Risk Management and Internal Controls
Principle 11:
The Board is responsible for the governance of risk. The Board should ensure that
Management maintains a sound system of risk management and internal controls to safeguard
shareholders’ interests and the company’s assets, and should determine the nature and extent
of the significant risks which the Board is willing to take in achieving its strategic objectives.
The Manager has in place an adequate and effective system of internal controls addressing material
financial, operational, compliance and information technology risks to safeguard Unitholders’
interests and CRCT’s assets.
The Board has overall responsibility for the governance of risk and exercises oversight of the risk
management strategy and framework. The AC assists the Board in strengthening the Manager’s risk
management capabilities for CRCT and its subsidiaries (CRCT Group).
In carrying out this responsibility, in particular, the AC:
(a) makes recommendations to the Board on risk appetite including associated risk parameters for
CRCT Group;
(b) oversees Management in the formulation, updating and maintenance of an adequate and
effective risk management framework, policies and strategies for managing risks that are
consistent with the approved risk appetite and parameters for CRCT Group and reports to the
Board on its decisions on any material matters concerning the aforementioned;
(c) makes the necessary recommendations to the Board such that an opinion and comment
regarding the adequacy and effectiveness of the risk management and internal control systems
can be made by the Board in the annual report of CRCT in accordance with the Listing Manual
and the Code; and
(d) reports to the Board on any material breaches of risk limits and the adequacy of any proposed
action.
The Manager adopts an Enterprise Risk Management (ERM) Framework which sets out the required
environmental and organisational components for managing risk in an integrated, systematic and
consistent manner. The ERM Framework and related policies are reviewed annually.
The Manager consistently seeks to improve and strengthen its ERM Framework. As part of the ERM
Framework, Management, amongst other things, undertakes and performs a Risk and Control
Self-Assessment (RCSA) process. As a result of the RCSA process, the Manager produces and
maintains a risk register which identifies the material risks CRCT Group faces and the corresponding
internal controls it has in place to manage or mitigate those risks. The material risks are reviewed
annually by the AC and the Board. The AC also reviews the approach of identifying and assessing
risks and internal controls in the risk register. The system of risk management and internal controls
is regularly reviewed and, where appropriate, refined by Management, the AC and the Board.
The Manager has established an approach towards how risk appetite is defined, monitored and
reviewed for CRCT Group. Approved by the Board, the Risk Appetite Statement (RAS) addresses the
management of material risks faced by CRCT Group. Alignment of CRCT Group’s risk profile to the
RAS is achieved through various communication and monitoring mechanisms (including key
performance indicators set for Management) put in place across the various functions within the
Manager.
More information on CRCT’s ERM Framework can be found in the Enterprise Risk Management
section on pages 44 to 46 of the Annual Report.
Internal auditors and external auditors conduct audits that involve testing the effectiveness of the
material internal controls for CRCT Group addressing financial, operational, compliance and
information technology risks. This includes testing, where practical, material internal controls in areas