GHL System Berhad Annual Report 2019

GHL SYSTEMS BERHAD 199401007361 (293040-D)

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL (CONT’D)

KEY INTERNAL CONTROL PROCESSES (Cont’d)

5. Risk Management (Cont’d)

d. Risk Reporting and Monitoring

The risks identified by each Business Unit and Project, together with the controls and processes used to manage them, are tabulated in a risk assessment report. Significant risks of Business Units and Projects are presented to the RMC for deliberation. Risk monitoring is an ongoing process in which the RMC monitors the Group’s business risks as part of its annual assessment for proper disclosure in the Annual Report.

e. Merchant Risk

The Group Risk Department currently monitors the merchant performance risks of its active Transaction Payment Acquisition (“TPA”) businesses in Malaysia, Thailand and the Philippines. The Group Risk Department performs this function by first determining the risk acceptance criteria; then measuring, classifying and monitoring merchant activities at a transactional level using predetermined risk rules; and finally instituting remedial and exit procedures for errant merchants. This approach is embodied in the Group’s Credit Policy manual and is heavily automated in the Group’s M-Cube Risk Management system. During the year, the Group Risk Department exited certain high-risk merchants as a result of its review of transaction exceptions, evidencing the effectiveness of the M-Cube Risk Management system in detecting errant merchant behaviour. Management has continuously kept abreast of these reviews and findings via the monthly Business Reviews. The Group Risk Department also continues to fine-tune its policies and procedures to stay in line with changes in the marketplace and in business objectives and plans.

6. Information Technology Controls and Security

a. Disaster Recovery Backup Plan

A Disaster Recovery (“DR”) backup policy and procedure has been established group-wide to ensure continuity of business operations in the event that an IT-disabling disaster strikes. DR drills are conducted by the technology division together with an external service provider at least once a year, with continuous effort to enhance the DR capability to cover all key aspects of the businesses.

b. Payment Card Industry Data Security Standard (“PCIDSS”)

PCIDSS is an actionable framework established by the Payment Card Industry Security Standards Council (“PCISSC”) to ensure the safe handling of cardholder information at every step. PCIDSS covers systems, policies and procedures around the following:

- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy

The Malaysia operations obtained its first Certificate of PCIDSS compliance in 2012 by meeting all the requirements set by the standard. During the year, the Company was reassessed by a qualified security assessor from PCISSC as part of the annual certification exercise and continues to be PCIDSS compliant on the latest version, 3.2. During the year, the Company’s overseas subsidiaries in the Philippines and Thailand were both certified compliant with PCIDSS version 3.2. The Company acknowledges that maintaining high information technology security controls is critical to its business operations and will continue to implement the best practices embedded within the security standards.
