6. RISK MANAGEMENT
The Group has an ongoing process for identifying, evaluating and managing key risks in the context of its business objectives. These processes are embedded within the Group’s overall business operations and guided by operational manuals, policies and procedures.
The Board, assisted by management, regularly reviews, identifies, evaluates, monitors and manages the principal risks faced by the Group.
a. Risk Management Governance
Risk management governance consists of a risk oversight structure that reflects the systematic approach that is being used by the Group to escalate risk reporting from the respective business units all the way to the Board level as depicted below:
b. Risk Management Policy and Risk Management Framework
The risk management policy establishes the scope, policies and processes that describe how risks are managed. It also defines clear roles and responsibilities of the individuals or units involved in the entire risk management process. The Group has established the Risk Management Framework to provide guidelines for the effective management of risks through the application of Enterprise Risk Management (“ERM”) processes at varying levels and within the Group. The framework ensures that the risk-related information derived from the ERM process is adequately reported and used as a basis for decision-making and is accounted for at all relevant organisational levels. The framework shall be continuously assessed and improved to ensure its adaptability to the changing business environment.
c. Economic, Environmental and Social (“EES”) Risk
During the year under review, the EES risk assessment for all five main divisions of the Group (i.e. engineering & construction, property, shopping malls, hotel, and business aviation) was conducted based on eighteen (18) sustainability material matters identified for the Group's Sustainability Development Goals.
d. Corruption Risk Management (“CRM”)
The Group recognises the importance of adopting CRM into its existing business processes. CRM is a risk-based management tool that guides the development of corruption risk profiles and risk action plans that effectively minimise the exposure to bribery and corruption. The Group Integrity Unit (“GIU”) will identify any structural weaknesses in the existing business processes that may give room for bribery and corruption and register the risks in the corruption risk register.
e. Risk Management Process
The following diagram depicts the risk management approach in the Group:
As depicted in the Risk Management Policy, identified individual risk events under the broad risk categories have undergone comprehensive reviews in line with the Group’s risk management methodology.
During the year under review, the significant risks of the Group were presented and deliberated in the RMC and BRSC meetings. Each unit is responsible for taking ownership and managing its risks. Group Risk Management Department (“GRMD”) helps to facilitate each unit in discharging its risk management responsibilities. GRMD helps in the risk assessment process of risk identification and risk rating determination by the respective process owners. GRMD also provides guidance and support in the development of risk action plans and monitors the risk mitigation action effectiveness and status.
The risk owners are responsible for identifying, analysing, and evaluating risks, as well as developing, implementing, and monitoring risk action plans and reporting all risks to the RMC and BRSC. During RMC and BRSC meetings, members and invitees would take note of risks, the potential impact and likelihood of risks occurring, the effectiveness of existing controls and the risk action plans that have been or are being taken to manage the risks to the desired levels.
During the year under review, cybersecurity threat emerged as a significant risk to the Group. To mitigate this risk, the Group has appointed a service provider to provide the following:
1. Security Perimeter Management & Analytic Services to monitor all networks and computer activities of the Group to detect and prevent any unauthorised or suspicious hacking threats in the network 24x7x365.
2. Perimeter Access Management to safeguard identities with special access or capabilities beyond regular users, e.g., Domain Controller ID and Accounting System Admin ID.
7. ANTI-BRIBERY MANAGEMENT SYSTEMS
The Group is committed to mitigating the risks of bribery and corruption in all its business transactions by implementing an Anti-Bribery Management System (“ABMS”). The GIU is responsible for implementing and monitoring the ABMS. The internal control systems that have been established with regard to ABMS include the following:
a. Anti-Bribery and Corruption Policy (“ABAC”)
The Group has established an ABAC policy and ABAC Standard Operating Procedures (“ABAC-SOP”) since 1 June 2020 in line with the requirements set out in Section 17A of the Malaysian Anti-Corruption Commission (Amendment) Act 2018 as a commitment to prevent all forms of bribery and corruption in its daily business activities consistent with the Group’s core values to promote good governance. The ABAC Policy applies to all directors and employees of the Group and business associates who are performing works or services for or on behalf of the Group. The ABAC policy and ABAC-SOP are available on the Company’s website at www.wct.com.my.
b. Whistleblowing Policy
The Group has established a whistleblowing (“WB”) policy to provide a clear direction for whistle-blowers to raise concerns with regard to any suspected wrongdoing, bribery or corruption. The WB policy provides assurance to whistle-blowers who are employees of the Group that they will be protected against reprisal and/or retaliation from their immediate superiors or heads of departments/divisions, in line with the Whistleblower Protection Act 2010. The GIU is responsible for managing complaints (received from various channels available, i.e., WB official e-mail address, WB online form and letter to the Chairman of AC). The WB online form is available on the Company’s website at www.wct.com.my.
8. ASSURANCE TO THE BOARD
The Group Managing Director and the Director of Finance and Accounts have provided the Board with assurance that the Group risk management and internal control system are operating adequately and effectively. All internal control weaknesses identified during the period under review have been or are being addressed. There were no major internal control weaknesses that require disclosure in the Annual Report. The Management continues to review and take measures to strengthen the risk management and control environment.
9. REVIEW OF THE STATEMENT BY EXTERNAL AUDITORS
As required by Paragraph 15.26(b) of the MMLR of Bursa Securities, the external auditors of the Company have reviewed this Statement on Risk Management and Internal Control prepared by the Company for the FYE2023. Their limited assurance review was performed in accordance with the Malaysian Approved Standard on Assurance Engagements, ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information and Audit and Assurance Practice Guide (“AAPG”) 3, and Guidance for Auditors on Engagements to report on the Statement on Risk Management and Internal Control included in the Annual Report issued by the Malaysian Institute of Accountants.
AAPG 3 does not require the external auditors to form an opinion on the adequacy and effectiveness of the risk management and internal control system of the Group. The review by the external auditors was made solely for the benefit of the Board in connection with the compliance with the MMLR of Bursa Securities by the Company. The external auditors do not assume responsibility to any person other than the Board in respect of any aspect of their review.
Conclusion
Having considered all aspects of the Group’s risk management and internal control system in place as set out in this Statement, the Board is generally satisfied with the adequacy and effectiveness of the Group’s risk management and internal controls during the FYE2023 and the period up to the date of issuance of this Statement on Risk Management and Internal Control.
(This Statement on Risk Management and Internal Control is made in accordance with the resolution of the Board dated 23 April 2024)