to the organisation.

The last line of control, correction, aims to reduce the impact of risk on the organisation after it has occurred by taking corrective action.

For any “Significant” risks after relevant risk treatments, appropriate management action plans may be developed, where applicable, to manage these risks to an acceptable level. This is done through detailed internal discussions and consultation with the respective risk owners.

d) Monitoring

Risk coordinators have been appointed in the respective Divisions to coordinate the risk review process. The risk coordinators and owners will continuously monitor the internal and external environment for potential changes to risks and ensure that risk responses continue to operate effectively and risk related matters are highlighted and reported on a timely basis.

In addition, the monthly operations performance reviews forum which focuses on monitoring the achievement of financial objectives and other key performance indicators is also being used as an effective platform to identify and deliberate on risks and risk management issues. This has further enhanced the Group’s risk management and monitoring process making it more robust and more relevant.

e) Reporting

The major risks are aggregated and risk ratings reviewed by the GRMU and Group Managing Director before presentation to the GRC and the Board. The Divisions are also required to present the risk reports to their respective Boards periodically to assist them to discharge their governance and fiduciary duties.
