Roles and Responsibilities

Risk Management Department
• Assess and monitor the effectiveness of the Group’s risk management processes and supporting systems
• Prepare and submit quarterly risk management guidelines and risk appetite recommendations to the RMSC for review
• Review key risks identified across the Group’s operations and evaluate their potential impact
• Report significant or pervasive risk matters exceeding established risk appetite to the RMSC
• Support Business/Operation Heads in identifying, evaluating, and managing key operational risks
• Track the implementation and progress of action plans established to mitigate identified risks

Risk Owners (Heads of Department/Heads of Division)
• Execute the risk management processes approved by the Board within their respective areas of responsibility
• Provide semi-annual risk register updates to the Risk Management Department for consolidation and submission to the RMSC for review and evaluation
• Identify and assess potential and emerging risks within their operational areas, record these risks in the risk register, and recommend appropriate mitigation measures

Three Lines of Defence

The Group further adopts a structured approach to assigning roles and responsibilities for risk management in line with the Institute of Internal Auditors’ (“IIA”) Three Lines Model. The first line of defence is led by the Group Chief Executive Officer and Deputy Group Chief Executive Officer, who provide leadership and oversight over actions, including the management of risk and the effective application of resources to achieve the Group’s objectives. The second line of defence comprises personnel from the Risk Management Department, with oversight from the RMSC, who are collectively responsible for monitoring key risks and supporting business units in their application of risk management processes. The third line of defence is provided by the Internal Audit function and the Audit Committee, and encompasses the provision of objective and independent assurance on the adequacy and effectiveness of the Group’s risk management and internal control framework.

AR 2025 | GOVERNANCE 220