MALAYSIAN CODE ON CORPORATE GOVERNANCE 2012

The MCCG 2012, like all corporate governance codes, advocates the adoption of standards that go beyond the minimum prescribed by regulation. The observance of the MCCG 2012 by companies is voluntary. Listed companies are however required to report on their compliance with the MCCG 2012 in their annual reports. The MCCG 2012 takes effect on 31 December 2012.

Where a company's financial year ends on 31 December 2012, disclosure will be required in relation to the financial year 1 January 2012 - 31 December 2012 and should be made in the annual report published in 2013. Where a company's financial year begins on 1 July 2012, disclosure will be required in relation to the financial year 1 July 2012 - 30 June 2013 and should be made in the annual report published in 2013.

The following, a commentary, is provided for Recommendation 6.1 and 6.2 of MCCG 2012. The commentaries seek to explain and provide some guidance for the recommendations.

PRINCIPLE 6: RECOGNISE AND MANAGE RISKS

The board should establish a sound risk management framework and internal controls system.

Recommendation 6.1

The board should establish a sound framework to manage risks.

Commentary

The board should determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders’ investments and the company’s assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company’s internal controls system. Periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust. The board should disclose in the annual report the main features of the company’s risk management framework and internal controls system.

Recommendation 6.2

The board should establish an internal audit function which reports directly to the Audit Committee.

Commentary

The board should establish an internal audit function and identify a head of internal audit who reports directly to the Audit Committee. The head of internal audit should have the relevant qualifications and be responsible for providing assurance to the board that the internal controls are operating effectively. Internal auditors should carry out their functions according to the standards set by recognised professional bodies. Internal auditors should also conduct regular reviews and appraisals of the effectiveness of the governance, risk management and internal controls processes within the company. 

Risk Identification and Assessment

Risk Identification and Assessment

Effective risk identification and assessment helps your business achieve its business objectives by focusing on two key goals:

• Identify and categorize risks across the enterprise, and
• Measure the intensity of the elements that drive each risk and assess the business' exposure to these elements.

Comprehensive business and industry-specific risk inventories provide risk identification and assessment scaled for the mid-size clients we serve. This framework considers four global categories of enterprise risks:

• Strategy — Risks that could impede or prevent the achievement of "high-level" performance goals tied to business' mission statement, business plan, or organisational purpose.
• Operations — Risks that impede or prevent the effective use of resources to execute business strategy.
• Finance — Risks that prevent accurate financial reporting, both internal and external. However, ERM methodology includes the financial management reports used to make business decisions.
• Compliance — Risks that impede or prevent your business from meeting requirements under contracts, laws, regulations, and other generally accepted standards. These risks are specific to business' requirements.