MBK Group

Job Opportunity  Home

Internal Control and Risk Management


The Board of Directors and the Management Team have continuously placed importance on the internal control equipped with continuous monitoring because they realize that an internal control system is a crucial mechanism for the Company to be able to run its business and achieve its goals efficiently and effectively sustainable in order to gain long term returns, use resources and asset management, report financial information, have trustworthy operations, comply with the law, rules, and prevent or reduce risks of any actions which may damage the Company’s assets and reputation, as well as assessing the operations according to Good Corporate Governance (GCG) and anti-corruption measures according to the principles of the Collective Action Coalition against Corruption (CAC). The Board of Directors has clearly specified roles and duties of the committees and the Management Team. The Board has also supervised them to comply with stipulated roles and duties by setting the organizational structure and its distinct chain of command for checks and balances and appropriate internal control in order to have flexible and proper operations, and has set its business goals and Key Performance Indicators (KPI) in order to assess the efficiency and follow up its operational performance compared with the organization’s goals regularly.

From a policy on Good Corporate Governance, business ethics and a code of conduct for the Company’s directors, executives, and employees, a policy and its anti-corruption measures, a policy on notification of clues or complaints, the imposition of penalties for discipline violations and serious mistakes. The Company has monitored that aforementioned policies are complied with, the efficient, transparent, and equitable performance. It has also launched a campaign to promote every employee to have awareness and continuously act on this practice by providing the employees with knowledge training, reviewing and improving a manual of authority and a manual of operation systems which are used as guidelines on performance and help with flexible and systematic business operations. The scope of duties and responsibilities, and the internal control system are taken into consideration in order that a system of the internal control is appropriate, consistent with current performance, and considers changes that possibly occur in the future.

The Board of Directors allows the Audit Committee to supervise the internal control system, the risk management system, the corporate governance system, and follow the Company’s policy and anti-corruption measures so that they are appropriate and efficient, including the compliance of related laws, orders and regulations, preventing conflicts of interest, related transactions to control and utilizing assets in order to prevent fraud or misconduct. The Company sets up an auditing mechanism for checks and balances by establishing the internal audit division which is independent and reports directly to the Audit Committee. It performs audit, evaluates the efficiency and sufficiency of the internal control system, the risk management system and the corporate governance system in the performances of all units in the Company and its subsidiaries. The frameworks of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and Enterprise Risk Management, and monitoring regulations in compliance with the Stock Exchange of Thailand (SET), Thai Institute of Directors (IOD) are adopted to fulfill internal control, risk management, governance, and audit of policy compliance and anti-corruption measures in order to allow the Company’s performances to pursue the utmost of operational performance efficiently and effectively.

Besides, the Board of Directors has followed up and assessed of the sufficiency of the internal control system annually according to an internal control framework of Securities and Exchange Commission (SEC) which reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) - for both 5 elements and 17 principles. The Company has not found any significant flaws affecting the Company’s internal control system.

The Risk Assessment
The Company realizes the importance of the risk management under changing circumstances which may affect the business operations, from the organization’s both internal and external factors. The Company’s Risk Management Committee (RMC) has been established in order to monitor the organization’s risk management to achieve goals according to the organization’s acceptable level. RMC then sets a policy on risk management in order that every employee complies with the policy which risks from external and internal factors -covering different aspects of the risks - are evaluated and managed. For example, strategies, operations, finance, compliance, situations, including risks from corruption. These risks are divided into risks for MBK GROUP, business group, organization, and division levels so that risks can be managed sufficiently, appropriately, and in a timely manner. These risks are monitored and specified by the RMC by arranging a quarterly meeting, and annually reviewing risk factors which are changing externally and internally that may affect the organization. Moreover, a report is specified to be submitted to the Audit Committee and the Board of Directors every quarter in order that the risk management of the Company’s operations is at acceptable level.

The Control of Activities
The Company has internal control measures in accordance and appropriateness with risks and business types in order to achieve the organization’s goals by setting up the organization structure and clearly dividing duties and responsibilities of each position in order to work properly, flexibly, and consistently with changing business situations. Manuals of authority and manuals/processes of performance control all procedures and provide the appropriateness to the organizational structure and work performance through regularly revising them and keeping them up-to-date. Each position can be run by checks and balances, and a mechanism for proper rechecks- particularly, operational performance entailing crucial risks such as financial transactions, selling, procurement, asset management, and human resources management - in order to prevent and reduce errors. The Audit Committee is assigned to examine the internal control system which each position’s work performance is regularly re-examined by the internal audit division in compliance with rules, regulations, and manuals of authority and work performance in order to ensure work performance with a suitable and adequate internal control system. The efficient overall work performance and the information system management used in work performance are also examined whether they are performed systematically in order to promote fast and efficient work performance.

Moreover, the Company imposes policies, rules, and regulations to have transactions with parties involved in the Company to comply in the same direction such as major shareholders, directors, executives, and interested party for correctness, transparency, and fairness. The Company’s utmost benefits are taken into consideration according to regulations of the Stock Exchange of Thailand (SET) and the Securities and Exchange Commission (SEC).

The Information Technology and Communication System
The Company realizes the importance of the IT and communication system and always encourages the improvement of the system to ensure that all information is accurate, up-to-date, and catching up with changing circumstances of business operations as well as changing consumer behavior. An efficient and modern IT system is adopted to guarantee the safety of the information from the process of collecting, processing, storing and following-up to bring such information to advantage management work of the directors, executive members, employees, shareholders, customers and stakeholders. This process should be carried out as a complete, accurate method and within an appropriate time so that it can be used in the business decision making. A policy regarding the security in the information technology and the use of information is also specified in order to ensure that the Company has appropriate safety measures of information.

Various channels of communication are opened for information receivers from both inside and outside the organization to have access easily and rapidly such as intranet and internet as the channels of communication to publicize the Company’s policies, rules and regulations, manuals/processes of operational performance and important information, or to receive recommendations and information useful for the Company’s business operations as well as the channels of communication to receive notification of corruption (Whistle-blower) through various channels established by the Company.

The System of Monitoring Activities
The Board of Directors provides a system to assess and monitor performance results by comparing operational results with the Company’s goals which are then submitted to the Executive Committee and the Board of Directors every month, as well as evaluating and following-up the internal control system and risk management covering all aspects such as accounting and finance, compliance with laws/regulations, asset management, and corruption which significantly has an impact on the Company’s reputation in order to ensure that the internal control system appropriately and fully operates as specified and can manage the changing risks in each period in time. Any matter which has an impact on the internal control will be reported to people in charge. Significant matters will be reported to top executives, the Executive Committee, the Audit Committee, and the Board of Directors within proper period. The Board of Directors assigns the Audit Committee to audit and monitor the internal control system by nominating internal auditors to monitor and assess work performance to ensure that findings found from auditing and monitoring which affect the internal control will be improved or solved appropriately and promptly. Moreover, the evaluation of internal audit for accounting and finance is carried out by certified accountants and presented to the Audit Committee for consideration on a quarterly and yearly basis. As a result of reviews conducted by certified accountants and internal auditors, no significant fault is found.

The Audit Committee and the Board of Directors have considered the result of the assessment of the sufficiency of the Internal Control System and conferred with and given useful recommendations to the Management Team. It is concluded that the Company has the sufficient and appropriate internal control and risk management for business operations which is consistent with the auditors’ opinions.

The Internal Audit
The Internal Audit Committee has monitored the Internal Audit Division to perform its duties with independence, fairness, ethics, and compliance with International Standards for the Professional Practice of Internal Auditing (IIA) so that the Internal Audit Division can build assurance and give consulting advice independently and fairly about examining and assessing the sufficiency of the internal control system covering the processes of the performance, conformity to the law, rules, regulations, and the accuracy of information of the Company and its subsidiaries, submitting a report to the Audit Committee every month, regularly monitoring results of the improvement of operational processes to be more appropriate - particularly, issues that are important or related to high risks - and being reported of abnormal incidents such as corruption and malpractice in order to find causes and measures to prevent damage or reoccurrence so that it can ensure that the Company’s performance has the sufficient, appropriate, and efficient internal control system as well as the risk management at a level accepted by the Company. The Company’s Good Corporate Governance is also monitored in order to achieve the organization’s goals of its operation. The Charters of the Audit Committee and the Internal Audit Division and internal auditors’ code of conduct are clearly set as guidelines for operation. Also, these are annually reviewed for their appropriateness. The Audit Committee has approved Ms.Yupapun Paritranun to take the position of Head of the Internal Audit Division because she has qualifications, knowledge, abilities, and experiences suitable for perform this duty.

The Audit Committee and the Internal Audit Division are independent. They are assigned to perform like one of channels to receive notification of clues, complaints, or other information. Their duty assures that the Company has the process of receiving notification of clues, complaints, or other information and handles them transparently and equitably according to the good governance principle.

The Internal Audit Division has developed the internal audit system to accord with the International Standards for the Professional Practice of Internal Auditing (IIA) by utilizing the Information Technology System to help the audits and satisfaction assessment made by auditees’ executives. Moreover, audit competency is imposed to assess the performance quality of internal auditors in order to continuously improve efficiency and effectiveness of the Internal Audit Division and recognize actual conditions and work performance so that problems, obstacles and working limitations related to work performance can be properly analyzed. Also, the internal auditors are developed so that their knowledge, skills, and competency meet an international standard and they can conduct the auditing more efficiently by means of encouraging them to receive training such as professional practice of internal audits, businesses of the Company Group, knowledge of other professionalism, and taking examinations to get professional certificates, for example.

The Risk Management
The Risk Management Committee of MBK GROUP
The Duties and Responsibilities of the Risk Management Committee

  1. To impose MBK GROUP’s policies and guidelines on risk management in order that MBK GROUP’s operations reach its objectives and goals.
  2. To analyze and evaluate incurred or possibly incurred risks at a level of MBK GROUP continuously and annually.
  3. To consider, approve and review risk management plans of MBK GROUP annually.
  4. To review and monitor risk management performance of MBK GROUP regularly.
  5. To report to the Board of Directors and communicate risks and major risk management to the Audit Committee.
  6. To support, follow up and develop risk management of MBK GROUP regularly.

The Corporate Group of MBK Public Co., Ltd. realizes the importance of risk management as an important mechanism and tool to help the organization achieve the target objectives and goals. Therefore, the Company has set up a risk management policy that focuses on the improvement of the risk management system according to the good corporate governance guidelines and guidelines according to the anti-corruption policy and measures. There is an integrated risk management in order to be consistent in the Quality Management System (ISO 9001: 2015) which is implemented systematically and continuously throughout the organization.

The Corporate Group of MBK Public Co., Ltd. enforced risk management in order to conform to strategies and operations by covering all levels - from MBK GROUP, Business Unit (BU), key lines, Sub Business Unit (SBU), and MBK Shopping Center - in order that the organization can achieve its objectives and goals set at each level.

Risks at all levels of the organization and may directly affect the business can be divided into 5 aspects that may directly affect the business as follows:

  • Strategic Risk is the risk in important strategies and policies of the Company. It can arise from inappropriate strategy formulation or implementation, or the inconsistency of the policy, targets, strategies, organization’s structure, the state of competition, resources, plan implementation and environment. However, the Company has regularly followed up on important strategies and policies that may affect the Company’ operational performance in order to achieve its strategic goals.
  • Operational Risk is the risk that can arise from every operational process. It covers all factors related to the process, tools, IT, and personnel that may affect the operation of the organization. However, the Company has set up a clear operational process and a measure to supervise the work of each unit that may cause damage on the organization so that the operational performance can be correct and appropriate.
  • Financial Risk is the risk that can arise out of the ineffectiveness of budget, financial problems and risks that can affect the performance and financial status of the organization. The Company has always generated sufficient fund in time to reduce the risks that can affect the Company’s investment.
  • Compliance Risk is the risk that can arise out of the inability to comply with the regulations or the related rules and laws. It can be that the rules and laws are inappropriate and become an obstacle to the operation. However, the Company has also considered the compliance with the rules inside and outside the organization as well as important laws by supervising and examining the strict compliance by the related rules and laws.
  • Hazard Risk is the risk that can affect the life safety of customers, tenants, employees and the organization’s property. The hazard can come from both internal and external factors. The Company has set up a policy and safety measure to strictly prevent such risk that may cause damage to the Company.

Additionally, in regards to the investments in different projects, the Risk Management Committee (RMC) in each level (MBK GROUP / BU / MBK Center) has implemented a rule stipulating that the request for the approval of the budget exceeding THB 10,000,000 requires a risk analysis and an approval from the relevant committees. The Risk Management Committee (RMC) must always be informed to prevent any investment risk of the Company.

The Company continues to track the execution of risk management. All levels are required to submit a quarterly risk management report in order to reduce the risk to an acceptable level and allow the risk management plan to be reviewed and updated annually.