Annual Report 2011
Risk Management Statement


In accordance with Section 22 of the Capital Markets and Services Act 2007 (CMSA), Bursa Malaysia has established and maintained a Risk Management Committee (RMC) to provide risk oversight and to ensure prudent risk management of its business and operations.
 
The RMC is a Board Committee comprising five independent directors, including the RMC Chairman who is a Public Interest Director (PID) and who also satisfies the test of independence under the Main Market Listing Requirements (MMLR). The names of the RMC members and their attendance record are given on page 95 of this Annual Report.

In 2011, the RMC held four meetings. Matters reviewed and deliberated by the RMC were:

  1. developments and/or emerging concerns on key corporate risks and the actions taken, or being taken, by Management to mitigate these risks;

  2. risk assessment of strategic initiatives/projects;

  3. pertinent operational risks and mitigation measures; and

  4. progress and status of requisites in regard to Enterprise Risk Management (ERM) activities undertaken throughout the Group.


RISK GOVERNANCE FRAMEWORK


Bursa Malaysia has in place an enterprise risk governance framework for which the Board assumes overall responsibility, with established and clear functional responsibilities and accountabilities under three (3) lines of defence for the management of risk at Bursa Malaysia.

Senior management, inclusive of Management Committee members and the Divisional Heads, is the first line of defence accountable for all risks assumed under their respective areas of responsibility, as well as for the execution of appropriate risk management discipline in line with the Risk Management Policy approved by the Board, aided by the supporting guidelines, procedures and standards. This group is also responsible for creating a risk-awareness culture, which will ensure greater understanding of the importance of risk management and that its principles are embedded in key operational processes and all projects undertaken.

The second line of defence in the management of risk is provided by the RMC, assisted by the Corporate Risk Management (CRM) team, the members of which are collectively responsible for overseeing the risk management activities of the Group and ensuring compliance and effective implementation of risk policy and objectives.

The third line of defence is the Audit Committee (AC), assisted by Group Internal Audit. It provides independent assurance of the adequacy and reliability of the risk management processes and systems of internal controls, as well as compliance with risk-related regulatory requirements.

To ensure business sustainability, our enterprise risk management framework comprises an established and structured process for the identification, assessment, communication, monitoring and review of risks and effectiveness of risk mitigation strategies and controls at the divisional and corporate levels. An automated system has also been implemented to facilitate risk documentation and the reporting process in regard to divisional risks.
 
MANAGING SIGNIFICANT RISKS

Business interruption risk

In 2011, Bursa Malaysia Derivatives (BMD) conducted two Business Continuity Plan (BCP) tests with its market participants and CME Group Inc. (CME). The first was held on 7 May 2011 with a re-test on 24 September 2011. These tested the intra-day Derivatives systems failure at the BMD main site and the activation of BMD’s Disaster Recovery (DR) site.

BMD and its market participants also participated in another CME BCP test on 13 August 2011, simulating failure at the CME main site and connectivity to the CME DR site. The scope included a connectivity test from BMD’s main site to the CME DR site and functional tests for trading, surveillance, market data dissemination, clearing and settlement functions.

CME was involved in all the above BCP tests, as BMD had migrated its derivatives products onto the CME Globex® trading platform in 2010. The BCP tests and the failure scenarios at both BMD and CME provided added assurance that BMD, its market participants and CME were all prepared to respond, recover and resume their critical business functions in a timely manner.

As a follow-up to the BCP test with Securities market participants on 13 November 2010, a re-test of the Securities trading function was successfully conducted on 15 January 2011 with market participants. On 19 November 2011 another BCP test involving the Securities market, Islamic markets and Bond market was successfully conducted.

With the establishment of a crisis management framework in 2010, crisis management procedures were developed by respective departments within Bursa Malaysia in 2011, including procedures to manage cyber threats and attacks.

The National Security Council has classified Bursa Malaysia as a critical national information infrastructure (CNII) organisation. Due to this, Bursa Malaysia has applied for MS ISO 27001 Information Security Management Systems (ISMS) certification in order to comply with the government’s directive of February 2010 that all CNII agencies/organisations should be MS ISO 27001 (ISMS) certified within three years, i.e. by February 2013. Further, the respective employees attended relevant training and briefing sessions on the subject of Information Security as part of our staff competency development and awareness programme.

Bursa Malaysia also participated in X-MAYA 4, a national cyber crisis management exercise coordinated by the National Security Council, on 15 and 16 November 2011. In addition to exercising the workability of the National Cyber Security Response, Communication & Coordination Procedures, X-MAYA 4 also tested the capability of CNII agencies/organisations in dealing with significant cyber incidents and the workability of their internal incident handling procedures.

In 2011, Bursa Malaysia did not have any major business interruption incidents.

Talent management risk

Over the past year Bursa Malaysia initiated and implemented various programmes and initiatives to attract and retain talent, ensure proper succession planning for key positions, and develop core competency and leadership skills. These included:

  1. a Share Grant Plan for employees of Bursa Malaysia to reward performance, ensure sustainability and long-term performance, align corporate objectives to shareholders’ interests, promote wealth-sharing among employees, provide employees with a simple and transparent incentive plan and provide competitive and motivational compensation opportunities;

  2. career development programmes to enrich employees’ work experience and to cater to long-term capacity-building for the organisation;

  3. talent-profiling programmes to identify and select talented individuals for development and succession planning;

  4. workshops to identify and plan strategies to address employees’ concerns; and

  5. learning and training programmes for competency and leadership development.


The results of these programmes and initiatives would be monitored and appraised to ascertain their effectiveness and, where necessary, actions would be taken to address any areas of risk.

Regulatory risk

We believe in striking a balance between a healthy and growing market with transparent and progressive regulation. Our areas of focus for 2011 were based on key risks that could have impeded investor protection, the existence of an orderly, fair and transparent market and the prevention of systemic risk. These areas are fully described in the Regulation pages 56 to 60 of this Annual Report.

We continue to review our key risk areas to ensure we become more effective, timely and efficient in discharging our regulatory responsibilities.

Counterparty credit risk

In managing counterparty/settlement risks where Bursa Malaysia Securities Clearing and Bursa Malaysia Derivatives Clearing act as the clearing houses for securities and derivatives trades respectively, and to prevent any systemic impact on the market, Bursa Malaysia continues to employ robust risk-management processes comprising:

  1. daily mark-to-market positions, initial and variation margin requirements and collateral management;

  2. capital requirements and adequacy;

  3. managing credit exposures via price/trading/single client/equity/position limits and the provision of a bridging facility;

  4. monitoring the financial health of the Clearing Settlement Banks via the Risk Weighted Capital Ratio (RWCR) and credit ratings (the concentration risk is also monitored based on the TCP's total trade settlement with the relevant Clearing Settlement Banks); and

  5. maintenance of the Clearing Guarantee Fund (CGF) and the Clearing Fund for securities and derivatives trading respectively.


In 2011, there were no settlement defaults by any TCP and neither the CGF nor the Clearing Fund was called upon.

 
SUMMARY

In 2011, Bursa Malaysia had adequately and satisfactorily managed its business and operational risks.

In a volatile global economy, and given intense competition from other regional exchanges, technological challenges and growing complexity of customer demands, Bursa Malaysia is expected to continue facing risks and uncertainties which could adversely affect its business and operations.

To ensure business sustainability, the Board through the RMC closely monitors key risk areas and ensures the implementation of effective and appropriate risk-management strategies and responses. Plans are underway to review our ERM framework in 2012 to ensure that it is in line with the latest risk-management standards and practices as appropriate for the Group.