By TAC Pro

Risk and Control - The Yin and Yang of Corporate Governance


The Corporate Governance Guide (Pull-Out II: Guidance on Effective Audit and Risk Management) provides guidance to Malaysian companies on establishing effective risk management and internal control systems as part of good corporate governance.


It emphasises that risk management and internal controls complement entrepreneurship, as they help companies pursue objectives while managing risks.


The Guide outlines responsibilities under the Companies Act 2016 and Bursa Listing Requirements for boards to establish risk management and internal control systems.


It recommends integrating risk management into strategy setting, business planning and culture.


According to the Corporate Governance Guide, the essential requirements relating to risk management and internal controls under the Companies Act 2016 and Bursa Securities Listing Requirements are:


Companies Act 2016:

  • Directors must establish a system of internal control that provides reasonable assurance that assets are safeguarded, transactions are properly authorised and recorded, and financial statements are true and fair (Section 246(1)).

Bursa Securities Listing Requirements:

  • Listed companies must establish an audit committee, which is required to review the adequacy of internal audit functions and internal controls (Para 15.12(1)).

  • Listed companies must ensure the external auditor reviews the board's statement on risk management and internal control and reports the results to the board (Para 15.23).

  • Listed companies must include in the annual report a statement about the state of risk management and internal control of the group (Para 15.26(b)).

In summary, Malaysian listed companies are required by law and listing rules to have internal controls and disclose the state of their risk management and internal controls annually.


The audit committee plays a crucial role in overseeing the effectiveness of internal controls.


Recognised Frameworks

Examples include:

  • ISO 31000 - The international standard on risk management principles and guidelines, published by the International Organization for Standardization

  • COSO Framework - Developed by the Committee of Sponsoring Organizations of the Treadway Commission for designing, implementing and evaluating internal controls

  • Enterprise Risk Management Frameworks - Developed by professional services firms such as KPMG and PwC

These frameworks provide a structured and systematic methodology for companies to identify, assess, manage and monitor risks. They represent global best practices and are often regarded as authoritative guidance on risk management.


Adopting such a recognised framework brings credibility and ensures risk management is not done in an ad-hoc manner. It demonstrates the company's commitment to managing risks professionally.


In summary, "recognised frameworks" refers to established risk management standards and methodologies developed by authoritative bodies and widely accepted globally. This provides a systematic approach for Malaysian companies compared to informal or ad-hoc risk management.


Robust Yet Balanced: Key Takeaways for Managing Risks and Controls

For Malaysian businesses, key takeaways include:

  • Review the effectiveness of the risk management framework and internal control system annually at board level.

  • Adopt a systematic approach to risk management using recognised frameworks.

  • Align risk appetite with strategy and culture.

  • Assign accountability for risk management.

  • Avoid common pitfalls like siloed thinking and lack of monitoring.

  • Disclose risk management and internal controls transparently in annual reports.

Establishing robust yet balanced risk management and internal control systems tailored to the company's circumstances is crucial for Malaysian businesses seeking sustainable growth.
