Risk Management

The Group understands that risk management has perhaps never been more important than it is now. The risks that the Group faces have grown more complex, fueled by the rapid pace of globalisation, pandemic, war, use of digital technology and climate change. Risk management helps to caution the Group on the uncertainties and predict their impact, thus providing the Group a basis for decision making. Risk management also provides the Group the opportunities to proactively manage the unexpected by mitigating or minimising the impacts of risk rather than reactively. This effective management of risk is vital for our long-term sustainability.

The Board and its sub-committee, Board of Audit and Risk Management Committee (“BARMC”) is responsible in overseeing and maintaining a sound risk management system to ensure smooth business operation. The Chairman and committee members of BARMC are directors from the Board. The BARMC Chairman is entrusted to present the audit and risk management report of the Group for the Board’s consideration.

Our risk management is a continual process,which comprises the identification and examination of risks, including materiality risks and the potential impact on our business operation and strategies. We rate the risks according to a metric that consists of likelihood and consequences, and then, take necessary measures to address and monitor the risks.

The Group is certified to several risk-based ISO Management Systems, where one of the key requirements in these management systems is managing risks. We identify, manage and monitor the risks and opportunities that could impact the achievement of long-term sustainability goals in relation to ethics and integrity, cyber security, quality, environmental, occupational safety and health.

Considering the rising global concern of climate change, SSB has taken steps to expand its Environmental, Safety and Health Risk and Opportunity Registers to include climate-related risks and opportunities.

The audit by certification bodies benefits the Group, whereby it assists to ensure that the management systems have been properly implemented and maintained, as well as identifying opportunities for improvements and potential risks that may have been missed out. 

The Risk and Opportunity Registers of the Group are listed in the table below. In FY 2023, climate-related risks and opportunities of SSB is incorporated into Environmental Risk and Opportunity Register. The Group Managing Director, as the chairman of SSC, is responsible to report the climate-related risks and opportunities of SSB for the Board’s consideration.

Risk ExposureRisk and Opportunity RegisterFrequency of reviewOutcome
  • Strategic
  • Operations
  • Compliance
  • Cyber/IT
  • Climate

Control Self Audit with ICQ

Company Risk Register including Quality Risk Register

Anti-Bribery Risk Register

Safety and Health Risk and Opportunity Register

Environmental Risk and Opportunity Register

Register of Environmental Aspect and Impact (“EAI”)

Safety and Health Hazard Identification, Risk Assessment and Risk Control (“HIRARC”)

Half yearly
  • Value creation to business, stakeholders and material sustainability.
  • Enhance stakeholders’ confidence and trust.
  • Support Environmental, Social and Governance (“ESG”) performance.


Ethics and Integrity

The Group recognises the expectation from the employees, stakeholders and communities in which we operate, to act in an ethical and honest manner. We are committed to uphold integrity, promote accountability and transparency as a way of doing business and transaction. The Group adopts procedures which are guided by the HLMG policies. 


The BARMC is the governing body for the Group’s Anti-Bribery and Corruption Management System (“ABCMS”), approving the related policy and has oversight over the implementation of the policy. The Group’s ABCMS Compliance Function Officer is responsible for the overall implementation of ABCMS and ensuring that the objectives of ABCMS are met. The Group is certified with ISO 37001 Anti-Bribery Management System, which defines the expectation in the way the stakeholders act, so as to ensure that the decisions made are lawful, ethical and honest in line with our policy.

An overview of the Group’s key policies, codes, procedures and activities are listed as below:

ISO 37001 Anti-Bribery Management System

100% of the companies in the Group are certified to ISO 37001 Anti-Bribery Management System. The Group has completed the external audit by SIRIM QAS and the certification is continued.

ABCMS Risk Assessment

In addition to the requirement of ISO 37001, the Group adopts the practice of HLMG to identify, maintain and review ABCMS risk on quarterly basis. From the list of identified risks, especially the high (significant) risks, the respective risk owner will establish mitigation plans to address the risk accordingly.

The Group has procedures and policies in place to address the identified major or significant risks so as to reduce the potential bribery and corruption risks. Procedure of Tender, procedure of Recruitment, as well as Gift and Entertainment Policy are examples of procedures and policies with the objective of preventing corruption including bribery, false claim, fraud and/or abuse of power.

Anti-Bribery and Corruption (“ABC”) Policy

The Group is committed to conduct business ethically and in compliance with applicable anti-bribery and corruption laws of every country in which we operate. We do not condone any form of bribery and corruption.

The stakeholders (staff, contractors, joint ventures, parties working with the Group, external stakeholders and members of public) can report any form of bribery and corruption related concern or suspicion to the Head of Internal Audit or Head of Human Resources as stated in the policy.

Whistleblowing Policy

The Group promotes and supports the culture where employees feel comfortable to raise genuine and legitimate concerns about inappropriate conduct and behaviour. We encourage our employees and staff to speak up if they become aware of any improper or wrongful act involving the Group.

The Group publishes Whistleblowing Policy together with Whistleblower Form to facilitate the reporting by whistleblower. The Group is also committed to protect the confidentiality of people or whistleblower who make genuine and legitimate disclosures from adverse employment action to the extent permitted by law.

The Group has Whistleblowing Communications Plan and Investigation Procedures which lay down the mode of communicating Whistleblowing Policy to employees as well as investigation procedures to follow up on any noncompliance.

For FY 2023, there was no whistleblowing disclosure reported through any of the various whistleblowing channels and no investigation case was conducted.

FY 2021FY 2022FY 2023
Number of claims or incidents of non-compliance (fraud)
Staff disciplined or dismissed due to non-compliance with anti-corruption policies
Cost of fines, penalties or settlements in relation to corruption (RM)


Gift and Entertainment Policy

The Group adopts a “No Gift Policy” whereby all employees are prohibited, save as expressly permitted by the policy, from giving and/or receiving gifts and entertainment.

Effective from 1st January 2021, the Group’s policy requires all employees to make half-yearly declaration on giving and/or receipt of gifts and entertainments.

The declaration rate of the Group is shown in table below. Those under long hospitalisation leave during the period of declaration were excluded.

FY 2022FY 2023
Declaration rate (%)

Donation Policy

The Group adopts the Donation Policy of HLMG. The scope of the policy includes corporate donations made to charities, non-profit organisations and/or causes of greater good by an operating company. The Group prohibits all forms of political contributions.

Refer to section Social, under sub-section Community Engagement details on donation.

Code of Conduct and Ethics

The Group is committed to good business ethics and integrity. The Group adopts the HLMG Code of Conduct and Ethics. The last review of the Code of Conduct and Ethics was in October 2018.

Conflict of Interest

To avoid any potential conflict of interest during tendering process, the tender committee members are required to make self-declaration on whether there is potential conflict of interest with the tenderers. During the recruitment interview, the interviewee is also required to declare if he/she has any family members or relatives who are currently working in the Group.

Refer to FY2023 Annual Report page 72 for Statement of Declaration by the Board members. 


The Group continues to enhance the understanding of ABCMS and policies. We have set up E-Training and Evaluation Portal for employees to go through refresher training once in every three years.

The content of the refresher training includes overview of: 

  • Anti-Bribery Management System
  • Anti-Bribery and Corruption Policy Statement
  • Anti-Bribery and Corruption Policy
  • Whistleblowing Policy
  • Gifts and Entertainment Policy
  • Certification on ISO 37001
  • Type of Bribery Risk (Legal Risk, Reputation Risk, Financial Risk, Safety and Quality Risk, and Business Risk) and potential damage

In FY 2021, we conducted an employee survey on the understanding of ABCMS that was implemented. We achieved a rating of 4.4 out of the total of 5. Our Compliance Officer had further analysed the outcome of the survey and launched a two-year program until the end of FY 2023 to brief and refresh the Gift and Entertainment Policy and Whistleblowing Policy to employees.

The refresher training includes:

  • Detail explanations of Gifts and Entertainment Policy as well as Whistleblowing Policy
  • The use of Declaration Form and Whistleblower Form
  • Relevant Laws of Malaysia, ACT 711 Whistleblower Protection Act 2010 Part III, Section 6 to 11 to enhance employees’ understanding on available protection to the whistleblower

The percentage of employees in the Group that attended the training at the end of FY 2023 is 100%.

Gift and Entertainment Policy and Whistleblowing Policy Refresher Training

FY 2022 (Year 1)FY 2023 (Year 2)
Executive and above95%100%

Annual ABCMS Awareness Program

As part of the continuing effort to create awareness, the Group has set up ABCMS corners at each operating company. The Group also organised poster competition and 2 briefing sessions by MACC officers at Prai and Klang for its employees to enhance their awareness.

Communication of ABC Policy to Business Associates

The Group communicates its ABC Policy to business associates including contractors by email. In addition, suppliers are also provided with the Suppliers’ Code of Conduct and Ethics. We have been actively following up with the business associates for their acknowledgement. For FY 2023, the cumulative business associates’ responses for the Group are as below: 


Due Diligence

The Group conducts due diligence for potential vendors and employees prior to further engagement.

Data Privacy and Security

Processing of personal data is essential in operating a business. The Group understands the concerns of stakeholders on the collection, use and storage of their personal data. The Group also recognises that with the increasing use of digital technology, the importance of data privacy and security cannot be understated. Therefore, the Group manages personal data in accordance to the Hong Leong Group Privacy Notice.

Cyber security is important to protect the data and information of the company, business associates and stakeholders. Cyber threats can originate anywhere, either from the inside or outside of the Group. One single security breach aimed at disrupting normal business operations can lead to a disaster which has strong financial impact to the Group and also loss of the trust of our customers.

We have completed the review and update of our policies and procedures with reference to ISO/IEC 27001 Standard. The objective of our cyber security fort is to be better prepared to defend against cyber-crime effectively in order to protect our critical systems and sensitive information from digital attacks.

AreaThe Group's Efforts
Policy and procedure

Adhered to:        

  • 13 policies pertaining to information security, and         
  • 12 policies which were developed based on COBIT 5 framework.
End users' education and training

Built security awareness across the Group to strengthen understanding on cyber security, with the following actions:         

  • Guided end users on how to identify potential threats and respond appropriately via email.         
  • Performed phishing drills and testing regularly.         
  • Conducted cyber security briefing as part of new employees' onboarding program.         
  • 89% of the employees in the Group have undergone Cyber Security Awareness training.
Data leakage prevention

Customer Data Security:         

  • Maintained data in Enterprise Resource Planning ("ERP") system.      
  • Practiced authorization control to access data.
Threat intelligence

Strengthen the sensitivity of employees on phishing email through awareness campaign.       

End point security:         

  • Installed Endpoint Prevention, Detection and Response ("EPDR") for each personal computer ("PC") and servers.         
  • Prohibited the use of illegal software through frequent checking.       

Application security:         

  • Password aging control.         
  • Built security into applications with considerations on data handling, user authentication, and etc.         
  • Reviewed users' authorization.

The Group has established a channel at our website for the stakeholders to raise complaints pertaining to breaches of customer data privacy since May 2023. So far, the Group registered zero substantiated complaint of such nature from our customers.