74 Statement on Corporate Governance
80 Risk Management
86 Statement on Risk Management and Internal Control
90 Board Audit Committee Report
93 Statement on Internal Audit
95 Statement on Investment Risk Management

Check and Balance

The Investment Panel Risk Committee must be able to identify situations of potential conflict of interest, given its independent role and structure. The members consist of professionals and independent directors with extensive experience who practice good ethical standards and highlight any potential area of conflict.

Chairman, Investment Panel Risk Committee, Dato’ Sri Mohamed Nazir Abdul Razak
Annual Report 2015, Lembaga Kumpulan Wang Simpanan Pekerja (Employees Provident Fund Board)
Sustainability and responsible investing has been in the limelight in the investment community in 2015 with the rise in corporate governance issues in the region. Sustainability is shaping businesses and investment today and EPF as Malaysia’s largest pension fund is striving to be at the forefront in championing sustainable investing and incorporating Environmental, Social and Governance in its investment consideration. The EPF believes that a sound corporate governance framework promotes strong leadership by the Board of Directors and good management practices, which will in turn contribute to enhancing accountability, transparency and long term success of the companies.
The EPF continues to regard good governance practices as integral to protect the interest of all stakeholders and the reputation of the Fund. As a trustee with assets of RM684.53 billion, sustainability is a key factor in fortifying the alignment of interests between the EPF as a long-term investor with its fiduciary duties, the Government in its supervisory and developmental role, and its contributing members as beneficiaries. With the continuous innovation and movement in corporate governance and sustainable investing, the EPF has moved in tandem by getting involved in a number of initiatives in championing sound corporate governance. Among others, engagement and active voting is becoming an intrinsic part of our equity investment process. The EPF will engage and vote on any issue affecting the long term sustainability of a company which it has invested in.
During the year, the EPF has also been involved in efforts to enhance corporate governance awareness and the adoption of good corporate governance practices. The initiatives include:
forums on corporate governance in order to be up-to-date with current practices such as the ASEAN Annual Corporate Governance Summit by the Malaysian Institute of Corporate Governance (MICG).
• Institutional Investors Council and Working Group Committee of The Malaysian Code for Institutional Investors
The EPF has been playing an active role in the formation and establishment of the Malaysian Code for Institutional Investors 2014 which was launched on 27 June 2014. This initiative aims to outline broad principles of effective stewardship by institutional investors, accompanied with comprehensive guidelines to implement the principles. In 2015, the EPF was part of the Institutional Investors Council and Working Group committee. This aims to provide a platform for Institutional Investors to discuss issues of common interest.
• ESG Index
In 2015, EPF pioneered its first in-house Environmental, Social and Governance (ESG) corporate equity rating tool in order to integrate the element of sustainability, governance and integrity into our investment processes. This rating mechanism does not only extend beyond the traditional focus on corporate governance, but also aims to capture a more holistic picture of what and how a company is performing from the perspective of environmental and social needs.

Board and Investment Panel (structure chart): Minister of Finance (Government) above the Board and the Investment Panel. Board line: Board, Board Committee, Management, Related Departments. Investment Panel line: Investment Panel, Investment Panel Committee, Management Investment Committee, Investment Departments.
• Corporate Integrity Pledge
The EPF together with its wholly owned subsidiary KWASA Land Sdn. Bhd. signed a Corporate Integrity Pledge on 7th December 2015 as a continued effort to support best practices in business ethics, in line with the best practices of global governance.
The EPF corporate governance standards are drawn from various best practices, particularly from the following references:
The EPF Act 1991 provides for the establishment of an Investment Panel to provide strategic direction on investment related issues. The Investment Panel determines and approves investment activities in line with existing guidelines, policies on risk control and asset allocation.
The roles and responsibilities of the Chairman and CEO are kept separate in accordance with best practices and to ensure appropriate balance of power and supervision of the management, increased accountability and greater independence.
The Chairman leads and ensures effective and comprehensive discussion on matters brought to the Board, including strategic issues and business plans. The Chairman ensures that the Board’s decisions are translated into executive action.
The EPF carries out Board Effectiveness Evaluation (BEE) to assess the performance of the Board, including the Chairman and CEO, the Investment Panel, Audit Committee and Risk Management Committee. This is in addition to the self and peer evaluation of the directors. BEE comprises an overall evaluation of the effectiveness of the Board and Investment Panel. The review is carried out once in every two years by an independent professional body.
The EPF believes that communication with stakeholders forms an important part of the corporate governance framework and acknowledges the need to be transparent to its stakeholders. The EPF discloses quarterly reports on its investment activities comprising information on asset allocation, revenue generated from each asset class, total fund size and outlook for the following quarter. It also discloses the top 30 equity investments on a quarterly basis to ensure transparency and provide stakeholders with information on the EPF’s holdings in public listed companies in Malaysia.
As the EPF becomes more active in overseeing its investments, the organisation has appointed nominees on the boards of listed and unlisted companies. As at 31 December 2015, the EPF has nominees in nine listed companies and 44 unlisted companies.
RISK MANAGEMENT
1.0 OVERVIEW
The EPF embraces risk management as an integral component of its investments, operations and decision-making process. With its commitment to implement sound risk management practices and governance, the EPF is able to sustain excellent performance in line with its Mission to provide the best retirement savings scheme. Whether the risk relates to strategy, credit, market, liquidity or operations, the EPF continues to leverage on its robust risk management culture and integrated risk management framework to take advantage of potential opportunities in order to counter all possible threats. The EPF adopts a proactive approach in identifying and managing risks in the face of uncertainty in the operating environment and volatilities in the financial market.
“Effective risk management is critical for the EPF to achieve sustainable returns and long term growth in today’s globalised and interlinked macroeconomic and financial environment.”
The EPF adopts a ‘top-down’ and ‘bottom-up’ approach, whereby the departments, spokes and management continue to engage in healthy discussions on key risk matters and processes, thus creating a robust risk practising culture. Supporting the risk governance structure, formal policy and procedures are developed to address all key risk areas.
3.0 THE BOARD AND THE INVESTMENT PANEL
The EPF’s risk management structure provides clear lines of responsibility and accountability for the risk management processes as well as outlines the principal risk management and control responsibilities:
The EPF Board has overall responsibility for the organisation’s risk management, except for activities related to investment decisions.
The Investment Panel (IP) is responsible for overseeing risk management pertaining to the EPF’s investment decision making and defines the level of risks that the EPF is willing to tolerate through its Risk Appetite Statements, which form the basis of the allocation of funds for investment.

Risk governance structure (chart): Board of the EPF; Investment Panel; Board Risk Management Committee; Management Operations Risk Committee; Management Risk Committee; Risk Management Department; Investment Compliance Department.
3.1 THE BOARD RISK MANAGEMENT COMMITTEE AND INVESTMENT PANEL RISK COMMITTEE
• The Board Risk Management Committee (BRMC) is responsible for assisting the Board in overseeing all operational risk management activities except for activities pertaining to making investment decisions and to ensure that the risk management process is in place and functioning effectively.
• The Investment Panel Risk Committee (IPRC) is responsible for assisting the IP in recommending the risk appetite and appropriate allocation of the risk ‘budget’. The IPRC is delegated with the responsibility to review and approve appropriate risk measurement, policies, processes and limits to ensure their continued effectiveness.
3.2 THE DEDICATED COMMITTEES
• The Management Operations Risk Committee (MORC) is established at the Management level to oversee, implement and execute the EPF’s operational risk management (which includes strategies, culture, structure, people and processes) and to ensure that the risk management framework is implemented effectively throughout the organisation.
• The Management Risk Committee (MRC) is a Management level committee responsible for developing and reviewing risk policies and appropriate limits for managing the EPF’s investment risks.
• The Management Investment Committee (MIC) is a Management-level committee responsible for evaluating and recommending investment proposals to the IP. It also evaluates and recommends investment strategies and the performance of external fund managers.
• The Risk Management Department (RMD) supports the MIC, MRC, MORC, IPRC, BRMC and IP in all risk management matters covering investment risk, operational risk, risk measurement, independent assessment, monitoring and reporting of risk exposures.
• The Investment Compliance Department is responsible for monitoring and compliance of all investment related risk policies and limits.
• The Business Units, Spokes and Departments, being the first line of defence, are responsible for managing risks in their respective functions on a day-to-day basis as well as for escalating significant potential risks to the MORC via the Risk Management Department. Among the principal roles and responsibilities of the business units are to:
The Investment Risk Management Framework governs the EPF’s investment processes and ensures that effective risk management controls and procedures are in place with regard to investment decision making.
The framework provides an approach to managing and anticipating both existing and potential risks arising in the EPF’s investment portfolio, and enables the EPF to have a structured process to measure, assess, monitor and manage its portfolio risks. This ensures the EPF optimises its returns on risk-taking activities within the risk appetite level as approved by the Board.
4.2 MARKET RISK MANAGEMENT
Market risk is the risk of loss from changes in the value of portfolios and financial instruments due to movements in interest rates, foreign exchange and equity prices.
The objective of market risk management is to ensure that risk exposures undertaken by the EPF are within the risk appetite. This is done through an annual review of various policies and limits, periodic reports to monitor market risk at portfolio level for each asset class and independent validation performed on the underlying risk methodology:
• Value-at-risk (VaR) - a statistical measure of the potential losses that could occur as a result of movements in market rates and prices over a specified time horizon within a given confidence level.
• Duration - to manage the sensitivity of the price of a fixed income investment arising from interest rate movement.
• Tracking error - a standard deviation of the portfolio’s excess returns relative to a benchmark in measuring and benchmarking the performance of the portfolio.
• Backtesting - a validation process performed to check the accuracy of the risk methodology used in computing VaR for both fixed income and equity portfolios.
• Stress testing - an exercise conducted to capture the potential market risk exposure of ‘what-if’ scenarios. It incorporates factors such as correlation, volatility and returns at different levels.
The EPF’s credit risk management involves thorough credit analysis and prudent underwriting standards. The EPF reviews and updates its credit underwriting standards to be commensurate with marketplace best practices.
• Independent risk assessment is conducted for every new investment proposal presented to the Management Investment Committee and Investment Panel meetings for decision.
• Close monitoring of changes to existing investments via assessments on an ad-hoc as well as periodic basis.
• Credit rating tool to measure the creditworthiness or probability of default (PD) of the obligors, as follows:
i. Corporate Rating Template which provides internal risk rating for corporate obligors.
ii. Financial Institution Rating Template which provides internal risk rating for financial institution obligors.
iii. Credit tool which measures the Expected Default Frequency (EDF) or Probability of Default (PD) to provide early warning signals for the EPF’s close monitoring of respective obligors.
• Allocating 3% of its asset’s value for short-term instruments in the form of cash and placements in financial institutions in order to meet members’ withdrawals and other financial commitments and obligations; and
• Diversifying its investment portfolio by setting the concentration limits on name, sector and asset type.
Over the medium and longer term, the EPF is able to meet its liquidity requirements through its holdings of liquid investments such as publicly traded equities and available for sale fixed income securities. The maturity profile of the EPF’s asset and liability is also monitored within a stipulated level. The Group and the EPF’s financial liabilities are categorised into relevant maturity groupings based on the remaining period at the Statement of Financial Position date to the contractual maturity date.
The MS ISO 31000:2010 Risk Management – Principles and Guidelines, a global risk management standard, sets the policy, principles, processes and methodology in managing operational risks. EPF adopts the standard as a main practice guide in its framework which is reviewed on a regular basis to ensure its continued application and relevance.
5.2 OPERATIONAL RISK MANAGEMENT METHODOLOGY AND PROCESS
Communication and consultation: The two-way dialogue between Risk Management Department and stakeholders with regards to the existence, nature, form, severity, or acceptability of risks.
The CRS is implemented through the Operational Risk Management (ORM) System which records the ownership and details of risks, controls, management actions and incorporates changes to the risk scorecard. All business units use the risk scorecard as a tool to manage their risks effectively.
Access to the ORM system is provided on an enterprise-wide basis so that all Risk Scorecard Owners, Risk Owners, Control Owners and Management Action (MA) Owners can undertake RCSA activities effectively. A total of 100 risk scorecards were in place in 2015, consisting of one CEO risk scorecard, three DCEO risk scorecards, 28 department risk scorecards and 68 spokes risk scorecards.
Risks are monitored and managed through ownership from the line management. Through the Corporate Digital Assurance (CDA) process, scorecard, risk, control and MA owners are required to provide digital assurance six times a year to the Management that they have been managing risks within their profiles appropriately.
The Risk Management Department reports and highlights risk management related issues in the MORC, BRMC and the EPF Board for their information and/or decision making on a periodic basis.
The performance management is integrated with risk management to identify and monitor key risks impacting EPF’s business objectives.
CORPORATE RISK SCORECARD METHODOLOGY
The level of risk is determined upon the assessment of Gross Risk Rating, Control Effectiveness Rating and Nett Risk Rating. The risk score of each risk factor is derived by adding the rating on possibility and impact.
Ownership chart: Risk Scorecard; Risk Owner; Control Owners; MA Owners; KRI Owners. Note: MA = Management Action, KRI = Key Risk Indicator. Ownership is assigned for every scorecard, risk, control and Management Action (MA) to ensure accountability and execution.
Sources of Risk (chart): External; Regulatory & Legal; Corporate Governance; Financial; Customers; Product & Services; Suppliers; Operations; Human Capital.
establishing the context include considering internal and external parameters relevant to the organisation as a whole, as well as the background to the particular risks being assessed. All these contexts are described as “The 9 Sources of Risks”.
• Human Resource Readiness – this refers to the development of knowledge and skills in managing disasters. Implementation is through training on BCP readiness, tutorials, walkthroughs, call trees, crisis simulation exercises and BCM i-learning.
• Infrastructure Readiness – this refers to testing the system to ensure optimal readiness and functionality in the event of a disaster. This is done through equipment and system testing which is performed twice a year.
Activation of the BCP follows three disaster codes to signify the level of a disaster. Code Green means that there is no disaster. Code Yellow means that an incident has occurred and is under investigation. Code Red means the BCP is activated and relevant teams will have to execute the relevant recovery procedures including activation of the Recovery Centre.
7.0 KEY RISK MANAGEMENT INITIATIVES IMPLEMENTED IN 2015
• Introduced the Strategic Risk Culture Index as a KPI for the EPF Corporate Scorecard to emphasise the importance of leadership and top management’s role in risk management to ensure ongoing effectiveness. This strategic KPI complements the existing risk culture KPI in all departments and spokes to further enhance risk awareness and culture in the EPF.
• Embarked on a risk validation initiative to facilitate identifying emerging risks and enhancing controls for departments and spokes. These will then be incorporated into the risk scorecard to ensure that the scorecard remains relevant and dynamic.
STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL
INTRODUCTION
The EPF has issued this Statement in accordance with the “Statement on Risk Management & Internal Control - Guidelines for Directors of Listed Issuers” (the Guidelines) issued by an industry-led task force supported by Bursa Malaysia and the Securities Commission Malaysia. This is to promote good corporate governance, as the Guidelines are not a requirement for the EPF.
The Guidelines are in line with Principle 6 of the Malaysian Code on Corporate Governance issued in March 2012, which states that the Board should establish a sound risk management framework and internal control system.
RESPONSIBILITY
The Board acknowledges its overall responsibility for the adequacy and effectiveness of the EPF’s risk management and internal control system. The EPF’s risk management framework is designed to identify, analyse and evaluate significant risks that hinder the achievement of the organisation’s policies and objectives. Accordingly, the internal control system is in place to manage rather than to eliminate those risks. It can, therefore, only provide reasonable and not absolute assurance.
Three committees have been delegated the responsibility for overseeing the adequacy and effectiveness of the EPF’s risk management and internal control system:
• The Board Audit Committee (BAC) on the internal controls, risk management and governance processes.
• The Investment Panel Risk Committee (IPRC) on investment risk management matters covering risk appetite, risk measurement, policies and limits, except activities involving investment operations. Further information on IPRC is provided in the Statement on Investment Risk Management in the Annual Report.
• Designing, implementing and monitoring the risk management framework and system of internal control in accordance with the EPF’s strategic vision and overall risk appetite; and
The EPF has in place a sound risk management and internal control framework as part of good corporate governance practice.
The key systems and processes that the Board has established for the purpose of reviewing the adequacy and effectiveness of the risk management and internal control system are as follows:
Risk Management Framework
The Board has adopted an Operational Risk Management (ORM) Framework based on the MS ISO 31000:2010 Risk Management – Principles and Guidelines, which outlines the principles, policies and processes in managing the EPF’s operational risks.
The EPF has established clear lines of responsibility and accountability for the risk management process as well as outlined the principal risk and control responsibilities under the risk management structure.
(a) The Board Risk Management Committee (BRMC) oversees all operational risk management activities and ensures that appropriate risk management processes are in place and functioning effectively. The Committee reviews and recommends risk management strategies and assesses the adequacy of the risk management framework.
The second line of defence is the Risk Management Department, which develops the risk management framework, policy, methodologies and tools for the management of key risks in the organisation. A detailed scope of work regarding the risk management function is provided in the Risk Management section in the Annual Report.
The Internal Audit Department, being the third line of defence, provides the Board Audit Committee with independent and reasonable assurance on the adequacy and effectiveness of the risk management and internal control system.
The Risk Management Governance Structure is provided in the Risk Management section in the Annual Report.
Internal Control Framework
The system and framework are based on the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control Integrated Framework, an internationally recognised benchmark on risk management and internal controls.
The Board Audit Committee assists the Board in evaluating the effectiveness of the internal controls, risk management (except risk management activities in making investment decisions, which come under the purview of the Investment Panel) and governance processes of the EPF. It reviews internal control issues identified in reports prepared by the internal and external auditors, and evaluates the effectiveness and adequacy of the internal control system, operational risk management and governance processes. It further reviews the internal audit function with particular emphasis on the internal audit’s independence, scope, resources and quality of internal audits.
Details of the activities undertaken by the Committee are set out in the Board Audit Committee Report of the Annual Report.
The Internal Audit Department reviews the key activities of the EPF’s businesses based on the annual internal audit plan as approved by the Board Audit Committee. A detailed scope of work of the Internal Audit Function is provided in the Statement on Internal Audit in the Annual Report.
The control environment sets the tone of an organisation, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Relevant key activities include:
• Terms of Reference
Clearly defined terms of reference on the roles and responsibilities of all Board committees and the Investment Panel, as stated in the Statement on Corporate Governance.
• Organisational Structure
The structure has clearly defined lines of accountability, delegation of responsibility and levels of authorisation for all aspects of the business. Management committees meet on a regular basis to identify, discuss and resolve operational, financial, investment and key management issues and periodically report to the Board, Investment Panel and its respective committees.
• Human Resource Policies and Procedures
Proper guidelines within the organisation for hiring and termination of staff, staff training programmes, annual performance appraisals and other relevant procedures to ensure that employees are competent and adequately trained in carrying out their responsibilities.
• Culture of Integrity
Entrusted with managing members’ savings, various programmes and initiatives are in place to inculcate and uphold the culture of integrity, such as timely declarations of assets by staff, declarations of conflict of interest in both procurement and investment processes as well as a no-gift policy. The Integrity and Governance Department is tasked to handle matters on integrity and governance.
• Corporate Integrity Pledge
The Corporate Integrity Pledge, signed on 7 December 2015, augments the commitment by the EPF to uphold integrity, which is essential to create a business and operating environment that is transparent and in line with global best practices in governance.
• Corporate Risk Scorecard (CRS)
The Corporate Risk Scorecard (CRS) methodology is a detailed risk management approach where risks are identified based on internal and external sources, and are analysed, evaluated, treated and monitored.
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out effectively. They ensure necessary actions are taken to mitigate the risks that hinder the achievement of the organisation’s objectives. Relevant key activities include:
• Business Performance Management
The EPF uses the Balanced Scorecard (BSC) methodology to operationalise its strategies, aligned to its vision and mission and to drive performance.
• Annual Corporate Plan
The 2015 Annual Corporate Plan has incorporated the pertinent outcomes, key priorities and strategic initiatives to be implemented for the next three (3) years to meet both the immediate and medium- to long-term objectives of the organisation. It is reviewed by the relevant management committees and approved by the Board.
• Strategic Risk Culture Index
Strategic Risk Culture Index is incorporated as a KPI with the objective towards enhancing risk management practices in the EPF.
• Policies and Procedures
Policies and procedures to ensure compliance with internal controls (such as segregation of duties, independent checks, verification processes and system access controls) as set out in operation manuals, guidelines and directives issued by the EPF are updated regularly and signed off by the respective Heads of Departments and the CEO. Policy guidelines and delegated authority limits are also imposed on the Management with regards to day-to-day operations.
• ICT Security Policy
An ICT Security Policy outlining appropriate policies and procedures to ensure confidentiality, integrity and availability of information and system applications has been put in place. Data Loss Protection (DLP), monitoring, hardening, assessment and other IT security controls are in place to mitigate the IT security risk. To further assess and improve IT security controls, a Cyber Security Maturity (CSM) assessment was initiated in 2015 to evaluate and further strengthen the Information and Technology security posture in the EPF.
• Chinese Wall Policy
The Chinese Wall Policy and its procedures are issued to safeguard against any compromise on the tenets of integrity, transparency and accountability by controlling, restricting and managing the flow of price sensitive information.
• Business Continuity Management (BCM)
BCM plans and systems are continuously monitored, tested and communicated to all levels to ensure that the organisation is prepared in the event of a crisis or disaster.
• Insurance Coverage
Adequate insurance coverage of major assets is in place to ensure the EPF’s assets are protected against incidents that could result in material loss.
Information and Communication
Information and Communication support all other control components by communicating control responsibilities to employees and by providing information in a form and time frame that allow people to carry out their duties. Relevant key activities include:
• Fraud Control Management Plan
The Fraud Management Committee oversees the EPF’s overall approach on fraud control under the Fraud Control Management Plan, which includes Anti-Fraud and Whistleblower Protection Policies.
• Communication of Operational Risk Management (ORM)
ORM principles, framework and processes adopted by the EPF have been disseminated to all employees at all levels for better understanding of the practices adopted.
Monitoring
Ongoing monitoring and evaluation of the effectiveness of internal control are built into business processes at different levels of the organisation. Relevant key activities include:
• Operational Risk Management System
An integrated operational risk management system is used to monitor and manage the EPF’s risk exposure. Key risks are identified and the effectiveness of internal control is assessed and electronically confirmed by the respective departments and branches on a timely basis. Where the mitigated risks are not within acceptable levels, individual action plans are identified and their implementation is monitored to reduce the gap.
• Regular Reporting
Adequate processes are in place to discuss issues on risk management and internal control deficiencies, which are reported regularly to the Management through various committees. The Management evaluates and communicates to parties responsible for taking corrective action in a timely manner.
• Monitoring Activities by Internal Audit
The results of all audit engagements are reported to the Board Audit Committee (BAC) and communicated to the Management. The Internal Audit Department maintains a follow-up process to monitor and help ensure that all the agreed audit observations and resolutions have been promptly addressed.
• Quality Management Standard
All the EPF’s core processes comply with the MS ISO 9001:2008 standard.
ASSURANCE ON RISK MANAGEMENT AND INTERNAL CONTROL
The Board is of the opinion that the EPF’s risk management and system of internal control are sound and sufficient to safeguard the interests of members. The Board’s review of the effectiveness of the risk management and system of internal control is supported by:
• The Board Audit Committee, which meets a minimum of four times a year and reviews the findings and recommendations of the internal auditor and the Auditor General.
• The Auditor General’s issuance of the annual audit certificate on the financial statements.
• The Management’s assurance that the EPF’s risk management and internal control system are operating adequately and effectively in all material aspects.
This statement is made in accordance with the resolution of members of the Board dated 1 March 2016.
ii. Dato’ Mat Noor Nawi, Deputy Chairman (Government); Datuk Ahmad Badri Mohd Zahir (Alternate Member, appointed on 1 May 2014); Dato’ Siti Zauyah Mohd Desa (Alternate Member, completed service on 1 May 2014)
iii. Datuk Abang Haji Abdul Karim Tun Abang Haji Openg (Employers)
iv. Datuk Lok Yim Pheng (Employees)
v. Datuk Thomas George (Professionals)
2. MEETINGS
The Board Audit Committee holds meetings at least four (4) times a year. In addition, it meets with external auditors at least twice a year in the absence of the Management.
The Board Audit Committee is governed by its own terms of reference. A summary of the latest Board Audit Committee’s Terms of Reference, which was approved by the Board on 16 July 2012, is as below:
a. To approve the Internal Audit Charter, defining the authority, accountability and role given by the Management to the internal auditors in order to carry out their work.
b. To review and approve the annual audit plan prepared by the internal auditors.
c. To evaluate the internal control system through reviews of the internal audit reports that highlight any weaknesses in accounting, organisational or operational controls and rectifications carried out by the Management.
d. To evaluate the effectiveness and efficiency of the Internal Audit Department through periodic meetings.
e. To evaluate the annual performance of the internal auditors based on the implementation of the annual audit plan and other assessments as instructed by the Board Audit Committee from time to time.
BOARD AUDIT COMMITTEE REPORT
f. To review and consider the implementation of a quality assurance review of the internal audit function by qualified independent reviewers at least once in every five years. Findings from the quality assurance review shall be reported to the Board.
g. To supervise and direct special projects or investigations deemed necessary or as instructed by the Board.
3.1.2 Risk Management
Toprovideanindependentopinionandreasonableassuranceon the adequacy and effectiveness of risk management,exceptforriskmanagementactivitiesrelatedtoinvestmentdecision-making.
3.1.3 External Audit
a. To evaluate the internal control system throughreviews of the external audit reports that highlightany weaknesses in accounting, organisational oroperationalcontrolsandrectificationscarriedoutbytheManagement.
b. To review and consider the need for a specialmanagementauditbyexternalauditors, thefindingsofwhicharetobereportedtotheBoard.
3.1.4 Audit Reports
a. To review and analyse all audit findings and queries raised by the internal and external auditors.
b. To determine the schedule of periodical reports from the Management, and internal and external auditors, taking into consideration the impact of significant changes, improvements on accounting treatments and reporting requirements as proposed by the accounting bodies and/or any other significant issues through an annual review.
3.1.5 Financial Reports
a. To evaluate and endorse the Quarterly and Annual Financial Reports to the Board.
b. To analyse and report to the Board observations raised by the external auditors on the Annual Financial Report.
3.1.6 Policies
a. To review the effectiveness and adequacy of the EPF’s accounting policies, financial management and procedures through discussions between the internal and external auditors together with the respective executives/Management.
b. To review and endorse to the Board the effectiveness and adequacy of any significant changes in the EPF’s Information Security Policies.
3.1.7 Related Party Transactions
To review, evaluate and report to the Board any related party transaction or conflict of interest which might arise in the EPF or its subsidiaries or joint venture companies in which the EPF has control over business management, procedures and conduct which may jeopardise the Management’s integrity.
3.1.8 Other Matters
a. To evaluate the effectiveness and adequacy of the Fraud Control Management Plan.
b. To prepare and establish reporting schedules to the Board, summarising the Board Audit Committee’s performance in discharging its responsibilities.
c. To carry out any other functions as requested by the Board from time to time.
4.1.3 Reviewed findings of investigations and other ad-hoc special reviews on specific areas of operations to ascertain the root causes of the issues and the effectiveness of corrective actions taken to address identified weaknesses.
During the year, members of the Board Audit Committee attended the following training programmes, conferences and seminars:
No. Course
1. International Social Security Conference 2015
2. Strategy Workshop
3. EPF Investment Seminar 2015
6. INTERNAL AUDIT FUNCTION
6.1 The internal audit function is carried out by the Internal Audit Department, which reports directly to the Board Audit Committee on its activities based on the approved annual internal audit plan.
6.2 The Internal Audit Department provides independent, objective assurance and consulting services designed to add value and improve the EPF’s operations. The Internal Audit Department helps the EPF to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the risk management, internal controls and governance processes.
6.3 Further details of the internal audit function are set out in the Statement on Internal Audit.
1. OVERVIEW
The Internal Audit Department provides independent, objective assurance and consulting services designed to add value and improve the EPF’s operations. The Internal Audit Department helps the EPF accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, internal control and governance processes.
2. INDEPENDENCE AND OBJECTIVITY
The Head of Internal Audit Department reports functionally to the Board Audit Committee and administratively to the Chief Executive Officer. The internal audit activities are free from interference in determining the scope of internal auditing, performing work and communicating results.
In the interest of protecting its independent status, the Internal Audit Department has no executive or managerial powers, authorities, functions or duties except those relating to the management of internal audit functions. The Internal Audit Department is also not responsible for the detailed development or implementation of new systems, plans, regulations, policies or procedures.
3. SCOPE OF WORK
3.1 The Internal Audit Department’s functions include audits of the financials, operations, compliance and management of the EPF. Its scope of work, primarily, is to determine whether the EPF’s risk management, internal control systems, management information systems and governance processes, as designed and represented by the Management, are adequate and functioning in a manner to ensure:
3.1.1 risks are appropriately identified and managed;
3.1.2 resources are acquired economically, and employed effectively and efficiently;
3.1.3 assets are safeguarded;
STATEMENT ON INTERNAL AUDIT
“Internal audit activities are governed by the EPF’s Internal Audit Charter, which is approved by the Board Audit Committee and is in line with the Institute of Internal Auditors (IIA) Standards. The EPF’s Internal Audit Charter is assessed at least once every five (5) years, to determine whether the role, authority, responsibilities, scope of work and other areas as incorporated in the Charter
3.2.3 participating as an observer in selected management committees set up to develop or implement new systems or processes. Such participation is limited to providing advice on control matters and does not preclude the Internal Audit Department from auditing the systems or processes.
3.3 The Internal Audit Department developed its audit plan using an Enhanced Audit Risk Scoring Model, prioritising the internal audit activities according to the audit risk level. The Enhanced Audit Risk Scoring Model evaluates audit risks based on the assessment of inherent risks, control risks and detection risks for each operation, function and information technology system.
3.4 During the year 2015, 125 reports were presented to the Board Audit Committee.
4. INTERNAL AUDIT RESOURCES
As at 31 December 2015, the total Internal Audit Department headcount stood at 89, of whom 11 auditors are professionally qualified in their respective field. The Board Audit Committee reviews and approves the Internal Audit Department’s human resource requirements to ensure the function is adequately equipped with competent internal auditors.
6.1 The Internal Audit Department has established and maintained a quality assurance and improvement programme designed to evaluate the operations of the function. This programme includes periodic internal and external quality assessments and ongoing internal monitoring.
Internal assessments include:
6.1.1 ongoing reviews of the performance of internal audit activities; and
6.1.2 peer reviews of the audit processes, procedures and documentation on a periodic basis.
6.2 The Internal Audit Charter stipulates that a Quality Assurance Review by a qualified independent reviewer is required at least once every five (5) years. The last Quality Assurance Review of the Internal Audit Department was carried out in 2014.
6.3 Based on the review by KPMG Management & Risk Consulting Sdn. Bhd., the Internal Audit Department has generally conformed with all of the International Standards for the Professional Practice of Internal Auditing (IIA Standards) promulgated by the Institute of Internal Auditors.
6.4 The next Quality Assurance Review by a qualified independent reviewer is scheduled for 2019.
The Risk Management Department supports the MRC, IPRC and IP in risk management related matters, covering independent measurement and credit assessment, monitoring and reporting of the EPF’s investment risk exposures.