CAHYA MATA SARAWAK ANNUAL REPORT 2016

www.cmsb.com.my
Section 06 Governance
STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

The system has been successfully implemented at the Headquarters and four (4) of the major Divisions in 2016, and will gradually be rolled out to other Divisions going forward.

d) Bottom-up Risk Management

As part of the aim to make risk management relevant at all levels across the Group, the Group is in the process of expanding the reporting framework so that risk reporting and risk management will not be confined to the management level only but will extend to all executive and non-executive levels, to further ensure and enhance the adequacy of our risk management framework, especially in relation to operational risk related matters. As reported in the previous financial year, the Group has successfully rolled out the bottom-up risk management approach to a selected Division and, given the positive feedback gathered, the Group will continue to fine-tune the framework from time to time.

6. Business Continuity Management

Business continuity management is regarded as an integral part of the Group’s risk management process. As such, the Group has formulated a business continuity plan (BCP) to minimise potential disruptions to business and operations due to, inter alia, business supply chain disruption, inaccessibility to the workplace, unavailability of key personnel and failure of critical systems and applications. The business continuity plan documents the strategies and/or actions to be undertaken during a crisis so that critical business functions are able to resume within a critical timeframe to fulfil statutory and regulatory requirements.

During the financial year, the Group engaged an external consultant to carry out desktop testing to assess the effectiveness of the implemented BCP initiatives. The tests were successfully executed and the findings from these tests were presented to the GRC.

Additionally, in order to ensure that the Group’s business continuity plan initiatives remain relevant, these plans will continue to be reviewed and updated periodically.

7. Limits of Authority

The Group has an established Group Limits of Authority (“GLOA”) manual which sets out the authorisation limits for the Group’s management and staff and also those matters requiring Board approval to ensure accountability, segregation of duties and control over the Group’s financial commitments. The GLOA manual is reviewed and updated from time to time to be aligned with business, operational and structural needs and changes.

8. Internal Control System

The key elements of the Group’s internal control system are described below:

• Clearly defined delegation of responsibilities to Committees of the Board and management, including authorisation levels for all aspects of the businesses. Such delegation is subject to periodic review throughout the year as to its implementation and suitability.

• Clearly documented internal procedures set out in the Group Financial Policies and Procedures Manual.

• A detailed Group Procurement Policies and Procedures Manual to regulate procurement of goods and services in the Group. This includes the centralisation of competitive sourcing and evaluation of major purchases to leverage on the Group’s buying power and the establishment of a Central Tender Committee which has responsibility to review and endorse all high value purchases in the Group.

• A detailed Group Human Resource Policies and Procedures Manual to regulate all aspects of employee engagement from conduct and discipline to benefits and entitlements. It provides a common and clear understanding and consistent practice of HR policies and procedures across the Group to effectively support the Group’s operations.

• Where parts of the Group’s operations have received ISO certification for their products and/or work processes, these operating units are committed to maintaining their certification by ensuring strict compliance with their respective ISO requirements which include periodic reviews from ISO.

• A detailed strategic planning and budgeting process where operating units prepare business plans and detailed capital and operating budgets for the coming year. These plans are approved by the Board.
