Annual Report 2019

Information Security Information Security protects information (data), the systems it is housed in and the users of these systems from a wide range of threats, as well as safeguards the confidentiality, integrity and availability of information. Information security in the Group is achieved through a set of controls which includes policies, standards, procedures, guidelines, organisation structures and software control functions. The Group acknowledges the importance of leveraging Information Technology (“IT”) to promote effectiveness and efficiency of business operations. Heavy reliance on IT exposes us to emerging cyber security threats, hence Group Information Security Management is in place to manage cyber security risk. The Information Security Management programme includes: • Evaluations of the adequacy of controls for new infrastructures and information systems • Evaluations of emerging security technologies • Adequacy of information asset protection within the Group • Assurance of the adequacy of security controls by coordinating security reviews such as penetration testing and vulnerability assessment Code of Conduct AAGB has a Code of Conduct (“the Code”) which governs the conduct of its employees, officers and directors. The Code sets out the standards and ethics that they are expected to adhere to. It highlights AAGB’s expectations on their professional conduct which includes: • The environment inside and outside of workplace • The working culture • Conflict of interest • Confidentiality and disclosure of information • Good practices and controls • Duty and declaration The Code also sets out the circumstances in which an employee, officer and director would be deemed to have breached the Code after due inquiry and disciplinary actions that can be taken against them if proven guilty. Whistleblowing Policy AAGB has in place an effective Whistleblowing Policy which provides a platform for employees or third parties to report instances of unethical behaviour, actual or suspected fraud or dishonesty, or a violation of AAGB’s Code of Conduct. It provides protection for the whistle-blowers from any reprisals as a direct consequence of making such disclosures. It also covers the procedures for disclosure, investigations and the respective outcomes of such investigations. The Group expects its employees to act in AAGB’s best interests and to maintain high principles and ethical values. The Group will not tolerate any irresponsible or unethical behaviour that would jeopardise its good standing and reputation. As the custodian of the Whistleblowing Policy, GIAD has consistently conducted internal control, fraud and whistleblowing awareness briefings to all new hires through the Regional Orientation Programme conducted at least once a month in 2019 in collaboration with the People & Culture Department. GIAD also shares information and articles regarding whistleblowing and fraud through AAGB’s internal sharing platform, Workplace, which is accessible to all employees. Conclusion The Board has received assurance from the CEO, President (Airlines), President (RedBeat Ventures) and Group Chief Financial Officer of AAGB that AAGB’s risk management and internal control system are operating adequately and effectively in all material aspects. For areas which require improvement, action plans are being developed with implementation dates being monitored by the respective Heads of Department. The Board also receives quarterly updates on key risk management and internal control matters through its Board Committees. Based on assurance received from Management and updates from the Board Committees, the Board is of the view that the Group risk management and internal control systems were operating adequately and effectively during the Financial Year under review up to the date of approval of this statement. The Group’s associate companies are in the process of fully adopting AAGB’s risk management and internal controls. The disclosure in this statement does not include the risk management and internal control practices of AAGB’s material joint ventures. Review of the Statement by External Auditors As required by Paragraph 15.23 of the MMLR, the External Auditors have reviewed this Statement on Risk Management and Internal Control. Their limited assurance review was performed in accordance with the Audit and Assurance Practice Guide (“AAPG”) 3 issued by the Malaysian Institute of Accountants. The AAPG 3 does not require the External Auditors to form an opinion on the adequacy and effectiveness of the risk management and internal control systems of the Group. This statement is in accordance with the resolution of the Board of Directors of AAGB on 6 July 2020. STATEMENT ON RISK MANAGEMENT & INTERNAL CONTROL (CONT’D) 200 MORE THAN JUST AN AIRLINE >