Statement On Risk Management and Internal Control

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

Pursuant to Paragraph 15.26 (b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad, the Board of
Directors hereby presents its Statement on Risk Management and Internal Control of the Group. This statement has been
prepared in accordance with the Malaysian Code on Corporate Governance and guided by the Statement on Risk Management
and Internal Control: Guidelines for Directors of Listed Issuers.


RISK MANAGEMENT AND INTERNAL CONTROL FRAMEWORK

The risk management processes for identifying, evaluating and managing significant risks facing the organisation are embedded
in the operating and business processes. These processes are driven by all Executive Directors and Senior Management team
members in the course of their work. Key matters covering financial and operational performance, changes in customers’
preferences, suppliers, raw material prices, risks and market outlook are reviewed and deliberated in the EXCO meetings.
During these EXCO meetings, the causes of and reasons for performance are discussed in order to identify the appropriate
measures to manage risks effectively. Key issues discussed in EXCO meetings are recorded in minutes and presented at
the quarterly Board meetings so that all Board members can review and consider the overall performance of the Group.

An annual risk assessment workshop, attended by Executive and Non-Executive Board members and Key Senior Management
personnel, is held to identify new risks; reassess the risk appetite of the Board as well as the possibility and impact of the
existing risks; consider the effectiveness of the existing controls; and formulate a new risk management mitigation action
plan. The application of these risk management processes is based on the principles of the Committee of Sponsoring Organizations
of the Treadway Commission (“COSO”) Enterprise Risk Management framework as well as ISO 31000 on risk management,
which are internationally recognised risk management frameworks. Based on the key risks identified, management then
proceeds to develop the necessary measures to minimise the possibility and impact of these risks.

The principal risks and challenges faced by the Group presently are fluctuation of prices of raw materials and foreign currency
exchange as well as risk associated with shortage of foreign workers. By managing these principal risks effectively, the Group
will be able to protect and improve its business competitiveness and quality of products and to meet the expectation and
demands of its local and international customers. As risk is dynamic, the risks mentioned in the foregoing do not reflect the
order of their priority.

 

HeveaBoard Berhad continues to maintain the following certifications. These management systems and certifications form
the guiding principles for the operational procedures. Internal quality audits are carried out and annual surveillance audits
are conducted by external certification bodies to ensure compliance with the respective certification bodies’ requirements.

i.     Quality Management Systems of ISO 9001:2008;

ii.    The Environment Management Systems ISO 14001:2004;

iii.    Occupational Safety and Health Management System OHSAS 18001 and MS 1722;

iv.    Sustainable Forest and Energy Management Systems under the Programme for the Endorsement of Forest Certification
       (“PEFC”);

v.     Energy Management System ISO 50001:2011 Certification in efficient and effective energy management system;

vi.    Singapore Green Label Certificate, Sirim Eco-Label Scheme Certification and MyHijau Certification for environmentally-
       friendly product;

vii.   CARB (California Air Resources Board) Certification on compliance with applicable emission standard; and

viii.  Japanese Industrial Standard (JIS) Mark Certification A5908:2015.

 

In addition to the above, the fundamental controls and measures that have been put in place in the Group are:-

 

i.     Management organisation chart outlining the management responsibilities and hierarchical structure of reporting and
       accountability;

ii.    Approval and authority limits of the top executives and heads of department;

iii.    Insurances to protect the assets and interests of the Group;

iv.    Review of operation performance and segregation of duties in the management functions of the Group;

v.     Job descriptions are established providing understanding to employees of their tasks in discharging their responsibilities;

vi.    Financial forecasts are used as performance targets;

vii.   Whistleblowing policy for reporting of employees’ misbehaviours; and

viii.  Audit Committee review of the quarterly financial reports, annual financial statements, related party transactions,
       external and internal audit reports.


THE REVIEW MECHANISM

There are two levels of review of systems of risk management and internal control in the organisation. The first level of the
review is undertaken by the Executive Directors and Senior Management while the second level constitutes the independent
review performed by the Audit Committee. The Internal Audit Function reports directly to the Audit Committee, conducts
periodic audits to assess the effectiveness of the risk management and internal control procedures; recommends actions to
management for improvement; and reports the status of management control procedures to the Audit Committee. The scope
of work of the Internal Audit Function is carried out based on the internal audit plan approved by the Audit Committee.

The internal audit function has organised its work in accordance with the principles of the internal auditing standards covering
the conduct of the audit planning, execution, documentation, communication of findings and consultation with senior
management and the Board on the audit concerns.


MANAGEMENT RESPONSIBILITIES AND ASSURANCE

In accordance with the Guidelines, management is responsible to the Board for identifying risks relevant to the business of the
Group's objectives and strategies, implementing and maintaining sound systems of risk management and internal control,
and monitoring and reporting significant control deficiencies and changes in risks that could significantly affect the Group's
achievement of its objective and performance.

The Board has received assurance from the Group Managing Director and Chief Financial Officer that, to the best of their
knowledge, the Group's risk management and internal control systems are operating adequately and effectively, in all
material respects.


BOARD ASSURANCE AND LIMITATION
 

The Board confirms that there is an ongoing process for identifying, evaluating and managing significant risks faced by the
Group. The Board continues to derive its comfort of the state of risk management and internal control of the Group from the
following key processes and information:- 

  •  Periodic review of financial information covering financial performance and quarterly financial results;
  •  Audit Committee’s review and consultation with Management on the integrity of the financial results, Annual Report
     and audited financial statements before recommending to the Board for approval;
  •  Audit findings and reports on the review of systems of internal control provided by the Internal Auditors and status of
     Management's implementation of the audit recommendations; and
  •  Management’s assurance that the Group’s risk management and internal control systems have been operating
     adequately and effectively, in all material respects.

For the financial year under review, the Board is satisfied that the existing level of systems of risk management and internal
control is effective to enable the Group to achieve its business objectives and there were no material losses resulting from
significant control weaknesses that would require additional disclosure in the Annual Report. Nonetheless, the Board
recognises that the systems of risk management and internal control should be continuously improved in line with the evolving
business development. It should also be noted that all risk management and internal control systems could only manage rather
than eliminate risks of failure to achieve business objectives. Therefore, these systems could only provide reasonable but not
absolute assurance against material misstatements, frauds and losses.

 

REVIEW OF STATEMENT ON INTERNAL CONTROL BY EXTERNAL AUDITORS

Pursuant to Paragraph 15.23 of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad, the external auditors
have reviewed this Statement on Risk Management and Internal Control. Their assurance engagement was performed pursuant
to the scope set out in AAPG 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and
Internal Control included in the Annual Report.

Based on their review, the External Auditors have reported to the Board that nothing has come to their attention that causes them
to believe that this Statement is inconsistent with their understanding of the process adopted by the Board in reviewing the
adequacy and integrity of the risk management and internal control systems of the Group. 

 

This Statement is made in accordance with the approval and resolution of the Board of Directors dated 30 March 2018.