Bank Islam Integrated Annual Report 2023

Statement on Risk Management and Internal Control

RISK APPETITE

The risk appetite defines the levels of risk that the Group is willing to assume within its risk capacity. It is a critical component of the Group’s ERM Framework, which enables the Board and Management at all levels to communicate, understand and assess the types and levels of risks that the Group is willing to accept in pursuit of its strategic and business goals while taking into consideration the constraints under a stressed environment. The Group’s risk appetite has been integrated into its Corporate Direction and Business Plan and remains dynamic and responsive to the changing external and internal drivers such as the business and market conditions. It is determined based on the following elements:

Risk Capacity
• What is the maximum limit of risk the Group can withstand without causing its failure?

Risk Tolerance
• How much risk is the Group prepared to take per risk type or business unit?

Risk Appetite
• What level of risk is deemed acceptable by the Board in pursuing its strategy?

THREE LINES OF DEFENCE APPROACH

The risk management functions for the Group as the Second Line of Defence are predominantly performed by the Group Risk Management, Group Credit Management, Group Compliance and Group Information Security & Governance Division. Risk Management functions provide oversight on an enterprise-wide level for a holistic risk view within the Group and support the Group in its strategic objectives.

The Group’s risk governance approach is premised on the Three Lines of Defence Approach by placing accountability and ownership of risks to where they arise while maintaining the level of independence among risk taking units, risk control units and independent assurance unit in managing risks. The Three Lines of Defence is used in implementing the ERM Framework and providing risk management accountability across the Group.

1 Risk Owner or Risk Taking Units
Responsible for ongoing oversight of risk and control at day to day work level and promoting strong risk culture within business/support unit

2 Risk Control Units*
Responsible for establishing and maintaining Risk Management framework; developing Risk Management Tools; assessing, monitoring, reporting and controlling risk; and promoting risk awareness across the Group

3 Internal Audit
Responsible for providing Independent assurance to Board and Management that Risk Management Processes and Tools are effectively implemented

* Consists of Group Risk Management Division (including Shariah Risk Management), Group Credit Management Division, Group Compliance Division (including Shariah Compliance) and Group Information Security & Governance Division (GISGD).
