Risk Management and Internal Control

The Board is responsible for maintaining sound and effective systems of risk management and internal control, which include financial, operational and compliance controls to safeguard the Group’s assets and Shareholders’ interests, as well as for reviewing the effectiveness of such systems. Sound and effective systems of risk management and internal control are designed to identify and manage the risk of failure to achieve business objectives.

The Group has formulated and adopted a risk management policy (the “Policy”) that depicts the systems to effectively identify, assess, mitigate, report and monitor key business risks across all business units. The “Top-Down” approach is adopted in the Policy, which is facilitated by strong oversight exercised by the Board, the Audit Committee, the Risk Management Taskforce (the “RMTF”) and senior management in the establishment and maintenance of the Policy, framework and program. At least on an annual basis, the RMTF identifies risks that would adversely affect the achievement of the Group's objectives, and assesses and prioritises the identified risks according to a set of standard criteria. Risk owners are assigned for different risks and mitigation plans are then formulated by risk owners for those risks considered to be significant.

Principal Risks and Uncertainties

The following are the key risks that are considered to be of most significance to the Group at this time. They may adversely impact the Group’s businesses, financial conditions, results of operations and growth prospects if they are not managed effectively. These key risks are not comprehensive, and there may be other risks, in addition to those set out below, which are not known to the Group or which may not be material now but could turn out to be material in the future.

Key risks related to the Group's businesses and to the industries in which the Group operates include:

Competition – The Group operates in markets and industries with competition from local and overseas rivals, which has led to pricing pressure and increased marketing costs. The Group has operated in this competitive landscape for a few years and has had to adapt its business strategies in light of the changed market conditions.

Technology – The Group’s operations depend on its ability to innovate and the successful deployment of continuously evolving technologies, particularly its response to technological and industry developments, as well as its ability to foresee and/or rapidly adapt to the emergence of disruptive technologies.

The Group cannot be certain that technologies will be developed in time to meet changing market conditions, that they will perform according to expectations or that they will achieve commercial acceptance.

Economic Environment – The deterioration of global financial markets and a slowdown in global economies may result in a significant decline in demand for the Group's data centre services.

People – The Group’s success and ability to grow depends largely on its ability to attract, train, retain, and motivate highly skilled and qualified managerial, sales, marketing, operating, and technical personnel. The loss of key personnel, or the inability to find additional qualified personnel, could adversely affect the Group's prospects and results of operations.

The risk management process is embedded into the day-to-day operations of the Group and is an on-going process carried out by everyone in the Group. Key procedures are being established and implemented to ensure that there are appropriate and effective risk management and internal control systems, which include (a) setting core values and beliefs which form the basis of the Group’s overall risk philosophy and appetite; (b) having an organisational structure in place with defined lines of responsibility and delegation of authority which hold individuals accountable for their risk management and internal control responsibilities; (c) imposing an organisational structure which provides necessary information flow for risk analysis and management decision-making; (d) imposing budgetary and management accounting controls to efficiently allocate resources and providing timely financial and operational performance indicators to manage business activities and risks; (e) ensuring effective financial reporting controls to record complete, accurate and timely accounting and management information; and (f) expanding the roles and responsibilities of the Audit Committee to include the review of risk management and internal control systems.

In addition, the Group has an Internal Audit Department which is responsible for performing independent reviews of the effectiveness of the Group’s risk management and internal control systems. Deficiencies in the design and implementation of such systems are identified and recommendations are proposed for improvement. Significant internal control deficiencies are reported to the RMTF, the Audit Committee and the Board on a timely basis to ensure prompt remediation actions are taken.

The Audit Committee, as delegated by the Board, discussed the risk management and internal control systems for the financial year under review with Management to ensure that Management has performed its duty to have effective risk management and internal control systems in place. The Board ensured that the resources, staff qualifications and experience, training programmes and the budget of the Group's accounting, internal control and financial reporting functions were adequate. The Board concluded that, in general, the Group had set up a control environment and installed the necessary control mechanisms to monitor and correct non-compliance or material internal control defects, if any.

The Board, through the Audit Committee and with the assistance of the Internal Audit Department, has conducted an annual review of the effectiveness of the risk management and internal control systems of the Group for the financial year ended 30 June 2018 and considers that the Group’s risk management and internal control systems for the financial year were effective and adequate. No significant areas of concern that may affect the financial, operational and compliance controls, and risk management functions of the Group have been identified. The systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.