Enterprise Risk Management Policy


Registration No. 199601037932 (410285-W)
(Incorporated in Malaysia)


GTB Enterprise Risk Management Framework/Policy

Enterprise Risk Management (ERM) enhances an organization's ability to manage uncertainty effectively. It is a comprehensive, systematic approach that helps any organization, regardless of size or mission, to identify events and to measure, prioritize and respond to the risks challenging its most critical objectives and the related projects, initiatives and day-to-day operating practices.

Corporate Vision
GTB is committed to its vision, which is to be the global business partner of choice in niche products and services. In achieving this vision, GTB will face risks to its business strategy, operational risks and risks associated with the protection of its people, property and reputation. This document describes the policies by which these risks are to be effectively managed.

Objective Setting
Within the context of GTB's established mission and vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the Company. It is through this lens that GTB views risk and defines how to respond to that risk.

The Business/Operations Risk Review Committee (BORRC) sets overarching strategic objectives as well as financial targets based upon the Company's growth priorities. These objectives are cascaded to our major subsidiaries, ensuring alignment across the Group. Senior management is accountable for meeting the set objectives. Business unit, functional and individual employee goals are aligned to the overall objectives of the organization and are consistent with the Company's overall mission and beliefs.


The enterprise risk management framework is geared to achieving GTB's objectives. These objectives fall mainly into four categories: strategic, operational, financial and compliance.

Enterprise Risk Management Policy
GTB defines risk as any potential event which could prevent the achievement of an objective. It is measured in terms of impact and likelihood.

GTB's policy is to identify, analyse and respond appropriately to all critical risks. The risk responses selected are determined by GTB's appetite and tolerance for risk. These will vary over time according to the specific business objectives concerned, whether strategic, operational or financial. The effectiveness of risk management and control measures will be regularly reported to and acted upon by the Board. In addition, periodic independent reviews of their effectiveness will be conducted.

The Board has overall responsibility for the Group's Risk Management Framework and has assigned the Audit and Risk Management Committee (ARMC), assisted by the BORRC and the internal auditor, responsibility for reviewing the adequacy and effectiveness of the Risk Management Framework.

The Senior Leadership Team, led by the Executive Chairman and the Chief Executive Officer, is responsible for implementing the strategy, culture, people, processes, technology and structures which constitute the Enterprise Risk Management Framework.

Key Principles on Managing Risk:

  • Risks must be considered and managed enterprise-wide in order to achieve GTB’s business objectives;
  • Risk management is integral to the strategic planning process, business decision making and day-to-day operations;
  • Risks are identified, analysed, responded to, monitored and reported accordingly;
  • Risk responses are tailored to each particular business circumstance;
  • Management must regularly assess the status of risks and risk responses; and
  • Compliance with the Enterprise Risk Management Framework must be monitored and reported.

GTB’s Enterprise Risk Management Approach

GTB applies the COSO Enterprise Risk Management framework to ensure consistent application of risk management in the execution of strategy, the achievement of business objectives and day-to-day operations.

GTB’s Enterprise Risk Management Process

The risk management process is a structured approach to incorporating risk management into the broader, day-to-day management process. It is more than an exercise in risk avoidance; it is about identifying opportunities to avoid or mitigate losses. It is a dynamic, ongoing process of assessment, decision-making and implementation that is integrated with management activities.

The Board, assisted by the ARMC, the internal auditor and senior management, sets the tone for enterprise risk management. This includes establishing GTB's risk appetite and how risks will be identified, measured and managed. There are five primary steps in the ERM process, as indicated in the table below. It is also important to ensure that the ERM process and the risks themselves are re-evaluated and updated on an ongoing basis to reflect new information and experience, so that all significant risks are appropriately identified and addressed and no material opportunities are overlooked.

Enterprise Risk Management Cycle


i) Risk Identification
Identification of risks should occur on an ongoing basis for existing processes and on an ad hoc basis as required for new product introductions, projects or changes contemplated to existing products and processes. The techniques used to help identify risks include interviews, discussions with employees, and review of financial statements and previous risk management reports. To help with risk identification, risks should be considered within the main risk categories: strategic, financial, operational and compliance risks.

ii) Risk Assessment & Measurement
Once the risks have been identified, the likelihood of the risk occurring and the potential impact if the risk does occur are assessed.


iii) Risk Response and Action
For each identified risk, GTB establishes an appropriate response option in order to optimize risk management. These generally range from accepting the risk to avoiding it. Four possible response options are identified in the table below.

Response    Definition
Avoid       The risk is unacceptable and GTB will specifically avoid it.
Treat       GTB is willing to accept some risk and implements control processes to manage the risk within established tolerances.
Transfer    GTB transfers the risk to a third party (e.g. by obtaining insurance).
Tolerate    GTB decides to accept, manage and monitor the level of risk.

iv) Monitoring
Risks and risk response activities are monitored by the responsible manager to ensure that significant risks remain within acceptable risk levels, that emerging risks and gaps are identified, and that risk response and control activities are adequate and appropriate. The ARMC and internal audit play an important oversight role in confirming that management is monitoring and managing risks in accordance with established levels. Indicators that fall outside acceptable risk levels are escalated with appropriate action plans to bring the risk back within established risk levels. Risks that still remain above acceptable risk levels are referred to the Board for approval of any necessary resolution strategies. This activity forms the basis for reporting to the Board and for ongoing monitoring by management.

v) Reporting
The ARMC requires the results of the ERM process to be reported to it in its oversight capacity, so that it can gain assurance that risks are being managed within approved risk levels.

Annually, or more frequently if needed, management prepares a Risk Management Report to be reviewed and tabled for discussion at the ARMC meeting. The Risk Management Report:

  • summarizes the nature and magnitude of significant risks;
  • highlights all significant risks and those risks that exceed their acceptable risk levels;
  • identifies the timeframe and status of any additional risk management activities that may be required to bring risks within approved risk levels;
  • identifies any negative trends in higher-risk areas and any changes to risk management activities;
  • highlights any new risks, including their risk assessment, risk response and management activities;
  • identifies any material emerging risks; and
  • summarizes any exceptions to established policies or limits for key risks.

On a periodic basis, the Board reviews all high-risk areas (including those that are appropriately mitigated to within acceptable levels) in order to have a full understanding of all significant risks that GTB is facing.

Review of ERM Framework/Policy
This framework/policy and its underlying principles will be reviewed annually by the Board to ensure their continued application and relevance.