CORPORATE GOVERNANCE REPORT (CONTINUED)
ACCOUNTABILITY AND AUDIT (Continued)
Risk Management and Internal Controls (Continued)
The Group has established an organisational structure with defined levels of responsibility and reporting procedures. The Audit Committee supports the Board in design, implementation and monitoring of the risk management and internal control systems. The operating units of the Group are responsible for the identification, assessment and mitigation of risks at business unit level and across functional areas. The Internal Risk Management Team, composed of nominated department heads and executives, facilitates the implementation of the risk management framework. The Internal Audit Department assists the Audit Committee in the review of the effectiveness of the Group's risk management and internal control systems on an ongoing basis. The Directors, through the Audit Committee, are kept regularly apprised of significant risks that may impact on the Group's performance.
The process of risk management involves:
understanding of organisational objectives;
identifying the risk associated with achieving organisational objectives and assessing the likelihood and potential impact of particular risks;
developing programmes to address the identified risks;
and
ongoing monitoring and evaluating the risks, internal control and the arrangements in place to address them.
The risk management of the Group combines a top-down strategic view with a complementary bottom-up operational process.
The Board, by the top-down approach, has a particular focus on determining the nature and extent of significant risks it is willing to take in achieving the strategic objectives of the Group. The Audit Committee supports the Board to review all significant risks in order to ensure that the activities of the business remain within agreed risk appetite tolerances.
The operating units of the Group are responsible for identifying their own risks and designing, implementing and monitoring the relevant risk management and internal control systems. The setting of business objectives and annual budgeting is one of their key control activities, which shall be refined to take into consideration risk factors. The operating units of the Group consult the Group General Manager on setting the business objectives which are pursuant to the Board's strategic objectives and are consistent with its risk appetite. The process involves the maintenance of risk assessment reports setting out particulars of material risks together with the control strategies as reported by the operating units of the Group. This bottom-up approach is embedded in the operations of the Group and complements the top-down strategic view by identifying the principal risks and ensuring the significant risks to be considered by the Board in determining the risk appetite.
The Internal Audit Department collects the risk assessment reports from the operating units of the Group and then compiles a risk register for review at the meeting of Internal Risk Management Team which is held at least 4 times a year (2 meetings are held before the holding of the Board Meeting to review the interim and annual results of the Group). The Internal Risk Management Team coordinates risk management activities and assesses the effectiveness of the related system of internal control in managing the significant risks, having regard, in particular, to any significant failings or weakness in internal control that have been reported.
The Internal Audit Department adopted a risk-based approach which included all significant risks in each year's annual audit plan and performed audits to evaluate the proper functioning of the risk management and internal control systems for the financial year ended 31 December 2018. It is intended to carry out this evaluation process on an ongoing basis. Key audit findings and recommendations have been shared with the Internal Risk Management Team. The Audit Committee, after reviewing and considering the risk management findings submitted by the Internal Audit Department, reported to the Board of the Company and confirmed to the Board that the risk management and internal control systems are effective and adequate.
Hong Kong Ferry (Holdings) Company Limited Annual Report 2018