Statement On Risk Management and Internal Control


Pursuant to Paragraph 15.26 (b) of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad, the Board of
Directors hereby presents its Statement on Risk Management and Internal Control of the Group. This statement has been
prepared in accordance with the Malaysian Code on Corporate Governance and guided by the Statement on Risk Management
and Internal Control: Guidelines for Directors of Listed Issuers.


The risk management processes in identifying, evaluating and managing significant risks facing the organisation are embraced
in the operating and business processes. These processes are driven by all Executive Directors and Senior Management team
members in their course of work. Key matters covering the financial and operation performances, changes in customers’
preference, suppliers, raw material prices, risks and market outlook are reviewed and deliberated in the EXCO meetings.
During these EXCO Meetings, causes and reasons for performances are discussed in order to identify the appropriate
measures to manage risks effectively. Key issues discussed in EXCO meetings are recorded in minutes and are presented in
the quarterly Board meetings in order for all Board members to review and consider the overall performance of the Group.

An annual risk assessment workshop, attended by Executive and Non-Executive Board members and Key Senior Management
personnel, is held to identify new risks, reassess the risk appetite of the Board as well as the possibility and impact of the
existing risks, consider the effectiveness of the existing controls, and formulate new risk management mitigation action
plans. The application of these risk management processes is based on the principles of the Committee of Sponsoring Organizations
of the Treadway Commission (“COSO”) Enterprise Risk Management framework as well as ISO 31000 on risk management,
which are internationally recognised risk management frameworks. Based on the key risks identified, management then
proceeds to develop the necessary measures to minimise the possibility and impact of these risks.

The principal risks and challenges faced by the Group presently are fluctuation of prices of raw materials and foreign currency
exchange as well as risk associated with shortage of foreign workers. By managing these principal risks effectively, the Group
will be able to protect and improve its business competitiveness and quality of products and to meet the expectation and
demands of its local and international customers. As risk is dynamic, the risks mentioned in the foregoing do not reflect the
order of their priority.


HeveaBoard Berhad continues to maintain the following certifications. These management systems and certifications form
the guiding principles for the operational procedures. Internal quality audits are carried out and annual surveillance audits
are conducted by external certification bodies to ensure compliance with the respective certification bodies’ requirements.

i. Quality Management Systems of ISO 9001:2008;

ii. The Environment Management Systems ISO 14001:2004;

iii. Occupational Safety and Health Management System OHSAS 18001 and MS 1722;

iv. Sustainable Forest and Energy Management Systems under the Programme for the Endorsement of Forest Certification
(“PEFC”);

v. Energy Management System ISO 50001:2011 Certification in efficient and effective energy management system;

vi. Singapore Green Label Certificate, Sirim Eco-Label Scheme Certification and MyHijau Certification for environmentally-friendly
product; and

vii. CARB (California Air Resources Board) Certification on compliance with applicable emission standard.

viii. Japanese Industrial Standard (JIS) Mark Certification A5908:2015


In addition to the above, the fundamental controls and measures that have been put in place in the Group are:-


i. Management organisation chart outlining the management responsibilities and hierarchical structure of reporting and
accountability;

ii. Approval and authority limits of the top executives and heads of department;

iii. Insurances to protect the assets and interests of the Group;

iv. Review of operation performance and segregation of duties in the management functions of the Group;

v. Job descriptions are established providing understanding to employees of their tasks in discharging their responsibilities;

vi. Financial forecasts are used as performance targets;

vii. Whistleblowing policy for reporting of employees’ misbehaviours; and

viii. Audit Committee review of the quarterly financial reports, annual financial statements, related party transactions,
external and internal audit reports.


There are two levels of review of systems of risk management and internal control in the organisation. The first level of the
review is undertaken by the Executive Directors and Senior Management while the second level constitutes the independent
review performed by the Audit Committee. The Internal Audit Function reports directly to the Audit Committee, conducts
periodic audits to assess the effectiveness of the risk management and internal control procedures, recommends actions to
management for improvement, and reports the status of management control procedures to the Audit Committee. The scope
of works of the Internal Audit Function is carried out based on the internal audit plan approved by the Audit Committee.

The internal audit function has organised its work in accordance with the principles of the internal auditing standards covering
the conduct of the audit planning, execution, documentations, communication of findings and consultation with senior
management and Board on the audit concerns.


In accordance with the Guidelines, management is responsible to the Board for identifying risks relevant to the business of the
Group's objectives and strategies, implementing and maintaining sound systems of risk management and internal control
and monitoring and reporting significant control deficiencies and changes in risks that could significantly affect the Group's
achievement of its objective and performance.

The Board has received assurance from the Group Managing Director and Chief Financial Officer that, to the best of their
knowledge, the Group's risk management and internal control systems are operating adequately and effectively, in all
material respects.


The Board confirms that there is an ongoing process for identifying, evaluating and managing significant risks faced by the
Group. The Board continues to derive its comfort of the state of risk management and internal control of the Group from the
following key processes and information:-

  • Periodic review of financial information covering financial performance and quarterly financial results;
  • Audit Committee’s review and consultation with Management on the integrity of the financial results, Annual Report
    and audited financial statements before recommending to the Board for approval;
  • Audit findings and reports on the review of systems of internal control provided by the Internal Auditors and status of
    Management's implementation of the audit recommendations; and
  • Management’s assurance that the Group’s risk management and internal control systems have been operating
    adequately and effectively, in all material respects.

For the financial year under review, the Board is satisfied that the existing level of systems of risk management and internal
control is effective to enable the Group to achieve its business objectives and there were no material losses resulting from
significant control weaknesses that would require additional disclosure in the Annual Report. Nonetheless, the Board
recognises that the systems of risk management and internal control should be continuously improved in line with the evolving
business development. It should also be noted that all risk management and internal control systems could only manage rather
than eliminate risks of failure to achieve business objectives. Therefore, these systems could only provide reasonable but not
absolute assurance against material misstatements, frauds and losses.



Pursuant to Paragraph 15.23 of the Main Market Listing Requirements of Bursa Malaysia Securities Berhad, the external auditors
have reviewed this Statement on Risk Management and Internal Control. Their assurance engagement was performed pursuant
to the scope set out in AAPG 3, Guidance for Auditors on Engagements to Report on the Statement on Risk Management and
Internal Control included in the Annual Report.

Based on their review, the External Auditors have reported to the Board that nothing has come to their attention that causes them
to believe that this Statement is inconsistent with their understanding of the process adopted by the Board in reviewing the
adequacy and integrity of the risk management and internal control systems of the Group.


This Statement is made in accordance with the approval and resolution of the Board of Directors dated 30 March 2018.