BOARD'S RESPONSIBILITY
The Board of WCT Holdings Berhad (the Group and the Company) affirms the overall responsibility for maintaining a sound system of internal controls and has instituted a risk management framework, as well as good corporate governance measures to safeguard shareholders’ investments and the Group’s assets. The system of risk management and internal control is designed to manage, but may not totally eliminate the risk of failure to achieve business objectives. Accordingly, such systems can only provide reasonable, and not absolute, assurance against material errors, misstatements or losses.
The Board is responsible for determining key strategies and policies for significant risks and control issues, whereas Management is responsible for the effective implementation of the Board’s policies by way of identifying, monitoring and managing risks. The Board confirms that there is an ongoing process of identifying, evaluating and managing all significant risks faced by the Group that has been in place for the year and up to the date of approval of this Statement for inclusion in the Annual Report. The process is regularly reviewed by the Board and is in accordance with the Statement on Risk Management and Internal Control: Guidance for Directors of Listed Issuers and the Group’s Risk Management Policies and Procedures.
The Board has also received reasonable assurance from the Group Managing Director and Director of Finance & Accounts that the Group’s risk management and internal control system is operating adequately and effectively, in all material aspects. All internal control weaknesses identified during the period under review have been or are being addressed, and there were no major internal control weaknesses that require disclosure in the Annual Report. The Management continues to review and take measures to strengthen the risk management and internal control environment.
RISK MANAGEMENT
The Board has put in place a Risk Management Framework (“RMF”) that provides the foundation for managing risks across the Group where internal controls are designed to address and manage the risks identified. Applying the RMF and relevant practices set out in the Malaysian Code on Corporate Governance (as at 28 April 2021) ensures that there is an on-going process of identifying, evaluating and managing risk exposure. Management is accountable to the Board for risk management and internal control and has implemented processes to identify, evaluate, monitor and report risks in a timely manner. Management promptly mitigates risks through the design and implementation of effective and relevant controls and action plans.
a. Board Risk and Sustainability Committee (“BRSC”)
All of the BRSC members are Independent Non-Executive Directors appointed by the Board. The BRSC is responsible for, amongst others:
b. Risk Management Committee (“RMC”)
The composition of the RMC comprises heads of business units i.e. engineering & construction (“E&C”), property, mall, hotel, business aviation, finance & accounts and legal and undertakes the following responsibilities:
c. Risk Management Process
The following diagram depicts the risk management approach of the Group:
During the year under review, all registered risks of the Group were presented and deliberated in the RMC and BRSC meetings. Each unit is responsible for taking ownership and managing its risks. Group Risk Management Department (“GRMD”) helps to facilitate each unit in discharging its risk management responsibilities. GRMD helps in the risk assessment process of risk identification and risk rating determination by the respective process owners. GRMD also provides guidance and support in the development of risk action plans and monitors the risk mitigation action effectiveness and status.
The risk owners are responsible for identifying, analysing and evaluating risks, as well as developing, implementing and monitoring risk action plans and reporting all risks to the RMC and BRSC. During RMC and BRSC meetings, members and invitees would take note of risks, the potential impact and likelihood of risks occurring, the effectiveness of existing controls and the risk action plans that have been or are being taken to manage the risks to the desired levels.
KEY INTERNAL CONTROL FEATURES
1. DELEGATION OF RESPONSIBILITIES
The Board has delegated its responsibility to several board committees and to the Management to implement and monitor designated task. At Management level, organization charts are used to establish a clear line of reporting and delineation of responsibilities.
The Board has delegated the responsibility of risk management oversight and control to the BRSC while the RMC is responsible for overseeing the implementation and compliance of a robust risk management process and the relevant internal controls system.
The Audit Committee (“AC”) performs regular risk management assessments and through the Internal Audit function, reviews the internal control processes and evaluates the adequacy and effectiveness of the risk management and internal control system.
2. PLANNING, MONITORING AND REPORTING
For the current year’s business plan and budget, the Group has prepared an annual business plan and budget for all business divisions. The performance of each business is monitored at quarterly Management Committee meetings and subsequently presented to the AC and the Board for deliberation.
Quarterly Board and Board Committee Meetings including the AC, BRSC and RMC are being conducted to review business performance, discuss strategic matters and deliberate on key risks and matters brought up by the management as well as by the internal and external auditors.
3. DISCRETIONARY AUTHORITY LIMIT
Discretionary Authority Limits duly approved by the Board are prescribed to govern the authority limits granted to designated personnel who are duly authorised to carry out their respective job responsibilities as well as to represent the Group in all official correspondences and documentation on behalf of the Group covering capital expenditures, procurements, payments, investments, acquisitions and disposals.
4. QUALITY ASSURANCE AND QUALITY CONTROL (“QAQC”)
To ensure that the products delivered to its customers meet the expectation and quality required, the following entities of the Group are certified with Quality Management System, ISO 9001: 2015:
|
Issued to |
Certification no |
Valid until |
|
WCT Berhad (including WCT Construction Sdn Bhd) |
QMS 00887 |
8 Apr 2028 |
|
WCT Land Sdn Bhd and its subsidiaries |
QMS 01306 |
2 Sept 2025 |
5. SAFETY, HEALTH AND ENVIRONMENT (“SHE”)
In ensuring employees work in a safe environment and the effect from the Group’s operations towards the environment are adequately monitored, the following entities of the Group are certified with the following necessary certification.
|
Type |
Ref |
Certification No |
Valid until |
|
|
Occupational Health & Safety Management System |
ISO 45001: 2018 |
OHS 00221 |
WCT Berhad (including WCT Construction Sdn Bhd) |
8 Apr 2028 |
|
OHS 00227 |
WCT Land Sdn Bhd and its subsidiaries |
2 Sept 2025 |
||
|
Environmental Management System |
ISO 14001: 2015 |
EMS 00520 |
WCT Berhad (including WCT Construction Sdn Bhd) |
8 Apr 2028 |
6. INTERNAL AUDIT
Group Internal Audit Department (“GIAD”) provides independent and objective assurance to the Board on the integrity and effectiveness of the Group’s system of internal controls.
To ensure independence and objectivity, GIAD reports independently to the AC and has no responsibilities or authority over any of the activities it reviews. GIAD’s scope of work and activities are guided by the Internal Audit Charter, mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework and relevant regulatory guidelines.
An Annual Audit Plan based on the appropriate risk-based methodology has been developed and approved by the AC. On a quarterly basis, audit reports and the status of internal audit activities, including the sufficiency of GIAD resources, are presented to the AC for review.
Periodic follow-up reviews are conducted to ensure adequate and timely implementation of Management’s action plans. Further information on the activities of GIAD can be found in the AC Report.
7. GROUP INTEGRITY UNIT Group Integrity Unit (“GIU”), which reports directly to the BRSC, plays the role of overseeing anti-bribery and corruption efforts in ensuring the integrity of the organisation. Key functions of the GIU includes:
8. ANTI-BRIBERY MANAGEMENT SYSTEMS
The Group is committed to mitigating the risks of bribery and corruption in all its business transactions by implementing an anti-bribery management system. The processes undertaken to mitigate the possibility of bribery and corruption were conducted according to T.R.U.S.T principles outlined in the Guidelines on Adequate Procedures issued by the Prime Minister’s Department:
a. Top level commitment
The Group has established an Anti-Bribery and Anti-Corruption (“ABAC”) policy and ABAC Standard Operating Procedures (“ABAC-SOP”) since 1 June 2020, as a commitment to prevent all forms of bribery and corruption in its daily business activities consistent with the Group’s core values to promote good governance. A copy of the ABAC policy is published on the Company’s website.
b. Risk assessment
The Group recognises the importance of adopting a corruption risk assessment (“CRA”) into its existing business processes. CRA is a risk-based management tool that guides the development of corruption risk profiles and risk action plans that effectively minimise the exposure to bribery and corruption. For the period under review, one hundred ninety (190) bribery / corruption related risks were identified and assessed, which assisted the Group in developing an effective anti-bribery program, ensuring legal compliance [e.g., Malaysian Anti-Corruption Commission (“MACC”) Act 2009], preventing severe reputational damage, and mitigating financial losses from fines or prosecutions.
c. Undertake control measures
Throughout the year, the GIU perform integrity due diligence for service providers, employee background checks via Sistem Tapisan Keutuhan of MACC for new recruits, and obtains declarations of integrity from employees and service providers.
d. Systematic review
On 31 August 2025, E&C division of the Group obtained certification for ISO 37001: 2016 – Anti- Bribery Management Systems from SIRIM QAS International Sdn Bhd. This is part of the Group’s commitment to establish a proactive and zero-tolerance culture of integrity, enabling the organization to effectively prevent, detect, and address bribery, foster transparency, reduce legal and reputational risks, and ensure ethical business practices across the E&C division.
e. Training and communication
Throughout the year, the GIU conducts ABAC training for new and existing employees, disseminates ABAC pamphlets and ABAC posters at various locations (e.g. office, project site office, sales office, sales gallery). In addition, the appointed consultant and representative from QESH Department conduct ISO 37001: 2016 – Anti- Bribery Management Systems awareness training for all employees of the E&C division.
9. WHISTLEBLOWING PROCEDURES
The Group strives to conduct its business with integrity, competence and professionalism while achieving the highest level of effectiveness and excellence. To uphold this aspiration, the Group must detect and deal with improper conduct. One way of detecting this is through whistleblowers.
The Group has established a whistleblowing (“WB”) policy to provide a clear direction for whistle-blowers to raise concerns with regard to improper conduct. The WB policy provides assurance to whistle-blowers who are employees of the Group that they will be protected against reprisal and/or retaliation from their immediate superiors or heads of departments/divisions, in line with the Whistleblower Protection Act 2010. The GIU is responsible for managing complaints (received from various channels available, including e.g. WB official e-mail address, WB online form, and letters to the Chairman of AC). A copy of the WB policy is published on the Company’s website.
REVIEW OF THE STATEMENT BY EXTERNAL AUDITORS
As required by Paragraph 15.26(b) of the Main Market Listing Requirements (“MMLR”) of Bursa Malaysia Securities Berhad (“Bursa Securities”), the external auditors of the Company have reviewed this Statement on Risk Management and Internal Control prepared by the Company for the financial year ended (“FYE”) 2025. Their limited assurance review was performed in accordance with the Malaysian Approved Standard on Assurance Engagements, ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information and Audit and Assurance Practice Guide (“AAPG”) 3 and Guidance for Auditors on Engagements to report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants.
AAPG 3 does not require the external auditors to form an opinion on the adequacy and effectiveness of the risk management and internal control system of the Group. The review by the external auditors was made solely for the benefit of the Board in connection with the compliance with the MMLR of Bursa Securities by the Company. The external auditors do not assume responsibility to any person other than the Board in respect of any aspect of their review.
Conclusion
Having considered all aspects of the Group’s risk management and internal control system in place as set out in this Statement, the Board is generally satisfied with the adequacy and effectiveness of the Group’s risk management and internal controls during the FYE2025 and the period up to the date of issuance of this Statement on Risk Management and Internal Control.
(This Statement on Risk Management and Internal Control is made in accordance with the resolution of the Board dated 23 April 2026)
