GOVERNANCE
Bursa Malaysia • Annual Report 2015 (page 86)
STATEMENT ON INTERNAL CONTROL AND RISK MANAGEMENT
d. The third line of defence is provided by the GIA. The GIA reports
directly to the AC and provides independent assurance of the
adequacy and reliability of governance, internal control and risk
management processes.
e. Within the framework, we have an established and structured
process for the identification, assessment, communication,
monitoring as well as continual review of risks and effectiveness
of risk mitigation strategies and controls at the divisional and
corporate levels. The analysis and evaluation of our risks are
guided by approved risk criteria. The Group also has a risk
management system with adequate features and functionalities
to support the risk management process and reporting.
f. Our level of risk tolerance is expressed through the use of a risk
impact and likelihood matrix with an established risk tolerance
boundary demarcating those risks that are deemed to have
“exceeded risk tolerance” and those which have not. We have
clear risk treatment guidance on the actions to be taken for the
relevant risks.
g. The management of the significant risks identified for the
financial year 2015 is outlined below:
SIGNIFICANT RISKS for the financial year 2015:
RISK 1: BUSINESS INTERRUPTION RISK
RISK 2: CYBER ATTACK RISK
RISK 3: TALENT MANAGEMENT RISK
RISK 4: INCREASING COMPETITION RISK
RISK 5: CENTRAL COUNTERPARTY CREDIT RISK
RISK 6: MARKET REGULATION RISK
i. Business Interruption Risk
Appropriate systems with adequate capacity, security
arrangements, facilities and resources are in place
to mitigate risks that could cause interruption to the
Group’s critical business functions. The Group also has a
comprehensive Business Continuity Plan (“BCP”), including
a Disaster Recovery Plan which is tested annually to ensure
continuity of our business and technology operations.
We conducted two industry-wide BCP exercises in 2015, one
for the Derivatives Market and the other for the Securities
Market. The Islamic and Bond Markets were tested together
with the Securities Market. This is to provide assurance that
in the unlikely event that Bursa Malaysia encounters major
business interruption, its alternate site and backup systems
can be successfully activated to resume its critical business
operations. In 2015, Bursa Malaysia did not face any major
business interruption.
A BCP exercise for the Derivatives Market was conducted on
25 April 2015 between Bursa Malaysia Derivatives Berhad’s
(“BMD”) primary site and CME Group Inc’s (“CME”) disaster
recovery (“DR”) site in New York City. BMD successfully
resumed all its critical functions namely trading, clearing,
surveillance and risk management within the target recovery
time objectives. The critical success factor was for the market
participants to successfully establish/switch the connectivity
to BMD’s primary site for clearing operations and to CME’s DR
site for trading operations.
A BCP exercise for the Securities, Islamic and Bond Markets as
well as Bursa Malaysia’s other key supporting functions and
systems was conducted on 12 September 2015 and all test
objectives were met. We successfully simulated the intraday
failure at the primary site and the recovery and resumption
of all critical functions/systems namely trading, clearing,
depository and surveillance within the target recovery time
objectives from our DR site for these three markets.
In addition, Bursa Malaysia facilitated two BCP exercises
for the market participants, one on 23 May 2015 and the
other on 8 August 2015. The primary objective was for the
market participants to test and ensure that they could switch/
connect to Bursa Malaysia, BMD and CME’s primary sites’
systems from their backup sites/systems.
Continuing from 2014’s initiative to align Bursa Malaysia’s
business continuity practices with the requirements of ISO
22301:2012 Business Continuity Management Systems, the
Business Continuity Management (“BCM”) team conducted
further comprehensive reviews with key interested parties (i.e.
all BCP recovery teams) and made the necessary changes to
Bursa’s BCP Policy and Procedure Manual. The BCP Policy and
Procedure Manual was renamed Bursa Malaysia’s Business
Continuity Management System (“BCMS”), together with ISO
22301:2012 (BCMS Requirements) and ISO 22313:2012
(BCMS Guidance), and will serve as a comprehensive guide
for the Group’s BCM related processes and activities.
The BCMS is all-encompassing, as it includes all necessary
resources such as business continuity policy, BCP, business
and technology infrastructure and facilities, people with
defined responsibilities, and relevant business continuity
management processes such as leadership, business
planning, implementation, support, operation, performance
monitoring, management review and continual improvement.
The BCMS was put into effect in 2015.