29th August 2006

Chairman and Members

Management Merger Steering Committee
Mayban Fortis Holdings Berhad

POST MERGER RISK REVIEW REPORT AS AT JULY 31, 2006

1 OBJECTIVES
To report the Management Merger Steering Committee (“MMSC”) on the outcome of
the Post Merger Risk Review conducted between June to July 2006.

2 KEY SUMMARY RESULTS

2.1 Our review revealed that 26 out of 68 or 38% of the risk profile developed for the post
merger exercise were rated as high (combination of QA & QB) which mainly
contributed by IT (VC-1), Life Operations (VC-2) and Sales & Marketing (VC-5).
(Refer to Appendix 1).

2.2 Based on the nett impact rating, the risk of IT system back end & workflow (Oi1101)
had been classified as Catastrophic. In addition, we also noted that 5 other risks
were rated under the Major nett impact classification.

2.3 On the overall risks assessment (evaluation and analysis), the risk Nett rating
currently rated as high due to high probability of the causes for the critical risk factors
identified to manifest and the detrimental impact of such manifestation. The primary
reason of concern is due to ineffectiveness of the existing controls and high rate of
incompletion of management actions proposed for risk mitigation and resolution
purposes.

2.4 In addition, the immediate down side impact of the above would be slowdown of
revenue making momentum and subsequently the inability to fully meet the value
creation target of RM150mil. These can be observed as the three major risks
components that are still in red relates directly to production making capability
namely human capital, operation and customer. (Refer to Appendix 2).

2.5 In view of the above, the Risk Management team in collaboration with PMO had
proposed for a formulation and implementation of post merger risk management
exercise to ensure that ALL risks that threatened the achievement of the merger
objectives is managed and mitigated accordingly.

3 BACKGROUND/INTRODUCTION

3.1 To ensure the achievement of the merger objectives, the PMO has established 7
Value Creation (VC) teams which currently undertaking approximately 159 initiatives,
inclusive of 17 quick wins and 142 long term initiatives to realize the value creation
plans and objectives.

3.2 These will benefits the MFHB overall merger objectives which to achieve the Profit
before Tax (PBT) of RM500Million by financial year ended June 2009; that should be
contributed by RM260Million and RM90Million of the existing revenue and forecasted
 organic growth respectively. In addition, the total value to be created by the value
creation exercise for the next 3 years is approximately RM150 million.

3.3 Nevertheless, The McKinsey Quarterly indicate that in the three years following a
merger, only a mere 12 percent of companies grow more quickly than they had
before. “Most sloths remain sloths, and many solid performers slow down”1.

3.4 The failure to oversight on other risks area such as loss of revenue and disruption of
day-to-day business for example explain why so many mergers lose their revenue
momentum and market share while concentrating on cost synergies or failing to
focus systematically on post merger growth. In the end, coming up short on revenue
targets or lost of customer based after a merger has far more serious effects on the
bottom line than failing to meet planned cost savings.

3.5 In view to the above and as basis to move forward, the risk management team has
conducted a risk profiling session with respective VC heads to profile and access the
risks prevalent to their activities and subsequently prepare risk control and mitigation
actions to be implemented.

4 STATUS OF POST MERGER RISK MANAGEMENT DELIVERABLES

4.1 Overall status of post merger risk

Previous nett Rating2 Current Nett Rating3

Nett Rating Nett Rating

9%
17%
26% 28%

29%

18%

34%
31%

QA QB QC QD
QA QB QC QD

Analysis Previous Nett: Analysis current Nett:

ƒ The total no of risk initially identified were 724.
ƒ Majority of the risks identified fall under the
following components5, which represents
approximately 70% of the total risks identified.
o Operations/System
o Customer/Business
o Human Capital/People
ƒ Distribution of risks under respective
ƒ The total no of risk after the 2nd review
exercise were reduced to 68 (after
moderation)7
ƒ The improvement of the Nett risks rating was
mainly contributed by the effectiveness of the
existing control in place and/or the
implementation of proposed action plans
either by respective VC, entities and PMO.

1
The McKinsey Quarterly: Keeping your sales force after the merger.
2
Previous Nettthis rating reflects the exposure after evaluating the effectiveness of controls based on 1st review
exercise in mid-April 2006
3
Current Nett these ratings reflect the current/latest exposure after evaluating the effectiveness of current
actual controls and/or partial implementation of proposed action plans as at end of July 2006.
4
Refer Appendix 1: Identified risks based on risk quadrant
5
Refer Appendix 2: Risk prevalent to respective VC based on risk category
 quadrants ƒ Distribution of risks under respective
o QA6 = 26% (19 risks) quadrants8
o QB = 31% (22 risks) o QA = 9% (6 risks)
o QC = 18% (13 risks) o QB = 29% (20 risks)
o QD = 17% (18 risks). o QC = 34% (23 risks)
ƒ In general, the risk prevalent to the merger is o QD = 28% (19 risks)
inherently considered as EXTREME with ƒ In general, the overall risks related to the
>50% of the risks rated as Extreme and High. merger are still considered as HIGH 9.
ƒ In view to the above assessment and as a
basis to move forward, majority of the risk
profile requires an urgent action to strengthen
and further improvement especially on the
People, System and Business issues.

5 RISKS HIGHLIGHT

5.1 Our risk profiling exercise revealed that 17 out of 20 key risks (based on Top 20 Nett
Rating) within the Post Merger Risk Scorecard that been identified and raised were
mainly contributed by the risk relating to;

5.1.1 People and Human Capital Risks

Majority of the risks identified under this area were reflecting on the lack of
effectiveness and/or delay in addressing the critical issues relating to;

ƒ Staff resignation that mainly due to uncertainty relating to new organizational

structure, branding and perceptions on Takaful future operations as well as
issues relating to remuneration and benefits package. In addition, issues
relating to personal limitation & preferences, winner & loser perception and
adaptability (sense of loss) had also been cited as contributing factors to this
issue. During the first eleven months of the merger, 124 resignation cases
were reported as compared with very minimum number on new recruitment
for replacement.
(For detail, refer to the separate paper on Staff Resignation issues)

ƒ Disruption of ongoing operational issues arising from delay in relocation

exercise, delay in staff replacement of the vacant position/s, culture clash on
work culture, values, management styles, norms and standards and
ineffective coordination among entities

ƒ Loss of key staff to other competitors especially to the new Takaful operators.

ƒ Ineffective communication and/or lack of constant communication between

management and staff relating to merger integration initiatives, plans,
progress updates, programs and objectives. Occasional town hall meeting is
good but obviously insufficient especially to the executive and clerical level.

6
Rating Legend QA = Very Significant or Extreme Risk
QB = High Risk
QC = Medium Risk
QD = Low Risk
7
After Moderation: integration and/or combination of existing risks; and inclusion of new risks
8
Refer Appendix 3: Post merger risk matrix
9
Refer Appendix 4: Top 20 key risks within the scorecard ranked by the Nett ratings
 5.1.2 System Risks

Undoubtedly one of the most feared, contentious and time-consuming aspects of this
post merger integration exercise was the integration and harmonization of the
information systems. From our review, we noted that key issues that been highlighted
by the risk owners are as follows;

ƒ Lack of IT readiness in relation to system back-end support and workflow

ƒ Data quality and integrity risks

ƒ Delay in IT systems and/or automation initiatives

ƒ Non-integration of investment management system

ƒ Changes in data centre and new IT system

ƒ System connectivity and IT infrastructure in relation to relocation exercise

5.1.3 Customer and Business Risks

Based on the result of the risk assessment, 6 risks under the Customer/Business
component classification were rated as high and majority of the risks were raised by
the risk owners from Sales & Marketing (VC-5). Amongst the risks highlighted are as
follows;

ƒ Integration between takaful and conventional been exploited by competitors

ƒ Loss of revenue due to unfavorable response of agents and customers

ƒ Reduced customer satisfaction due to centralization of operation

ƒ Loss of 3rd party banca partners or banca partners do not accept products

ƒ Lack of preparedness of agency force

Without effective and timely action to mitigate the risks will definitely impacted the
overall revenue by reducing the business momentum and growth that may lead to
inability to achieve the overall merger objectives. Early indication on such impact was
reflected in the July 2006 production report as below;
Mayban Fortis Summary - July 2006
YTD SPLY Budget Vs Vs
AMOUNT RM '000
7/2006 7/2005 7/2006 SPLY Budget
Gross Written premium 197,409 238,312 418,162 -17% -53%

Mayban General Assurances (MGAB) 35,224 33,152 36,966 6% -5%

Mayban Life Assurance (MLA) 34,241 66,668 245,138 -49% -86%

Mayban Takaful (MTB) 6,967 5,646 8,570 23% -19%

Mayban Life International (MLI) - 100 - -100% Na

Malaysia National Insurance Berhad (MNIB) 63,884 69,025 69,434 -7% -8%

Takaful Nasional Sdn Berhad (TNSB) 57,093 63,721 58,053 -10% -2%
6 CONCLUSION AND RECOMMENDATION

6.1 Failure to achieve merger objectives will pose a far reaching negative impact on key
personnel, key clients, supplier (agency, broker & 3rd party banks), market share,
reputation, day-to-day operation, operational efficiency, productivity and these can be
translated into negative impact to the bottom line.

6.2 The timing between Mayban Fortis merger exercise and the issuance of the 4 new
Takaful licenses by BNM also amplifying the push and pulling factor for staff
resignation. Hence, posing unexpected obstacles in achieving the post-merger
integration plans and objectives.

6.3 To effectively address the extreme and high risk issues, the Management via the
merger PMO needs to formalize and ensure that timely implementation of the action
plans proposed by the risk owners for resolution or mitigation of the identified risks.
Each mitigation plans need to be consistently tracked and reported to MMSC.

6.4 In addition to the Risk Management analysis on the People/Human Capital risks, IT
and Sales & Marketing should also conduct similar analysis on System and Business
risks respectively.

6.5 The oversight functions namely risk management, compliance and internal audit must
continue to play an active role to monitor and report the risks, particularly those that
reside in QA & QB quadrants, on regular basis throughout the merger period.

Prepared by, Recommended by,

ABD RAZAK SULAIMAN RAZIN MURAT

Head, Operational Risk Management Head, Risk Management
Mayban Fortis Group Mayban Fortis Group
 Appendix 1
Identified Risks Based on Risk Quadrants

RISK RATING
No VC/FS Gross Nett
QA QB QC QD QA QB QC QD

1 VC 1 - IT 2 5 - - 2 5 - -

2 VC 2 - Life 4 - 1 - 2 2 - 1

3 VC 3 - General 2 2 - - - 1 3 -

4 VC 4 -Takaful 1 2 - - - 1 2 -

5. VC5 – Sales & Marketing

5.1 VC5_Alternative Distribution - 1 2 6 - 1 2 6

5.2 VC5_Agency 3 3 5 - - 4 7 -

5.3 VC5_Bancassurance 1 2 2 1 - 2 3 1

5.4 VC5_Branches 2 1 - - 2 1 - -

5.5 VC5_Enterprise/Corporate 2 1 1 2 - - - 6

5.6 VC5_Sales & Marketing 2 2 - - - 2 2 -

6 VC 6 - Investment 6 - - - - 1 - 5

VC 8 - Property, Admin &

7 - 2 2 - - - 4 -
Purchasing

TOTAL 25 21 13 9 6 20 23 19
 Appendix 2
Summary based on Risk Components

NETT RISK RATING Overall Conclusion (Risk

No RISK COMPONENT Indicator based on traffic
QA QB QC QD light system)

DANGER
1 Human Capital / People 3 2 3 2

DANGER
2 Operation / Process / System 2 9 9 5

DANGER
3 Customer/Business 0 6 5 3

CAUTION
4 Strategy / Corporate Governance 0 1 2 2

CAUTION
5 Product & Services 1 0 3 1

CAUTION
6 Model / Supplier 0 1 0 0

SATISFACTORY
7 Regulatory / Compliance 0 0 0 1

8 Legal 0 0 0 0 NA

SATISFACTORY
9 Financial 0 1 1 5

10 External 0 0 0 0 NA

Total 6 20 23 19
 Appendix 3
Overall Post Merger Risk Matrix

Corporate Risk Scorecard (Nett)

Almost
Oi1101
Certain

Ci1102, Ci1104, Pi7101, Oi1131,

Likely Ci1103 Oi1103
Oi1129, Oi1111 Hi1109, Hi1110

Ci1101, Ci1105,
Likelihood

Ci1106, Oi1105,
Oi1104, Oi1107, Oi1106, Oi1119,
Oi1112, Oi1113, Oi1121, Oi1122,
Possible Ci1111, Gi1102 Hi1119
Gi1103, Pi1105, Gi1104, Ci1112,
Ci1116 Hi1120, Oi1128,
Oi1130. Si1101,
Fi1111

Hi1101, Oi1108,
Hi1102, Oi1110,
Unlikely Ri2101, Gi1101 Fi1104, Hi1121, Hi1122
Ci1109
Gi1105, Ci1115

Oi1102, Fi1101,
Hi1103, Fi1102,
Fi1103, Ci1107,
Pi1102, Pi1103,
Ci1110, Fi1107,
Rare Ci1108, Oi1115,
Oi1114, Fi1108,
Oi1118
Oi1116, Pi1104,
Hi1108, Oi1120,
Oi1117
Insignificant Minor Moderate Major Catastrophic

Impact
 Appendix 4

Reports On The Top 20 Key Risks Within The Post Merger Scorecard Ranked By The
Nett Ratings