Bank Islam Integrated Annual Report 2023

SHARIAH NON-COMPLIANCE RISK

Shariah non-compliance risk (SNCR) is part of operational risk and is defined as “risk of legal or regulatory sanctions, financial loss or non-financial implications, including reputational damage arising from failure to comply with the rulings of BNM Shariah Advisory Council (SAC), standards or decisions or advice of the Group’s Shariah Supervisory Council”. The responsibility for managing SNCR is spearheaded by the Group’s Shariah Risk Management Unit, which is guided by the Group’s Operational Risk Management (ORM) Framework and ORM Guideline. These documents detail the Shariah risk management processes and tools in order to provide a consistent framework for managing SNCR across the Group.

Shariah risk management is a discipline that systematically identifies, measures, monitors and controls SNCR to mitigate the occurrence of SNC events within the Group. Being part of operational risk, it leverages the same principles, processes and tools as operational risk. However, the tools are modified to suit the regulatory requirements on Shariah governance in order to provide a robust and consistent approach to managing SNCR.

INFORMATION TECHNOLOGY RISK

The Group Information Security & Governance Division (GISGD) is responsible for managing technology, cyber and data risks. It operates as an independent function within the second line of defence in the three lines of defence model. GISGD’s Group Technology Risk Management Framework (GTRMF) addresses both business and technology drivers, with a focus on controls from a holistic perspective that includes people, process and technology control layers. GTRMF is aligned with the Operational Risk Policy and supports risk management by ensuring that technology risks are properly identified, managed, monitored, mitigated and reported in a structured and consistent manner. GTRMF will be continuously enhanced in accordance with international standards and guidance issued by regulatory bodies.

GISGD is responsible for ensuring enterprise-wide implementation of GTRMF, while ensuring compliance with relevant regulatory policies and guidelines. While discharging the above responsibilities, GISGD will continuously engage with the First Line of Defence to perform its oversight duties through the following initiatives:

I. Technology Risk Strategy
• Implementing a technology risk management strategy that reflects the culture, appetite and tolerance levels of the Group, while taking into consideration technology, budgets and regulatory requirements.

II. Technology Risk Governance
• Developing policies and internal controls to mitigate technology-related risks to an acceptable level, and monitoring the effectiveness of internal controls.

III. Technology Risk Measurement and Assessment
• Technology risk assessments (including cloud risk assessments) are conducted by assessing vulnerabilities and threats, including those related to emerging technologies, audit findings, loss events, IT projects and so forth. Appropriate recommendations will be provided to business units for consideration.

IV. Technology Risk Monitoring & Compliance
• Monitoring process reviews, including independent reviews of technology key risk indicators (KRI), risk and control self-assessment (RCSA) and so forth, are performed to ensure controls are adequately implemented and, where controls are unavailable, interim measures to mitigate risks are implemented.
• Additionally, GISGD performs a technology compliance review programme to ensure that all key technology requirements prescribed by the governing bodies are complied with. This assessment is performed by assessing the effectiveness and adequacy of the controls implemented by the business units. This review serves as a check and balance function to review and report the compliance status to the Management and Board Committees.

V. Technology Risk Reporting
• Reports on technology, cybersecurity and data risks will be presented to Management committees and the Board for deliberation and approval (where applicable).

236 Bank Islam Malaysia Berhad ◆ Integrated Annual Report 2023 Statement on Risk Management and Internal Control
