ESR Group AR2022 eBook EN

ESR Group Limited Annual Report 2022 (page 79)

The Company implemented the following risk management and internal control structures and measures to identify, assess, monitor and report key risks:

• The Enterprise Risk Management (“ERM”) Framework is based on the ISO 31000 International Risk Management Standards, COSO Internal Control-Integrated Framework and the Task Force on Climate-Related Financial Disclosures (“TCFD”) recommendations for identifying, assessing, monitoring and reporting of risks. The Framework consists of tools such as risk governance, risk policies and risk parameters which are dynamic and adaptable to the changing business environment. It also provides a holistic and systematic approach for the identification, assessment, monitoring and reporting of key risks to management, the Audit Committee and the Board.

• As the risk profile changes from time to time, management performs periodic risk assessment by monitoring risk changes and trends as well as the effectiveness of the related control mechanisms and/or control activities within the overall risk profile on an as-needed basis, or at least once a year to ensure that they remain relevant. In addition, the Group Risk Management department works closely with the management to review and enhance the risk management system in accordance with market practices and regulatory requirements, under the guidance and direction of the Audit Committee and the Board.

• The Company has an internal audit function to carry out an analysis and independent appraisal of the adequacy and effectiveness of the systems. Any material non-compliance or failure in internal controls and recommendations for improvements are reported to the Audit Committee and the Board.

• Stringent internal policies and processes are in place to prevent the misuse of inside information and avoid conflicts of interest, including having a whistleblowing policy, information security policy and Conflicts of Interest (“COI”) policy in place.
To reinforce a culture of good business ethics and governance, the Company has adopted a whistleblowing policy, which allows employees and outside third parties that have business relationships with the Company to raise any concerns about improprieties, malpractices and misconduct through a well-defined and trusted channel. The objective of this policy is to encourage the reporting of such matters with confidence, and employees or external parties making such reports will be treated fairly and be protected from reprisal. All whistleblowing reports will be reviewed by the Group Compliance Director and the General Counsel. The ensuing investigation reports will be sent to the Audit Committee for further action.

Refer to “Risk Management” on pages 64 to 69 of this annual report for further details of the Group’s risk management programme.

In addition, the Company has adopted a disclosure control policy which provides a general guide to Directors, management and employees on the handling and dissemination of inside information and responding to enquiries in accordance with the Inside Information Provisions under Part XIVA of the Securities and Futures Ordinance and the Listing Rules.

For the Year, the Board has conducted an annual review of the effectiveness of the Group’s risk management and internal control systems, which covered all material controls, including financial, operational, technology and compliance controls. The Board has received confirmation from the management on, and is satisfied with, the effectiveness and adequacy of the systems. No significant areas of concern are brought to the attention of the Board.

Internal Audit

The Group Internal Audit department is responsible for providing independent assurance regarding the existence of an adequate and effective internal control environment adopted by the Company.
The Group Internal Audit department has direct access to the Audit Committee and has free and unrestricted access to information and management of the Company when carrying out its duties. The Group Internal Audit department adopts a risk-based audit approach in reviewing and monitoring the adequacy and effectiveness of the Group’s risk management and internal control systems. An internal audit plan is discussed and approved by the Audit Committee on an annual basis, and a summary of major audit findings, recommendations and remediation are reported to the Audit Committee by the Group Internal Audit department on a regular basis. The internal audit findings and the remedial actions taken by the relevant departments form part of the Board’s assessment of the Group’s risk management and internal control systems.
