Bank Islam Integrated Annual Report 2022

The responsibility for IT risk is spearheaded by the Information Security & Governance Division (ISGD). While it is responsible for establishing, maintaining and enforcing IT risk policies and guidelines, it also works closely with the IT Division, especially in the identification, assessment, mitigation, monitoring and reporting of IT risk in the Group. In managing IT risk, the Group is taking, amongst others, the following steps:

i. Implementing an IT risk management strategy that reflects the culture, appetite and tolerance levels of the Group, taking into consideration technology, budgets and regulatory requirements;
ii. Designing policies and internal controls – policies and internal controls are designed to reduce technology-related risks to an acceptable level, and the effectiveness of those controls is monitored;
iii. Performing risk assessment – risk assessment exercises are performed by looking at vulnerabilities and threats, including those related to emerging technologies, making reference to audit findings, loss events, IT projects, etc.;
iv. Monitoring process – reviews are conducted to ensure controls are adequately implemented and, if they are not available, interim actions to mitigate the risks are applied; and
v. Reporting – IT and cyber risk related reports are periodically presented to Management committees and the Board for deliberation.

COMPLIANCE MANAGEMENT

Group Compliance, as the second line of defence, adds value by safeguarding the Bank against regulatory fines and administrative actions through our compliance programmes. We develop compliance and corruption risk assessments to formulate our monitoring intervals and review plans, which provide assurance that controls are working as designed. We develop policies and procedures to set the baseline and expectations for stakeholders to further embed in their own policies and procedures. We strongly believe that compliance starts with the understanding that an employee acts in accordance with the Bank’s Code of Conduct and embraces the values espoused. It all starts with doing it right every time and doing what is right at all times.

The Bank addresses and tackles financial crimes by developing typologies and red flags for financial flows, training frontline staff to identify potentially suspicious transactions, and participating in public-private partnerships to share intelligence and good practices. The Bank supports the industry in combating financial crime by conducting training and providing certification to compliance officers across the industry on financial crime risks and AML topics. In addressing financial crime risk, the Bank has established comprehensive controls to anticipate, prevent, detect and respond to any money laundering and terrorist financing activities. The AML/CFT policy and relevant guidelines define clear roles and responsibilities for the Board of Directors, Senior Management and employees. The controls include putting in place several monitoring rules which are designed to detect potential crime and provide a platform to investigate and further establish it. In 2022, we adopted technology in addressing financial crime by leveraging Robotic Process Automation.

Addressing AML risk does not stop at the Bank level only. As part of managing ML/TF risk at subsidiary level, the Institutional Risk Assessment (IRA) at BIMB Investment Management Berhad and at BIMB Securities Sdn Bhd were also developed. In performing our Group Compliance function, we have executed planned Group Reviews to support Bank Islam and its subsidiaries by conducting compliance reviews and providing reasonable assurance to minimise compliance risks. Enhancement of the roles within the review departments has been made to enable the staff to perform reviews on subsidiaries. In addition, greater synergy and collaboration between the regulatory review and Shariah review teams have been achieved. This allows improved sharing of knowledge between the two (2) departments in achieving completion of their respective review plans. Group Compliance has recently set up a trade surveillance team with the core function of managing conduct risk for the wholesale financial market through vigilant trade surveillance deployment to detect market misconduct. This is important to ensure the Bank’s Ethical Wall Policy is properly implemented.

Integrated Report 2022 214 Statement on Risk Management and Internal Control
