GOVERNANCE
Bursa Malaysia • Annual Report 2015 (page 85)
The adequacy and effectiveness of the Group’s governance,
internal control and risk management system are assessed
and reported according to the five interrelated COSO
components: Control Environment, Risk Assessment, Control
Activities, Information & Communication, and Monitoring.
c. In 2015, GIA also carried out a review to assess the adequacy
and effectiveness of Bursa Malaysia’s risk management functions,
and to assess the conformance of the existing risk management
governance, framework and processes with recognised standards
and guidelines. The outcomes of the review, highlighting areas for
enhancement and the corresponding recommendations, were
provided to Management.
d. Annual on-site regulatory audits are conducted by the SC on
the Group’s operations to ensure the Group’s compliance with its
duties and obligations under the CMSA, as well as with its own
policies and procedures.
e. The yearly certification of the Information Security Management
System (“ISMS”) against MS ISO/IEC 27001:2013 was carried out
by CyberSecurity Malaysia. The ISMS scope covers the
management, operation and maintenance of the information
system assets and information systems of Bursa Malaysia and
its subsidiaries.
f. The Auditor Independence Policy requires the external audit
engagement and quality reviewing partners to be subject to a
five-year rotation with a five-year cooling-off period. An annual
plan, comprising planned statutory audits, recurring non-audit
services and other anticipated non-audit services by the External
Auditors, requires prior approval by the AC. The AC’s approval is
also required for unplanned non-audit services obtained from the
current External Auditors.
g. The GIA team is required to conduct quarterly assessments of
the internal control system pertaining to the processes of the
relevant business units/functional groups which have a bearing
on the financial information of Bursa Malaysia, to ensure the
reliability and integrity of such information. The Senior Executive
Vice President, GIA, who is also the Head of GIA, is required to
confirm the effective operation of process controls which support
the preparation of the financial statements.
h. In addition to the annual audit, the External Auditors are engaged
to conduct limited reviews on the quarterly financial results
together with the cumulative quarters in accordance with the
International Standard on Review Engagements 2410, “Review
of Interim Financial Information Performed by the Independent
Auditor of the Entity”.
6. Risk Management
a. The Group has in place an established risk management
framework for managing risks affecting its business and
operations. In order to ensure that our risk management
framework and process remain sound and are in conformance
with an internationally recognised standard, we have reviewed
and enhanced our risk management framework and process
this year by benchmarking against the ISO 31000:2009 Risk
Management – Principles and Guidelines. One of the key features
of our risk management framework is a risk management
structure comprising three lines of defence with established
and clear functional responsibilities and accountabilities for the
management of risk.
b. Senior Management, which includes Management Committee
members and Divisional Heads, is the first line of defence and
is accountable for all risks assumed under its respective areas
of responsibility, based on the Risk Management Principles &
Framework and Risk Management Process & Guidelines manuals.
This group of personnel is also responsible for the continuous
development of the risk management capabilities of employees
and for ensuring that risk management is embedded in all key
processes and activities.
c. The second line of defence is provided by the Corporate Risk
Management team, with oversight by the RMC. The Corporate
Risk Management team is responsible for monitoring the
risk management activities of the Group and ensuring
compliance with, as well as effective implementation of, the
risk management framework and process. The TOR of the RMC
were revised to enable the RMC to fulfil its primary purpose and
various responsibilities in enhancing the effectiveness of the risk
management framework for the Group.
[Figure: the five interrelated COSO components – Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
[Figure: THREE LINES OF DEFENCE – 1st Line: Senior Management Team; 2nd Line: Corporate Risk Management Team; 3rd Line: Group Internal Audit]
STATEMENT ON INTERNAL CONTROL AND RISK MANAGEMENT