MBK Group

Job Opportunity  Home

Internal Control and Risk Management


The Internal Control System and Internal Audit

The Board of Directors and the Management Team have continuously placed importance on the internal control equipped with continuous monitoring because they realize that an internal control system is a crucial mechanism for the Companyto beabletorunits businessand achieveits goalsefficientlyand effectivelysustainable inorder togainlongterm returns,useresourcesand asset management, reportfinancial information,havetrustworthy operations, comply with the law, rules, and prevent or reduce risks of any actions which may damage the Company’s assets and reputation.The Companyhas improved theInternal Control System for thesakeof itsongoingefficiency, as well assessing the operations according to Good Corporate Governance (GCG) and anti-corruption measures according to the principles of the Collective Action Coalition against Corruption (CAC). The Board of Directors has provided an environment for the internal control and internal audit by clearly specifying roles and duties of the committees and the Management Team. The Board has also supervised them to comply with stipulated roles and duties by setting the organizational structure and its distinct chain of command for checks and balances in order to have proper and flexible operations, and has set its business goals and Key Performance Indicators (KPI) in order to assess the efficiency and follow up its operational performance compared with the organization’s goals regularly.

From a policy on Good Corporate Governance, business ethics and a code of conduct for the Company’s directors, executives, and employees, a policy and its anti-corruption measures, a policy on notification of clues or complaints, the imposition of penalties for discipline violations and serious mistakes. The Company has monitored that aforementioned policies whichareimplemented. Its performanceisefficient, transparent, and equitable.There is ongoing communication so that all employees acknowledge these policies and seriously implement them. It has also launched a campaign to promote every employee to have awareness and continuously act on this practice by providing the employees with knowledge training, reviewing and improving a manual of authority and a manual of operation systems which are used as guidelines on performance and help with flexible and systematic business operations. The scope of duties and responsibilities, and the internal control system are taken into consideration in order that a system of the internal control is appropriate, consistent with current performance, and considers changes that possibly occur in the future.

The Board of Directors allows the Audit Committee to supervise the internal control system, the risk management system, the corporate governance system, and follow the Company’s policy and anti-corruption measures sothat theyareappropriateand efficient, including thecomplianceof related laws,ordersand regulations, preventing conflicts of interest, related transactions to control and utilizing assets in order to prevent fraud or misconduct. The Company sets up an auditing mechanism for checks and balances by establishing the internal audit division whichis independentand reports directlytothe Audit Committee. It performsaudit,evaluates theefficiency and sufficiency of the internal control system, the risk management system and the corporate governance system in the performances of all units in the Company and its subsidiaries. The frameworks of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and Enterprise Risk Management, and monitoring regulations incompliance withtheStockExchangeofThailand (SET),Thai Instituteof Directors (IOD)areadopted tofulfill internal control, risk management, governance, and audit of policy compliance and anti-corruption measures in order to allow the Company’s performances to pursue the utmost of operational performance efficiently and effectively.

The Risk Assessment
The Company realizes the importance of the risk management under changing circumstances which may affect the business operations, from the organization’s both internal and external factors. The Company’s Risk Management Committee (RMC) has been established in order to monitor the organization’s risk management to achieve goals according to the organization’s acceptable level. RMC then sets a policy on risk management in a written document and it is promulgated for the employees’ acknowledgement. The risks from external and internal factors -covering different aspects of the risks - are evaluated and managed. For example, strategies, operations, finance, compliance, situations, including risks from corruption. These risks are divided into risks for MBK GROUP, its business group, its organization, and its division levels so that risks can be managed sufficiently, appropriately, and ina timely manner. Indicatorsused for the efficiency assessmentof the risk management (KeyRisk Indicatorsor KRI) are stipulated by arranging a quarterly meeting, and annually reviewing risk factors which are changing externally and internally that may affect the organization. Moreover, a report is specified to be submitted to the Audit Committee and the Board of Directors in order that the risk management of the Company’s operations is at acceptable level.

The Information Technology and Communication System
The Company realizes the importance of the IT and communication system and always encourages the improvement of the system to ensure that all information is accurate, up-to-date, and catching up with expanding and changing circumstancesof businessoperations as well as changing consumer behavior. Anefficient and modern IT system is adopted to guarantee the safety of the information from the process of collecting, processing, storing and following-up to bring such information to advantage management work of the directors, executive members, employees, shareholders, customers and stakeholders. This process should be carried out as a complete, accurate method and within an appropriate time so that it can be used in the business decision making. A policy regarding the security in the information technology and the use of information is also specified in order to ensure that the Company has appropriate safety measures of information.

Various channels of communication are opened for information receivers from both inside and outside the organization to have access easily and rapidly, as well as the channels of communication to receive notification of corruption (Whistle-blower) through various channels established by the Company.

The System of Monitoring Activities
The Board of Directors provides a system to assess and monitor performance results by comparing operational results with the Company’s goals which are then submitted to the Executive Committee and the Board of Directors every month, as well as evaluating and following-up the internal control system and risk management covering all aspects suchasaccountingand finance,compliance withlaws/regulations,asset management,and corruption which significantly has an impact on the Company’s reputation in order to ensure that the internal control system appropriately and fully operates as specified and can manage the changing risks in each period in time. Any matter whichhasanimpactontheinternal control will bereported to peopleincharge.Significant matters will bereported to top executives, the Executive Committee, the Audit Committee, and the Board of Directors within proper period. The Board of Directors assigns the Audit Committee to audit and monitor the internal control system by nominating internal auditors in order to monitor and assess work performance to ensure that the stipulated Internal Control System is regularly abode, including findings found from auditing and monitoring which affect the internal control will be improved or solved appropriately and promptly. Moreover, the evaluation of internal audit for accounting and finance is carried out by certified accountants and presented to the Audit Committee for consideration on a quarterly and yearly basis. As a result of reviews conducted by certified accountants and internal auditors, no significant fault is found.

The Audit Committee and the Board of Directors have assessed the sufficiency of the Internal Control System in accordance with guidelines stipulated by Securities and Exchange Commission (SEC) and the Internal Control-integrated Framework stipulate by the Stock Exchange of Thailand (SET), which refers to 5 elements and 17 principles of the Committee of Sponsoring Organization for the Treadway Commission (COSO). The Company has not found drawbacks whicharesignificant tothe Company’s Internal ControlSystem.The Companyalsogivesuseful recommendations. It is concluded that the Company has the sufficient and appropriate internal control and risk management for business operations which is consistent with the auditors’ opinions.

The Internal Audit Committee has monitored the Internal Audit Division to perform its duties with independence, fairness, ethics, and compliance with International Standards for the Professional Practice of Internal Auditing (IIA) so that assurance can be built and consultation is given in order that the working process within the organization monitors business, manages the risks, carries out the internal control, conforms to the law, rules, and regulations, as well as the accuracy of information of the Company and its subsidiaries. A report is submitted to the Audit Committee. Also, performance according to advice— as a result of what was found in monitoring— is followed up regularly, particularly, important or high risk-related issues and acknowledgement of reports on abnormal incidents such as corruption and malpractice in order to find causes and measures to prevent damage or reoccurrence so that it can ensure that the Company’s performance has the sufficient, appropriate, and efficient internal control system as well as the risk management at the Company’s acceptable level. For the Company’s Good Corporate Governance, the Charters of the Audit Committee and the Internal Audit Division and internal auditors’ code of conduct are clearly set as guidelines for operations. Also, these are annually reviewed for their appropriateness. The Audit Committee has approved Ms.Yupapun Paritranun to take the position of Head of the Internal Audit Division because she has knowledge and understanding of the Company’s business very well, together with her capabilities and experiences which are suitable for the performance of this duty.

The Audit Committee and the Internal Audit Division are independent. They are assigned to perform like oneofchannels toreceivenotificationofclues,complaints,orother information.Their dutyassures that the Company has the process of receiving notification of clues, complaints, or other information and handles them transparently and equitably according to the good governance principle.

The Internal Audit Division has developed the internal audit system to accord with the International Standards for the Professional Practice of Internal Auditing (IIA) by utilizing the Information Technology System to help the audits and the satisfaction assessment of monitored executives. They are submitted to the Audit Committee annually and are used as data for the improvement of the working performance of the Internal Audit Division. Moreover, audit competency is imposed to assess the performance quality of internal auditors in order to continuously improve efficiency and effectiveness of the Internal Audit Division and recognize actual conditions and work performance so that problems, obstacles and working limitations related to work performance can be properly analyzed. Also, the internal auditors are developed so that their knowledge, skills, and competency meet an international standard and they canconduct theauditing moreefficiently by meansofencouraging them toreceive training such as knowledge, professional expertise in internal audits, businesses of the Company Group, knowledge ofother professionalism, and self-development by taking examinations toget professional certificatesof auditingor other auditing-related professions, for example.

The Risk Management
The Risk Management Committee of MBK GROUP
The Duties and Responsibilities of the Risk Management Committee

  1. To impose MBK GROUP’s policies and guidelines on risk management in order that MBK GROUP’s operations reach its objectives and goals.
  2. To analyze and evaluate incurred or possibly incurred risks at a level of MBK GROUP continuously and annually.
  3. To consider, approve and review risk management plans of MBK GROUP annually.
  4. To review and monitor risk management performance of MBK GROUP regularly.
  5. To report to the Board of Directors and communicate risks and major risk management to the Audit Committee.
  6. To support, follow up and develop risk management of MBK GROUP regularly.

The Corporate Group of MBK Public Co., Ltd. realizes the importance of risk management as an important mechanism and tool to help the organization achieve the target objectives and goals. Therefore, the Company has set up a risk management policy that focuses on the improvement of the risk management system according to the good corporate governance guidelines and guidelines according to the anti-corruption policy and measures. There is an integrated risk management in order to be consistent in the Quality Management System (ISO 9001: 2015) which is implemented systematically and continuously throughout the organization.

The Corporate Group of MBK Public Co., Ltd. enforced risk management in order to conform to strategies and operations by covering all levels — from MBK GROUP, Business Unit (BU), key lines, Sub Business Unit (SBU), and MBK Shopping Center – in order that the organization can achieve its objectives and goals set at each level.

Risks at all levels of the organization and may directly affect the business can be divided into 5 aspects that may directly affect the business as follows:

  • Strategic Risk is the risk in important strategies and policies of the Company. It can arise from inappropriate strategy formulation or implementation, or the inconsistency of the policy, targets, strategies, organization’s structure, the state of competition, resources, plan implementation and environment. However, the Company has regularly followed up on important strategies and policies that may affect the Company’ operational performance in order to achieve its strategic goals.
  • Operational Risk is the risk that can arise from every operational process. It covers all factors related to the process, tools, IT, and personnel that may affect the operation of the organization. However, the Company has set up a clear operational process and a measure to supervise the work of each unit that may cause damage on the organization so that the operational performance can be correct and appropriate.
  • Financial Risk is the risk that can arise out of the ineffectiveness of budget, financial problems and risks that canaffect the performanceand financial statusof theorganization.The Companyhasalways generated sufficient fund in time to reduce the risks that can affect the Company’s investment
  • Compliance Risk is the risk that can arise out of the inability to comply with the regulations or the related rules and laws. It can be that the rules and laws are inappropriate and become an obstacle to the operation. However, the Company has also considered the compliance with the rules inside and outside the organization as well as important laws by supervising and examining the strict compliance by the related rules and laws.
  • Hazard Risk is the risk that can affect the life safety of customers, tenants, employees and the organization’s property. The hazard can come from both internal and external factors. The Company has set up a policy and safety measure to strictly prevent such risk that may cause damage to the Company.

Additionally, in regards to the investments in different projects, the Risk Management Committee (RMC) in each level (MBK GROUP / BU / MBK Center) has implemented a rule indicating that a request for the approval of specified budgets requires a risk analysis and an approval from the relevant committees. The Risk Management Committee (RMC) must always be informed to prevent any investment risk of the Company.

The Company continues to track the execution of risk management. All levels are required to submit a quarterly risk management report in order to reduce the risk to an acceptable level and allow the risk management plan to be reviewed and updated annually.