Bank Islam Integrated Annual Report 2020

7. OPERATIONAL RISK (CONTINUED)

7.3 Management of Operational Risk

The Group recognises and emphasises the importance of ORM and manages this risk through a control-based environment where processes are documented, authorisation is independent, transactions are reconciled and monitored, and business activities are carried out within the established ORM policies, guidelines, procedures and limits. The Group's overall governance approach in managing operational risk is premised on the Three Lines of Defence Approach:

a) 1st Line of Defence – The risk owner or risk-taking unit, i.e. BU/SU, is accountable for putting in place a robust control environment within their respective units. They are responsible for the day-to-day management of operational risk. To reinforce accountability and ownership of risk and control within the 1st Line of Defence, an RC is appointed for each BU/SU and an ERU is established at selected BU/SU.

2nd Line of Defence – The Operational Risk Management Department ("ORMD") is responsible for establishing and maintaining the ORM Policy and its supporting guidelines/manuals, developing methodologies and various ORM tools to facilitate the management of operational risk, monitoring the effectiveness of ORM, assessing operational risk issues raised by the risk owner, and escalating operational risk issues to the relevant governance level with recommendations on appropriate risk mitigation strategies. In creating a strong risk culture, ORMD is also responsible for promoting risk awareness across the Group. The Shariah Risk Management Unit ("SRMU"), which forms part of ORMD, is responsible for managing Shariah non-compliance risk ("SNCR") by establishing and maintaining appropriate Shariah Risk Management (SRM) guidelines, facilitating the process of identifying, assessing, controlling and monitoring SNCR, and promoting SNCR awareness.

The Compliance Division, which includes the Shariah Compliance Department, and the Information Security & Governance Division ("ISGD") complement the role of ORMD as the 2nd Line of Defence. The Compliance Division is responsible for ensuring effective oversight of compliance-related risks such as regulatory compliance risk, compliance risk, corruption risk, and money laundering and terrorism financing risks, through proper classification of risks and by developing, reviewing and enhancing compliance-related training programmes as well as conducting training that promotes awareness. The Shariah Compliance Department under the Compliance Division is responsible for reviewing and monitoring Shariah compliance of the Group's operations, activities and services at BU/SU level. ISGD is responsible for managing information technology risk by establishing, maintaining and enforcing information technology risk policies/guidelines, and it works closely with the Information Technology Division in identifying, assessing, mitigating and monitoring information technology risk in the Bank.

b) 3rd Line of Defence – Internal Audit, including the Shariah Audit Department, provides independent assurance to the Board and senior management on the effectiveness of the ORM and SRM processes.