Max Myanmar believes that risk management and control are not seen as burden on business, rather the means by which business opportunities are maximized and potential losses associated with unwanted events reduced.
Throughout this guidance, where reference is made to ‘company’ it should be taken, where applicable, as referring to Max Myanmar and its subsidiaries. For subsidiaries of Max Myanmar, the review of effectiveness of internal control and the report to the shareholders should be from the perspective of the group as a whole.
Objectives of Risk Management and Internal Control
- Reflect sound business practices whereby risk management and internal control systems are embedded in business processes by which a company pursues its strategic and operational objectives.
- Remain relevant over time in the continually evolving business environment.
- Enable each company to apply this guidance in a manner which is suitable to it and takes company specific circumstances into account.
- A company’s risk management and internal control systems have key roles in the management of risks that are significant to the fulfillment of its business objectives. A sound system of internal control contributes to safeguarding the shareholders’ investment and the company’s assets.
- Enterprise risk management enables management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation and preservation. Enterprise risk management is most effective when these mechanisms are built into the entity’s infrastructure and are part of the essence of the enterprise. By building in enterprise risk management, an entity can directly affect its ability to implement its strategy and achieve its mission.
- Risk management and internal control systems are an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for Max Myanmar’s management.
- Internal control facilitates the effectiveness and efficiency of operations of Max Myanmar and its subsidiaries and it also helps ensure the reliability of internal and external reporting and assists compliance with laws and regulations.
- The objectives of Max Myanmar Group, its internal organization and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. Sound risk management and internal control systems therefore depend on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk-taking in business, the purposes of risk management and internal control systems are to help manage and control risk appropriately rather than to eliminate it.
Framework for Risk Management
A framework for risk management will typically include the following elements:
- Identification of internal and external matters which influence an enterprise’s achievement of objectives
- Determination of risk appetite and risk management policy
- Design of the Risk Management function and organization as well as areas of responsibility
- Establishment of internal and external communication and reporting structures
- Allocation of resources to the function.
Risk management and Internal Control Procedures
- The organization defines its risk strategy and appetite. The Chief Executive appoints a Risk Manager or related position. Risk owners are identified for all significant risks.
- Risk owners determine meaningful and measurable objectives and control mechanisms which are accepted throughout the organization.
- A centralized Risk Management function is responsible for establishing and maintaining the risk management processes. It provides the Max Myanmar with a formal risk management framework and appropriate training programs aimed at improving the risk management culture and promote a common risk terminology and concepts applicable to the whole organization.
- Executive Management regularly reviews reports showing the development of significant risks as well as the status of actions taken to treat risks. Management provides the Board and if appropriate the Audit Committee with regular relevant, comprehensive and timely information.
- Critical, new and emerging risks are brought to the attention of the appropriate level of management as soon as they are identified.
Reviewing Effectiveness of Risk Management and Internal Control Systems
- The management board of Max Myanmar cannot, however, rely solely on the embedded monitoring processes within the company to discharge its responsibilities. It should regularly receive and review reports on internal control. In addition, the management board should undertake an annual assessment for the purposes of making its public statement on risk management and internal control systems to ensure that it has considered all significant aspects of internal control for the company for the year under review and up to the date of approval of the annual report.
- An effective risk assessment process addresses both financial risks such as credit, market and liquidity risk and non-financial risks such as operational, legal and environmental risk. Furthermore, the process should include an evaluation of the risks to determine which are controllable by the company and which are not.
- The reports from management to the management board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of risk management and internal control systems in managing those risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, could have had, or may have, on the company and the actions being taken to rectify them. It is essential that there be openness of communication by management with the management board on matters relating to risk and control.
- The management board’s annual assessment should, in particular, consider:
- a. the changes since the last annual assessment in the nature and extent of significant risks, and the company’s ability to respond to changes in its business and the external environment;
- b. the scope and quality of management’s ongoing monitoring of risks and of the system of internal control, and, where applicable, the work of its internal audit function and other providers of assurance;
- c. the extent and frequency of the communication of the results of the monitoring to the management board which enables it to build up a cumulative assessment of the state of control in the company and the effectiveness with which risk is being managed;
- d. the incidence of significant control failings or weaknesses that have been identified at any time during the period and the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the company’s financial performance or condition; and the effectiveness of the company’s public reporting processes
- All employees of Max Myanmar have some responsibility for internal control as part of their accountability for achieving objectives. They, collectively, should have the necessary knowledge, skills, information, and authority to establish, operate and monitor the system of internal control. This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces.