Risk Management Principles And Framework

Guiding Principles – Risk Management


These guiding principles provide assistance to the Board of Lii Hen Industries Bhd (“Board”) in the development of risk management frameworks. These principles support the Company’s risk management policies.

Managing Risk

The Board shall develop and implement an integrated risk management framework that addresses risk at the strategic, organisational and operational levels (Enterprise-Wide Risk Management).

Risk Management Committees

The Board shall establish a Risk Oversight Board with clear and concise roles and responsibilities in overseeing the risk management policies and internal control of the Company, and shall appoint appropriate members, mainly risk owners (normally heads of Department), as a working group under it, the Risk Management Working Committee (“RMWC”), to identify and manage the Group’s risks from an operational perspective.

The internal audit consultants adopt a risk-based approach and employ a systematic audit methodology to provide an objective and independent assessment of the effectiveness of the risk management and internal control framework.

Risk Management Frameworks

The Board’s risk management framework shall align with the guidance on the key elements needed to maintain a sound system of risk management as provided in the Statement on Risk Management & Internal Control: Guidelines for Directors of Listed Issuers.

Enterprise-Wide Risk Management is the overall management of risk that an organisation takes and holds to achieve its strategic aims. It is the sum of the various risks the organisation takes in the various categories and focuses on optimising the balance and interaction of the different types of risks.

To achieve a sound system of risk management, the Board and management must ensure that the risk management framework is embedded into the culture, process and structures of the Group. The framework should be responsive to changes in the business environment and clearly communicated to all levels.

Control Environment

– Written communication of the Company’s values, the expected code of conduct, policies and procedures;
– Documentation vide Charters of the responsibilities and functions of the board, each of its committees, and the individual directors;
– Management’s risk attitude and operating style to be consistent with the risk appetite approved by the Board;
– The Company’s organisational structure and methods of assigning authority and responsibilities;
– Clearly defined authority and responsibility for each employee;
– Managing conflict of interest situations; and
– Whistleblowing policy.

Approach to Risk Management

– The Company adopts a decentralized approach to risk management, whereby all employees take ownership and accountability for risks at their respective levels;
– The process of risk management and treatment is the responsibility of the heads of Department (owners of the risk factors); and

– Inherent risk factors arising from business operations are to be continuously identified.

Oversight of Risk Management by the Board

– Start with active participation in the objective and strategy-setting process to ensure that the risks inherent in each option are considered; and
– Subsequently receive sufficient and timely information concerning both performance and risk levels so that management’s performance in achieving strategies and objectives can be monitored.

Risk Management System

– To determine the Company’s risk appetite and tolerance;
– To identify risk factors, incorporate them into the risk register and rate them individually;
– Owners of the risk factors to understand and ensure that risk management practices are followed;
– Review the current level of risks in relation to risk appetite as an integral part of monitoring and measuring performance; and
– Owners of the risk factors to drive the implementation of risk mitigation measures towards achieving a residual risk that is within the accepted tolerance.

Information and Communication

– Identify and define relevant, quality information to support the functioning of the risk management process and internal control; and
– Communicate that information to support the functioning of the risk management process and internal control.

Monitoring Activities

– Conduct ongoing and separate evaluations to ascertain the presence and functioning of the risk management process and internal control; and
– Evaluate and communicate internal control deficiencies in a timely manner.

Risk Rating and Definition

Risk tolerance rating categorisation:

– Zero: will not tolerate any variation
– Low: will allow a low level of variation
– Medium: will accept a medium level of variation
– High: is willing to accept a high level of variation

Significant Risks

As depicted in the risk management framework above, risks are broadly categorised into:

– Compliance risk
It is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a business may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its business activities.

– Financial Risk
It is associated with the financial structure and systems and the transactions a business makes. Identifying financial risk involves examining the daily financial operations, especially cash flow, recoverability of debts, etc.

Assessment of financial risk should also take into account external factors such as the level of borrowings, interest rates and foreign exchange rates.

– Operational Risks
These risks are associated with the business’s operational and administrative procedures and include:

  • all aspects of the business
  • staffing and management
  • supply chain and transportation
  • accounting control
  • IT systems
  • regulations
  • board composition

Regular Review of the Effectiveness of Risk Management Process and Internal Control

To ensure that the policies and objectives of the risk management processes and internal control remain applicable and effective under a changing market and regulatory environment, regular reviews are conducted by:

  • The ROC, to periodically review the Company’s risk management policies and oversee the operation of the enterprise-wide risk management framework; it shall meet at least half-yearly;
  • The Internal Audit Consultant, to review processes on a quarterly basis; and
  • The Audit Committee, to conduct a yearly evaluation of the internal audit function, including risk management updates, and report to the Board.