The Board has the overall responsibility for maintaining sound and effective risk management and internal control systems and for reviewing their effectiveness. The objectives of the risk management and internal control of the Group are: to rationally establish a comprehensive risk management system in a scientific manner and to apply the concepts, philosophies, procedures, methods and tools of risk management throughout the establishment and implementation of strategies for effectively managing the risks while reasonably ensuring the realization of the Group’s strategic objectives and operation objectives and propelling the sustainable development of the enterprise. Such risk management and internal control systems are designed for managing risks rather than eliminating the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.
74 China Mengniu Dairy Company Limited 中國蒙牛乳業有限公司
CORPORATE GOVERNANCE REPORT
企業管治報告本集團已建立起全面風險管理和內部監控體系,
形成科學有效的職責分工體系,建立風險管理三 道防線,即各業務單位為第一道防線;風險與內 控管理委員會(以下簡稱「風控委員會」)、風險管 理部門、各職能監督部門為第二道防線;內部審 計和紀檢監察部門為第三道防線。
風險管理
本集團已建立由風控委員會、風險管理部門、各 業務單元風險管理專員組成的風險管理架構,
並明確風險管理各單位的職責;通過遵守COSO (Committee of Sponsoring Organisations of the Treadway Commission)風險管理框架、引進外部 諮詢機構進行風險管理指導和培訓、倡導風險管 理文化等方式,逐步提高風險管理人員的專業素 質。
本集團已建立了全面風險管理框架,基本建立了 風險管理基礎規範,採取風險識別、風險評估、
風險應對、風險監控、風險報告的流程循環管理 方法開展風險管理工作,審核委員會、管理層風 險管理委員會、本集團風險管理部可據此進行監 督與落地實施;本集團風險管理部遵循「樹立風險 管理理念、落實風險管理政策」的原則,每年度組 織各業務及職能單位全面識別和評估集團戰略、
市場、財務、營運、法律與合規、質量與食品安 全、可持續發展等七個領域的風險,根據風險分 類分級管理的原則,聚焦集團層面、業務系統層 面、業務中心層面的重要風險進行重點管控,採 取風險識別、風險評估、風險應對、風險監控、
風險報告的流程循環管理方法,制訂適當的風險 應對策略,有效降低和規避重要風險對本集團戰 略目標、經營目標、可持續發展的不利影響。
The Group has set up a comprehensive risk management and internal control system, forming a scientific and effective system for segregation of duties and three lines of defense in risk management, with the first line being each of the business units;
the second line being the Risk and Internal Control Management Committee (hereinafter referred to as “Risk Control Committee”), risk management department and each of the function supervision departments while the third line being the internal audit and disciplinary review function.
Risk Management
The Group has set up a risk management framework comprising Risk Control Committee, the risk management department and the risk management commissioners of each business unit, and has clearly outlined the responsibilities of each risk management unit. The Group, through complying with the risk management framework under COSO (Committee of Sponsoring Organisations of the Treadway Commission) and by ways of introducing external consultation bodies for providing guidance and training on risk management and advocating the culture of risk management, etc., has gradually enhanced the professional standard of the risk management staff.
The Group has established a comprehensive framework for risk management, with a fundamental standard of risk management basically formulated, adopting a rotational management method of risk identification, risk evaluation, risk responses, risk control and risk reporting to commence the work on risk management, where the Audit Committee, the risk management committee of the management and the risk management department of the Group are responsible for the supervision and implementation of such measures. The risk management department of the Group follows the principle of “building the concepts of risk management and implementing the risk management policies” and through annual full-scale identification and evaluation by each of the business and function units on the risks in seven aspects, namely, the Group’s strategies, market, finance, operation, law and compliance, quality and food safety as well as sustainable development, it focuses on the control over the significant risks at the Group level, the business system level and the business operation level. Based on the principle of managing risks in different categories and ranks, it adopts a rotational management method in the process of risk identification, risk evaluation, risk responses, risk control and risk reporting. Based on such an initiative, it has formulated appropriate risk response strategies to effectively reduce and avoid the adverse impact brought by such significant risks to the Group’s strategic objectives, operation objectives and sustainable development.
Annual Report 2017 二零一七年年報 75
CORPORATE GOVERNANCE REPORT
企業管治報告二零一七年,本集團採取分層分級的管理原則,
針對不同層級的重要風險均落實到責任部門與責 任人,制訂適當的風險應對策略和措施,集團風 險管理部及各業務單元風險管理專員對風險應對 過程和結果進行跟進監督,旨在發現剩餘風險,
促進第一道防線補充完善風險應對措施,以應對 影響企業戰略和經營目標實現的重大不利因素。
風控委員會由本集團總裁擔任主席,由分管風控 與審計業務的集團黨委書記擔任常務副主席,委 員由主要業務管理系統第一負責人組成,風控委 員會設立專門的風險管理部門進行日常管理,風 險管理部門定期向風控委員會報告風險管理工 作。同時,風控委員會和風險管理部門至少每年2 次向審核委員會報告風險管理工作,接受審核委 員會的工作評審和監督。
內部監控
董事會有責任維持穩健而有效的內部監控機制,
以保護本集團的資產及股東的權益,並定期檢討 有關機制是否有效。本集團的高級管理層定期舉 行會議,積極評估及檢討本集團面對的重大風 險,旨在強化本集團的風險管理文化,盡量減低 主要風險對本集團業務及盈利所帶來的影響,並 會定期向董事會彙報情況。本集團也適時聘用外 部顧問,以檢討本集團的內部監控、工作制度和 流程,以及管理體系等方面,並提供優化系統的 建議。
In 2017, the Group adopted a management principle of different levels and ranks, with significant risks against different levels and ranks assigned to the responsible departments and personnel for the formulation of appropriate strategies and measures on risk responses. The risk management department of the Group and the risk management commissioner of each of the business units performed follow-up supervision on the process and results of the risk responses, with an aim to recognise any outstanding risks and enhance the first line of defense with a supplement to perfect the measures on risk responses in order to deal with the material adverse factors which affect the realisation of the corporate’s strategic and operation objectives.
The chief executive officer of the Group and the Party secretary of the Group who is in charge of risk control and auditing business serve as the chairman and the executive deputy chairman of the Risk Control Committee respectively while the committee members comprise the head of the major business management systems. The Risk Control Committee has set up a specialized risk management department which will be responsible for day-to-day management and the risk management department will report to the Risk Control Committee regularly on their works in risk management. Meanwhile, the Risk Control Committee and the risk management department will report at least twice a year to the Audit Committee on their works in risk management and the Audit Committee will evaluate and supervise the work of the Risk Control Committee.
Internal Control
The Board is responsible for maintaining an established and effective internal control system, to safeguard the assets of the Group and the interest of shareholders, and for reviewing its effectiveness regularly. Aiming at strengthening the risk management culture of the Group and minimizing the impacts of the major risks on the business and earnings of the Group, the senior management of the Group meets to actively evaluate and review the significant risks to which the Group is exposed to and reports to the Board on a regular basis. The Group also appoints external consultants, when considered appropriate, to review the Group’s internal control, working systems and workflows, as well as the management systems, and to make suggestions on system enhancement.
76 China Mengniu Dairy Company Limited 中國蒙牛乳業有限公司
CORPORATE GOVERNANCE REPORT
企業管治報告董 事 會 已 審 閱 本 集 團 截 至 二 零 一 七 年 十 二 月 三十一日止年度的風險管理及內部監控系統並認 為其有效而足夠。
本集團已設立一系列就業務、生產、財務、法律 及行政等方面的書面工作制度,以及對員工的表 現實施嚴格考核制度及為員工提供培訓,以確保 本集團面對的重大風險得以控制:
- 監控環境-本集團有清晰的組織架構,授權 各管理層經營不同業務職能的權力,惟該權 力乃受限於總部高級管理層或執行董事的限 制。高級管理層定期討論及批核個別業務單 位所編製的業務策略、計劃及預算,而本集 團的表現將定期向董事會報告。
- 風險評估-本集團根據業務最相關的風險發 生的可能性及該等風險對本集團的財務及信 譽所造成的影響進行識別、評估及評級。
- 監控活動-為各業務功能設定政策及程序,
當中包括批文、認可、核證、建議、表現檢 討、資產擔保及職責劃分。
- 信息及溝通-本集團的工作制度以書面形式 列明所有業務單位的運作程序,以及重大決 策的授權及批准程序。
- 監察-本集團採用監控及風險自我評估方 法,透過本集團總部及各業務單位定期進行 的考核及向員工傳遞主要監控程序,以持續 評估及管理其業務風險。
The Board has reviewed the risk management and internal control systems of the Group for the year ended 31 December 2017 and considered them to be effective and adequate.
Apart from strict implementation of a performance assessment system and training programs for its staff, the Group has in place a series of written working systems in respect of business, production, finance, legal compliance and administration aspects, to ensure the significant risks, to which the Group is exposed, are contained:
– Control environment – The Group has established defined organizational structures. Authority to operate various business functions is delegated to respective management within limits set by senior management of the headquarters or the executive Directors. The senior management meets on a regular basis to discuss and approve business strategies, plans and budgets prepared by individual business units.
The performance of the Group is reported to the Board on a regular basis.
– Risk assessment – The Group identifies, assesses and ranks the risks that are most relevant to the Group’s business according to their likelihood, and their financial consequence and reputational impact on the Group.
– Control activities – Policies and procedures are set for each business function, in which approvals, authorization, verification, recommendations, performance reviews, asset security and segregation of duties are included.
– Information and communication – The Group’s working systems document operational procedures of all business units, as well as authorization and approval procedures for significant decision making.
– Monitoring – The Group adopts a control and risk self-assessment methodology, continuously assessing and managing its business risks by way of assessment by the headquarters of the Group and each business unit on a regular basis, and communication of key control procedures to employees.
Annual Report 2017 二零一七年年報 77
CORPORATE GOVERNANCE REPORT
企業管治報告內部審計
本集團已設立具有獨立性的內部審計部門,直接 向本集團分管風控與審計的集團黨委書記和審核 委員會彙報,內審部門遵循「聚焦重要風險、催化 管理改善、增加企業價值」的管理思想,保持客觀 性、獨立性原則,遵循「客觀、誠信、勝任、保 密」的標準,持續提高內部審計質量,採用科學系 統方法評估本集團在公司治理、風險管理和控制 方面的有效性並促進其持續改善,為企業增加價 值,合理保證企業戰略和經營目標的實現。
二零一七年,內部審計部門已完成經營管理層和 審核委員會批准的年度審計工作計畫和管理層的 審計需求,各項內審工作有效性及成果均經過審 核委員會的監督和審核。內部審計部門在風險評 估和管理層需求的基礎上,對企業重要的風險領 域進行了內部控制審計和專項審計,並著重於審 計發現的跟踪整改,促進了重要經營風險的有效 應對和管理的改善。同時,2017年建立了內部審 計實務指南、CSA (Control Self Assessment)標 準,完善了內部控制體系,強化業務單位的內控 意識和提升其自我管理的能力。
內部審計部門每年參加至少兩次審核委員會會議 並彙報內審工作,對重大審計發現可不受限制地 向審核委員會直接彙報。內部審計部門的年度管 理費用預算、人員配備及勝任能力等資源保證得 到審核委員會的關注和支持,確保內部審計部門 擁有充足審計資源以有效完成年度工作目標和履 行職責。
Internal Audit
The Group has set up an independent internal audit department which will directly report to the Party secretary of the Group who is in charge of risk control and auditing business and the Audit Committee. In addition to maintaining objectivity and independency, the internal audit department also adheres to the management philosophy of “focusing on significant risks, prompting the improvement in management and increasing the value of the enterprise”, and the standard of “objectivity, integrity, capability and confidentiality”, with a view to constantly raising the quality of internal audit, adopting scientific and systematic ways to evaluate the effectiveness of the Group in corporate governance, risk management and control, procuring consistent improvement thereon, enhancing the value of the enterprise and reasonably ensuring the realization of corporate strategies and operation objectives.
In 2017, the internal audit department has completed the formulation of annual audit plan and the layout of audit requirements of the management approved by the management and the Audit Committee. The Audit Committee has also monitored and reviewed the effectiveness and result of the work of internal audit. Based on the risk assessment and the needs of the management, the internal audit department conducted internal audit and project audit in the risks areas that were significant to the Company and attached great importance to the follow-up and rectification in relation to the audit findings, which promoted the effective coping of significant operational risks and the improvement in management. Meanwhile, a practical guide on internal audit and CSA (Control Self Assessment) standard has been formulated in 2017 to improve the internal control system, enhances the awareness of internal control of business units and their self-management capability.
The internal audit department attends the Audit Committee meeting and reports the works on internal audit at least twice a year. Significant audit findings can be directly and freely reported to the Audit Committee. Resources such as the annual budget on management fee, staffing of the internal audit department and competence are guaranteed to be taken into consideration by the Audit Committee and necessary support will be provided. This is to ensure that sufficient audit resources are allocated to the internal audit department for effective fulfilment of annual work objectives and responsibilities.