The Board should, at least annually, review the adequacy and effectiveness of the company's risk management and internal control systems, including financial, operational, compliance and information technology controls. Such review can be carried out internally or with the assistance of any competent third parties.
This Guideline describes the requirement for an annual review of the risk management and internal control systems.
In carrying out its role of governing risk, the Board ensures that management has a sound system of risk management and internal controls. To that end, the Guideline calls for the Board to assess these systems at least annually, paying special attention to their:
- “Adequacy”, meaning the systems of risk management and internal controls are well-designed to achieve the risk objectives.
- “Effectiveness”, meaning the systems of risk management and internal controls are operating as they are designed.
Regular assessment allows the Board to identify areas for improvement. It also serves as a basis for the Board to opine – in the company's annual report as required by SGX MR 1207(10) and Guideline 11.3 of the Code – on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems.
The SGX-ST Listing Manual specifically requires that three risk categories of internal controls be considered: financial, operational and compliance risks. This Guideline recommends the additional consideration of information technology (IT) controls.
Many companies consider IT risks to be part of operational risks. However, with the increasing dependence on, and importance of, IT in many companies, the Code has emphasised IT as a key area of focus.
Of course, risk categories vary from company to company. What is important is that the company has a clear and common understanding of the relevant categories and risk types.
The Guideline further recognises that the assessment of risk management and internal controls may be conducted internally or, where more complex situations are being reviewed, with the help of external professionals engaged by the Board.
B. SGX Disclosure Guide
C. Related Rules and Regulations
D. CG Guides
- Board Guide 4.5: Risk Management [Board Duties].
- BRC Guide 3.5: Risk Categories [Risk Universe].
- BRC Guide 3.6: Strategic Risks [Risk Universe].
- BRC Guide 3.7: Financial Risks [Risk Universe].
- BRC Guide 3.8: Operational Risks [Risk Universe].
- BRC Guide 3.9: Information Technology Risks [Risk Universe].
- BRC Guide 3.10: Compliance Risks [Risk Universe].
- BRC Guide 5.2: Adequacy and Effectiveness Review [Sources of BRC Assurance].
- BRC Guide 5.10: Adequacy and Effectiveness Disclosures [Sources of BRC Assurance].
- BRC Guide Appendix 5C: Key Attributes of a Sound Risk Management and Internal Control Systems [Sources of BRC Assurance].
- BRC Guide Appendix 5D: Sample Questions for the Review of Risk Management and Internal Control Systems [Sources of BRC Assurance].
E. Related Articles
- “Risk management: Where lies the board?” by Jerry Koh and Daniel Seow.
- “Best practices in enterprise risk management” by Dennis Lee.
- “How to deal with Rule 719(1) and 1207(10) of the SGX listing manual” by Mike Gray.
- “Taking the right risks - risk governance defined” by Ng Siew Quan and Alvin Chiang.