Bank Islam Integrated Annual Report 2020

Information Technology Risk

Information Technology (IT) risk (including cyber risk) is the business risk associated with the use, ownership, operation, influence, involvement and adoption of technology within the Group. It also consists of technology-related events that could potentially impact the business. The banking industry relies heavily on technology and Bank Islam is no exception. Such reliance exposes the Group to IT-related risks such as cyber-attacks and system disruptions. To mitigate this, Bank Islam has established a framework and policy and has also put in place appropriate control measures and processes that are continuously being reviewed and enhanced. The Group also continues to invest in the latest IT infrastructure and tools as well as human capital development.

The responsibility for IT risk is spearheaded by the Information Security & Governance Division (ISGD). While it is responsible for establishing, maintaining and enforcing IT risk policies and guidelines, it also works closely with the IT Division, especially in identification, assessment, mitigation, monitoring and reporting of IT risk in the Group.

In managing IT risk, the Group is taking, among others, the following steps:

i. Implementing IT risk management strategy that reflects the culture, appetite and tolerance levels of the Group, taking into consideration technology, budgets and regulatory requirements;
ii. Designing policies and internal controls – policies and internal controls are designed to reduce technology-related risks to an acceptable level and the effectiveness of those controls is monitored;
iii. Performing risk assessment – risk assessment exercise is performed by looking at vulnerabilities and threats including those related to emerging technologies, making reference to audit findings, loss events, IT projects, etc.;
iv. Monitoring process – reviews are conducted to ensure controls are adequately implemented and if not available, interim actions to mitigate the risk are applied; and
v. Reporting – IT and cyber risk related reports are periodically presented to Management committees and the Board for deliberation.

Compliance Culture

The journey of cultivating compliance culture in Bank Islam is a continuous one with the strong tone from the top, cascading the momentum right down into the blood and vein of every employee of the Bank to assimilate it as part of the Bank’s culture. The Board of Directors and the senior management of the Bank have embedded the principle of “Zero Tolerance” throughout the financial year under review as part of the CODE21 journey. The Board has also reinforced compliance resources and approved all proposed budgets for compliance initiatives, projects, and systems.

The Bank’s Compliance framework and programme prepares the Bank with the right platform, mechanisms, and tools to manage its regulatory and compliance risk. All Business and Support units carry significant Risk & Compliance score in their Key Performance Indicator (KPI). The final score is distributed and assigned by Risk and Compliance Division independently. The KPI is also assigned to each staff of the Bank in concert with their responsibility to protect the Bank. The embedment of the Risk & Compliance KPI is not new but was further refined as part of the CODE21 initiative to help shape the desired corporate culture.

The topics of Institutional Risk Assessment on Financial Crime Compliance and Corruption Risk Management were the key highlights in FY2020. The Board had approved Compliance to engage consultants to help assess where the Bank stands against the industry in these two areas and further develop the framework and tools to remediate any concerns. The Corruption Risk Management covers the Group as a whole in our effort to prepare for the MACC Section 17A. The results were presented to all respective subsidiaries’ Board of Directors’ meeting.

For FY2020, the Compliance Risk Assessment was performed half-yearly and the key risk areas were presented to the Board Risk Committee. Financial Crime Compliance (FCC) remains as the top agenda with the highest inherent risk. The Board’s robust oversight in issues pertaining to FCC helps create the culture and raises awareness to Business and Support Unit on the roles they play as first line of defence in managing AML/CFT either as line of business, enabler or control. For FY2020, the Bank was not served with either a public or private reprimand from regulators nor was the Bank fined or sanctioned.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL FRAMEWORK
