ESR Group Limited Annual Report 2024

The Group implemented the following risk management and internal control structures and measures to identify, assess, monitor and report key risks:

• ERM Framework is based on the ISO 31000 International Risk Management Standards, COSO Internal Control Integrated Framework and the ISSB framework, which incorporates the former TCFD recommendations, for identifying, assessing, monitoring and reporting of risks. The Framework consists of tools such as risk governance, risk policies and risk parameters which are dynamic and adaptable to the changing business environment. It also provides a holistic and systematic approach for the identification, assessment, monitoring and reporting of key risks to the management, Audit Committee and the Board.

• As the risk profile changes from time to time, the management performs periodic risk assessment by monitoring risk changes and trends as well as the effectiveness of the related control mechanisms and/or control activities within the overall risk profile on an as-needed basis, or at least once a year to ensure that they remain relevant. In addition, the Group Risk Management department works closely with the management to review and enhance the risk management system in accordance with market practices and regulatory requirements, under the guidance and direction of the Audit Committee and the Board.

• The Group has an internal audit function to carry out an analysis and independent appraisal of the adequacy and effectiveness of the systems and controls. Any material non-compliance or failure in internal controls and recommendations for improvements are reported to the Audit Committee and the Board.

• Stringent internal policies and processes are in place to prevent the misuse of inside information and avoid conflicts of interest, including having a whistleblowing policy, information security policy, Employee Dealing and the Handling of Inside Information policy and Conflicts of Interest (“COI”) policy in place.

To reinforce a culture of good business ethics and governance, the Group has adopted a whistleblowing policy, which allows employees and outside third parties that have business relationships with the Group to raise any concerns about improprieties, malpractices and misconduct through a well-defined and trusted channel. The objective of this policy is to encourage the reporting of such matters with confidence and employees or external parties making such reports will be treated fairly, with confidentiality, and be protected from reprisal. All whistleblowing reports will be reviewed by the Group Compliance Director, the General Counsel and any other authorised person as determined by the Audit Committee. All Reports made in good faith will be received by the Audit Committee. The Audit Committee shall then determine the course of action to pursue.

Refer to “Risk Management” on pages 55 to 61 of this annual report for further details of the Group’s risk management programme.

In addition, the Group has adopted a disclosure control policy which provides a general guide to Directors, the management and employees on the handling and dissemination of inside information and responding to enquiries in accordance with the Inside Information Provisions under Part XIVA of the Securities and Futures Ordinance and the Listing Rules.

For the Year, the Board has conducted an annual review of the effectiveness of the Group’s risk management and internal control systems, which covered all material controls, including financial, operational, technology and compliance controls. The Board has received confirmation from the management on, and is satisfied with, the effectiveness and adequacy of the systems. No significant areas of concern are brought to the attention of the Board.

Internal Audit

The Group Internal Audit department provides independent assurance on the adequacy and effectiveness of the Group’s systems and internal controls through the use of a risk-based approach. The Group Internal Audit department has direct access to the Audit Committee and has free and unrestricted access to information and management of the Group when carrying out its duties. It also adheres to professional standards set by the Institute of Internal Auditors, demonstrating a commitment to high standards.

An internal audit plan is discussed and approved by the Audit Committee annually, and a summary of major audit findings, recommendations and remediation are regularly reported to the Audit Committee by the Group Internal Audit department. Group Internal Audit also conducts a comprehensive review of the Group’s compliance processes, including ethical standards, on an annual basis to ascertain that the Group meets regulatory requirements and aligns with its commitment to integrity and ethical conduct. Continuous improvement initiatives, such as regular training and external quality assessments, are in place to enhance the internal audit function. The internal audit findings and the remedial actions taken by the relevant departments form part of the Board’s assessment of the Group’s risk management and internal control systems.