ANNUAL REPORT 2025 113 CORPORATE GOVERNANCE REPORT Review of Risk Management and Internal Controls Systems The Trustee-Manager regularly reviews the business and operational activities of HPH Trust to identify areas of signifi cant business risk, assess how the risks are being managed, as well as take appropriate measures to control and mitigate these risks. HPH Trust adopts an Enterprise Risk Management framework which is consistent with the COSO (The Committee of Sponsoring Organizations of the Treadway Commission) framework. The framework facilitates a systematic approach in identifying, assessing, managing and monitoring risks (including sustainability and cyber risks) within the Group, be they of strategic, fi nancial, operational or compliance nature. Risk management is an integral part of the day-to-day operations and management of the Group and is a continuous process carried out at all levels of the Group. There are ongoing dialogues between the CEO, CFO and the senior management about the current and emerging risks (including sustainability and cyber risks) that are relevant to their business, their plausible impacts and mitigation measures to ensure that the Management has performed its duty to have effective systems. These measures, among others, include instituting additional controls and deploying appropriate insurance instruments to minimise or transfer the impact of risks that the Group’s businesses face. The latter also includes Directors and Officers Liability Insurance to protect Directors and officers of the Group against potential personal legal liabilities. In terms of formal risk review and reporting, the Group adopts a “top-down and bottom-up” approach, involving regular input from each core business unit as well as discussions and reviews by the Management, CEO and CFO and the Board, through the AC. More specifi cally, on a half-yearly basis, each core business unit is required to formally identify the signifi cant risks (including sustainability and cyber risks) it faces, and assess the risk severity based on potential impact and likelihood, whilst the CEO and CFO provide input after taking a holistic assessment of all the signifi cant risks that the Group faces. Relevant risk information including key mitigation measures and plans are recorded in a risk register to facilitate the ongoing review and tracking of progress. The composite risk register together with the risk heat map, as confi rmed by the CEO and CFO, form part of the risk management report for review and approval by the AC on a half-yearly basis. The AC, on behalf of the Board, reviews the report, discusses the risk management and internal control systems, including matters related to cyber risks, with the General Manager of the Group’s internal audit function, being the head of the internal audit of the Group (“Head of Internal Audit”), CEO and CFO, and provides input as appropriate so as to ensure effective systems in place. The Board has received assurance from (i) the CEO and the CFO that the Group’s fi nancial records have been properly maintained and the fi nancial statements give a true and fair view of HPH Trust’s operations and fi nances and (ii) the CEO and other relevant key management personnel that the internal controls (including fi nancial, operational, compliance and information technology controls) and risk management systems in place within the Group are adequate and effective in addressing the material risks in the Group in its current business environment for the fi nancial year ended 31 December 2025. The Board, through the AC, has conducted a review of the adequacy and effectiveness of the Group’s internal controls (including fi nancial, operational, compliance and information technology controls) and risk management systems for the fi nancial year ended 31 December 2025. Based on such reviews and the work performed by the internal and external auditors, the Board, with the concurrence of the AC, is of the opinion that the Group’s risk management and internal control systems addressing material fi nancial, operational, compliance and information technology risks are adequate and effective to meet the needs of the Group in its current business environment as at 31 December 2025. Such review covered reviews on the Group’s compliance with terms provided for in the right of fi rst refusal agreement (“ROFR Agreement”) and the non-compete agreement (“Non-Compete Agreement“), both dated 28 February 2011 and amended by the respective amendment agreement dated 22 December 2015, entered into between HPH and the Trustee-Manager, in its capacity as the trustee-manager of HPH Trust. Details of the ROFR Agreement and Non-Compete Agreement are set out in the “Statement of Policies and Practices” section on pages 120 to 121 of the Annual Report. The Board notes that the system of risk management and internal controls established by the Management provides reasonable assurance that the Group, as it strives to achieve its business objectives, will not be signifi cantly affected by any event that can be reasonably foreseen or anticipated. However, the Board also notes that no system of risk management and internal controls can provide absolute assurance in this regard, or absolute assurance against poor judgement in decision-making, human error, losses, fraud or other irregularities.
RkJQdWJsaXNoZXIy NTM2MDQ5