The Operational Aspects (production technology, processes and systems)

Before mergers and acquisitions between SP Setia Bhd and I&P Group Berhad, they
have their own operational aspects such as in production technology, processes and systems.

SP Setia Bhd had reviewed their IT Security Action Plan to strengthen the
information technology security and controls within the Group. In SP Setia Bhd, their
practice of a strong internal control is guided by the model of “Three Lines of Defence”.

Table 1: Three Lines of Defence

Adopted from “SP Setia Bhd Annual Report” (2017)

For the first line of defence, it provides by senior management. The Heads of
Business Units are accountable for all of the risks and internal controls that assumed under
their respective areas of the responsibility. The senior management responsible for creating a
risk-awareness culture, which will ensure the greater understanding of the importance of risk
management and internal control whilst as ensuring its principles are embedded in key
operational processes and in all project evaluation and monitoring. For the Group’s internal
control systems, they do not apply top Association Companies and Jointly-Controlled Entities
where the Group does not have the full management control over them. However, for the
Group’s interest it is served through the representation on the Boards of the respective
Associate Companies and Jointly-Controlled Entities.
 Next, for the second line of defence, it is provided by the Group Risk Management
(“GRM”) and Group Quality Assurance (“GQM”). For the Group Risk Management (GRM)
it’s function is responsible in facilitating and monitoring the enterprise risk management
processes and internal control activities in the Group, while for Group Quality Assurance
(GQM) function is ensuring effective implementation and compliance to the Group’s policies
and procedures.

Lastly, for the third line of defence, it is provided by the Group Internal Audit
(“GIA”). The Group Internal Audit (GIA) providing independent assurance on the adequacy
and reliability of the risk management processes and systems of internal controls. GIA also
responsible to ensures compliance to risk-related regulatory requirements.

Competitive Challenges
Before mergers and acquisitions between SP Setia Bhd and I&P Group Berhad, they
had some competitive challenges occurs for both companies.

SP Setia Bhd sees challenges in Malaysia and London markets. This can be seen
when SP Setia downgrade to hold call with a lower target price of RM3.40, where the
management has revised down the financial year ending on 31st December, 2016 sales target
to RM3.5 billion unbilled from RM4 billion previously. This has given the tough operating
environment towards the key markets in Malaysia and London. This indicates that to be SP
Setia Bhd’s lowest sales since 2012. The sales of the Battersea Power Station project in
London, which contributes 49% of its RM8.2 billion unbilled sales, it has slowed down
considerably in the aftermath of Brexit. In spite of SP Setia’s diversified with the product
offerings to cater various target markets, the weak sentiment in Malaysia and London
property markets continues to weigh on its new property sales. It believes that slow property
sales are the new norm for going forward that will result in subdued earnings growth
prospects. So, SP Setia’s had downgrade to “hold” in view of the lack catalysts.

Besides, SP Setia Bhd

The Information Systems (ICT system and IPR)

 SP Setia Bhd has a leverage on information technology for effective dissemination of
information. This shows that the Group maintains a website which serves as a forum for the
general public to access information on the latest developments. In the Group’s website, it
has corporate presentations, annual reports, corporate announcements and financial
information utilized during analyst and also fund manager briefings.

In SP Setia Bhd, the Group Information & Technology’s (“GICT”) core role is to
plan, design, support and improve IT services in order to enable business users of the Group
to carry out their roles efficiently, productively and securely. This including educating and
facilitating business users to embrace relevant technology, either new or enhancing of
existing ICT systems to increase their business performance and market share.

For ICT Policy and Compliance, Setia GICT Policy had adheres to the Setia Group
policy and adopts the Setia GICT strategy, approach and digital maturity roadmap. The
internal ICT audit and system is reviewed yearly to ensure the compliance against Setia
Group policies and standard operating procedures (SOPs). In addition, Setia GICT also
appoints an external ICT auditor every two years, which is the last audit was performed in
2017.

Next, ICT Disaster Recovery Plan. The ICT Disaster Recovery Plan testing was
conducted as part of the Gorup Business Continuity Plan (“BCP”) which is takes place yearly
to ensure workability and compliance to the Group BCP policy.

Besides, for the IPR which is Intellectual Property Rights, it indicates that website sp
setia belongs to SP Setia Bhd. All the copyright to the contents of this website is owned by or
licensed to SP Setia Bhd. The website functions are for personal use, quick reference,
illustration and information purposes only and may not be not to be copied, redistributed or
published in any manner without the written permission of SP Setia Bhd. In addition, the
trademarks, logos, characters and service marks which is collectively “Trademarks” that
displayed on this website also belongs to SP Setia Bhd. All contained on this website also
should be constructed as granting any license or rights to use any Trademark that displayed
on this website. It is strictly prohibited any use or misuse of the Trademarks that displayed on
the website except that provided in the Terms and Conditions. In addition, SP Setia Bhd
reserves the rights to bring any action arising from the improper or unauthorized use of the
website, includes any action for infringement of its trademarks and other intellectual property
rights.

4. Policies, Guidelines and Procedures

Written Policies, Guidelines & Standard Operating Procedures

Policies and Standard operating procedures are established, reviewed and updated to reflect
changing business environments and maintain operational efficiencies. Compliance to such
policies and procedures are reported by GIA to the AC.

Discretionary Authority Limits (“DAL”)

The DAL has been established as part of Setia’s effort in ensuring an optimal balance between
strong corporate governance practices and operational efficiency. It is a written delegation of
authority by the Board to the respective Board Committees and Management within the Setia
Group. Its key objectives are to provide a holistic view of the authority limits set, to encourage
delegation, empowerment and accountability, and to eliminate guesswork, confusion hence
providing clarity.

The DAL document is subject to periodical review to incorporate any changes that affect the
authority limits.

5. Financial Performance Monitoring

Group Finance covers planning, monitoring, reviewing and reporting of Group financial
performance via periodic reviews of actual performance versus targets and ensures initiatives
and mitigating action are taken.

The review and deliberation of financial performance of the Group are conducted on a monthly
basis during the GAC meeting.

i. Cybersecurity & Awareness.

Cybersecurity. As part of prevention activity, Setia conducted an overall assessment, i.e.
penetration test, on the ICT systems (hardware and software) and from the results with
recommendations, measures have taken place to proactively monitor, prevent, contain
and recover from vulnerabilities.

Awareness. Awareness on methods of cybercrime was conducted for all Setia business
users through education and announcement, including social engineering test to make
business users cautious on the scams method.