CORPORATE GOVERNANCE (NOMINATION AND REMUNERATION) COMMITTEE
As per the Code’s aspiration, the Corporate Governance Committee is chaired by an Independent Non-Executive Director whilst the members are Non-Executive Directors. The mandate of the Corporate Governance Committee is to devise the policy on Corporate Governance in accordance with the principles of the Code, to advise and make recommendations to the Board of Directors on all aspects of Corporate Governance and to report to shareholders on compliance with the provisions of the Code. The Corporate Governance Committee is also responsible for Nomination and Remuneration aspects of the Code and its functions are as follows:
In accordance with the Code, the Committee considers an Independent Director as one who:
The Committee met seven times during the financial year 2016-2017 to, inter alia:
The composition of the Risk Monitoring Committee is as follows:
As recommended by the Code, the Risk Monitoring Committee is chaired by an Independent Non-Executive Director. Its members comprise an additional Independent Non-Executive Director and two Executive Directors, namely the Chief Executive Officer and the Group Finance Manager, the latter also acting as the Risk Officer.
The revised version of the Risk Monitoring Charter was approved by the Board in May 2017. The role of the Committee is to assist the Board in the discharge of its duties relating to the setting up and monitoring of the risk governance process, including setting the risk appetite and monitoring relevant risk portfolios and management’s performance against such risk appetite. The Committee is mainly responsible for the approval of risk management policies for recommendation to the Board, the review and assessment of the integrity of risk control systems and the assurance that the risk policies and strategies are effectively managed. The Committee shall also provide to the Board an independent and objective oversight of the financial, business and strategic risks of the Company and of the Group.
The key duties of the Risk Monitoring Committee include the monitoring of the Group’s risk portfolios against the risk appetite set by the Board, the review of the adequacy, implementation and overall effectiveness of the Group’s risk function including management and both internal and external auditors, the assessment of legal matters that could have a significant impact on the Group’s operations and the review of internal and external auditors’ reports on significant exposures to risk.
The Committee is also responsible for the review of key risks such as industry risks, operational risks, technology risks, country risks and financial risks. Operational risks include human resources risks, fraud risks, physical risks, business continuity risks and reputational risks.
The Committee has access to all relevant information it requires to fulfil its responsibilities and is authorized to seek professional advice, both inside and outside the Company, as considered necessary to perform its duties.
The Committee met four times during the financial year 2016-2017, mainly to:
The attendance record of Committee meetings for the year under review is as shown on page 63. A quorum of three members is currently required for a Committee meeting.
The remuneration of the Chairman and of each member of the Committee for the year ended June 30, 2017 amounted to Rs 75,000 (2016: Rs 75,000) and Rs 50,000 (2016: Rs 50,000) respectively.
The internal audit function is responsible for providing independent, objective assurance to the Board regarding the implementation, operation and effectiveness of internal control systems and risk management. The objective is to ascertain the extent of compliance with procedures, policies, regulations and legislation, to facilitate proper risk management practices and to recommend improvements in control, performance and productivity within the Group.
In April 2015, Messrs BDO & Co. were engaged to assume the internal audit function within the Group. The 2-year internal audit plan, as approved by the Audit Committee, sets out the extent of coverage attributable to each business process cycle within the organisation depending on the degree of risk. The methodology used is based on the selection of specific business cycles, the identification of inherent risks, the verification of key controls in place with a view to eliminating or reducing the risks to an acceptable level, the verification of the said controls to ensure they are operating satisfactorily, the performance of walkthrough tests on procedures and processes and the formulation of necessary recommendations.
This year again, no material financial problems were identified which would materially affect the figures reported in the financial statements. The recommendations are being implemented gradually by management under the close follow-up of our internal auditors.
Further to recommendations from the Audit Committee, the Board of Directors has reiterated its intention to have its own internal audit team to ensure a more extensive coverage of all business process cycles and better assess the effectiveness of recommended procedures and controls within the Group.
The Board of Directors recognises effective risk management as a core competency and is ultimately responsible for the setting up and monitoring of the risk governance process, including setting the risk appetite, and the adequacy and effectiveness of the internal control system which is designed to manage the risk of failure to achieve business objectives.
The Group promotes a risk culture, whereby the related set of objectives, policies and practices is shared across the organisation. Management is responsible for the implementation of internal control and risk management systems under the supervision of the Risk Monitoring Committee to ensure their effectiveness. Such systems must ensure that proper accounting records are maintained and that the strategies and policies adopted by the Board are being implemented. The Board relies on the internal and external audit functions to report on any weaknesses and to make recommendations via the Audit Committee and, as relevant, to the Risk Monitoring Committee, the objective being to ensure the effective and efficient use of available resources and to ascertain the accuracy of information used in the preparation of financial statements.
The Board of Directors engaged Messrs BDO & Co. to implement an Enterprise Risk Management (ERM) framework and a Business Continuity Management (BCM) plan within the Group with a view to fully identify, measure, assess and mitigate our exposure to risks. The aim of this mission is to enable the Group to manage risks in an efficient and effective manner, to deliver increased shareholder value and to promote a performance culture and effective decision-making.
The Group followed “ISO 31000/2009 Risk Management Principles and Guidelines” in designing its ERM framework and strives to adopt a forward-looking, strategy-centric approach to managing the risks inherent in decision-making.
Messrs BDO & Co. conducted a strategic workshop with the Board of Directors and senior management to define the Group’s strategic objectives and determine a risk appetite for each of these objectives based on a group-wide approach by considering risks across all departments, functions and activities. A clearly defined risk appetite provides the Board, management and staff with a benchmark that facilitates the identification and management of both risks and opportunities. In so doing, a risk tolerance was determined on a scale of 1 to 25 for each of the Board’s five objectives as detailed below:
| Zone | Interpretation |
|---|---|
| Blue - Opportunities | The Group/Company is either taking too little risk, which might represent missing out on potential opportunities, or overdoing it in terms of controls. If the pointer falls in the blue region, the Company needs to take more risks or relax on controls. The risk is tolerable. |
| Green - Comfort Zone/Acceptable | The Group/Company is comfortable with the risks taken when in this region. The risk is acceptable. |
| Yellow/Amber - Warning Zone/Tolerable | The Group/Company is taking risks that are slightly outside its risk tolerance level and needs to start taking actions to bring back its risk exposure within the green region. The risk is tolerable but may need a treatment plan. |
| Red - No-go Zone/Intolerable | The Group/Company is adventuring far beyond its risk tolerance and needs to take immediate actions to get back in the yellow region. The risk is intolerable. |
As such, our risk appetite represents the types and aggregate levels of risk the Group is willing and prepared to take on to actively pursue its strategic objectives.
The Group’s risk management process operates to ensure a comprehensive evaluation of risks is performed and is subject to continuous improvement. The risk management cycle operates as follows:
In line with the above, the Group’s risk register was completed through interactive working sessions where a comprehensive list of threats and opportunities was identified and discussed based on those events that might enhance, prevent, degrade, accelerate or delay the achievement of the Board’s objectives. In so doing, the following factors were taken into consideration:
Management was required to assess all risks which could have an impact on the current or future operation of their business and to document these risks in a standardised template. Risks are assessed in terms of their financial, operational, people and customer impacts should they occur and their likelihood of occurrence, using a defined risk scoring methodology.
Through the extensive risk identification and assessment phase, a list of 233 risks was identified for the Group. The key risk categories relevant to the Group at this stage are as follows:
The Risk Monitoring Committee and the Audit Committee, via the internal audit function, ensure that the significant risks above are managed and kept at an acceptable level as follows:
In line with our ongoing focus on continuous process improvement, risks are assessed by management on an inherent basis (prior to existing controls) and a residual basis (post existing controls). Where the risk score is outside the Board’s tolerance level, appropriate mitigation strategies are implemented to bring the residual risk to a level which is within risk appetite. Going forward, the Risk Monitoring Committee shall review the risk appetite and tolerance framework on an annual basis.
The Group acknowledges that risk management is a dynamic process resulting from the constantly changing external and internal environments. Consequently, the support of Messrs BDO & Co. was sought for the initial ongoing monitoring and review of risks and the effectiveness and adequacy of existing controls, risk treatment plans and the implementation process management.
The Group’s monitoring and review processes encompass all aspects of the risk management process for the purposes of:
In terms of reporting, a quarterly report will be tabled to the Risk Monitoring Committee by the Chief Risk Officer. The report shall detail the top risks for the Group and the key concerns for the different units, the resultant Group Matrix and the status of risk treatment plans.
Linked with its risk management framework, the Company recognises that it is vital that, as an organisation, it should be able to ensure that the most critical services and functions are maintained and that resources are protected at a reasonable level during incidents and disruptions. Thus, the Business Continuity Management (BCM) plan was designed to assist the Group through disruptions in order to protect its staff, customers, resources, infrastructure and intellectual property. As part of the implementation process, the following was achieved:
Following its first cycle of Business Impact Analysis, the Group has developed a BCM plan and a Crisis Communication plan for each of the following functions/entities:
Recovery procedures were detailed with regard to two scenarios applied during the design of the BCM plans, namely, a complete loss of IT & telephony systems and the loss of our workshop services. Management is planning to test and validate the relevant plans in the near future.