C A M B R I D G E I N D U S T R I A L T R U S T
A N N U A L R E P O R T 2 0 1 5
/ 8 6
for quarter-on-quarter and year-to-date performance. In
assessing business risks, the Board takes into account
the economic environment and risks associated with the
property industry.
The Board also reviews the risks to the assets of CIT,
examines the management of liabilities, and will act upon
any comments from internal and external auditors of CIT.
Given the importance of compliance and risk management,
the ARCC has been tasked to oversee this aspect of
the Manager and CIT’s operations. The ARCC reviews
and assesses the adequacy of the Manager’s financial,
operational, compliance, information technology controls,
risk management policies and systems established by the
Management. The ARCC also oversees the establishment
and operation of the risk management system, including
reviewing the adequacy of risk management practices
for material risks, such as commercial and legal, financial
and economical, operational and technology risks, on a
regular basis; and reviews major policies for effective risk
management.
RISK MANAGEMENT AND INTERNAL CONTROLS
Risk Management and Internal Controls
Principle 11:
The Board is responsible for the governance of
risk. The Board should ensure that Management maintains
a sound system of risk management and internal controls
to safeguard unitholders’ interests and the company’s
assets, and should determine the nature and extent of
the significant risks which the Board is willing to take in
achieving its strategic objectives.
The Manager has put in place a system of internal controls
to safeguard CIT’s assets, Unitholders’ interests and to
manage risk in general. The Manager’s approach to risk
management and internal control and the management
of key business risks is set out in the “Risk Management”
section on pages 20 to 23 of the Annual Report.
CIT’s and the Manager’s ERM framework have been
implemented to further enhance risk management
capabilities. Key risks, control measures and management
actions are continually identified, reviewed and monitored
as part of the ERM process. The monitoring of the risks
identified is via a “traffic light alert system”. The risk
appetite threshold of each risk is based on the colours of
a traffic light – Red, Amber and Green. Green is within
the acceptable risk appetite, Amber signals increasing risk
which needs to be monitored and reduced as necessary
CORPORATE GOVERNANCE
and Red means it is outside the risk appetite that both CIT
and the Manager is willing to undertake and thus measures
and steps need to be put in place to reduce the risk level
to within the acceptable range. The ERM Risk Appetite
Statement is monitored on a quarterly basis to ensure
that all risks are appropriately managed. The Statement is
reviewed and tabled to both the ARCC and the Board on a
quarterly basis for their notation. The metrics adopted for
each measure will be reviewed at least annually or more
frequently if the business environment warrants.
In addition, a Risk Matrix is produced covering CIT’s and
the Manager’s relevant material operational risks by sub-
category (Commercial & Legal; Economical/Financial;
Operational; and Technology), the likelihood of the risk
occurring, the consequence should it occur and the
controls put in place to mitigate or manage these risks.
Risks are analysed by combining estimates of likelihood and
consequences, adequacy of existing controls/treatments
or actions to determine whether a level of risk is to be
accepted, or requires specific management responsibility
or escalation to the ARCC. Identified risks are reviewed
quarterly or whenever the business environment changes
substantially to ensure that changes in circumstances have
not altered risk priorities. Identified controls/treatments
or actions are reviewed quarterly to ensure that changes
in circumstances have not affected their adequacy and
effectiveness.
During the year, PricewaterhouseCoopers LLP (the
Manager’s Internal Auditors) conducted a risk workshop
for the ARCC and the Manager’s management team to
collectively refresh the enterprise-wide risks and to align
and quantify the key risks across CIT and the Manager. The
workshop forms part of CIT’s continuous risk assessment
process and the output is used as input for ongoing
management and monitoring of risks across CIT.
In addition to the Risk Matrix, reports on the internal
controls are also provided to the ARCC on a periodic basis
to assess the adequacy of the existing internal controls and
risk framework.
The ARCC, through the assistance of internal and external
auditors, reviews and reports to theBoardon theeffectiveness
and adequacy of CIT’s risk management and internal control
system, including financial, operational, compliance and
information technology controls, taking into consideration
the reports and assurance provided by Management,
recommendations of both internal and external auditors
and the timely and proper implementation of all required
corrective, preventive or improvement measures.
