This Statement on Risk Management and Internal Control (“Statement”) which is prepared for inclusion in the 2019 Annual Report of WCT Holdings Berhad (“WCT” or “Company”) serves to outline the nature and scope of risk management and internal control system of the Company and its subsidiaries (“Group”) for the financial year ended 31 December 2019 (“FYE2019”) in compliance with the requirements under Paragraph 15.26(b) of the Main Market Listing Requirements (“LR”) of Bursa Malaysia Securities Berhad (“Bursa Securities”).
The Board of Directors of the Company (“Board”) recognises the importance of having in place a sound system of internal controls and risk management framework with the objective to safeguard the assets of the Group as well as to protect shareholders’ interest and investment.
In view of inherent limitations in any system of risk management and internal control, such a system put into effect by Management can only manage and minimise risks to an acceptable level, but may not eliminate all risks which the Group faces that may impede the achievement of the Group’s business objectives and financial results. Therefore, the system can only provide reasonable but not absolute assurance against the occurrence of any material misstatement, loss or malpractices.
RISK MANAGEMENT AND INTERNAL CONTROL FRAMEWORK
1. RISK MANAGEMENT
The Board has delegated the responsibility of risk management oversight and control to the Board Risk & Sustainability Committee (“BRSC”). The BRSC reviews the Group’s enterprise wide risk management framework and ensures that an effective process to identify, evaluate, control, report and manage risks is created, implemented and maintained by the Group.
The Group’s risk management activities are governed by the Risk Management Policy and Risk Management Framework approved by the Board, to provide a common understanding and approach in the application of risk management process across the Group. The Group Risk Management Committee (“GRMC”) comprising senior management personnel of the Group is responsible for developing, executing and maintaining an effective risk management system, including the continual review process of identified risks and the effectiveness of mitigation strategies and controls.
At operating unit level, risk owners are responsible for identifying risks that may have an impact on achieving their operational/financial and other business objectives. The identified risks are assessed using qualitative and quantitative aspects against their likelihood (based on risk appetite approved by the Board) and their impact. Thereafter, gross risks are ranked after taking into consideration the gross likelihood and gross impact should the risks occur, before they are ranked according to the residual risks, after taking into consideration the effectiveness of controls and action plans taken or proposed to be taken to mitigate such identified risks. Detailed action plans would then be implemented in order to manage such risks to an acceptable level.
Roles and Responsibilities
- To provide oversight of the Group's enterprise wide risk management framework
- To approve the Group's enterprise wide risk management framework
- To set the risk appetite for the Group
- To review the Group's enterprise wide risk management framework
- To oversee and monitor the adequacy and effectiveness of risk management system
- To report to the Board on the Group's risk exposure
- To review and advise the Board on potential risk strategies
- To provide guidance in respect of risk management to the Management
- To champion enterprise-wide risk assessment and ensure that risk management framework is embedded throughout the Group
- To ensure that the risk management framework is consistently adopted throughout the Group and is within the parameters established by the Board
- To identify and prioritise risks and participate in the Company's risk identification and assessment process
- To ensure risks are frequently managed and controls are operating effectively
- To provide regular updates on the risk management report and key risk indicators measuring the extent of the risks
During the FYE2019,
- the BRSC was constituted by the Board on 30 May 2019, comprising four (4) Independent Non-Executive Directors of the Company, which is responsible for providing an independent oversight of the implementation and operation of the Group’s enterprise wide risk management framework.
- the GRMC had reviewed, appraised and assessed the risks identified by the respective risk owners of the Group together with the controls and action plans undertaken or proposed to be undertaken to mitigate and manage the identified risk exposure. Where applicable, the GRMC had also raised other issues of concern and recommended additional mitigation actions to further mitigate the risk exposure. The GRMC then reported to the BRSC on a quarterly basis the key risks and mitigation actions which have been deliberated and recommended to be implemented. After due deliberation, the BRSC would then present a summary of the key risks and mitigation actions and its recommendation to the Board for final endorsement.
i. The Group Internal Audit Department (“GIAD”)
The GIAD, which reports directly to the Audit Committee of the Company, performs internal audits on various operating units within the Group based on an audit plan approved by the Audit Committee at the beginning of the financial year. The GIAD performed checks for due compliance by the respective operating units with the Group’s policies and procedures as well as the effectiveness and adequacy of the internal control systems and accordingly highlighted material audit findings, together with recommendations and proposed action plans. Detailed internal audit reports are prepared by the GIAD on a quarterly basis or, if required, on an ad hoc basis and such reports are submitted for deliberation by the Audit Committee during the Audit Committee meetings held throughout the financial year. Details of the GIAD’s functions and activities are set out in the Audit Committee Report as contained in the Company’s 2019 Annual Report.
During the FYE2019,
- the GIAD had performed thirty-two (32) internal audits on the adequacy and operating effectiveness of the Group’s internal controls which have been duly reviewed by the Audit Committee. Audit findings reported by the GIAD and actions taken or proposed to be taken by the operating units to address the findings were deliberated at Audit Committee meetings. The minutes of the Audit Committee meetings held to deliberate the internal audit reports were subsequently escalated to the Board for notation.
ii. External auditors
The external auditors’ audit plan, scope of work, and audit procedures to be adopted in relation to the financial statements of the Group for the financial year have been reviewed by the Audit Committee. The review also includes a review on the suitability, objectivity and independence of the external auditors.
iii. Quality, Environmental and Safety & Health (“QESH”) Management Systems
During the FYE2019,
i. both the Quality Management Systems (“QMS”) and Environmental Management Systems (“EMS”) were upgraded to ISO 9001:2015 and ISO 14001:2015 on 12 March 2019 and 6 March 2019 respectively.
ii. the Occupational Health and Safety Management Systems (“OHSMS”) underwent an upgrading exercise from OHSAS 18001:2007 to ISO 45001:2018 which was obtained on 20 February 2020.
iii. the systems, i.e. QMS, EMS and OHSMS, underwent scheduled internal / external audits and the results of these audits were reported to the Management.
3. AUTHORITY AND RESPONSIBILITY
The Group operates under an organisation structure with clearly defined reporting lines, areas of responsibilities and delegated authority limits by the Board.
The following board and management committees have been established to assist the Board to discharge its duties:
The Audit Committee is responsible for reviewing the internal control procedures and processes of the Group and evaluating the adequacy and effectiveness of the Group’s internal controls system. The Audit Committee also seeks assistance from the GIAD and input from the external auditors of the Group, whenever required. The terms of reference of the Audit Committee are available on the Company’s official website at www.wct.com.my.
The BRSC is responsible for providing an independent oversight of the implementation and operation of the Group’s enterprise wide risk management framework.
The GRMC comprising senior management personnel from various business divisions and support services is responsible for monitoring and performing regular reviews on the Group’s risk management processes and for ascertaining if the enterprise wide risk management framework approved by the Board is properly implemented throughout the Group’s business and operations. The GRMC reports directly to the BRSC.
Nomination & Remuneration Committee
This Committee assists the Board to:
- establish formal and transparent procedures for the appointment of new directors to the Board;
- identify, consider, assess and recommend new directors to the Board;
- annually review the effectiveness of the Board as a whole (in relation to its size and composition);
- develop the Group’s remuneration policy and determine the remuneration package for the Company’s directors holding executive positions; and
- review and recommend the appropriate remuneration payable to each Director for their services at the Board level as well as at the respective committees of the Board.

The terms of reference of the Nomination & Remuneration Committee are available on the Company’s official website at www.wct.com.my.
The Option Committee is responsible for administering the offering, granting and dealing of the share options and new ordinary shares issued under the Group’s employees share option scheme (“ESOS”) in accordance with relevant rules and regulations as well as the approved by-laws governing the ESOS.
Management Committee (“MC”)
The MC comprising key senior management personnel reports to the Board and is responsible for the development and effective implementation of strategic business plans for the Group in line with the strategic directions approved by the Board. The MC reports regularly to the Board on the progress of the execution of the strategic business plans approved by the Board with periodic financial and operational performance of the various business divisions as well as other strategic, financial and operational matters.
4. POLICIES, PROCEDURES AND VALUES
- The Group’s policies, procedures and guidelines are properly documented and made accessible to all employees of the Group to ensure that all employees are aware of and will comply with them. These policies, procedures and guidelines are subject to periodic review and improvements.
- Discretionary Authority Limits (“DAL”) duly approved by the Board are prescribed to govern the authority limits granted to the designated personnel who are duly authorised to carry out their respective job responsibilities as well as to represent the Group in all official correspondence and documentation on behalf of the Group covering procurement, payments, investments, acquisitions and disposals. The DAL is periodically reviewed and is made accessible to all employees for effective implementation.
- Proper guidelines for recruitment and termination of personnel and a performance appraisal system are in place. Employee’s performance is regularly monitored, appraised and rewarded accordingly. Training programmes are identified and regularly scheduled for the Group’s employees with the objective of continuously upgrading their skills, broadening their knowledge, improving their competency as well as sharing their experience to keep them proficient and competent in handling their day-to-day job functions, as well as to meet the current business requirements and future business needs.
- The Group’s Vision, Mission and Core Values are shared and communicated to all levels of employees of the Group and are accessible on the Company’s official website and intranet. The Code of Conduct & Ethics for Employees, Code of Ethics for Company Directors, as well as procedures for whistle blowing are also available on the Company’s website at www.wct.com.my.
- Centralised controls of selected key functions of the Group include:
  - Finance & Accounts (including Tax and Treasury);
  - Legal & Company Secretarial;
  - Tender, Procurement & Budget;
  - Quality, Environment, Safety & Health (“QESH”);
  - Human Resource & Administration;
  - Sales & Marketing;
  - Project Management (including Planning & Design, Contracts, Liaison with authorities);
  - Mall Management (including Leasing & Promotions);
  - Corporate Affairs; and
  - Information Technology.
The centralisation of these key functions enables the Management to have more effective and efficient control over the Group’s operations, whilst monitoring and managing the risks associated therewith.
5. INFORMATION, COMMUNICATION AND MONITORING
- A financial system is in place to ensure all financial transactions of the Group are timely and properly captured in the accounting system to generate a periodic management financial report for performance review and decision making by the Management and the Board.
- Annual strategic business plans and financial budgets are prepared by all key business units and are being monitored at quarterly Management Committee meetings and subsequently presented to the Audit Committee and Board for deliberation. The Audit Committee and the Board also review the operational and financial results of the Group on a quarterly basis before the Group’s quarterly interim financial results and annual financial results are released to Bursa Securities for public announcement.
- Directors and Senior Management conduct regular visits to the Group’s project sites and offices as well as key investment properties and regularly engage with the Group’s customers, suppliers, bankers and other business associates in order to gain better insight and first-hand knowledge of the Group’s operations, challenges faced as well as industry dynamics and changes.
- The Group’s operating performance and financial results are communicated to the Company’s shareholders, stakeholders and the general public on a quarterly basis via the release of interim quarterly financial reports as well as on an annual basis via the Company’s annual report. In addition, once a year, the Company would convene an Annual General Meeting whereby the Board would be able to brief the shareholders of the Company on the operational and financial performance of the Group. Company briefings for financial analysts and institutional investors are also conducted regularly to keep the investment community abreast with the development and latest financial results of the Group.
As an entity with a diversified business portfolio, the Group faces exposure to various forms of risk. Where possible, all such insurable risks relating to the Group’s business operations, assets and employees are adequately insured in order to minimise any adverse financial impact.
The Group Managing Director and the Director of Finance and Accounts have provided the Board with assurance that the Group’s risk management and internal control system is operating adequately and effectively. All internal control weaknesses identified during the period under review have been or are being addressed. There were no major internal control weaknesses that require disclosure in the Annual Report. The Management continues to review and take measures to strengthen the risk management and control environment.
Review of the Statement by External Auditors
As required by Paragraph 15.26(b) of the LR of Bursa Securities, the external auditors of the Company have reviewed this Statement on Risk Management and Internal Control prepared by the Company for the FYE2019. Their limited assurance review was performed in accordance with Malaysian Approved Standard on Assurance Engagements, ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information and Audit and Assurance Practice Guide (“AAPG”) 3, Guidance for Auditors on Engagements to report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants.
AAPG 3 does not require the external auditors to form an opinion on the adequacy and effectiveness of the risk management and internal controls system of the Group. The review by the external auditors was made solely for the benefit of the Board in connection with the compliance with the LR of Bursa Securities by the Company. The external auditors do not assume responsibility to any person other than the Board in respect of any aspect of their review.
Having considered all aspects of the Group’s risk management and internal control system in place as set out in this Statement, the Board is generally satisfied with the adequacy and effectiveness of the Group’s risk management and internal controls during the FYE2019 and the period up to the date of issuance of this Statement.
(This Statement on Risk Management and Internal Control is made in accordance with the resolution of the Board dated 11/06/2020)