Axiata Group Berhad - Annual Report 2015 - page 80

Risk information and treatment plans are captured and updated in
a risk register which is maintained by the respective OpCos and the
Group. The information is then consolidated to provide an enterprise
overview of the material risks faced by the Group and the associated risk
mitigation plans, which are tracked and reviewed.
• Control Self Assessment (CSA)
CSA is an effective process used by the Group for improving
business internal controls and processes. It allows employees of
the Group to identify the risks involved in achieving the business
objectives, to evaluate the adequacy and effectiveness of the
controls in place and activities designed to manage those risks.
CSA was performed on selected areas in Celcom and Robi in
2015.
3.0 Control Activities
Control activities are the policies, procedures and practices that ensure
management objectives are achieved and risk mitigation strategies are
carried out. Key activities within the Group are as follows:
3.1 Policies and Procedures
Financial and Operational Policies and Procedures
The Group currently maintains two policies, i.e. Limits
of Authority and Group Policies, encompassing both the
Group and OpCo levels, which set the framework for
the development of the respective procedures covering
financials and controls. The documented procedures include
management accounting, financial reporting, procurement,
information systems security, compliance, risk management
and business continuity management.
Internal control is embedded into these policies to ensure
consistent application throughout the Group. This serves as
a preventive control mechanism whilst allowing the Group
to promptly identify and respond to any significant control
failures.
Budgeting Process
A comprehensive annual budgeting process is in place to
evaluate the feasibility and viability of the Group’s businesses
and to ensure that the Group’s OpCos’ business plans are in
line with the Group’s future strategic plans. Annual budgets
are prepared by the OpCos and deliberated with their
respective Boards. They are then presented and discussed
during the Axiata Board Retreat for approval before the
commencement of a new financial year.
Upon approval of the budget, the Group’s performance is
periodically monitored and measured against the approved
budget and ongoing business forecast, which is cleared by
the President & GCEO and supported by the SLT. The Group’s
performance is also reported to the BAC and the Board.
Reporting systems which highlight significant variances
against plan are in place to track and monitor performance.
The results are reviewed on a quarterly basis by the Board
to enable them to gauge the Group’s overall performance,
compared to the approved budget and prior periods, and to
take remedial action where necessary. Similar performance
reviews at OpCo Board level take place on a monthly or
quarterly basis.
Whistleblower Policy and Procedures
The Group has a whistleblower policy which enables
employees to raise matters in an independent and unbiased
manner. As part of this whistleblower policy and procedures,
there is an anonymous ethics and fraud e-mail, under the
administration of the GCIA, as a mechanism for internal and
external parties to channel their complaints or to provide
information in confidence on fraud, corruption, dishonest
practices or other similar matters by employees of the Group.
The objective of such an arrangement is to encourage the
reporting of such matters in good faith, with the confidence
that employees or any parties making such reports will be
treated fairly, that their identity will remain anonymous and
that they are protected from reprisal.
Insurance and Physical Safeguard
The Group has an insurance programme in place to ensure
that its assets are sufficiently covered against any damages
that will result in material losses. The Group also ensures that
its major assets are physically safeguarded.
3.2 Security (Application and IT Network)
Business Continuity Management
The Board is cognisant of the importance of an effective
Business Continuity Management (BCM) programme in
ensuring the ability of business operations to recover after
a crisis. At the same time, the BCM programme provides a
framework for the Group in building organisational resilience
that safeguards the interests of its stakeholders whilst
incorporating sufficient flexibility to allow for enhancement
as technology evolves.
A Group BCM framework, which is benchmarked against
ISO 22301:2012 Business Continuity Management System,
has been implemented, under which key processes such as
incident escalation and declaration have been formalised
and standardised across the Group. At the same time, our
versatile framework allows for customisation in accordance
with each OpCo’s requirements and operating environment.
Each OpCo develops and maintains its own BCM programme,
while Location Business Recovery Plans are also developed
for the site offices within each OpCo’s operations region. The
Location Business Recovery Plans document the necessary
recovery strategies, steps, personnel, systems and resources
required for that location to continue or restore its services
during a crisis.
Currently, BCM has been implemented at Celcom, Dialog,
XL and Robi, while it is in the process of being established
at Corporate Centre and Smart.
STATEMENT ON RISK MANAGEMENT
AND INTERNAL CONTROL