Management of Operational Risk
The management of operational risk is guided by the definition and Principle 17 of the IOSCO PFMI. Operational risk is identified as the risk that deficiencies in information systems or internal processes, human errors, management failures, or disruptions from external events will result in the reduction, deterioration, or breakdown of services provided by Bursa Malaysia.
The management of some of the significant operational risks faced by the Group is outlined below:
Appropriate systems with adequate capacity, security arrangements, facilities and resources are in place to mitigate risks that could cause interruption to the Group’s critical business functions. The Group has a comprehensive Business Continuity Plan (BCP), including a Disaster Recovery Plan which is tested annually to ensure continuity of the business and technology operations. Besides the mandatory industry-wide tests, the Group also facilitates BCP exercises for the market participants. The objective of these exercises is to ensure that market participants’ backup sites / systems can be connected successfully to Bursa Malaysia in the event of a disruption.
Bursa Malaysia has implemented various mitigation measures to manage Cyber Security risk, including a robust network architecture which is segmented into private and public networks. This segmentation aims to isolate a problem within the affected segment in the event of a cyber-attack. Bursa Malaysia has invested in and set in place adequate IT security tools and mechanisms to enhance its cyber resilience capabilities to anticipate, withstand, contain and rapidly recover from a cyber incident, with the objective of limiting the escalating risks that cyber threats pose to Bursa Malaysia and the broader capital market. There has not been any compromise to the mitigation measures taken by Bursa Malaysia that would leave Bursa Malaysia’s infrastructure and systems vulnerable to a cyber-attack. The tools and mechanisms are reviewed and assessed on an annual basis or as and when needed. In addition, a review of the cyber security architecture is conducted periodically by an independent party. The review aims to ensure observance of the Guidance on Cyber Resilience for Financial Market Infrastructures issued by IOSCO as well as compliance with the Guidelines on Management of Cyber Risk issued by the SC Malaysia.
Bursa Malaysia has put in place several controls to mitigate physical breaches covering the main Bursa building as well as the Disaster Recovery site. To ensure that Bursa Malaysia is sufficiently prepared to meet any eventuality, plans have been developed and exercised to address multiple possible scenarios which can impact the physical security at Bursa Malaysia’s premises.
Policies & Procedures
The effective operation of Bursa Malaysia depends to a significant extent on the availability, adequacy and effectiveness of its frameworks, policies, processes and procedures. Hence, Bursa Malaysia has put in place key frameworks, policies and procedures, which include the following:
- System/Operations – IT Security Policy, Information Management Policy, Business Rules, Trading & Clearing procedures, ISMS Manual
- Risk & Compliance – ERMPF, Compliance Framework, BCM Framework
- People – Code of Ethics, Employee Handbook, Group Disciplinary Policy
- Budget – Finance Policies & Procedures, Corporate Authority Manual, Contract Management Guidelines
The key frameworks, policies and procedures will continue to be reviewed to ensure that the effectiveness and adequacy of the implementation are in accordance with global best practices and standards.