RISK MANAGEMENT FRAMEWORK
RISK MANAGEMENT POLICY
1. POLICY STATEMENT
This Policy covers P.I.E. Industrial Berhad and its subsidiaries (“P.I.E. Group”).
The P.I.E. Group is committed to integrating good risk management practices into all business processes and operations to drive consistent, effective and accountable action, decision making and management practice.
2. P.I.E. GROUP RISK CONTEXT
The P.I.E. Group is involved in the following business activities:
|Pan-International Electronics (Malaysia) Sdn Bhd (“PIE”)||Contract electronics manufacturing, cable assembly and PCB assembly|
|Pan-International Wire & Cable (Malaysia) Sdn Bhd (“PIW”)||Manufacturing of cables and wires for electronic devices and cable moulding compounds|
|Pan-International Electronics (Thailand) Co., Ltd (“PIT”)||Manufacturing of cables and wire harness for computers, communication and consumer electronic industry|
|Pan-International Corporation (S) Pte. Ltd. (“PIS”)||
Marketing and trading of electronic and telecommunication components and equipment
We appreciate that to continue to strengthen our position we need to understand the opportunities and challenges our business is faced with, now and into the future.
Embedding risk management principles and practices into strategy development and day to day business processes is critical to achieving robust and proactive commercial outcomes – a balance between mitigating threats and exploiting opportunity.
Just as risk is inherent in our operations, risk management is also inherent in all decision making and management processes. Risk management is essential to good corporate governance and is a fundamental component of good management practice.
This policy sets out the objectives and accountability of the management of risk within the Group such that it is structured, consistent and effective.
3. P.I.E. GROUP RISK MANAGEMENT OBJECTIVES
Effective risk management within the P.I.E. Group has a number of objectives:
• Promote an enterprise wide approach, thereby:
• including risk management as a component of strategy development and evaluation;
• providing consistency in methodology, assessment and management;
• Allow the recognition of external factors and anticipate future occurrences that may affect the achievement of our strategy.
• Provide confidence in operations, management decisions and certainty regarding expected outcomes.
• Generate assurance to shareholders, counterparts, customers, employees and the community.
• Provide an understanding of the nature of risk to effectively mitigate downside whilst optimising and realising upside.
• Sponsor innovation and maximise value from assets, ventures and opportunities.
• Recognise that risk is embedded in all our activities and that the underlying risk appetite is key to effective decision making.
• Provide appropriate, consistent and transparent ownership and accountability structures.
• Enable the design and implementation of controls that:
• are structured to promote effective realisation of objectives;
• provide appropriate assurance; and
• are cost effective.
• Recognise that timely and accurate monitoring, review, communication and reporting of risks is critical to:
• providing early warning mechanisms for the effective management of risk occurrences and consequences;
• providing assurance to management, the Board and shareholders;
• providing a solid platform for growth; and
• generating and maintaining a sound corporate history.
4.1. Board of Directors
The Board is ultimately responsible for overseeing the performance of the P.I.E. Group in achieving its objectives. The Board’s roles include ensuring that the risk management and internal control systems are adequate and effective.
To assist it in discharging its responsibilities the Board has established the Audit Committee and the Risk Management Committee.
4.2. Audit Committee
The Audit Committee comprises majority of independent directors.
The function of the Audit Committee is to assist the Board in fulfilling its responsibilities to provide shareholders with timely and reliable financial reports and to protect the assets of the company and interests of shareholders through effective risk management and internal control systems.
4.3. Risk Management Committee
The Risk Management Committee is formed at the holding company level. It reports to the Board.
The functions of the Risk Management Committee are to identify risks, quantify the risk impact and formulating risk mitigation strategies at each business unit.
The Management of each subsidiary is responsible for leading the operation and executing the strategies in achieving the goals set for the subsidiary.
In carrying its duties, the management will ensure that employees comply with the policies and procedures. It shall escalate risk issues to the Risk Management Committee.
Employees are to carry out their duties according to their respective job descriptions.
In carrying out their individual duties, they shall comply with the company’s policies and procedures. They shall also report perceived risks to the management.
4.6. Internal Audit
Internal Audit is an independent appraisal function established to provide assurance to the Board about the adequacy and effectiveness of the risk management and internal control systems.
RISK MANAGEMENT METHODOLOGIES
The risk management methodologies cover the following areas and activities of the risk management:
1. Risk appetite
2. Risk Management Committee
3. Risk management process
4. Internal audit
1. RISK APPETITE
(A) Quantitative measure
The risk appetite for the Group and each subsidiary is defined as follow:
(B) Qualitative measure
The Group has low risk appetite for the following matters:
• Safety and health of employees and workplace
• Compliance with the Listing Requirements of Bursa Malaysia and Companies Act 1965
• Compliance with income tax and custom regulations
This risk appetite is reviewed annually.
Risks that are beyond the risk appetite of the Group shall be brought to the attention of the Audit Committee and Board of Directors.
2. RISK MANAGEMENT COMMITTEE (RMC)
The RMC is made up of the following persons:
Chairman : Chairman of the Audit Committee
Member : Heads of Department or representative from each major business units to be identified by the Management from time to time
Secretary : Internal Auditor (Risk Management Coordinator)
In the absence of the Committee Chairman, the remaining members present shall elect one of their members to chair the meeting.
Members of the RMC may relinquish their membership in the RMC with prior written notice to the Chairman of the RMC and/or the office of a member shall become vacant upon the member’s resignation / retirement / removal or disqualification as an Employee of the Company.
(B) Terms of reference
The terms of reference of the RMC are to:
a. Identify risks
b. Quantify risks
c. Choose the method of risk response
d. Develop risk mitigating controls
f. Develop the risk profile
g. Reporting to the Board
(C) Frequency of meeting
The RMC meets at least once a year.
DUTIES, POWERS AND RESPONSIBILITIES
1. The RMC is authorised by the Board to have direct communication channels with and unrestricted access to the Group management, including without limitation, its information, records, reports, properties and personnel.
2. The RMC shall have the authority to obtain external legal or other independent professional advice as necessary.
3. The RMC is not authorised to implement its recommendations on behalf of the Board but shall make recommendations to the Board on risk related matters for its consideration and implementation.
4. The duties and responsibilities of the RMC shall include, but not limited to the following:-
Provide oversight, direction and counsel to the Group risk management process which includes:
• Monitoring the Group and Divisional level risk exposures and management of the significant risks identified.
• Evaluating new risks identified.
• Reviewing the Group Risk Profile and ensuring that significant risks are being responded in appropriate manner.
• Reviewing the status of the implementation of management action plans in mitigate significant risks identified.
5. Establish Group risk management guidelines and policies and ensure implementation of the objectives outlined in the policies and compliance with them.
6. Recommend for the AC and Board’s approval the Group’s risk management policies, strategies and risk tolerance levels, and any proposed changes thereto.
7. Evaluate the effectiveness of the risk management processes and support system to identify, assess, monitor and manage the Group’s key risks.
8. Review investment proposals considered significant including:
• Diversification of business (defined as businesses outside existing sectors, expansion across industry value chains within current sectors and new franchises); or
• New territories and countries (defined as expansion of existing businesses into new markets/territories).
9. The RMC shall report to the Board at its forthcoming meeting or at least once in financial year on its proceedings on all matters within its duties and responsibilities. The Committee shall make whatever recommendations to the Board it deems appropriate on any area within its remit where action or improvement is needed.
10. Comprehensive risk assessment yearly for corruption and fraud.
MEETINGS AND PROCEEDINGS
1. The RMC shall meet at least once in financial year to discuss and deliberate on the significant risks affecting the Group. Meetings should be organized so that attendance is maximized. A meeting may be called, at any other time, by the Chairman of the RMC or any member of the RMC. Any Director or management may be invited to the meetings.
2. During the meetings, all risks facing each operation and department are discussed in detail within the context of the business objectives and strategy. Status of corrective actions is tabled for comments by the relevant staff. Various ideas and suggestions are tabled for improvement of areas of concern.
3. The meetings of the RMC may be conducted by means of telephone conferencing or other methods of simultaneous communication by electronic or telegraphic means and the minutes of such a meeting signed by the Chairman shall be conclusive of any meeting conducted as foresaid.
4. The quorum of meeting for the RMC shall be any three members.
5. Minutes of meetings shall be taken by the Secretary. Minutes of all meetings shall be confirmed by the Chairman of the meeting.
3. RISK MANAGEMENT PROCESS
(A) Identifying risks
Risk is defined as an event which will cause the Group to suffer financial or non-financial losses in the short-term or long-term. From another perspective, a risk may also be in the form of a missed opportunity to earn more profit.
In the risk identification process, all potential events that could adversely impact the achievement of business objectives are identified by the RMC.
The risks can typically be categorised into the following four of the organisation’s objectives:
• Strategic – high level goals, aligned with and supporting Group’s mission
• Operation – effective and efficient use of resources
• Reporting – reliability of financial reporting
• Compliance – compliance with applicable laws and regulations
(B) Quantify risks
The risks which are identified are quantified for their impact on the Group.
The potential impact of a risk event is the combination of the likelihood (probability) which the risk will happen and the impact (gravity) which it will cause if the risk does happen.
A score of (1) to (5) will be assigned for likelihood and impact respectively.
Consequently, a risk event may have a combined score of (1) up to (25) depending on its likelihood and impact scores. A risk with a high rating poses more serious threat to the Group than a low rating risk. The risk will be mapped into the following risk heat-chart:
L = low risk M = medium risk H = high risk
(C) Responses to risks
For each risk identified, the management will have one or more of the following response options:
• AVOID the risk by not proceeding with an activity which generates the risk.
• TREAT the risk by applying controls to minimize the likelihood or impact of the risk.
• TRANSFER the risk by sharing the impact of the risk with outside parties such as insurance or joint venture.
• TOLERATE the residue (balance) risk if it is within the Group’s risk appetite.
(D) Risk control strategies
For each of the type of risk response chosen, the relevant control strategies are identified.
If an existing control falls short of its effectiveness or if there is no existing control in managing a significant risk, then new control strategies must be developed to manage the risk so that the residue risk is reduced to an acceptable level.
(E) Monitoring of risks and controls
Ongoing risk monitoring is conducted to review the effectiveness of the control strategies in respect of the risks identified and that corrective actions are taken where necessary.
(F) Periodic review
The risk profile of the Group changes with the internal and external developments. An event regarded as low risk today may become high risk in the future. Therefore, an effective risk management project is not a one-time exercise but an ongoing process which forms part of the operation of the Group. In this regard, the risk profile and control processes will be continually updated on a regular basis, at least yearly.
4. INTERNAL AUDIT
The internal audit function plays an independent role in the risk management system. It will regularly review the effectiveness of the risk management and internal control processes. If the internal auditors find a shortcoming during audit, they will make a recommendation to the management for improvement.
These terms of reference may from time to time be amended as required, subject to the approval of the Board.