Navigating the Future of Governance: A Deep Dive into Malaysia’s SORMIC Guide 2025

Introduction

The launch of the SORMIC Guide 2025—the updated “Statement on Risk Management and Internal Control for directors of listed companies”—by YAB Dato’ Seri Anwar Ibrahim, Prime Minister of Malaysia, at the ACIIA Conference in Kuala Lumpur on 9 September 2025, marks a bold evolution in Malaysia’s corporate governance landscape.

A landmark for Malaysian corporate governance, the SORMIC Guide 2025 moves from a basic compliance checklist to a strategic blueprint for resilient organisations. It urges companies to embed risk governance in their corporate strategy and objectives. By aligning with the MCCG, the NSRF, Bursa’s Listing Requirements (LR) and global standards (COSO, ISO, ESG, TCFD, TNFD, etc.), it reinforces Malaysia’s international competitiveness. The guide stands out by integrating global best practices with Malaysia’s unique regulatory landscape.

How SORMIC Expects Organisations to Operate Today

The SORMIC Guide 2025 expects organisations to establish an effective risk management and internal control framework aligned with the COSO and ISO standards. This includes defining and cascading risk appetite and tolerances, and monitoring the related KRIs and metrics. The guide’s purpose is to facilitate the preparation of the SORMIC as a mandatory disclosure, giving stakeholders insight into the company’s risk management. Key requirements include: Board oversight with periodic reporting; independent internal audit; ongoing evaluation of control effectiveness; business continuity planning; and the identification of emerging risks such as ESG, AI and cyber. The guide is organised around four main sections, as follows:

1. A New Regulatory Compass: Aligning with Global & Local Standards

The guide makes it clear that risk management and internal control are no longer siloed functions; they are the bedrock of effective governance. It meticulously aligns with prevailing requirements, creating a cohesive, integrated GRC ecosystem.

  • Explicit Regulatory Linkage: The guide is directly tied to Bursa’s Listing Requirements, specifically Paragraph 15.26(b).
  • Adopting a Common Language: It defines governance, risk management, and internal control through the lens of the Malaysian Code on Corporate Governance (MCCG).
  • Global Best Practices: For the first time, the guide explicitly aligns with international standards from COSO, ISO, and The Institute of Internal Auditors (IIA), elevating Malaysian governance to a global standard.

Recommendation:

The SAI360 GRC platform provides the necessary tools for SORMIC compliance, including risk appetite governance, continuous monitoring, and structured reporting for board oversight and disclosures. It is compliant with ISO 31000, and its internal control module is built on the COSO framework. This ensures your practices are aligned with the SORMIC Guide’s requirements.

2. The Blueprint for Resilience

The SORMIC Guide 2025 provides a detailed map for building a resilient system. It champions the adoption of established frameworks: ISO 31000 for risk management, integrated with the COSO Internal Control Framework, with a significant new emphasis on addressing new opportunities; and a spotlight on ESG, climate-related risks, and technological disruptions such as AI. The guide also adopts The IIA’s Three Lines Model, which provides clear accountability:

  • The Board provides oversight and approves risk appetite.
  • Management (first and second lines) enables, owns and manages risk to achieve objectives.
  • Internal Audit (third line) provides independent assurance on the effectiveness of GRC processes.
  • External assurance providers: an addition to the three lines, offering further assurance that complements internal assurance and meets legal expectations.

Recommendation:

SAI360’s integrated platform provides modules for Risk Management, Internal Control, Internal Audit, Business Continuity, and IT Risk. It supports forward-looking oversight of emerging threats through its scenario analysis and modelling capabilities, and its configurable roles align with the Three Lines Model and the additional assurance roles the guide describes.

3. From Policy to Practice: Activating Risk Appetite & Ensuring Effectiveness

The guide emphasizes turning principles into action through dynamic risk appetite setting and robust evaluation. 

Risk appetite is defined as the level of risk an organization is willing to accept to achieve its objectives. The Board is now expected to provide clear evidence of how it defined and monitored this appetite.

System effectiveness: assurance over the system is non-negotiable, with both ongoing and annual assessments mandated. A crucial new element is the requirement for the Board to assess the credibility and sufficiency of the assurances provided by the CEO and CFO.

Recommendation:

SAI360 allows you to capture Board-approved risk appetite with customizable thresholds, automatically flagging breaches. Its automated reporting provides dashboards for the Board and Risk Committee, showing risk trends, appetite breaches, and remediation status. The platform’s automated control assessments provide a necessary evidence trail.

4. Communicating with Confidence: Drafting a Meaningful SORMIC

The guide requires a statement that is both comprehensive and transparent. It must cover the main features of the risk management and internal control system, the processes used to identify, evaluate and manage significant risks, and how the Board reviewed the system’s effectiveness and any shortfalls. It also requires written confirmation that the Board has received adequate assurance from the CEO and CFO.

Recommendation:

SAI360 serves as a centralized repository for policies, test evidence, and meeting minutes, ensuring all necessary information is readily available to justify disclosures and demonstrate remediation. Its configurable dashboards align with SORMIC metrics, making it easier to provide evidence for disclosures.

The Way Forward: A Call to Action

The SORMIC Guide 2025 is a call for Malaysian companies to elevate their governance. It is a strategic opportunity to build a sustainable and resilient business that can thrive in an uncertain future.

We recommend the following steps:

  1. Read the Guide: Download the full SORMIC Guide 2025 and familiarise yourself with its contents.
  2. Engage Your Board: Use the diagnostic questions in the appendices to benchmark your current framework.
  3. Conduct a Gap Analysis: Identify areas where your current systems need enhancement, particularly for ESG and emerging risks.

For businesses seeking a comprehensive solution to help manage these requirements, a platform like SAI360 is purpose-built to help Malaysian businesses embrace this new paradigm.

Mapping SAI360 Modules to SORMIC Requirements

| SORMIC Requirement | SAI360 Module | How SAI360 Supports Compliance | Evidence to Capture for SORMIC |
|---|---|---|---|
| Enterprise-wide risk identification, assessment & monitoring | Risk Management | Centralised risk register; taxonomy mapping; likelihood/impact scoring; residual risk tracking; appetite thresholds | Risk register export (owners, review dates, ratings); dashboard showing risks vs appetite; trend charts |
| Risk appetite & tolerance setting, Board oversight | Risk Management | Configurable risk appetite thresholds; automatic breach alerts; KRI engine for early warning | Appetite configuration log; KRI definitions & breaches report; Board dashboards with residual risk vs appetite |
| Scenario analysis & emerging risks | Risk Management + AI Horizon Scanning | AI-driven scenario analysis; stress testing; horizon scanning to detect AI/ESG/cyber risks | Scenario modelling report; horizon scanning outputs; Board minutes referencing scenario reviews |
| Internal control environment & monitoring | Internal Control | Control library mapped to risks & objectives; automated testing; deficiency tracking; remediation workflows | Control matrix; test results & evidence attachments; deficiency resolution report (closure rates, timeliness) |
| Policy management & compliance monitoring | Internal Control | Centralised repository for policies; versioning; attestations; linkage to risks/controls | Policy repository export; attestation logs; compliance training records |
| Independent internal audit assurance | Internal Audit | Audit plan & resourcing; workpaper management; issue linkage to controls; AC reporting | Audit plan approval log; internal audit reports; workpapers; independence/conflict logs |
| Annual & ongoing evaluation of controls | Internal Control + Internal Audit | Scheduled control testing; internal audit follow-ups; deficiency remediation tracking | Year-end control testing results; remediation closure report; audit finding tracker |
| CEO/CFO assurance to Board | Risk Management + Dashboards | Executive dashboards with integrated risks, appetite breaches, remediation status | Quarterly dashboard screenshots; management sign-off records; Board pack annexes |
| Board & Audit Committee oversight | Reporting & Dashboards | Automated Board / AC packs; consolidated view of risk, controls, audit, incidents | Pack extracts; dashboard exports; minutes referencing SAI360 evidence |
| Business Continuity Planning & testing | BCM | BC plans repository; RTO/RPO fields; test & exercise scheduling; incident linkage | BCM plan templates; test schedules & post-test reports; evidence of exercises |
| IT & cyber risk oversight | IT Risk Management | IT asset & control mapping; vulnerability & incident feeds; vendor risk module | IT risk dashboard; KRI metrics (patching, incidents); vendor risk register |
| Regulatory change management | Internal Control + AI Horizon Scanning | Continuous monitoring of external changes; centralised repository for updated obligations; automated alerts | Regulatory change log; updated policy versions; horizon scanning report showing new regulations |
| Emerging risk awareness (AI, ESG, cyber, climate) | AI Horizon Scanning | AI-driven external risk signal capture; automatic risk register updates; alerts & scenario analysis | Horizon scanning outputs; alerts log; Board minutes showing discussion of new risks |

Find Out How SAI360 GRC Solution Can Support You Through This Transformation and Beyond