Statement On Risk Management and Internal Control

The Board is pleased to present its Statement on Risk Management and Internal Control for the financial year ended 31 December 2014.  This Statement is prepared pursuant to paragraph 15.26(b) of the Main Market Listing Requirements (“Listing Requirements”) of Bursa Malaysia Securities Berhad (“Bursa Securities”) and as guided by the latest “Statement on Risk Management and Internal Control – Guidelines for Directors of Listed Issuers” (“Guidelines”) issued by the Task Force on Internal Control with the support and endorsement of Bursa Securities.





The Board recognises the Group’s business involves the taking of appropriate risks.  This is intended to achieve a proper balance between risks incurred and potential returns to shareholders.  The Board therefore ensures that there are systems in place which effectively monitor and manage these risks.


The risk management processes in identifying, evaluating and managing significant risks facing the organisation are embedded into operating and business processes.  These processes are undertaken by all Executive Directors and the management team members in their course of work.  Key matters covering the financial performance, operation and market are reviewed and deliberated in the EXCO meetings of the Company and in HeveaPac Sdn. Bhd.  During these EXCO Meetings, causes and reasons for performance achievement are discussed in order to identify the appropriate measures to manage risks effectively.  Summaries of minutes of EXCO meetings outlining the key issues are presented in the quarterly board meetings for the knowledge and information of all board members when considering the overall performance of the Group.  


Financial forecast are used as performance targets for management.  In addition, management has implemented a whistle blowing channel and reward system for reporting of employees’ misbehaviours.  Annually, a risk workshop is held and facilitated by the Internal Auditors.  This workshop is attended by the representatives of the executive and non-executive board members and the senior management personnel.  During this workshop, existing risks are re-assessed while new risks are identified, discussed and measured.  In addition, the status of the existing risk management action plans is reviewed and new action plans are discussed and identified to strengthen the existing action plan when needed or to mitigate new risk exposures.


HeveaBoard Berhad continues to be certified under the quality management systems of ISO 9001:2008 and ISO14001:2004 and the environment management systems of OSHAS 18001 and MS 1722.  These management systems form the guiding principles for the operational procedures.  Internal quality audits are carried out and annual surveillance audits are conducted by external certification body to provide assurance of compliance with the ISO requirements. 


During the financial year, the Company has obtained further certifications on sustainable forest and energy management systems.  These certifications are:


           i)      the Programme for the Endorsement of Forest Certification (“PEFC”) on production of timber and non-timber forest products meetings the ecological,
                   social and ethical standard requirements; and


           ii)     ISO 50001:2011 Certification for Energy Management System governing  organizations in using energy more efficiently through effective energy
                   management system. 

                   The implementation of this management system is recognised regionally.  The Company was the sole Malaysian company who has received the
                   2014 ASEAN Best Practices Awards for Energy Management in Buildings and Industries (for the industry special submission category). 





There are two levels of review of systems of risk management and internal control in the organisation.  The first level of the review is undertaken by the line and senior management while the second level constitutes the independent review performed by the Audit Committee.  The internal audit function supports these reviews of by conducting periodic audits to assess the effectiveness of the systems of risk management and internal control, recommending actions to management for improvement and reporting the status of management control procedures to the Audit Committee. 


Besides reviewing the systems of internal control, the Audit Committee also reviews the financial information and reports produced by management.  In this case, the Audit Committee in consultation with management deliberates the integrity of the financial results, annual report and audited financial statements before recommending to the Board for approval. 





In accordance to the Guidelines, management is responsible to the Board for identifying risks relevant to the business of the Group’s objectives and strategies, implementing and maintaining sound systems of risk management and internal control and monitoring and reporting significant control deficiencies and changes in risks that could significantly affect the Group achievement of its objective and performance. 


The Board has received assurance from the Group Managing Director and Chief Financial Controller that, to the best of their knowledge that the Group’s risk management and internal control systems are operating adequately and effectively, in all material aspects.





The Board confirms that there is an ongoing process for identifying, evaluating and managing significant risks faced by the Group.  For the financial year under review, the Board is satisfied that the existing level of systems of risk management and internal control are effective to enable the Group to achieve its business objectives and there were no material losses resulted from significant control weaknesses that would require additional disclosure in the Annual Report.  Nonetheless, the Board recognises that the systems of risk management and internal control should be continuously improved in line with the evolving business development.  It should also be noted that all risk management systems and systems of internal control could only manage rather than eliminate risks of failure to achieve business objectives.  Therefore, these systems of risk management and internal control in the Group can only provide reasonable but not absolute assurance against material misstatements, frauds and losses. 





The External Auditors have reviewed this Statement on Risk Management and Internal Control for inclusion in this Annual Report for the year ended 31st December 2014 and have reported to the Board that nothing has come to their attention that causes them to believe that this Statement is inconsistent with their understanding of the process the Board has adopted in the review of the adequacy and integrity of the systems of risk management and internal control of the Group.