Risk Management and Internal Control Practice - Part 3 (1)
Source : JFU
18 November 2015

Setting a Policy as the Basis for C.2.4 Disclosure Statement

Our last note suggests an issuer can adopt a policy statement on risk management and internal control as the basis for preparing a disclosure statement in compliance with C.2.4 requirements. See JFU Approach 4(a)-(e), Risk Management and Internal Control Practice - Part 2 (4) dated 11 November 2015.

The following is prepared in a format as if the policy is fully implemented in practice with no modifications required for preparing the C.2.4 disclosure statement.

The risk management and internal control systems ("Systems")

To ensure compliance with the risk management and internal control code provisions, the Company (including its subsidiaries) has undertaken actions set out in Schedule A (referring to policy initiatives illustrated as "action pointers" in earlier JFU Notes). For the design and implementation of the Systems, the Company has used as reference the frameworks and guiding principles under COSO 2013 and ISO 31000 as illustrated in Schedule B (see diagrams below).

Processes used to identify, evaluate and manage significant risks - C.2.4(a)

The Company keeps a risk register, and collects and collates risks from the person ("owner") responsible for each business unit, functional division or process assigned to that owner according to the documentation of the Systems. The risks returned are defined to facilitate risk management and assessment.

The risk management process is undertaken by a work group comprising senior members of the management drawn from finance, operations and legal functions. The risk management that the work group undertakes follows the principles, framework and process under ISO 31000, and COSO 2013 on risk assessment as illustrated in Schedule B.

In essence, the work group draws observations through communication and consultation with members from respective business units, functional divisions and entities (ISO 31000 Clause 5.2), establishes changes in the business and operating environment, and performs assessment on risks registered and issues arising. Risk assessment includes risk analysis to evaluate the likelihood of the occurrence of an event and determine impacts and possible responses. When performing risk assessment, the work group considers risks as well as potential for fraud most relevant to the achievement of the financial, operational and compliance objectives of the business units and functional divisions, and hence that of the Company as a whole. (ISO 31000 Clause 5.4, and COSO 2013 Principles 6-9)

The work group meets monthly and reports to the board for directions and comments as part of the board's monitoring and ongoing oversight function. (ISO 31000 Clause 5.6, and COSO 2013 Principles 16-17)

Main features of the Systems - C.2.4(b)

The Company adopts COSO 2013 as the basis for the design and implementation of the Systems, and also ISO 31000 for the risk management process as explained in the foregoing paragraph. The Systems apply to all activities of the Company's business units, divisions and entities that can be analyzed into four levels:

  1. Governance

    The principal objectives of governance are to provide effective leadership, direction and control over the delivery of target performance by individual business units, functional divisions, and entities of the Company.

    The governance structure comprises the General Meeting of Shareholders, the Board of Directors, and various Committees including Independent Directors, Executive Appointment, Executive Compensation, Share-based Payment, Audit Committee, Internal Audit, Price Sensitive Information and Committee Evaluation.

    The Chairman of the Board ensures the effective running of the board and the committees with overall responsibility for governance, decisions on objectives and strategies, KPI setting, monitoring performance, audit and organization-wide communication in risk and corporate control matters.

    [tailored specifics]

  2. Management

    The principal objectives of the management are to implement the Company's strategies and to deliver the target performance set for individual business units, functional divisions, and entities of the Company.

    The management structure is represented in the organization chart as attached. The management has allocated appropriate resources to respective business units, functional divisions and entities according to the targets and duties assigned, with corresponding budgets prepared to facilitate management reporting, budgetary control, variance analysis, learning and follow-up.

    The Chief Executive Officer is responsible for the effective management of the organization, efficient utilization of the resources allocated, monitoring performance of individual units, divisions and entities, following up variances, and refining business activities. A work group comprising senior members of the management is responsible for the design, setup and working of the Systems.

    [tailored specifics]

  3. Special transactions or projects

    The Company initiates special transactions or projects to boost innovation, growth and development. Special transactions or projects are new or ad hoc non-recurrent transactions or projects, such as a new product release, capital raising, capital spending or merger and acquisition. All such transactions or projects are presumed to be risky and price sensitive. Accordingly, they are subject to special attention and regulation of the board.

    In respect of each transaction or project, a transaction / project team is formed to provide support and control over the process of planning, evaluation, decision, execution, monitoring and reporting. The degree and format of control over communication and dissemination of information in the process is subject to the advice of the Price Sensitive Information Committee, and to the approval by the board.

    [tailored specifics]

  4. Operations

    The Company's operation is organized into and run by various business units, functional divisions, and entities in a manner that the board and the management consider most efficient and effective. Activities are integrated and formed as seamless flows, processes and transaction cycles to achieve intended functional effects with appropriate control activities interposed to address potential errors or weaknesses, whether due to inadvertent mistakes or fraud.

    The following are key processes or significant transaction cycles to which the above applies:

      1. order entries, sales and accounts receivable cycles
      2. order placements, purchases and accounts payable cycles
      3. production planning and control cycles
      4. inventory movement, stocktaking, costing and valuation cycles
      5. capital asset addition, registration, maintenance and disposal cycles
      6. contractual commitment addition, registration and disposal cycles
      7. payroll, social insurance and return cycles
      8. bank account controls, payments, receipts and reconciliation cycles
      9. cash and disbursements cycles
      10. costing and pricing cycles
      11. bookkeeping, provisioning, adjustments and closing cycles
      12. management and financial reporting cycles
      13. taxation and compliance cycles

    [tailored specifics]

