The Company has continuously placed importance on the internal control because it realizes that an internal control system is a crucial mechanism for the Company to run its business in order to achieve its goals efficiently and effectively, using resources and asset management, reporting financial information, complying with the law, rules, and regulations, and preventing or reducing risks of any actions which may damage the Company. The Board of Directors has clearly specified roles and duties of the committees and the Management Team. The Board has also supervised them to comply with stipulated roles and duties by setting the organizational structure and its distinct chain of command for checks and balances and appropriate internal control, and set its business goals and Key Performance Indicators (KPI) in order to assess the efficiency and follow up its operational performance compared with the organization's goals regularly.
The Board of Directors has formulated a policy on Good Corporate Governance, business ethics and a code of conduct for the Company's directors, executives, and employees, an anti-corruption policy, and a policy on notification of clues or complaints in writing. The Board has also launched a campaign to promote every employee to have awareness and continuously act on this practice by providing the employees with annual knowledge training so that the performance is transparent and fair to every group of stakeholders, a follow-up process and clear punishment, reviewing and preparing written manuals of the execution of authority and performance of every system which are used as guidelines on performance and help with flexible and systematic business operations. The scope of duties and responsibilities, and the internal control system are taken into consideration.
The Board of Directors allows the Audit Committee to supervise the internal control system, the risk management system, the corporate governance system whether those systems are appropriate and efficient, including the compliance of related laws, orders and regulations, preventing conflicts of interest. Making, related transactions to control and utilizing, asset in order to prevent fraud or misconduct. The Company sets up an auditing mechanism for checks and balances by establishing the internal audit division an independent, unit who reports directly to the Audit Committee, performs audit, evaluates the efficiency and sufficiency of the internal control system, the risk management system and the corporate governance system in the performances of all units in the Company and its subsidiaries. They adopts the framework of COSO (The Committee of Sponsoring Organizations of the Tread way Commission) and Enterprise Risk Management, and monitoring regulations in compliance with the Stock Exchange of Thailand (SET), Thai Institute of Directors (IOD), and Organization for Economic Co-operation and Development (OECD) to be used to fulfill internal control, risk management, and governance in order to allow the Company's performances to pursue the utmost of operational performance efficiently and effectively.
Besides, the Board of Directors has revised the assessment of the sufficiency of the internal control system annually according to an internal control framework of Securities and Exchange Commission (SEC) which reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) - for both 5 principles and 17 components. The Company has not found any significant flaws affecting the Company's internal control system.
THE RISK ASSESSMENT
The Company realizes the importance of the risk management which may affect the business operations, from the organization's both internal and external factors. The Company then organizes the Risk Management Committee (RMC) to monitor the organization's risk management to achieve goals according to the organization's acceptance level. RMC then sets a policy on risk management in order that every employee complies with the policy which risks from external and internal factors -covering every aspect of the risks - are evaluated and managed. For example, they are strategic, operational, financial, compliance, event risk factors, including risks from corruption. These risks are divided into risks for MBK Group, business group, organization, and division levels. In order to find suitable and adequate measures against these risks, a report is submitted to RMC every quarter and another report is submitted to the Board of Directors annually. Risk factors which are changing externally and internally that may affect the organization are also reviewed annually.
THE PERFORMANCE CONTROL
The Company has internal control measures in accordance with risks and business types by clearly dividing duties and responsibilities of each position, providing and reviewing manuals of authority and manuals/processes of performance appropriate to the organizational structure and current work performance regularly. Each position can be run by checks and balances, and a mechanism for proper rechecks- particularly, operational performance entailing crucial risks such as financial transactions, selling, procurement, or asset management - in order to prevent and reduce errors. Also, each position's work performance is regularly reexamined by an internal audit division in compliance with rules, regulations, and manuals of authority and work performance in order to ensure efficient work performance with a suitable and adequate internal control system. An information technology system is employed to promote faster and more efficient work performance.
Moreover, the Company imposes policies, rules, and regulations to transactions on a parties involved in the Company to comply in the same direction such as major shareholders, directors, executives, and interested party for correctness, transparency, and fairness. The Company's utmost benefits are taken into consideration according to regulations of the Stock Exchange of Thailand (SET) and the Securities and Exchange Commission (SEC).
THE IT AND COMMUNICATION SYSTEM
The Company realizes the importance of the IT and communication system and always encourages the improvement of the system to ensure that all information is accurate and up-to-date. An efficient and modern IT system is adopted to guarantee the safety of the information from the process of collecting, processing, storing and following-up to bring such information to advantage management work of the directors, executive members, employees, shareholders, customers and stakeholders. This process should be carried out as a complete, accurate method and within an appropriate time so that it can be used in the business decision making. There is also a policy regarding the security in the information technology and the use of information.
Channels of communication are opened for information receivers from both inside and outside the organization to have access easily and rapidly such as intranet and internet as the channels of communication to publicize the Company's policies, rules and regulations, manuals/processes of operational performance, information, and notification of corruption (Whistle-blower) through various channels of communication established by the Company.
THE FOLLOW-UP SYSTEM
The Board of Directors provides a system to evaluate and follow up the internal control system and risk management covering all aspects such as accounting and finance, operations, compliance with laws/regulations, asset management, and corruption, which significantly have an impact on the Company's reputation in order to solve any incurred problems. The Board of Directors assigns the Audit Committee to audit and monitor the internal control system by nominating internal auditors to follow up and evaluate work performance to ensure that findings found from auditing and monitoring will be improved or solved appropriately and promptly. Moreover, the evaluation of internal audit for accounting and finance is carried out by certified accountants and presented to the Audit Committee for consideration on a quarterly and yearly basis. As a result of reviews conducted by certified accountants and internal auditors, no significant fault is found.
THE INTERNAL AUDIT
The Internal Audit Committee has monitored that the internal control division has built assurance and given consulting advice independently and fairly about examining and evaluating the sufficiency of the internal control system covering the working processes of the Company and its subsidiaries, submitting a report to the Audit Committee every month, regularly following up results of the improvement of operational processes to be more appropriate - particularly, issues that are important or related to high risks - and being reported of abnormal incidents such as corruption and malpractice in order to find causes and measures to prevent damage or reoccurrence so that it can ensure that the Company's performance has the sufficient, appropriate, and efficient internal control system as well as the risk management at a level accepted by the Company. The Company's Good Corporate Governance is also monitored in order to achieve the organization's goals of its operation. The Charters of the Audit Committee and the Internal Audit Division and an internal auditor's code of conduct are clearly set as guidelines for operation. Also, these are annually reviewed for their appropriateness.
The Internal Audit Division has developed the internal audit system to accord with the International Standards for the Professional Practice of Internal Auditing (IIA) by setting the control self-assessment according to the standard and satisfaction assessment of audited. Moreover, audit competency is imposed to assess the performance quality of internal auditors in order to continuously improve efficiency and effectiveness of the Internal Audit Division and recognize actual conditions and work performance so that problems, obstacles and working limitations related to work performance can be properly analyzed. Also, the internal auditors are developed so that their knowledge, skills, and competency meet an international standard and they can conduct the auditing more efficiently by means of encouraging them to receive training such as professional practice of internal auditing, businesses of the Company Group, knowledge of other professionalism, and taking examinations to get professional certificates, for example.
The Risk Management Committee of MBK GROUP
The duties and responsibilities of the Risk Management Committee
- To impose MBK Group's policies and guidelines on risk management in order that MBK Group's operations reach its objectives and goals.
- To analyze and evaluate incurred or possibly incurred risks at a level of MBK Group continuously and annually.
- To consider, approve, and review risk management plans of MBK Group annually.
- To review and monitor risk management performance of MBK Group regularly.
- To report to the Board of Directors and communicate risks and major risk management to the Audit Committee.
- To support, follow up, and develop risk management of MBK Group regularly.
MBK Public Company Limited realizes the importance of risk management as an important mechanism and tool to help the organization achieve the target objectives and goals. Therefore, the Company has set up a risk management policy that focuses on the improvement of the risk management system according to the good corporate governance guidelines. There is also an integrated risk management that is implemented systematically and consistently throughout the organization.
In 2014, MBK Public Company Limited enforced risk management in all levels - from MBK GROUP, Business Unit (BU) and MBK Shopping Center. In 2015, MBK Group re-reviewed the risk management in order that the risks were more strategic and initially piloted in 3 business groups - the Shopping Center business, Food business, and Financial business. The new risk management is applied to the rest of the business groups in 2016.
Risks in all levels of the organization and may directly affect the business can be divided into 5 aspects that may directly affect the business as follows:
- Strategic Risk is the risk in important strategies and policies of the Company. It can arise from inappropriate strategy formulation or implementation, or the inconsistency of the policy, targets, strategies, organization's structure, the state of competition, resources, plan implementation and environment. However, the Company has regularly followed up on important strategies and policies that may affect the Company' operational performance in order to achieve its strategic goals.
- Operational Risk is the risk that can arise from every operational process. It covers all factors related to the process, tools, IT, and personnel that may affect the operation of the organization. However, the Company has set up a clear operational process and a measure to supervise the work of each unit that may cause damage on the organization so that the operational performance can be correct and appropriate.
- Financial Risk is the risk that can arise out of the ineffectiveness of budget, financial problems and risks that can affect the performance and financial status of the organization. The Company has always generated sufficient fund in time to reduce the risks that can affect the Company's investment.
- Compliance Risk is the risk that can arise out of the inability to comply with the regulations or the related rules and laws. It can be that the rules and laws are inappropriate and become an obstacle to the operation. However, the Company has also considered the compliance with the rules inside and outside the organization as well as important laws by supervising and examining the strict compliance by the related rules and laws.
- Hazard Risk is the risk that can affect the life safety of customers, tenants, employees and the organization's property. The hazard can come from both internal and external factors. The Company has set up a policy and safety measure to strictly prevent such risk that may cause damage to the Company.
Additionally, in regards to the investments in different projects, the Risk Management Committee (RMC) in each level (MBK GROUP / BU / MBK Center) has implemented a rule stipulating that the request for the approval of the budget exceeding THB 10 million requires a risk analysis and an approval from the relevant directors. The Risk Management Committee (RMC) must always be informed to prevent any investment risk of the Company.
The Company continues to track the execution of risk management. All levels are required to submit a quarterly risk management report in order to reduce the risk to an acceptable level and allow the risk management plan to be reviewed and updated annually.