Stronger risk rules, stronger ESG

How SORMIC 2025 puts Malaysia ahead in ASEAN

By Zarina Zakaria

Malaysia’s SORMIC Guide 2025 — the refreshed Statement on Risk Management and Internal Control — tightens and modernises what boards must disclose about risk governance and the architecture of internal controls, aligning the long-standing SORMIC framework with COSO/ISO principles and contemporary governance expectations. 

The Guide emphasises clear articulation of risk appetite and tolerance, the cascade of key risk indicators (KRIs) into strategy, and the need for measurable monitoring and reporting lines so that the SORMIC is more than a boilerplate reassurance: it must explain how the board oversees risk, what management does to mitigate it, and which controls are monitored and tested.


Practically, this raises the bar on the board’s role from passive approver to active risk steward: directors must demonstrate that they set tone-at-the-top, approve risk appetite, receive regular, decision-useful risk reporting, and confirm remediation of high-impact gaps — responsibilities that make risk oversight a core board KPI rather than an occasional agenda item.

At the same time, the Guide reinforces the Audit Committee and Internal Audit Function (IAF) as central pillars: internal audit is expected to provide independent assurance over the adequacy of risk management and the effectiveness of key controls, report functionally to the Audit Committee, and work with management to close control weaknesses while retaining objectivity. This strengthens the IAF’s mandate to cover emerging risks (including cyber, climate and supply chain) and to link audit results to board escalation processes.

The timing of SORMIC 2025 is significant, given Malaysia’s recent roll-out of the National ESG Strategic Plan (NESP) and the industry-focused i-ESG Framework, both designed to prepare companies—particularly SMEs—for phased ESG compliance. In this sense, SORMIC complements national efforts by ensuring that listed firms not only disclose ESG metrics but also have the internal processes to assess, monitor, and act on them.

The alignment is equally important for the growing suite of sustainability disclosure rules, from Bursa Malaysia’s enhanced reporting guide to the upcoming National Sustainability Reporting Framework (NSRF), all of which demand greater reliability in non-financial data. Without robust internal controls, sustainability reports risk descending into greenwashing; with SORMIC, disclosures can be grounded in credible governance and subject to meaningful assurance.

As such, the sharpening of governance mechanics has direct implications for firms’ ESG practices. For listed companies, a SORMIC that explicitly requires integration of ESG-related risks — climate transition, physical climate, human-capital and supply-chain risks — into the enterprise risk framework encourages boards to treat ESG metrics as real operational and financial risks rather than solely reputational checklists; that, in turn, drives better data governance, more robust assurance of ESG disclosures, and stronger alignment between ESG targets and incentive structures.

For SMEs, although SORMIC is primarily targeted at listed issuers, the Guide’s principles (risk appetite, controls, monitoring, assurance) create a practical blueprint SMEs can scale: adopting proportionate internal controls and periodic independent assurance improves resilience, access to green finance, and supplier credibility in regional value chains. Together, wider adoption nudges the market from fragmented ESG narratives toward risk-tested, evidence-backed practices that investors and financiers can rely on.

Finally, by embedding risk-based, auditable ESG oversight into corporate reporting and board accountabilities, SORMIC 2025 helps Malaysia raise its Sustainable Corporate Governance (SCG) credentials within ASEAN — strengthening comparability with peers measured by the ASEAN Corporate Governance Scorecard and other regional benchmarks. 

Better SORMIC disclosures and stronger internal audit assurance should lift investor confidence, reduce information asymmetry, and improve cross-border capital flows into Malaysian issuers; at the national level, consistent implementation will support Malaysia’s standing in ASEAN governance rankings and help domestic firms compete on transparency and sustainability when vying for regional supply-chain roles. 

In short, SORMIC 2025 is not merely a reporting tweak: it repositions boards and internal audit as frontline enablers of credible ESG transition, with ripple effects for corporate resilience and Malaysia’s competitiveness in the ASEAN market.



Dr. Zarina Zakaria is an Associate Professor at the Department of Accounting, Faculty of Business and Economics
