GOVERNANCE
Bursa Malaysia • Annual Report 2014 • 72
c. The second line of defence is provided by the Corporate Risk
Management team, with oversight by the RMC. The Corporate Risk
Management team is responsible for monitoring the risk management
activities of the Group and ensuring compliance with, as well as
effective implementation of, risk policies and objectives. The RMC
provides direction and has an oversight role in the risk management
process. The ToR of the RMC were revised in January 2014 to provide
clarity on the purpose and responsibilities of the RMC with regard to risk
management. At its scheduled meetings in 2014, the RMC appraised
and assessed the efficacy of the controls and the progress of action plans
taken to mitigate and monitor the risk management exposure of the
Group, including Bursa Malaysia Securities Clearing Sdn Bhd and
Bursa Malaysia Derivatives Clearing Berhad. The RMC also monitored
the progress and status of ERM activities, and raised issues of
concern for Management’s attention.
d. The third line of defence is provided by the GIA. The GIA reports directly
to the AC and provides independent assurance of the adequacy and
reliability of risk management processes and system of internal control,
and ensures compliance with risk-related regulatory requirements.
e. Within the framework, there is an established and structured process
for the identification, assessment, communication, monitoring as
well as continual review of risks and effectiveness of risk mitigation
strategies and controls at the divisional and corporate levels. In order
to improve our risk management process and reporting, our risk
management system has been upgraded to the latest software version
with new and enhanced functionalities.
f. Our level of risk tolerance is expressed through the use of a risk impact
and likelihood matrix with an established risk tolerance boundary
demarcating those risks that are deemed to have “exceeded risk
tolerance” and those which have not. We have clear risk treatment
guidance on the actions to be taken for the relevant risks.
g. To ensure that our ERM framework and processes remain sound and
are in compliance with internationally recognised standards, we are
reviewing our existing ERM framework and processes against ISO
31000 Risk Management – Principles and Guidelines and will revise
and update our Risk Management Policy and Guidelines accordingly in
2015.
h. The management of the significant risks identified for the financial
year 2014 is outlined below:
STATEMENT ON INTERNAL CONTROL AND RISK MANAGEMENT
i. Business Interruption Risk
A comprehensive Business Continuity Plan (BCP), including a
Disaster Recovery Plan which is tested annually, is in place to
ensure continuity of our business and technology operations. We
conducted two BCP exercises in 2014, one for the Derivatives
Market and the other for the Securities Market. The Islamic, Bond
and Offshore markets were tested together with the Securities
Market industry-wide testing. This is to provide assurance that
in the unlikely event that Bursa Malaysia encounters major
business interruption, its alternate site and backup systems
can be successfully activated to resume its critical business
operations. In 2014, Bursa Malaysia did not face any major
business interruption.
A BCP exercise for the Securities Market, which operates on
the Bursa Trade Securities 2 (BTS2) platform, was conducted
on 16 August 2014 by means of a simulated power failure. The
Securities, Islamic, Bond and Offshore markets were all tested, as
well as other supporting functions and systems of Bursa Malaysia.
Since some of the test objectives were not fully met, a re-test for
those systems/functions was conducted on 13 September 2014.
All test objectives were met in this second test, and the recovery
was successfully completed within the target recovery time for all
the systems/functions.
A BCP exercise for the Derivatives Market, which operates on the
Globex platform, was conducted on 1 March 2014 between Bursa
Malaysia Derivatives (BMD)’s primary site and CME Group Inc.
(CME)’s new disaster recovery (DR) site in New York City. The
primary focus was on establishing connectivity to CME’s DR site.
The second test between BMD’s primary site and CME’s DR site
was successfully conducted on 29 March 2014 with industry
participants.
As part of the Business Continuity Management (BCM)
improvement exercise, in 2014, we conducted an internal review
of our BCM framework, processes and procedures to comply with
the ISO 22301:2012 Standards. A review of Bursa Malaysia’s
existing BCM programme, framework and practices to benchmark
against the BCM System requirements in ISO 22301:2012
Standards was completed in May 2014. The updating of the
BCM framework, processes and procedures to comply with the
principles of the ISO 22301:2012 Standards is ongoing, with
enhancements to our BCM framework, processes and procedures
planned for operationalisation in 2015.
ii. Cyberattack Risk
To ensure that our systems are secure, Bursa Malaysia has put
in place adequate IT security tools and mechanisms to detect,
protect against and respond to cyberattacks. These tools and
mechanisms include:
• Firewall and intrusion prevention system;
• Clean pipe services;
• Application and system segmentation;
• Anti-virus and anti-malware; and
• Round-the-clock cyber threat monitoring.
SIGNIFICANT RISKS for the financial year 2014
• Risk 1: Business Interruption Risk
• Risk 2: Cyberattack Risk
• Risk 3: Talent Management Risk
• Risk 4: Competition Risk
• Risk 5: Counterparty Credit Risk
• Risk 6: Market Regulation Risk