I wanted to have a peep behind the scenes on aspects of risk, audit and compliance in IHI. Naturally, the best man on that topic is Melvin Bonnici, Head of Group Internal Audit, Risk and Compliance at IHI. He was more than glad to oblige.

Melvin Bonnici
Risk, Audit, and Compliance refer to the interconnected practices of identifying, assessing, and managing potential risks within an organisation. Risk management involves proactive measures to mitigate threats, whilst at the same time maximising opportunities. Audits evaluate the effectiveness of these strategies and ensure compliance with laws and regulations. However, as part of the Group’s risk strategy the team also focuses on resilience – an organisation’s ability to adapt and recover from disruptions, maintaining smooth operational continuity. Together, these elements form a comprehensive framework that enhances organisational stability and promotes long-term success.
I asked Melvin to describe his role without being too technical for our readers.
“As Head of Internal Audit, Risk & Compliance, I lead a team that delivers independent assurance and advisory support across the Group. Our work spans operational audits, enterprise risk management, and regulatory compliance – ensuring that Corinthia operates with transparency, efficiency, and foresight. From aligning audit plans with high-risk areas to preparing the organisation for ESG disclosure requirements, our focus is on building resilience, supporting informed decision-making, and driving continuous improvement across all levels of the business.

Melvin (centre) and his Audit Team, Milan Seghatoleslami and Miklos Bethlendi.
“We are currently leading a strategic transformation in how risk, audit, and compliance are approached across the organisation – shifting from traditional, reactive practices to an integrated, enterprise-wide model that enhances governance, supports strategic objectives, and builds long-term resilience.

With Francois Ganado (right), Director of Risk & Compliance
“Traditionally, risk was often seen through a compliance or control-based lens. Today, we’re embedding Enterprise Risk Management (ERM) principles across the business – linking risk more closely with strategic decision-making, ownership, and performance. This shift is helping departments move from reactive risk management to a more proactive, forward-looking approach. It ensures that risks – whether strategic, operational, regulatory, technological, or external – are considered holistically, in context, and with input from those closest to them.
“To support this evolution, we are also implementing a centralised digital platform that will streamline how risks are identified, assessed, and monitored across the Group. This tool will enhance transparency, encourage consistency, and empower operational teams to take greater ownership of their risks – fostering a stronger, risk-aware culture at all levels.
“Every project we undertake may differ in focus, but the overarching goal remains the same: to improve how we operate, reduce risk exposure, and create lasting value across Corinthia.”
I noted that Melvin’s duties involve overseeing audits in a very diverse portfolio – from catering to hotel assets. How does he adapt to such variety?

Corinthia London
“Adaptability is key in our work – no two operations are the same. A catering business has very different dynamics from auditing a high-end property in London versus an operationally constrained environment like Libya.
“What allows us to navigate this complexity effectively is the strength of our internal audit team: we are a group of professionals who bring not only audit and financial expertise, but also direct operational experience from within the hospitality industry. This gives us a grounded understanding of how decisions are made on the floor, not just on paper.
“Our approach is consistent in its intent – we look for accuracy, transparency, operational efficiency, and how well processes align with the Group’s strategic objectives. But equally important is how we prioritise our work.
“Our audit plans are not generated in isolation; they are informed through our enterprise risk assessments and ongoing engagement with stakeholders. We focus our efforts on areas of highest risk – the issues that have the greatest potential to impact performance, reputation, or resilience.
“By aligning audits with risk assessments, we ensure that our work doesn’t just meet compliance requirements, but actively contributes to risk mitigation and long-term value creation.”
Melvin led work on comparing F&B results across the Group with industry benchmarks. What stood out to him?
“I would say that what stood out most was the power of data when it’s made visible, structured, and comparable. When we benchmarked our F&B performance against global hotel chains, the analysis moved beyond figures – it revealed where we excel, where efficiencies can be gained, and how much potential remains untapped at outlet level.

“The real opportunity lies in strengthening visibility and accountability at each F&B outlet. While headline performance might seem strong, breaking it down by outlet, cost driver, and guest segment often uncovers margin erosion or pricing inefficiencies. In markets like Malta – where conditions are relatively stable – this visibility becomes even more powerful for driving performance to international standards.”
The preparation of non-financial data that is reported in the financial statements has grown in extent and importance. What are the complexities of generating such a report?
“The preparation of non-financial data has become increasingly complex and critical – it’s no longer a parallel narrative to financial reporting but an integral part of it. We’re not just reporting on environmental, social, or governance matters for reputational value; these are now strategic disclosures with tangible compliance, legal, and operational implications.
“The regulatory landscape, especially within the EU, is evolving at a rapid pace. The Corporate Sustainability Reporting Directive (CSRD) has raised expectations significantly – from what gets reported to how data is verified and traced. It demands granular, structured disclosures on a wide spectrum of ESG (environmental, social, and governance) factors, including climate risk, human rights due diligence, diversity, and governance practices.

“Although the EU’s proposed amendments to the CSRD – often referred to as the Omnibus Directive – aim to reduce the reporting burden on companies by revisiting thresholds and simplifying requirements, the situation remains complex.

“With the thresholds still under discussion and Malta yet to transpose the CSRD into national law, businesses face an unclear regulatory landscape. As year-end approaches, this creates added pressure: organisations must prepare for detailed sustainability disclosures without full certainty on scope or timing. In this environment, taking a proactive stance and aligning early with EU-level guidance becomes crucial, even in the absence of formal national transposition.
“Meeting these expectations is not just a matter of collecting data – it’s about ensuring its accuracy, source traceability, and consistency across departments and jurisdictions. Often, the required information doesn’t sit neatly in a single system or function. It requires collaboration between finance, HR, operations, sustainability teams, and external advisors. We also need to keep abreast of technical guidance, sector-specific standards, and the timing of legislative rollouts – which are sometimes staggered or revised.
“Staying ahead of this curve means attending technical seminars, working with consultants specialised in ESG regulation, and continuously strengthening our internal frameworks. Ultimately, our aim is to ensure that the non-financial disclosures not only meet compliance requirements but genuinely reflect the risks and responsibilities we carry as a Group.”
Reports can sometimes be taken coldly and may even lose their impact. The work leading to such reports often needs to seep down through the veins of the organisation. How did Melvin ensure his work creates impact and not just reports?
“In short, by follow-up and collaboration. We don’t just file reports and walk away. We present findings with the stakeholders involved, help them understand the root causes, and recommend actionable steps. Where needed, I work with them to update procedures, train teams, or draft new policies. It’s a cycle of improvement – and one that must be continuously reinforced.”
I have always known Melvin as a dedicated professional who works with passion and determination. What really motivated him in his work?
“Making the invisible, visible. I enjoy uncovering insights that might otherwise go unnoticed – whether it’s a control weakness, a performance gap, or an opportunity to streamline. Helping others make better decisions is a quiet but powerful form of impact.”
That’s more or less the Melvin Bonnici I have always known. Quiet but compellingly effective.