MBK Group

Job Opportunity  Home

Internal Control and Risk Management


The Internal Control System and Internal Audit

The Board of Directors and the Management Team have continuously placed importance on the internal control equipped with continuous monitoring because they realize that an internal control system is a crucial mechanism for the Company to be able to run its business and achieve its goals efficiently and effectively sustainable in order to gain long term returns, use resources and asset management, report financial information, have trustworthy operations, comply with the law, rules, and prevent or reduce risks of any actions which may damage the Company’s assets and reputation. The Company has improved the Internal Control System for the sake of its ongoing efficiency.

The Board of Directors allows the Audit Committee to supervise the internal control system, the risk management system, the corporate governance system, and follow the Company’s policy and anti-corruption measures so that they are appropriate and efficient, including the compliance of related laws, orders and regulations, preventing conflicts of interest, related transactions to control and utilizing assets in order to prevent fraud or misconduct. The Company sets up an auditing mechanism for checks and balances by establishing the internal audit division which is independent and reports directly to the Audit Committee. It performs audit, evaluates the efficiency and sufficiency of the internal control system, the risk management system and the corporate governance system in the performances of all units in the Company and its subsidiaries. The frameworks of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and Enterprise Risk Management, and monitoring regulations in compliance with the Stock Exchange of Thailand (SET), Thai Institute of Directors (IOD) are adopted to fulfill internal control, risk management, governance, and audit of policy compliance and anti-corruption measures in order to allow the Company’s performance to pursue the utmost of operational performance efficiently and effectively in order that the stipulated internal control system is performed as follows:

The Environment of the Control

  • To set a written policy and rules and regulations relevant to the Good Corporate Governance (GCG) issuing guidelines which the Committees, executives, and employees have to perform, as well assessing the operations according to Good Corporate Governance and anti-corruption measures according to the principles of the Collective Action Coalition against Corruption (CAC).
  • The Board has also supervised them to comply with stipulated roles and duties by setting the organizational structure and its distinct chain of command for checks and balances and setting its business goals and Key Performance Indicators (KPIs) in order to assess the efficiency and follow up its operational performance compared with the organization’s goals regularly.

From a policy on Good Corporate Governance, business ethics and a code of conduct for the Company’s directors, executives, and employees, a policy and its anti-corruption measures, a policy on notification of clues or complaints, the imposition of penalties for discipline violations and serious mistakes. The Company has monitored that aforementioned policies which are implemented. Its performance is efficient, transparent, and equitable. There is ongoing communication so that all employees acknowledge these policies and seriously implement them. It has also launched a campaign to promote every employee to have awareness and continuously act on this practice by providing the employees with knowledge training, reviewing and improving a manual of authority and a manual of operation systems which are used as guidelines on performance and help with flexible and systematic business operations. The scope of duties and responsibilities, and the internal control system are taken into consideration in order that a system of the internal control is appropriate, consistent with current performance, and considers changes that possibly occur in the future.

The Risk Assessment
The Company realizes the importance of the risk management under changing circumstances which may affect the business operations, from the organization’s both internal and external factors. The Company’s Risk Management Committee (RMC) has been established in order to monitor the organization’s risk management to achieve goals according to the organization’s acceptable level. RMC then sets a policy on risk management in a written document and it is promulgated for the employees’ acknowledgement. The risks from external and internal factors -covering different aspects of the risks - are evaluated and managed. For example, strategies, operations, finance, compliance, situations, including risks from corruption. These risks are divided into risks for MBK GROUP, its business group, its organization, and its division levels so that risks can be managed sufficiently, appropriately, and in a timely manner. Indicators used for the efficiency assessment of the risk management (Key Risk Indicators or KRIs) are stipulated by arranging a quarterly meeting, and annually reviewing risk factors which are changing externally and internally that may affect the organization. It is regarded that the risk management is both duty and responsibility of every unit for its management and risk control. Moreover, a report is specified to be submitted to the Audit Committee and the Board of Directors in order that the risk management of the Company’s operations is at acceptable level.

The Controlling Activities
The Company provides clear and proper internal control activities which help check the performance that follows rules and regulations and a performance manual regularly. The set policy and rules and regulations are written. Ethics, a code of conduct, and a policy on Good Corporate Governance are also provided for the employees to follow. Moreover, the Company clearly classify duties and responsibilities. The executives’ authority over operations and a financial limit on approving transactions are clearly written. The internal audit regularly checks the sufficiency and appropriateness of the control system by setting an audit plan covering the key work process.

The Information Technology System and the Communication
The Company realizes the importance of the IT system and the communication and always encourages the improvement of the system continuously in order to ensure that all information is accurate, sufficient, up-to-date, and catching up with expanding and changing circumstances of business operations as well as changing consumer behavior. The efficient and modern IT system, as well as information security from the process of collecting, processing, and storing, to following-up to bring such data, is adopted for work performance and important information are used for management by directors, executives, employees, shareholders, customers, or stakeholders. The information is complete, accurate, sufficient, and within an appropriate time so that it can be used in the business decision making. A policy regarding the security in the information technology and the use of information is also specified in order to ensure that the Company has appropriate safety measures of information. Various channels of communication are opened from both inside and outside the organization in order to have access easily and rapidly, as well as the channels of communication to receive notification of corruption (Whistle-blowing) through various channels established by the Company. Clues can be directly notified through various channels to the Audit Committee, CEO and President, and the Internal Audit Division. The Internal Audit Division will search for information and examine facts of notifications and complaints, including providing protection for whistle blowers or informants.

The System of Monitoring Activities
The Board of Directors provides a system to assess and monitor performance results by comparing operational results with the Company’s goals which are then submitted to the Executive Committee and the Board of Directors every month. The Audit Committee is assigned to check the internal control system through the Internal Audit Division which is an independent division with responsibility for checking and verifying the performance, the internal control system for risk management, monitoring divisions and following up the results of corrections made by checked divisions in every issue until they are already corrected; in order to ensure that the internal control system appropriately and fully operates as specified and can manage the changing risks in each period in time. Any issue impacting on the internal control will be reported to any persons in charge. Significant issues will be reported to top executives, the Executive Committee, the Audit Committee, and the Board of Directors within proper period.

Moreover, the evaluation of internal audit for accounting and finance is carried out by certified accountants and presented to the Audit Committee for consideration on a quarterly and yearly basis. As a result of reviews conducted by certified accountants, no significant fault is found.

The Audit Committee and the Board of Directors have assessed the sufficiency of the Internal Control System in accordance with guidelines stipulated by Securities and Exchange Commission (SEC) and the Internal Control-integrated Framework stipulate by the Stock Exchange of Thailand (SET). The Company has not found drawbacks which are significant to the Company’s Internal Control System. The Company also gives useful recommendations. It is concluded that the Company has the sufficient and appropriate internal control and risk management for business operations which is consistent with the auditors’ opinions.

The Audit Committee has monitored the Internal Audit Division to perform its duties with independence, fairness, ethics, and compliance with International Standards for the Professional Practice of Internal Auditing (IIA) so that assurance can be built and consultation is given in order that the working process within the organization monitors business, manages the risks, carries out the internal control, conforms to the law, rules, and regulations, as well as the accuracy of information of the Company and its subsidiaries. A report is submitted to the Audit Committee. Also, performance according to advice— as a result of what was found in monitoring— is followed up regularly, particularly, important or high risk-related issues and acknowledgement of reports on abnormal incidents such as corruption and malpractice in order to find causes and measures to prevent damage or reoccurrence so that it can ensure that the Company’s performance has the sufficient, appropriate, and efficient internal control system as well as the risk management at the Company’s acceptable level. For the Company’s Good Corporate Governance, the Charters of the Audit Committee and the Charters of the Internal Audit Division and internal auditors’ code of conduct are clearly set as guidelines for operations. Also, these are annually reviewed for their appropriateness. The Audit Committee has approved Ms.Yupapun Paritranun to take the position of Head of the Internal Audit Division because she has knowledge and understanding of the Company’s business very well, together with her capabilities and experiences which are suitable for the performance of this duty.

The Internal Audit Division has developed the internal audit system to accord with the International Standards for the Professional Practice of Internal Auditing (IIA) by utilizing the Information Technology System to help the audits and the satisfaction assessment of monitored executives. They are submitted to the Audit Committee annually and are used as data for the improvement of the working performance of the Internal Audit Division. Moreover, audit competency is imposed to assess the performance quality of internal auditors in order to continuously improve efficiency and effectiveness of the Internal Audit Division and recognize actual conditions and work performance so that problems, obstacles and working limitations related to work performance can be properly analyzed. Also, the internal auditors are developed so that their knowledge, skills, and competency meet an international standard and they can conduct the auditing more efficiently by means of encouraging them to receive training such as knowledge, professional expertise in internal audits, businesses of the Company Group, knowledge of other professionalism, and self-development by taking examinations to get professional certificates of auditing or other auditingrelated professions, for example.

The Risk Management
The Risk Management Committee of MBK GROUP
The Duties and Responsibilities of the Risk Management Committee

  1. To impose MBK GROUP’s policies and guidelines on risk management in order t h a t MBK GROUP ’ s operations reach its objectives and goals.
  2. To analyze and evaluate incurred or possibly incurred risks at a level of MBK GROUP continuously and annually.
  3. To consider, approve and review risk management plans of MBK GROUP annually.
  4. To review and monitor risk management performance of MBK GROUP regularly.
  5. To report to the Board of Directors and communicate risks and major risk management to the Audit Committee.
  6. To support, follow up and develop risk management of MBK GROUP regularly.

The Corporate Group of MBK Public Co., Ltd. realizes the importance of risk management as an important mechanism and tool to help the organization achieve the target objectives and goals. Therefore, the Company has set up a risk management policy that focuses on the improvement of the risk management system according to the good corporate governance guidelines and guidelines according to the anticorruption policy and measures. There is an integrated risk management in order to be consistent in the Quality Management System (ISO 9001: 2015) which is implemented systematically and continuously throughout the organization.

The Corporate Group of MBK Public Co., Ltd. enforced risk management in order to conform to strategies and operations by covering all levels — from MBK GROUP, Business Unit (BU), key lines, Sub Business Unit (SBU), and MBK Shopping Center – in order that the organization can achieve its objectives and goals set at each level.

Risks at all levels of the organization and may directly affect the business can be divided into 5 aspects that may directly affect the business as follows:

  • Strategic Risk is the risk in important strategies and policies of the Company. It can arise from inappropriate strategy formulation or implementation, or the inconsistency of the policy, targets, strategies, organization’s structure, the state of competition, resources, plan implementation and environment. However, the Company has regularly followed up on important strategies and policies that may affect the Company’ operational performance in order to achieve its strategic goals.
  • Operational Risk is the risk that can arise from every operational process. It covers all factors related to the process, tools, IT, and personnel that may affect the operation of the organization. However, the Company has set up a clear operational process and a measure to supervise the work of each unit that may cause damage on the organization so that the operational performance can be correct and appropriate.
  • Financial Risk is the risk that can arise out of the ineffectiveness of budget, financial problems and risks that can affect the performance and financial status of the organization. The Company has always generated sufficient fund in time to reduce the risks that can affect the Company’s investment.
  • Compliance Risk is the risk that can arise out of the inability to comply with the regulations or the related rules and laws. It can be that the rules and laws are inappropriate and become an obstacle to the operation. However, the Company has also considered the compliance with the rules inside and outside the organization as well as important laws by supervising and examining the strict compliance by the related rules and laws.
  • Hazard Risk is the risk that can affect the life safety of customers, tenants, employees and the organization’s property. The hazard can come from both internal and external factors. The Company has set up a policy and safety measure to strictly prevent such risk that may cause damage to the Company.

Additionally, in regards to the investments in different projects, the Risk Management Committee (RMC) in each level (MBK GROUP / BU / MBK Center) has implemented a rule indicating that a request for the approval of specified budgets requires a risk analysis and an approval from the relevant committees. The Risk Management Committee (RMC) must always be informed to prevent any investment risk of the Company.

The Company continues to track the execution of risk management. All levels are required to submit a quarterly risk management report in order to reduce the risk to an acceptable level and allow the risk management plan to be reviewed and updated annually.