City Developments Limited - Annual Report 2025

RISK GOVERNANCE AND OVERSIGHT

The Board is responsible for risk governance and for setting strategic direction, supported by the Audit & Risk Committee (ARC), which provides oversight of financial reporting, audit matters and the effectiveness of risk management and internal controls. The Group’s risk governance structure is based on the Three Lines of Defence model, which clearly defines roles and responsibilities and reinforces a risk-aware culture across the Group.

[Figure: Overview of the Group’s Risk Governance Structure. Elements shown: Board; Audit and Risk Committee; ExCo; Management Risk Committee; ERM; Risk Owners; Internal Audit; External Assurance Providers; First, Second and Third Lines of Defence; Board Level Oversight and Management Oversight; direct and indirect/administrative reporting lines.]

ERM designs, implements, and improves the risk management framework to foster a culture of risk ownership and accountability. It also provides objective monitoring and reporting of material risks and portfolio concentrations to the MRC and ARC.

The Management Risk Committee (MRC), together with the Management Executive Committee (ExCo), oversees the identification, assessment, and management of enterprise-wide risks. The MRC convenes regularly to review material risks, emerging issues, and mitigation strategies, with ERM providing facilitation and independent challenge.

Internal Audit provides independent assurance on the adequacy and effectiveness of the risk framework and control systems, with key findings reported to the ARC and Board to ensure timely oversight and provide reasonable assurance regarding the Group’s risk posture, while partnering with management to track remediation progress.

Line managers are responsible for executing daily controls and managing risks within their functions. They enforce policies and risk thresholds while identifying process gaps or unexpected risk events.
