GRC (Governance Risk and Compliance) Analysis of Communication Industry in Malaysia
- Mohd Soffi Puteh
- Halil Paino
- Made Dudy Satyawan
- 5422-5433
- Jun 19, 2025
- Communication
Mohd Soffi Puteh1, Halil Paino2* and Made Dudy Satyawan3
1Faculty of Accountancy, Universiti Teknologi MARA Kampus Tapah, Perak
2Faculty of Accountancy, Universiti Teknologi MARA Puncak Alam Campus, Selangor Malaysia. halil@uitm.edu.my
3Accounting Department, Faculty of Economics and Business, State University of Surabaya Jalan Ketintang, Surabaya, Indonesia
*Corresponding Author
DOI: https://dx.doi.org/10.47772/IJRISS.2025.905000419
Received: 15 May 2025; Accepted: 19 May 2025; Published: 19 June 2025
ABSTRACT
Governance, Risk, and Compliance (GRC) is a framework organizations use to manage and address risks while ensuring adherence to regulations and industry standards. It is a strategic approach that encompasses governance, risk management, and compliance activities to achieve organizational goals and maintain integrity. In essence, GRC is a holistic approach that helps organizations to manage uncertainty, achieve their goals, and act with integrity. It is essential for building trust with stakeholders, ensuring long-term sustainability, and achieving principled performance. GRC practices are built in view of corporate strategies rather than in isolation. When a company’s business strategies and GRC are well integrated with one another, this reinforces confidence in the organisation in the marketplace and the wider community. This secondary analysis paper looks closely at how GRC principles are applied by the players of the communication industry in Malaysia. Five prominent companies were selected, as they are the earliest and most established communication companies in Malaysia since their incorporation. In forward-thinking organizations in the communication industry, GRC is a well-coordinated and integrated connection of all the capabilities necessary to support Principled Performance at every level of the organization. Additionally, GRC should be viewed as a business investment, not a cost. What also needs to be understood is the relationship between vulnerabilities, threats, and risk. Vulnerabilities are known weaknesses; they expose the business to the threat of potential harm, which leads to the risk of brand and reputational damage when a threat exploits a vulnerability. GRC provides a business view into vulnerabilities and the threats they expose, in order to prevent damage rather than respond to it. The GRC findings are presented using a symbiotic relationship diagram for each of the selected companies, to highlight the interconnection among the GRC details.
Keywords: Governance, Risk and Compliance; Communication Industry
INTRODUCTION
Governance, Risk, and Compliance (GRC) is a strategic approach organizations use to ensure they are meeting objectives, managing risks, and complying with regulations. It involves integrating governance, risk management, and compliance practices to improve decision-making and achieve desired outcomes. Governance refers to the structures, processes, and policies that guide an organization’s strategy, operations, and decision-making. It ensures the organization is aligned with its goals and operates ethically. Risk management involves identifying, assessing, and mitigating potential risks that could impact the organization’s objectives. This includes developing strategies to address risks and ensuring appropriate controls are in place. Compliance refers to adhering to applicable laws, regulations, and industry standards. It involves establishing and maintaining systems to ensure the organization is meeting its regulatory obligations.
Corporate governance plays a pivotal role in ensuring transparency, accountability, and long-term sustainability within public listed companies. This assignment aims to provide an in-depth analysis and critically examine the corporate governance practices of selected companies listed on Bursa Malaysia, focusing on three key pillars: governance, risk management, and compliance. These dimensions are essential indicators of corporate integrity, strategic oversight, regulatory adherence, and long-term value creation.
Governance, Risk and Compliance
Governance, Risk, and Compliance (GRC) has increasingly become a central strategic framework in modern organizational management. As organizations operate in environments marked by regulatory complexity, technological disruption, and reputational scrutiny, the need for an integrated GRC system has become more pressing. The past two decades have seen a growing body of literature exploring each of these components individually and in relation to one another, emphasizing the synergistic benefits of a consolidated GRC framework.
Corporate governance is broadly defined as the system by which companies are directed and controlled. Effective governance ensures that management acts in the best interest of shareholders and broader stakeholders, including employees, regulators, and the public. Tricker (2015) emphasizes that governance frameworks not only address compliance but also help in shaping strategic direction and promoting ethical decision-making.
Over time, governance has evolved beyond structural compliance to include elements of strategic alignment, board diversity, executive compensation, and stakeholder engagement. The OECD’s principles of corporate governance (2015 revision) have reinforced the global relevance of governance, advocating for disclosure, equitable treatment of shareholders, and board responsibilities.
Risk management, meanwhile, encompasses the identification, analysis, and mitigation of threats to an organization’s objectives. Historically viewed as a back-office or compliance-driven function, risk management has undergone a transformation through the promotion of Enterprise Risk Management (ERM) frameworks. The COSO ERM Integrated Framework (2004) further advanced the idea that risk should be embedded into all levels of strategic and operational planning. Beasley et al. (2005) argue that firms with mature ERM systems exhibit better strategic alignment and risk awareness, which can translate into superior financial performance.
Compliance traditionally refers to adherence to applicable laws, regulations, internal policies, and industry standards. The role of compliance has expanded significantly in the wake of global scandals and financial crises, particularly following the Sarbanes-Oxley Act of 2002, the Basel Accords, and GDPR. Compliance is now understood as both a legal necessity and a critical ethical practice that reinforces corporate integrity.
Pfister (2009) notes that internal controls, audit trails, and ethics programs are crucial for compliance management. However, modern organizations are expected to go beyond reactive compliance and embrace a culture of integrity. This includes voluntary commitments to sustainability standards, social responsibility initiatives, and diversity and inclusion benchmarks. As such, the compliance function increasingly intersects with corporate social responsibility and stakeholder expectations.
The integration of governance, risk, and compliance into a cohesive GRC framework is driven by the need to reduce redundancy, enhance information flow, and improve strategic decision-making. According to Racz et al. (2010), integrated GRC systems enable organizations to link objectives with risks and regulatory requirements, thus fostering transparency and accountability.
The literature on governance, risk, and compliance reveals a shift from fragmented, compliance-driven models to integrated, strategic frameworks. Governance establishes the ethical and strategic foundation, risk management ensures resilience and foresight, and compliance secures legal and regulatory alignment. When effectively integrated, GRC enhances transparency, reduces operational inefficiencies, and supports organizational longevity.
RESEARCH METHODOLOGY
This study employed secondary data analysis of the respective companies’ annual reports. The GRC details of each selected company were presented by transforming its published reporting on the elements of governance, risk management and compliance into a single GRC diagram portraying the symbiotic relationship among those details. The diagram was based on the information gathered and follows the symbiotic relationship diagram suggested by South, M. (2018).
For the purpose of this analysis, we have selected five prominent ICT companies in Malaysia: Maxis Berhad, CelcomDigi Berhad, Telekom Malaysia Berhad, RedTone Digital Berhad and Time DotCom Berhad. These companies were chosen due to their market presence, diversity in ownership structures, and accessibility of reporting disclosures. The study is based on an examination of their Corporate Governance Reports, which are extracted from their annual reports over a five-year period (2020–2024). By examining the disclosures and practices reported in the annual reports, this assignment seeks to assess how these companies align with best practices in corporate governance and contribute to sustainable and ethical operations in Malaysia.
Demographic analysis of the selected companies
The companies selected for this secondary-data analysis are involved in the ICT (Information, Communication and Technology) industry. Most of the companies were established during the 1990s, except for Telekom Malaysia Bhd, which was incorporated in 1984 and is said to be the earliest communication company, having evolved from a government agency. In terms of capital scale, the selected companies varied. Telekom Malaysia’s capital scale is substantial, both in terms of its market capitalization and its overall financial standing. In 2023, its market capitalization reached approximately 21.3 billion Malaysian ringgit. The company’s issued and paid-up share capital is also significant, totalling RM2,504,184,312. Maxis’ capital scale is characterized by a mix of equity and debt financing. It has invested heavily in network infrastructure, including telecommunications licenses and spectrum rights, which contribute to its intangible assets. Maxis is also significantly impacted by its net debt-to-EBITDA ratio, which reflects its overall financial health and debt burden. Maxis invests in capital expenditure (Capex) to maintain and expand its network infrastructure. In 2019, its Capex was RM1.213 billion, which was an increase of 16.9% from the previous year.
CelcomDigi is a major telecommunications company in Malaysia, formed through the merger of Celcom and Digi. Its market capitalization, as of November 19, 2024, was RM38,596.66 million. In Q3 2024, the company’s revenue was RM3,126 million, and its EBITDA was RM1,514 million. The company’s focus is on network integration, modernization, and 5G deployment, with a capex commitment of RM4 billion to build Malaysia’s leading digital network. REDtone Digital Bhd is a listed telecommunications and digital infrastructure company in Malaysia. Its market capitalization is around RM479.23 million as of Morningstar’s latest update. The company’s recent share price shows a valuation around RM486.96 million, with a trading volume of 6.87 million shares. The market capitalization reflects the total value of REDtone’s outstanding shares and can fluctuate based on market conditions and share price changes. TIME dotCom Bhd is a telecommunications service provider based in Malaysia with a market capitalization of approximately RM9.022 billion as of February 27, 2025. The company’s total shareholders’ equity as of FY2024 was RM3.932 billion.
Table 1 below summarizes the business information of the selected companies used in this study.
Table 1: Companies Used For The Study
Companies | Maxis Berhad | Celcom Digi Berhad | Telekom Malaysia Berhad | RedTone Digital Berhad | Time DotCom Berhad |
Year of Incorporation | 1993 | 1997 | 1984 | 1996 | 1996 |
Business Nature | Integrated communications and digital solutions provider | Digital and telecommunications service provider | National connectivity and digital infrastructure provider | Telecommunications and digital infrastructure services provider | Telecommunications and technology services provider |
Core Business Segments | Mobile Services, Fibre & Broadband, Enterprise Solutions, Digital Offerings | Mobile Services, Fixed Broadband, Enterprise Solutions, Digital Services | Fixed broadband (Unifi), enterprise and government solutions (TM ONE), global wholesale (TM Global), cloud, data centres, cybersecurity | Data and broadband services, managed network services, voice services, cloud and data centre services, IoT solutions | Fibre broadband, data centres, cloud services, managed services, international connectivity, renewable energy solutions |
Vision | Be the Leading Converged Solutions Provider in Malaysia | To be the nation’s top Telco-Tech company | To shape a Digital Malaysia through technology that empowers communities, businesses & Government | To be a leading provider of integrated telecommunications and digital infrastructure services | Building connections that matter |
Mission | Bringing together the best of technologies to enable people, businesses, and the nation to Always Be Ahead in a changing world. | Advancing and inspiring society through technology and innovation, with a strong commitment to being an inclusive and responsible business institution. | Humanising technology and making it accessible to all Malaysians in a sustainable manner. | Delivering high-quality, innovative, and cost-effective solutions to meet the evolving needs of businesses and consumers. | Delivering high-speed connectivity and innovative solutions to customers and communities, while expanding regionally and embracing sustainability. |
4.1a Corporate, Risk & Governance (CGR) Framework – Maxis Berhad
Diagram 1: Symbiotic GRC Diagram for Maxis Bhd
4.1b Governance, Risk, and Compliance (GRC) in Maxis Berhad: Strategic Overview
Over the past five years, Maxis Berhad has significantly evolved its Corporate Governance, Risk Management, and Compliance (CRG) framework. This transformation marks a shift from foundational regulatory compliance to a robust, integrated system that is analytics-driven and aligned with environmental, social, and governance (ESG) principles.
Based on Diagram 1, in the area of governance, Maxis began by adhering to key statutory requirements such as the Communications and Multimedia Act, MCCG 2017, the Companies Act 2016, and Bursa Malaysia’s listing obligations. Governance efforts during 2019–2020 focused on policy implementation, board oversight, and compliance. These included the Code of Business Practice (CoBP), Director Fit and Proper Guidelines, and the formation of specialized board committees. From 2021 onwards, Maxis introduced its ESG Governance Framework, digitized board operations through BoardPAC, and enhanced internal protocols with ISO-based audits. Strategic ESG planning and stakeholder engagement also became core governance functions.
Risk management initially followed a traditional Enterprise Risk Management (ERM) structure based on COSO and ISO 31000. Periodic risk evaluations were the norm, with emphasis on operational and compliance risks. The onset of the COVID-19 pandemic in 2020 prompted the integration of business continuity planning (BCP) and crisis response measures. Between 2021 and 2023, Maxis enhanced its risk framework by introducing a 5×5 risk matrix and conducting quarterly ERM updates to both management and the Audit Committee. The internal audit function was strengthened to focus on evaluating risk control effectiveness. Risk themes now actively include ESG, cyber risks, digital transformation, and third-party exposures.
Compliance structures also matured considerably. From 2019 to 2020, Maxis established the Integrity & Governance Unit and introduced a Whistleblowing Policy, aligning operations with MACC Act Section 17A. The company utilized Board Effectiveness Evaluations (BEE) and internal control assessments to ensure accountability. From 2021, compliance became proactive with the attainment of ISO 37001:2016 certification, implementation of real-time compliance dashboards, and expansion into ESG-integrated audits. Annual declarations, policy re-affirmations, and structured vendor training monitoring became standard practices.
In terms of controls, monitoring, and reporting, the company moved from manual oversight, such as Limits of Authority and periodic financial audits, to more automated and intelligent systems. From 2021 onwards, Maxis deployed vendor integrity scorecards, KPI dashboards, and AI-powered fraud detection systems. Reporting improved significantly, with quarterly board updates, thematic audits, and ESG-linked compliance summaries becoming regular outputs. These tools provide real-time insights to Board and management, enabling faster and more informed decision-making.
In conclusion, the CRG framework at Maxis Berhad has matured into a future-ready system marked by ESG integration, digital oversight, and strategic risk governance. This evolution reflects the company’s strong commitment to ethics, sustainability, and resilient corporate management.
4.2a Corporate, Risk & Governance (CGR) Framework – CelcomDigi Berhad
Diagram 2: Symbiotic GRC Diagram for CelcomDigi Bhd
4.2b Governance, Risk, and Compliance (GRC) in CelcomDigi Berhad: Strategic Overview
Refer to Diagram 2. After Digi Telecommunications and Celcom Axiata Berhad merged in late 2022, the new company CelcomDigi Berhad was formed. With its vast network infrastructure and digital capabilities, the united firm became Malaysia’s biggest mobile network provider, offering sophisticated telecoms and digital services. Strong governance, risk management, and regulatory compliance have been emphasized throughout CelcomDigi’s operations, aligning with its ambition to lead the nation’s digital transformation. CelcomDigi follows all applicable local, state, and federal regulations as well as industry best practices via its robust governance system. As per the Bursa Malaysia Listing Requirements, the Malaysian Anti-Corruption Commission (MACC) Act, and the Personal Data Protection Act (PDPA), it remained compliant with all applicable regulations from 2019 to 2023. Especially after the merger in 2022, the business strengthened its cybersecurity procedures, adopted GRI standards for sustainable reporting, and put ISO 27001 into effect for information security.
Yearly updates to the Code of Business Conduct & Ethics and stringent adherence to the Supplier Code of Conduct served to strengthen business ethics. Internally, the new joint organization integrated governance methods, conducted yearly policy reviews, and improved internal audits. Audits of financial reports, whistleblower procedures, and board supervision further strengthened governance controls. To manage digital, operational, and strategic risks, CelcomDigi implemented an extensive Enterprise Risk Management (ERM) cycle. As part of this cycle, the company identified potential risks by keeping a close eye on cybersecurity, finances, strategy, and compliance. Heat maps and scoring tools were used throughout the evaluation process to prioritize concerns.
To better handle these threats, risk mitigation plans delegated responsibilities and laid out strategies. The Board Risk Committee was informed quarterly, which further strengthened the monitoring. Sustainability and annual reports now include risk information, with an emphasis on ESG connections beginning in 2021. Following the merger, CelcomDigi took compliance very seriously and used four main factors to direct their efforts. In 2022, more robust mechanisms were implemented, including anonymous whistleblower channels, as part of the monitoring process that aimed to combat bribery and protect personal data. Every year, every department ran their own self-assessment, and starting in 2021, they started putting more of a focus on cybersecurity and ESG compliance. Outside companies reviewed the company’s finances, anti-bribery procedures (which were in line with MACC), cybersecurity, and data governance practices. The Integrated Annual Report now includes improved ESG-linked disclosures and quarterly updates to the Audit and Risk Committee, integrating reporting into corporate responsibility.
Alignment with regulations, systematic risk management, and open compliance standards were all aspects of CelcomDigi’s robust and comprehensive GRC framework, which was in place from 2019 to 2023. Being a leader in Malaysia’s digital and telecommunications sector, the firm is now more robust, responsible, and prepared for the future thanks to the merger in 2022.
4.3a Corporate, Risk & Governance (CGR) Framework – Telekom Malaysia Berhad
Diagram 3: Symbiotic GRC Diagram for Telekom Malaysia Bhd
4.3b Governance, Risk, and Compliance (GRC) in Telekom Malaysia Berhad: Strategic Overview
Referring to Diagram 3, from 2020 to 2024 Telekom Malaysia Berhad (TM) has demonstrated a firm and evolving commitment to Governance, Risk, and Compliance (GRC), strengthening its position as Malaysia’s national digital infrastructure enabler while navigating digital transformation, regulatory pressures, and ESG imperatives.
TM’s governance framework is grounded in the Companies Act 2016, Bursa Malaysia Listing Requirements, and the Malaysian Code on Corporate Governance (MCCG), with oversight provided by its Board of Directors and specialized committees such as the Audit and Risk Committee and the Nomination and Remuneration Committee.
Governance instruments have been modernized, including an updated Board Charter and Code of Business Ethics (2023) emphasizing ESG leadership and digital responsibility, alongside strengthened Conflict of Interest and Whistleblower policies supported by secure third-party reporting channels. TM’s Vision 2023 and Strategic Plan 2024–2026 align with national agendas like JENDELA and the Digital Economy Blueprint, and in 2024, the Board expanded its oversight to cover data ethics, AI risk, and digital innovation.
On the risk front, TM maintains a robust Enterprise Risk Management (ERM) framework that addresses strategic, operational, reputational, and emerging risks—including cyber threats, climate impact, and 5G deployment. Major enhancements include the 2024 launch of a Digital Risk Register to monitor AI ethics, cloud vulnerabilities, and data localization risks, as well as the integration of ESG criteria into investment decisions and crisis simulations to test business continuity post-COVID.
Quarterly risk reviews led by the Board Risk Committee ensure alignment with corporate risk appetite and provide timely mitigation strategies. TM’s compliance culture is driven by strong internal controls and adherence to international standards such as ISO 37001 (Anti-Bribery), ISO/IEC 27001 (Information Security), and ISO 9001 (Quality Management). Between 2020 and 2024, the company launched an automated GRC platform to centralize compliance tracking, policy enforcement, and access control. Regulatory gap assessments were conducted to align practices with PDPA amendments, telecom law reforms, and Bursa Malaysia’s updated sustainability disclosure guidelines.
Training programs were expanded to raise awareness on digital compliance, data privacy, and ESG readiness across employees and third-party vendors.
The Group Compliance and Internal Audit units perform periodic evaluations and report directly to the Board Audit Committee, ensuring accountability. TM’s integrated GRC strategy over these five years has significantly improved stakeholder trust through transparent disclosures and proactive engagement, reinforced resilience against cyber and regulatory threats, embedded ESG into risk and board-level decision-making, and aligned the company’s digital infrastructure ambitions with national and global expectations. In recognition of its efforts, TM was acknowledged in 2024 for excellence in digital governance and sustainability reporting, further solidifying its standing as a responsible and future-ready corporate leader.
4.4a Corporate, Risk & Governance (CGR) Framework – Redtone Digital Berhad
Diagram 4: Symbiotic GRC Diagram for RedTone Digital Bhd
4.4b Governance, Risk, and Compliance (GRC) in RedTone Digital Berhad: Strategic Overview
Referring to Diagram 4 and according to Redtone’s Corporate, Risk & Governance (CRG) Framework, the Governance component places an emphasis on a solid base established by ethical behavior, systematic supervision, and adherence to regulatory requirements. The business complied with all applicable laws and regulations up to 2021, including those pertaining to shareholder approvals and the Malaysian Companies Act of 2016. It also included auditing and reporting best practices, as well as ISO certifications, which are globally acknowledged standards. In order to promote honesty and openness, REDtone established a whistleblower system, a code of ethics that was strictly enforced, and job descriptions for all board members and partners. Staff training on governance norms, frequent internal audits, and established checks and balances all contributed to bolstering operational governance. After 2020, organizational responsibilities were defined more precisely, power was more clearly delegated, and governance and risk management were more closely integrated, all of which served to bolster these processes even more. Thanks to this development, Redtone is now able to provide more effective monitoring, accountability, and compliance at every level of the company.
Redtone has progressively strengthened its risk management framework, evolving from a basic compliance-driven approach to a structured, enterprise-wide risk governance system aligned with ISO 31000:2018. Initially focused on financial and operational risks, the framework expanded significantly in 2020 during the COVID-19 pandemic to include business continuity and crisis response planning. By 2021, Redtone introduced more structured risk assessments through the classification of Gross and Nett Risk, while enhancing internal audit oversight. In 2022, ESG, cybersecurity, and regulatory risks were integrated into risk registers, reflecting a broader, forward-looking risk perspective. The transformation culminated in 2023 with biannual risk reviews, a formal Risk Appetite Statement, and embedded risk accountability across all business functions, positioning the company for more informed strategic decision-making and resilience.
Redtone has significantly strengthened its compliance framework, particularly after 2021, to align with regulatory expectations and global standards. The company implemented a formal Anti-Bribery and Corruption (ABAC) Policy, fully compliant with MACC Act Section 17A, marking a shift from its earlier, more informal compliance practices. A dedicated whistleblowing mechanism was also established, with oversight by the Audit Committee to ensure independence and confidentiality. Redtone further integrated compliance with risk management through structured internal controls and ISO-aligned practices. Internal audits became more regular and targeted, focusing on high-risk areas and vendor relationships. The company also adopted reporting mechanisms that promote early detection of misconduct and improve transparency. Employee training and policy awareness efforts were expanded to reinforce a compliance-oriented culture. Overall, Redtone’s compliance transformation reflects a proactive and accountable governance stance in the evolving digital landscape.
In summary, Redtone has built a strong and integrated Corporate, Risk, and Governance (CRG) framework. Its governance is guided by clear roles, ethical conduct, and strict adherence to regulations. Risk management has matured into a proactive, company-wide system aligned with international standards, helping the business respond better to challenges. The compliance framework has also been strengthened with formal policies, regular audits, and employee training to promote integrity and transparency. Altogether, these improvements have made Redtone a more accountable, resilient, and well-managed organization.
4.5a Corporate, Risk & Governance (CGR) Framework – Time Dotcom Berhad
Diagram 5: Symbiotic GRC Diagram for Time DotCom Bhd
4.5b Governance, Risk, and Compliance (GRC) in Time DotCom Berhad: Strategic Overview
Referring to Diagram 5, over the past five years Time DotCom Berhad has made substantial advancements in the areas of governance, risk management, and compliance (GRC), reflecting a strategic transformation in how the organization operates, manages risks, and ensures regulatory adherence. Previously, the company’s GRC initiatives were more compliance-oriented and primarily reactive, focused largely on fulfilling regulatory obligations as a publicly listed entity on Bursa Malaysia. However, the current framework, as illustrated in the latest internal overview, indicates a shift towards a more integrated, proactive, and standards-driven approach that supports long-term sustainability, operational resilience, and stakeholder trust.
Time DotCom has improved its governance by moving from basic corporate practices to a more organized system that follows global standards. While it still meets essential legal requirements like the Companies Act 2016 and Bursa Malaysia rules, the company has added international certifications such as ISO/IEC 27001 for data security and ISO 9001 for quality control. It also strengthens its legal and ethical foundation through important documents like NDAs, employment contracts, and board agreements to ensure responsibilities are clear and legally protected. Internally, Time DotCom has set up consistent processes to ensure accountability. These include building a strong risk management structure, regularly monitoring compliance, involving stakeholders, and updating company policies. These efforts are supported by internal controls, audits, and a solid compliance system.
In risk management, the company now uses a comprehensive Enterprise Risk Management (ERM) framework that aligns with its business goals. This means risk management is no longer done in separate areas, but as a company-wide effort. The ERM system helps the company continuously identify, analyze, and evaluate risks. To reduce these risks, Time DotCom uses control measures, invests in modern technology, and prepares crisis plans for unexpected problems. It also reports risks regularly to top management, ensuring responsibility at the highest level. This strong risk management approach not only helps the company deal with potential issues early but also makes the organization stronger and more adaptable in a fast-changing business environment.
Notably, Time DotCom has also prioritized transparency and sustainability in its reporting practices. It aligns its reporting framework with Bursa Malaysia Securities’ Sustainability Reporting Guide and the Global Reporting Initiative (GRI) Standards. This signals the company’s commitment to environmental, social, and governance (ESG) disclosures, an area increasingly scrutinized by investors, regulators, and other stakeholders. The emphasis on sustainable reporting highlights the company’s intention to go beyond financial performance and demonstrate its impact and responsibility toward society and the environment.
In conclusion, Time DotCom Berhad’s GRC transformation over the last five years represents a model of corporate maturity and strategic foresight. The shift from reactive compliance to proactive governance, integrated risk management, and embedded compliance reflects a deep organizational commitment to resilience, transparency, and sustainable growth. This evolution places the company in a strong position to navigate complex regulatory environments, respond to emerging risks, and maintain stakeholder trust in a rapidly changing business landscape.
CONCLUSION
The five examined firms, Maxis, CelcomDigi, Telekom Malaysia, RedTone Digital, and Time dotCom, exhibit differing degrees of maturity in their Governance, Risk, and Compliance (GRC) frameworks, indicative of their corporate size and strategic objectives. Maxis and Telekom Malaysia have robust governance maturity, supported by comprehensive risk management frameworks and sophisticated ESG implementation. CelcomDigi, despite its recent merger, has swiftly adopted best practices by integrating compliance systems and improving cybersecurity and sustainability initiatives. RedTone and Time dotCom have significantly advanced their governance and risk frameworks, transitioning from reactive compliance models to proactive and structured systems that adhere to ISO standards and global risk concepts.
Nonetheless, a shared problem persists across all five companies: integrating Governance, Risk, and Compliance more profoundly into the operational culture, beyond just board-level reporting. Despite the existence of risk registers, audit systems, and reporting structures, awareness of GRC among employees and the daily integration of compliance processes need enhancement, especially for smaller entities such as RedTone and Time dotCom. Moreover, the companies should consider broadening their digital governance to mitigate growing risks, such as those from artificial intelligence, third-party data sharing, ESG greenwashing, and geopolitical uncertainty, which are increasingly significant to long-term company resilience.
From a strategic GRC perspective, it is advisable for all firms to augment board-level GRC diversity and digital proficiency to more effectively manage technology-driven and ESG-related risks. They should enhance the integration of ESG and risk functions, ensuring that ESG risks are consistently included in ERM matrices. They should implement real-time GRC systems or dashboards to enhance agile compliance monitoring and decision-making. They should also enhance openness and public accountability, particularly with regard to whistleblower protection, anti-corruption efficacy, and vendor compliance.
In conclusion, although all five companies have shown notable advancement, the subsequent phase of their GRC journey should concentrate on future-proofing their frameworks by aligning with global best practices, cultivating a risk-aware corporate culture, and integrating digital and ESG governance at all organizational levels. This strategy will guarantee compliance while simultaneously bolstering investor trust and promoting long-term company sustainability. The symbiotic diagrams presented in this paper are genuinely generated from the published reports of each of the companies and represent the application of GRC by all of them.
REFERENCES
- Beasley, M. S., Clune, R., & Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521–531.
- COSO. (2004). Enterprise Risk Management—Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission.
- CelcomDigi. (2019). Annual Report. https://celcomdigi.listedcompany.com/misc/FlippingBook PDF Publisher/Publications/HTM L/DIGI 2019-new/3/
- CelcomDigi. (2020). Annual Report. https://celcomdigi.listedcompany.com/misc/FlippingBook PDF Publisher/Publications/HTM L/DIGI 2020/81/
- CelcomDigi. (2021). Annual Report. https://celcomdigi.listedcompany.com/misc/FlippingBook PDF Publisher/Publications/HTM L/DIGI 2021/
- CelcomDigi. (2022). Integrated Annual Report. https://celcomdigi.listedcompany.com/misc/FlippingBook PDF Publisher/Publications/HTM L/Celcom Digi 2022/124/
- CelcomDigi. (2023). Integrated Annual Report. https://djsp1avzs99jk.cloudfront.net/
- Maxis. (2019). Annual Report. https://maxis.listedcompany.com/ar19/
- Maxis. (2020). Annual Report. https://maxis.listedcompany.com/misc/ar2020.pdf
- Maxis. (2021). Annual Report. https://maxis.listedcompany.com/ar2021.html
- Maxis. (2022). Integrated Annual Report. https://maxis.listedcompany.com/misc/ar2022.pdf
- Maxis. (2023). Integrated Annual Report. https://maxis.listedcompany.com/ar23/ https://maxis.listedcompany.com/newsroom/Maxis Integrated Annual Report 2023.pdf
- Pfister, J. A. (2009). Managing Organizational Culture for Effective Internal Control: From Practice to Theory. Springer.
- Racz, N., Weippl, E., & Seufert, A. (2010). A frame of reference for research of integrated governance, risk and compliance (GRC). IFIP International Conference on Communications and Multimedia Security, 106–117.
- REDTONE International Berhad. (2019). Annual Report. https://www.redtone.com/wp-content/uploads/2019/10/REDtone-Annual-Report-2019.pdf
- REDTONE International Berhad. (2020). Annual Report. https://www.redtone.com/wp-content/uploads/2020/10/REDtone-AR2020.pdf
- REDTONE Digital Berhad. (2021). Annual Report. https://www.redtone.com/wp-content/uploads/2021/10/REDtone-Annual-Report-2021-1.pdf
- REDTONE Digital Berhad. (2022). Annual Report. https://www.redtone.com/wp-content/uploads/2022/10/Annual-Report-2022.pdf
- REDTONE Digital Berhad. (2023). Annual Report. https://www.redtone.com/wp-content/uploads/2023/10/Annual-Report-2023.pdf
- South, M. (2018). Scaling a governance, risk, and compliance program for the cloud, emerging technologies, and innovation. https://aws.amazon.com/blogs/security/scaling-a-governance-risk-and-compliance-program-for-the-cloud/
- Telekom Malaysia Berhad. (2020, April 30). Annual report & CG report – 2019 [Integrated Annual Report]. Bursa Malaysia.
- Telekom Malaysia Berhad. (2021, April 23). Annual report & CG report – 2020 [Integrated Annual Report]. Bursa Malaysia.
- Telekom Malaysia Berhad. (2022, April 25). Annual report & CG report – 2021 [Integrated Annual Report]. Bursa Malaysia.
- Telekom Malaysia Berhad. (2023, April 26). Annual report & CG report – 2022 [Integrated Annual Report]. Bursa Malaysia.
- Telekom Malaysia Berhad. (2024, April 30). Annual report & CG report – 2023 [Integrated Annual Report]. Bursa Malaysia.
- TIME dotCom Berhad. (2020, June 30). Annual report 2019. Bursa Malaysia.
- TIME dotCom Berhad. (2021). Annual report 2020. TIME dotCom.
- TIME dotCom Berhad. (2022). Annual report 2021. TIME dotCom.
- TIME dotCom Berhad. (2023, April 28). Annual report 2022. Bursa Malaysia.
- TIME dotCom Berhad. (2024). Annual report 2023. TIME dotCom.
- Tricker, B. (2015). Corporate Governance: Principles, Policies, and Practices (3rd ed.). Oxford University Press.