Practice Guidance 9: Risk Management and Internal Controls

The Board is responsible for the governance of risk, including determining the nature and extent of the significant risks which the company is willing to take.

The Board oversees the company's risk management framework and policies, and ensures that Management maintains a sound system of risk management and internal controls.

The Board may delegate responsibility for risk governance to a board committee, such as the Audit Committee or a separate Board Risk Committee.

The Board, with the assistance of a board committee (where established), should review, at least annually, the adequacy and effectiveness of the company's risk management and internal control systems and comment4 on the same in the company's annual report. Such a review can be carried out internally or with the assistance of any competent third parties.

The Board's commentary in the company's annual report should include:

(a) information needed by stakeholders to make an informed assessment of the company's risk management and internal control systems;
(b) a description of the principal risks (including financial, operational, compliance and information technology risk categories) facing the company and how they are being managed or mitigated;
(c) an explanation of the company's approach towards identifying, measuring and monitoring its key and emerging risks, and an elaboration of its approach towards the governance and management of these risks; and
(d) an explanation of how the Board has assessed the prospects of the company, over what period it has done so, and why the Board considers it to be appropriate to use that period.

4 Refer to Rules 610(5) and 1207(10) of the SGX Listing Rules (Mainboard) / Rules 407(4)(b) and 1204(10) of the SGX Listing Rules (Catalist); Main Board Practice Note 12.2/ Catalist Practice Note 21B—Internal Controls and Risk Management Systems.