Risk Management & Internal Control

Risk Management Unit


The Purpose


   The company's operations are linked to the inevitability of facing risks of various types, and risk management is represented in the thoughtful acceptance of risks in order to achieve returns, i.e. matching between returns on the one hand and risks on the other.
The company is interested in having the ability of its board of directors to understand and analyze the nature and size of the risks facing the company's activities in order to work to reduce them as much as possible, and to determine the appropriate procedure to deal with them, in order to preserve the interests of its shareholders and related parties.


The Risk Coverage


Risk management is part of sound corporate governance practices. The Board of Directors manages business risks and all other major risks. The scope of implementation of this policy falls within the competence of risk management, and it also includes all departments, divisions, and systems that are subject to direct supervision of compliance and risks, including internal control systems that include integrity of financial statements, efficiency of company operations, and compliance with regulatory controls.


General Responsibilities for Risk Management


The size of risk management and the definition of its role depends on the size of the company and its type of activity, but the general responsibilities of risk management (the task has been assigned to an external professional consulting firm). They are summarized as follows:


1) Laying down the necessary foundations for identifying, defining and analyzing the types of risks to which the company is exposed.


2) Evaluate and measure those risks on an ongoing basis.


3) Ensure that the acceptable risk appetite level in the company and approved by the Board of Directors is not exceeded.


4) Taking preventive measures and corrective steps to transfer risks to an acceptable level with the limits of risk propensity.


5) Implement risk management strategies and policies set by the Risk Management Committee.


6) Develop a database of risks and classify them according to their expected effects.


7) Implementation of the necessary plans to deal with risks and related procedures.


8) Dealing with executive management regarding day to day operations and implementation of risk management plans.


9) Continuing to monitor and follow up on those risks through the reporting mechanism that you submit to the Risk Management Committee.


10) Develop and support a culture of risk management by finding a common language that helps to understand and identify risks and organize activities accordingly.


11) Reviewing the deals and dealings proposed to be carried out by the company with related parties and making appropriate recommendations regarding the risks expected to arise as a result of those deals and dealings to the Board of Directors.


Risk Management Work


Risk Management Philosophy


A risk management philosophy is the beliefs and attitudes that you consider throughout the risk management process, from strategy setting to risk mitigation activities. Philosophy is applied at a level through its politics, communications, and decision making. It is also critical that the philosophy be operationalized periodically at the company level.


Integrity and ethics values


The success of risk management at an organization level depends on the integrity and ethical values of that organization. In this context, the top management of an organization determines the 'style' by which the company is to be operated. Top management can set this "style" through its procedures, decision-making, communications and/or through the use of codes of conduct.


Efficiency and development of the company's employees


Competence reflects the knowledge and skills that an employee needs to perform the tasks assigned to him. The company shall measure the efficiency of the employee on the basis of his experience, skills, training, qualifications, and willingness to learn.
With regard to the development of the company's employees, many mechanisms are used to ensure the development of the performance of each employee within the company. These mechanisms include performance appraisal, goal setting, training policies, educational programs, job rotation, promotions, and all other initiatives to develop employee performance.


Fundamentals of risk management


The company adheres to the well-known basic rules that must be taken into account in risk management, namely:


• Do not risk more than the losses that the company can bear. This rule is important and realistic, and ignoring it by risk management may lead the company to a heavy financial loss (there may be a risk that the company cannot bear on its own).


• Attention and not ignoring the unbearable risks, as there may be risks whose incidence is small, but if they occur, their consequences will be disastrous for the company and its losses will be heavy.


• Achieving a balance between potential loss and cost to reduce it.


• The risk management must attach great importance to the risk assessment process and arrange them according to priorities and appropriately, in order to avoid wasting time in dealing with unlikely risks, which leads to the dispersal of sources that should be used more beneficially.


• Good distinction between risk and doubt in order to avoid obstructing the company's work in completing its projects or even proceeding with them.
• The use of equipment, electronic systems and the appropriate mechanism for risk management in the company "if possible".


Internal Audit Policy


The Purpose


The purpose of the policies and procedures manual for the internal audit unit is as follows:


• Documenting the policies and procedures of the company's internal audit unit.


• Provide a reference for all employees of the internal audit unit to ensure that policies and procedures are applied appropriately.


• Developing procedures that provide management with periodic information on internal auditing, This guide covers all important aspects of the work of the Kuwait Resorts Company "hereinafter referred to as the Company" in the internal audit, The procedures mentioned in this manual must be carefully studied and then implemented by all employees of the internal audit unit.


This policy forms an integral part of the Company's corporate governance framework.


Ethics of the Internal Audit Profession


Professional Standards


The internal audit unit shall accredit the IPPF issued and endorsed by the Institute of Internal Auditors, as well as the International Financial Reporting Standards (IFRS) published and endorsed by the International Accounting Standards Board (IASB) in respect of relevant financial matters. The regulations of the Capital Markets Authority and the regulatory authorities in the State of Kuwait, the Code of Conduct of the Institute of Internal Auditors, and internal policies and procedures govern the internal audit unit.


Mission statement


The mission of the Internal Audit Unit is to assist the Board of Directors and the Executive Management of the Company in relieving the burden of supervision and management responsibilities placed on their shoulders, through independent auditing and consulting for the purpose of evaluating and strengthening the system of internal controls. The internal audit work has been assigned to an external consulting office.


Integrity


The integrity of the internal auditors adopts the pillars of trust, and this is what forms the basis for relying on their opinions and judgments, as follows:
• To perform their work with integrity, diligence and responsibility.
• To abide by the laws in force and to take into account the disclosure of the information available to them within the limits expected of them in accordance with the laws in force and the standards of the internal audit profession.
• Not to be a party to any illegal activity or to carry out any actions or behavior that harm the internal auditing profession or the company.
• Observe and contribute to achieving the legitimate and sound objectives of the company.


Organization


The internal audit process is an administrative control process, based on ensuring the effectiveness of other administrative controls.
The internal audit process examines and evaluates administrative work and activities to assist all levels of the Audit and Risk Committee and members of the Board of Directors in effectively alleviating their responsibilities and providing them with analysis, recommendations, advice and information on the activities and records reviewed.


The company's internal auditors prepare an annual internal audit plan for approval by the Audit, Risk and Risk Committee. This plan specifies the internal audit program that must be conducted for the company during the year.


Independence


• Freedom from any restrictions or conditions that may threaten or impede the fair and equitable exercise of internal audit functions.


• The coordinator of the internal audit unit must be affiliated with the audit and risk committee in the company, which ensures that the management exercises audit functions to the fullest.


• In order to obtain a neutral and unbiased judgment of the appropriate procedure for internal audit work, internal auditors must be independent of the activities they audit.


• Independence is essential for the effectiveness of the functions of the internal audit unit. This independence mainly depends on the organizational and objective status.


Confidentiality


• Internal auditors must respect the value and ownership of the information they receive or view, and they must not disclose that information without obtaining permission or authorization to do so, unless there is a legal or professional obligation to disclose that information.


• Maintain ownership and protection of information obtained in the course of performing their duties.


• Not to use this information for any personal benefit or in any way that would violate laws or offend the legality and moral objectives of the company in which they work or for its benefit efficiency.


• Internal auditors should use the necessary knowledge, skills and experience in performing internal audit services.


• Internal auditors should only perform internal audit services for which they have the necessary knowledge, skill and experience.


• To work continuously to improve their skills and the effectiveness and quality of the services they perform.


• The internal audit profession is practiced in accordance with the International Standards for the Professional Practice of Internal Auditing (IPPF) issued by the Institute of Internal Auditors (IIA). Therefore, all practical and scientific experiences and skills must be available in the internal auditors, in addition to the various competencies necessary to perform the internal audit tasks.


Audit Quality


The Board of Directors and the Audit and Risk Committee


1) The Internal Audit Unit identifies and presents the internal controls, systems, procedures and risks related to all departments of the company. The responsibility for ensuring that the company implements and reduces business risks to an acceptable level and maintains the appropriate controls framework rests with the Audit and Risk Committee and the Board of Directors.


2) The executive management identifies weaknesses in order to apply the tips and instructions contained in the reports of both the internal and external audits to enhance and strengthen the work methods that need to be developed.


3) The responsibilities of the executive management include the following:


4)  Developing an internal control framework for the risks that the company may face and for specific departments and operations, and it must be reviewed and updated on an ongoing basis.


5) Informing the internal audit unit of potential problems or existing problems in internal control, theft, fraud and embezzlement, unauthorized transactions, bad debts, etc.


6)  Provide comprehensive support to enable the internal audit team to carry out its duties properly and effectively.
Responsibilities of the external auditors.


7) The internal auditors must coordinate their tasks and responsibilities with those of the external auditors to ensure that the work is not repeated and results are given.