Bank Islam Integrated Annual Report 2021

39. FINANCIAL RISK MANAGEMENT (CONTINUED)
(e) Operational Risk (continued)
Management of operational risk (continued)

The Group’s and the Bank’s overall governance approach in managing operational risk is premised on the Three Lines of Defence Approach:

• 1st line of defence – The risk owner or risk-taking unit, i.e. the Business or Support Unit, is accountable for putting in place a robust control environment within its own unit and is responsible for the day-to-day management of operational risk. Heads of Division/Department (“HOD”) are accountable for effective management of operational risk within their respective divisions. To reinforce accountability and ownership of risk and control, a Risk Controller is appointed for each risk-taking unit to assist in driving the risk and control programme for the Group and the Bank. In addition, an Embedded Risk & Compliance Unit (“ERU”) has been established within the significant business and support units (“BU/SU”). The ERU assists in implementing and monitoring ORM activities within the BU/SU; its relationship with, and knowledge of, the business allow for a more focused implementation and more effective oversight of ORM within the BU/SU.

• 2nd line of defence – The Operational Risk Management Department (“ORMD”) is responsible for establishing and maintaining the ORM Framework, developing ORM tools to facilitate the management of operational risk, monitoring the effectiveness of ORM via an integrated operational risk management system, assessing operational risk issues raised by risk owners and escalating them to the relevant governance level with recommendations on appropriate risk mitigation strategies. To build a strong risk culture, ORMD is also responsible for promoting risk awareness across the Group and the Bank.
The Shariah Risk Management Department (“SRM”), the Compliance Division (which includes the Shariah Compliance Department (“SCD”)) and Information Security Governance (“ISGD”) complement the role of ORMD as the second line of defence. SRM is responsible for managing Shariah compliance risk (“SCR”) by establishing and maintaining appropriate SRM guidelines, facilitating the process of identifying, assessing, controlling and monitoring SCR, and promoting SCR awareness. The Compliance Division is responsible for effective oversight of compliance-related risks, such as regulatory compliance risk, compliance risk and money laundering and terrorism financing risks, through proper classification of those risks; it also develops, reviews and enhances compliance-related training programmes and conducts training to promote awareness. SCD, within the Compliance Division, is responsible for reviewing and monitoring Shariah compliance of the Group’s operations, activities and services at BU/SU level. ISGD is responsible for managing technology risk by establishing, maintaining and enforcing technology risk policies and guidelines, and by promoting Bank-wide awareness of technology risk. It also works closely with the Information Technology Division (“ITD”) in identifying, assessing, mitigating and monitoring technology risk in the Group and the Bank.

• 3rd line of defence – Internal Audit provides independent assurance to the Board and senior management on the effectiveness of the ORM process.
