Annual Report 2019

FINANCIAL STATEMENTS STATEMENT ON RISK MANAGEMENT & INTERNAL CONTROL As part of our corporate governance and in line with best practices, AirAsia Group Berhad (“AAGB”) is committed to maintaining a comprehensive and robust risk management and internal control system. The Board of Directors (“the Board”) of AAGB is guided by the requirements set out within Paragraph 15.26 (b) of the Main Market Listing Requirements (“MMLR”) issued by Bursa Malaysia Securities Berhad as well as the Malaysian Code on Corporate Governance 2017 released by the Securities Commission Malaysia. The following statement outlines the nature and scope of the Group’s internal controls and risk management framework for the financial year ended 2019 (“Financial Year”). RESPONSIBILITIES OF THE BOARD The Board is committed to implementing and maintaining a robust risk management and internal control environment and is responsible for the system of risk management and internal control. The Board acknowledges that the risk management and internal control systems are designed to manage and minimise risks as it may not be possible to totally eliminate the occurrence of unforeseeable circumstances or losses. AUDIT COMMITTEE The Audit Committee (“AC”) monitors the adequacy and effectiveness of the system of internal controls through a review of the results of work performed by the Group Internal Audit Department (“GIAD”) and External Auditors and discussions with Senior Management. The AC, established by the Board in the year 2018, comprises two (2) Independent Non-Executive Directors and one (1) Non-Independent Non-Executive Director. The AC Report is disclosed on pages 191 to 194 of this Annual Report. The duties and responsibilities of the AC are set out in its Terms of Reference which is available on AAGB’s corporate website at (https://ir.airasia.com/misc/terms-of-reference-of-audit- committees.pdf). RISK MANAGEMENT COMMITTEE The Board has delegated the governance of Group risk to the Risk Management Committee (“RMC”). The RMC was established in the year 2018 and comprises four (4) Non-Executive Directors with a majority of Independent Directors. The RMC enables the Board to undertake and evaluate key areas of risk exposures. The primary responsibilities of the RMC are as follows: • To oversee and recommend the Enterprise Risk Management (“ERM”) strategies, frameworks and policies of the Group • To implement and maintain sound ERM frameworks, which identify, assess, manage and monitor the Group’s strategic, financial, operational and compliance risks • To develop and inculcate a risk awareness culture within the Group In fulfilling its responsibilities in risk management, the RMC is assisted by the Risk Management Department (“RMD”). MANAGEMENT The Management team is responsible for ensuring that policies and procedures on risk and internal control are effectively implemented. The Management team is accountable for identifying and evaluating risks as well as monitoring the achievement of business goals and objectives within the risk appetite parameters approved by the Board. RISK MANAGEMENT DEPARTMENT The Risk Management framework is coordinated by the RMD. The RMD develops risk policies, sets minimum standards, provides guidance on risk related matters, coordinates risk management activities with other departments, as well as monitors the Group’s risks. The RMD’s principal roles and responsibilities are as follows: • Review and update risk management methodologies, specifically those related to identification, measuring, controlling, monitoring and reporting of risks • Provide risk management training and workshops • Review risk profiles and mitigation plans of departments • Identify and inform the RMC and Management of critical risks faced by the Group • Monitor action plans for managing critical risks GROUP INTERNAL AUDIT DEPARTMENT The GIAD regularly reviews the Group’s systems of internal controls and evaluates the adequacy and effectiveness of the controls, risk management and governance processes implemented by Management. It integrates a risk-based approach in determining the auditable areas and frequency of audits. The annual audit plan for the Group is reviewed and approved by the AC. GIAD is guided by its Internal Audit Charter that provides independence and reflects the roles, responsibilities, accountability and scope of work of the department. For any significant gaps identified in the governance processes, risk management processes and controls during the engagements, GIAD provides recommendations to Management to improve their design and effectiveness of controls where applicable. The GIAD’s functions are disclosed in the AC Report on pages 193 to 194 of this Annual Report. AIRASIA GROUP BERHAD ANNUAL REPORT 2019 195