Bank Islam Integrated Annual Report 2023

7. OPERATIONAL RISK (CONTINUED)

7.3 Management of Operational Risk

The Group recognises and emphasises the importance of ORM and manages this risk through a control-based environment where processes are documented, authorisation is independent, transactions are reconciled and monitored, and business activities are carried out within the established ORM policies, guidelines, procedures, and limits. The Group’s overall governance approach in managing operational risk is premised on the Three Lines of Defence Approach:

a) 1st Line of Defence – The risk owner or risk-taking unit, i.e., BU/SU, is accountable for putting in place a robust control environment within their respective units. They are responsible for the day-to-day management of operational risk. To reinforce accountability and ownership of risk and control within the 1st Line of Defence, the RC is appointed at each BU/SU and ERU is established at selected BU/SU.

2nd Line of Defence – Operational Risk Management Department (“ORMD”) is responsible for establishing and maintaining the ORM Policy and its supporting guidelines/manuals, developing methodologies and various ORM tools to facilitate the management of operational risk, monitoring the effectiveness of ORM, assessing operational risk issues from the risk owner and escalating operational risk issues to the relevant governance level with recommendations on appropriate risk mitigation strategies. In creating a strong risk culture, ORMD is also responsible for promoting risk awareness across the Group. Shariah Risk Management Unit (“SRMU”), which forms part of ORMD, is responsible for managing the Shariah non-compliance risk (“SNCR”) by establishing and maintaining appropriate guidelines on Shariah Risk Management (SRM), by facilitating the process of identifying, assessing, controlling, and monitoring SNCR, and by promoting SNCR awareness.

Group Compliance Division, which includes Shariah Compliance Department, and Group Information Security & Governance Division (“ISGD”) complement the role of ORMD as the 2nd Line of Defence. Group Compliance Division is responsible for ensuring effective oversight of compliance-related risks such as regulatory compliance risk, compliance risk, corruption risk, money laundering and terrorism financing risks through proper classification of risks and developing, reviewing, and enhancing compliance-related training programmes, as well as conducting training that promotes awareness. Shariah Compliance Department under Group Compliance Division is responsible for reviewing and monitoring Shariah compliance of the Group’s operations, activities, and services at BU/SU level. ISGD is responsible for managing information technology risk by establishing, maintaining, and enforcing information technology risk policies/guidelines, and it works closely with Group Technology Division in identifying, assessing, mitigating, and monitoring information technology risk in the Group.

b) 3rd Line of Defence – Group Internal Audit, including Shariah Audit Department, provides independent assurance to the Board and management on the effectiveness of the ORM and SRM process.

Pillar 3 Disclosure as at 31 December 2023 Bank Islam Malaysia Berhad ◆ Integrated Annual Report 2023
