CapitaLand Integrated Commercial Trust - Annual Report 2021

ACCOUNTABILITY AND AUDIT Principle 9: Risk Management and Internal Controls The Manager maintains adequate and effective systems of risk management and internal controls (including financial, operational, compliance and information technology (IT) controls) to safeguard Unitholders’ interests and the CICT Group’s assets. The Board has overall responsibility for the governance of risk and oversees the Manager in the design, implementation and monitoring of the risk management and internal controls systems. The AC assists the Board in carrying out the Board’s responsibility of overseeing CICT's risk management framework and policies for CICT Group. Under its terms of reference, the scope of the AC's duties and responsibilities includes: (a) making recommendations to the Board on the Risk Appetite Statement (RAS) for CICT Group; (b) assessing the adequacy and effectiveness of the risk management and internal controls systems established by the Manager to manage risks; (c) overseeing the formulation, updating and maintenance of an adequate and effective risk management framework, policies and strategies for managing risks that are consistent with CICT Group’s risk appetite and reports to the Board on its decisions on any material matters concerning the aforementioned; (d) making the necessary recommendations to the Board such that an opinion regarding the adequacy and effectiveness of the risk management and internal controls systems can be made by the Board in the Annual Report in accordance with the Listing Manual and the Code; and (e) considering and advising on risk matters referred to it by the Board or Management, including reviewing and reporting to the Board on any material breaches of the RAS, any material non-compliance with the approved framework and policies and the adequacy of any proposed action. The Manager adopts an Enterprise Risk Management (ERM) Framework which sets out the required environmental and organisational components for managing risks in an integrated, systematic and consistent manner. The ERM Framework and related policies are reviewed annually. As part of the ERM Framework, the Manager undertakes and performs a Risk and Control Self-Assessment (RCSA) annually to identify material risks along with their mitigating measures. The adequacy and effectiveness of the systems of risk management and internal controls are reviewed at least annually, by Management, the AC and the Board, taking into account the best practices and guidance in the Risk Governance Guidance for Listed Boards issued by the Corporate Governance Council and the Listing Manual. The CICT Group’s RAS, which incorporates the CICT Group's risk limits, addresses the management of material risks faced by the CICT Group. Alignment of the CICT Group’s risk profile to the RAS is achieved through various communication and monitoring mechanisms (including key risk indicators set for Management) put in place across the various functions within the Manager. More information on the Manager’s ERM Framework including the material risks identified can be found in the Risk Management section on pages 44 to 50 of this Annual Report. The internal and external auditors conduct reviews of the adequacy and effectiveness of the material internal controls (including financial, operational, compliance and IT controls) and risk management systems. This includes testing, where practicable, material internal controls in areas managed by external service providers. Any material non-compliance or lapses in internal controls together with corrective measures recommended by the internal and external auditors are reported to and reviewed by the AC. The AC also reviews the adequacy and effectiveness of the measures taken by the Manager on the recommendations made by the internal and external auditors in this respect. CapitaLand Integrated Commercial Trust 190 Corporate Governance