Statement on Risk Management & Internal Control

INTRODUCTION

The Malaysian Code of Corporate Governance 2021 stipulates that the Board of Directors (“the Board”) of listed companies should maintain a sound risk management framework and internal control system to safeguard shareholders’ investments and the Group’s assets. Pursuant to paragraph 15.26(b) of the Main Market Listing Requirements (“MMLR”) of Bursa Malaysia Securities Berhad (“Bursa Securities”) and the “Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers”, the Board is pleased to provide the following statement, which outlines the main features and adequacy of the Group’s risk management and internal control for the financial year ended 31 December 2023 (“FYE2023”).
BOARD’S RESPONSIBILITY

The Board recognises the importance of maintaining a sound system of risk management and internal control within the Group and as such has reaffirmed its commitment and responsibility for the Group’s risk management and internal control systems covering not only financial controls but also operational, strategic and compliance controls, and for reviewing the adequacy of integrity in these systems.

The system of risk management and internal control is designed to identify and manage the Group’s risk within the acceptable risk tolerance, rather than to eliminate the risk of failure in achieving the Group’s business objectives in accordance with the Group’s strategy. Accordingly, it can only provide reasonable assurance but not absolute assurance against material misstatement, financial loss or fraud. The Group’s concept of reasonable assurance also recognises that the cost of control procedures should not exceed the expected benefits.
KEY INTERNAL CONTROL FEATURES

The Group has a structure which outlines accountability, authority and responsibility to the Board, its committees and Management. Key processes have been established in reviewing the adequacy and effectiveness of the risk management and internal control that include the following:
1. AUTHORITY AND RESPONSIBILITY

a. The Board
The Board is the pillar of the Group’s risk management and internal control practices. The Board is committed to maintaining a sound system of internal control and the overall responsibility for risk oversight, mirroring its overall responsibility for strategy.

The Board has delegated the responsibility of risk management oversight and control to the Board Risk and Sustainability Committee (“BRSC”) while the Risk Management Committee (“RMC”) is responsible for developing, executing, and maintaining an effective risk management system, including the continual review process of identified risks and the effectiveness of mitigation strategies and controls.

b. Audit Committee (“AC”)
The AC of the Group performs regular risk management assessments and through the Internal Audit function, reviews the internal control processes, and evaluates the adequacy and effectiveness of the risk management and internal control system. The AC also seeks the observations of the independent external and internal auditors of the Group. Further details are set out in the AC Report.

c. Board Risk and Sustainability Committee
The BRSC sets risk management policies and provides independent oversight of the risk appetite and the implementation and operation of the Group’s enterprise-wide risk management framework and integrity management framework.

d. Risk Management Committee
The RMC assists the BRSC in ensuring the establishment of sound and robust risk management framework, processes, and practices to achieve the Group’s strategic objectives and safeguard shareholders’ investments and the Group’s assets.

The RMC is responsible for the implementation of the approved framework, policies and procedures pertaining to risk management and internal control to ensure that business strategies and risk management are aligned.

2. PLANNING, MONITORING, AND REPORTING

For the current year’s business plan and budget, the Group has prepared an annual business plan and budget for all business divisions and subsidiaries. The performance of each business is monitored at quarterly Management Committee meetings and subsequently presented to the AC and the Board for deliberation.

3. DISCRETIONARY AUTHORITY LIMIT

Discretionary Authority Limits duly approved by the Board are prescribed to govern the authority limits granted to designated personnel who are duly authorised to carry out their respective job responsibilities as well as to represent the Group in all official correspondences and documentation on behalf of the Group covering capital expenditures, procurements, payments, investments, acquisitions, and disposals.

4. POLICIES AND PROCEDURES

Clearly documented policies and procedures of business processes have been set out in a series of Standard Operating Procedures under the Integrated Management System (“IMS”) and implemented throughout the Group. These policies and procedures are periodically reviewed and updated to reflect changes in business structure and processes as well as changes in the external environment. The list of IMSs is as follows:

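| Type | Ref | Certification No | Issued to | Valid until |
|---|---|---|---|---|
| Quality Management System | ISO 9001: 2015 | QMS 00887 | WCT Berhad (including WCT Construction Sdn Bhd) | 8 Apr 2025 |
| Quality Management System | ISO 9001: 2015 | QMS 01762 | WCT Machinery Sdn Bhd | 14 Dec 2026 |
| Quality Management System | ISO 9001: 2015 | QMS 01306 | WCT Land Sdn Bhd and its subsidiaries | 2 Sept 2025 |
| Occupational Health & Safety Management System | ISO 45001: 2018 | OHS 00221 | WCT Berhad (including WCT Construction Sdn Bhd) | 8 Apr 2025 |
| Occupational Health & Safety Management System | ISO 45001: 2018 | OHS 00503 | WCT Machinery Sdn Bhd | 14 Dec 2026 |
| Occupational Health & Safety Management System | ISO 45001: 2018 | OHS 00227 | WCT Land Sdn Bhd and its subsidiaries | 2 Sept 2025 |
| Environmental Management System | ISO 14001: 2015 | EMS 00520 | WCT Berhad (including WCT Construction Sdn Bhd) | 8 Apr 2025 |
| Environmental Management System | ISO 14001: 2015 | EMS 00931 | WCT Machinery Sdn Bhd | 14 Dec 2026 |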

5. INTERNAL AUDIT

The internal audit function of the Group, through the Group Internal Audit Department (“GIAD”), serves to offer an independent assurance provided by business operations and oversight functions. Through internal audit reviews, GIAD’s principal role is to evaluate and improve the effectiveness of internal control within the Group.

Regular reviews by GIAD are carried out based on the annual internal audit plan which encompasses the management of risk and governance, and the effectiveness and adequacy of the internal control procedures across the various business divisions within the Group. The corrective actions taken by Management with regard to the significant weakness in the internal control of audit recommendations are reported on a regular basis to the AC for their update, consideration and approval.

Further information on the activities of GIAD can be found in the AC Report.
6. RISK MANAGEMENT

The Group has an ongoing process for identifying, evaluating and managing key risks in the context of its business objectives. These processes are embedded within the Group’s overall business operations and guided by operational manuals, policies and procedures.

The Board, assisted by management, regularly reviews, identifies, evaluates, monitors and manages the principal risks faced by the Group.

a. Risk Management Governance
Risk management governance consists of a risk oversight structure that reflects the systematic approach that is being used by the Group to escalate risk reporting from the respective business units all the way to the Board level as depicted below:

b. Risk Management Policy and Risk Management Framework
The risk management policy establishes the scope, policies and processes that describe how risks are managed. It also defines clear roles and responsibilities of the individuals or units involved in the entire risk management process. The Group has established the Risk Management Framework to provide guidelines for the effective management of risks through the application of Enterprise Risk Management (“ERM”) processes at varying levels and within the Group. The framework ensures that the risk-related information derived from the ERM process is adequately reported and used as a basis for decision-making and is accounted for at all relevant organisational levels. The framework shall be continuously assessed and improved to ensure its adaptability to the changing business environment.

c. Economic, Environmental and Social (“EES”) Risk
During the year under review, the EES risk assessment for all five main divisions of the Group (i.e. engineering & construction, property, shopping malls, hotel, and business aviation) was conducted based on eighteen (18) sustainability material matters identified for the Group's Sustainability Development Goals.

d. Corruption Risk Management (“CRM”)
The Group recognises the importance of adopting CRM into its existing business processes. CRM is a risk-based management tool that guides the development of corruption risk profiles and risk action plans that effectively minimise the exposure to bribery and corruption. The Group Integrity Unit (“GIU”) will identify any structural weaknesses in the existing business processes that may give room for bribery and corruption and register the risks in the corruption risk register.

e. Risk Management Process
The following diagram depicts the risk management approach in the Group:

As depicted in the Risk Management Policy, identified individual risk events under the broad risk categories have undergone comprehensive reviews in line with the Group’s risk management methodology.

During the year under review, the significant risks of the Group were presented and deliberated in the RMC and BRSC meetings. Each unit is responsible for taking ownership and managing its risks. Group Risk Management Department (“GRMD”) helps to facilitate each unit in discharging its risk management responsibilities. GRMD helps in the risk assessment process of risk identification and risk rating determination by the respective process owners. GRMD also provides guidance and support in the development of risk action plans and monitors the risk mitigation action effectiveness and status.

The risk owners are responsible for identifying, analysing, and evaluating risks, as well as developing, implementing, and monitoring risk action plans and reporting all risks to the RMC and BRSC. During RMC and BRSC meetings, members and invitees would take note of risks, the potential impact and likelihood of risks occurring, the effectiveness of existing controls and the risk action plans that have been or are being taken to manage the risks to the desired levels.

During the year under review, cybersecurity threats emerged as a significant risk to the Group. To mitigate this risk, the Group has appointed a service provider to provide the following:

1. Security Perimeter Management & Analytic Services to monitor all networks and computer activities of the Group to detect and prevent any unauthorised or suspicious hacking threats in the network 24x7x365.

2. Perimeter Access Management to safeguard identities with special access or capabilities beyond regular users, e.g., Domain Controller ID and Accounting System Admin ID.

7. ANTI-BRIBERY MANAGEMENT SYSTEMS

The Group is committed to mitigating the risks of bribery and corruption in all its business transactions by implementing an Anti-Bribery Management System (“ABMS”). The GIU is responsible for implementing and monitoring the ABMS. The internal control systems that have been established with regard to ABMS include the following:

a. Anti-Bribery and Corruption Policy (“ABAC”)
The Group has established an ABAC policy and ABAC Standard Operating Procedures (“ABAC-SOP”) since 1 June 2020 in line with the requirements set out in Section 17A of the Malaysian Anti-Corruption Commission (Amendment) Act 2018 as a commitment to prevent all forms of bribery and corruption in its daily business activities consistent with the Group’s core values to promote good governance. The ABAC Policy applies to all directors and employees of the Group and business associates who are performing works or services for or on behalf of the Group. The ABAC policy and ABAC-SOP are available on the Company’s website at www.wct.com.my.

b. Whistleblowing Policy
The Group has established a whistleblowing (“WB”) policy to provide a clear direction for whistle-blowers to raise concerns with regard to any suspected wrongdoing, bribery or corruption. The WB policy provides assurance to whistle-blowers who are employees of the Group that they will be protected against reprisal and/or retaliation from their immediate superiors or heads of departments/divisions, in line with the Whistleblower Protection Act 2010. The GIU is responsible for managing complaints received through the available channels, i.e., the WB official e-mail address, the WB online form and a letter to the Chairman of the AC. The WB online form is available on the Company’s website at www.wct.com.my.

8. ASSURANCE TO THE BOARD

The Group Managing Director and the Director of Finance and Accounts have provided the Board with assurance that the Group risk management and internal control system are operating adequately and effectively. All internal control weaknesses identified during the period under review have been or are being addressed. There were no major internal control weaknesses that require disclosure in the Annual Report. The Management continues to review and take measures to strengthen the risk management and control environment.

9. REVIEW OF THE STATEMENT BY EXTERNAL AUDITORS

As required by Paragraph 15.26(b) of the MMLR of Bursa Securities, the external auditors of the Company have reviewed this Statement on Risk Management and Internal Control prepared by the Company for the FYE2023. Their limited assurance review was performed in accordance with the Malaysian Approved Standard on Assurance Engagements, ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information and Audit and Assurance Practice Guide (“AAPG”) 3, and Guidance for Auditors on Engagements to report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants.

AAPG 3 does not require the external auditors to form an opinion on the adequacy and effectiveness of the risk management and internal control system of the Group. The review by the external auditors was made solely for the benefit of the Board in connection with the compliance with the MMLR of Bursa Securities by the Company. The external auditors do not assume responsibility to any person other than the Board in respect of any aspect of their review.

Conclusion
Having considered all aspects of the Group’s risk management and internal control system in place as set out in this Statement, the Board is generally satisfied with the adequacy and effectiveness of the Group’s risk management and internal controls during the FYE2023 and the period up to the date of issuance of this Statement on Risk Management and Internal Control.

(This Statement on Risk Management and Internal Control is made in accordance with the resolution of the Board dated 23 April 2024)

 
