
5th ME Business & IT Resilience Summit 2016 - Integration of ERM and BCM as an independent function...

Date post: 09-Jan-2017
Upload: continuity-and-resilience

PUBLIC


Continuity and Resilience (CORE)

ISO 22301 BCM Consulting Firm

Presentations by speakers at the 5th Middle East Business & IT Resilience Summit

20 – 21 April 2016 – Palace Hotel DownTown Dubai

Our Contact Details:

INDIA

Continuity and Resilience

Level 15, Eros Corporate Tower, Nehru Place, New Delhi-110019

Tel: +91 11 41055534 / +91 11 41613033 Fax: ++91 11 41055535

Email: [email protected]

UAE

Continuity and Resilience

P. O. Box 127557, Abu Dhabi, United Arab Emirates

Mobile: +971 50 8460530 Tel: +971 2 8152831 Fax: +971 2 8152888

Email: [email protected]

Please write to us if you would like to get in touch with the Speaker


5th Middle East Business and IT Resilience Summit, Dubai, UAE

Integration of ERM and BCM as an independent function for an enhanced organisational resilience

Affeiz Bin Abdul Razak MBCI (UK), CFSA (US), CMIIA, CBCI (UK), BBA

Chief Risk Officer and General Manager, ERM Division

21 April 2016


Contents

Introduction

The objective

The integration of ERM and BCM

The independent ERM and BCM function

Benefits and limitations

Some lessons learnt

Key takeaways


About PIDM: The Establishment

A statutory body established under the Malaysia Deposit Insurance Corporation Act

Established in September 2005 to administer the national deposit insurance system aimed at protecting depositors

Beginning 31 December 2010, PIDM’s mandate has been expanded by Parliament to administer TIPS

Complements prudential regulatory and supervisory role of Bank Negara Malaysia (BNM) by providing safety net for depositors and insurance policy owners


PIDM’s Mandate

Administer the deposit insurance system and TIPS

Provide protection for depositors, and takaful certificate and insurance policy owners against the loss of their deposits and takaful and insurance benefits in the event of a member institution (MI) failure *

Provide incentives for sound risk management in the financial system

Promote or contribute to the stability of the financial system *

* In achieving these, PIDM shall act in a manner to Minimise Costs to the Financial System

Vision of PIDM: Best practice financial consumer protection authority

Tagline of PIDM: Protecting Your Insurance and Deposits in Malaysia

Promotes stability of the financial system


Governance of PIDM

• A statutory body that reports to Parliament through Minister of Finance

• Board of Directors structure
– Chairman appointed by Minister of Finance
– Governor of BNM (ex officio)
– Secretary General of Treasury (ex officio)
– 6 other members from the public and private sectors appointed by Minister of Finance

• CEO
– Appointed by Minister of Finance on the recommendation of the Board of Directors

[Diagram labels: PIDM reports to the Parliament through Minister of Finance; Parliament of Malaysia]


The Objective

Sharing real-life Malaysian experiences where ERM and BCM are integrated as a single independent function within an organisation.


The Integration of ERM and BCM

ERM + BCM

Business Continuity Management

ISO31000: 2009 Risk Management – Practices and Guidelines

Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework - 2004


The Independent ERM and BCM Structure

[Organisation chart labels: Board of Directors; Board Audit Committee; Board Risk Management Committee; Internal Audit Function; Integrated ERM and BCM Function*; Management ERM & BCM Committee; Risk Management & BCM Working Group; Department 1; Department 2; Department 3; Department 4; Department 5]

* The Head of Integrated ERM and BCM reports functionally to the Board via the AC and administratively to the CEO.


Pre-requisites for Integration and Independence

Pre-requisites of an effective independent ERM and BCM function in an organisation:

Integrated ERM and BCM Charter

Strong knowledge of both Risk Management and BCM

Unbiased support from the Board and Management

Role as risk owners and BCM process owners


Comparison of Traditional and Independent Roles

| Parties / Reporting line | Traditional Roles (Non-Independent) | Independent Roles |
| --- | --- | --- |
| Board of Directors | Ultimate owners of risk | Ultimate owners of risk |
| Board Audit Committee (AC) / Board Risk Management Committee (BRMC) | Assist the board to provide oversight on the risk management and BCM | Assist the board to provide oversight on the risk management and BCM |
| Management | Day-to-day management of risk activities and BCM | Day-to-day management of risk activities and BCM |
| ERM and BCM Functions | Part of management functions | Independent from executive functions and do not have any management or financial responsibility functions |
| Reporting | CFO / CEO | Administratively to the CEO; functionally to the Board via AC / BRMC |


Benefits and Limitations

| Benefits | Limitations |
| --- | --- |
| Independent assurance | Encounter culture shock, resistance and lack of coordination at the initial stage |
| Advisory and consultant | A challenge to recruit - disciplines/ professionals on both ERM and BCM |
| Streamline the work in ERM and BCM | |


Some Lessons Learnt

Full support

Time saving

Access to Board of Directors

No duplication

Consistent terminology

BIA easier to be understood - Risk Parameter

A standardised Risk Map

Risk Treatments simultaneously for ERM and BCM

ERM Risk Action Plans for recovering critical business functions

Enhance the readiness for the BCM Exercise

BCM Exercise tests the effectiveness of both BCM and ERM Risk Action Plans


Key Takeaways

Compare the lessons learnt from the Malaysian experience

Evaluate the importance of having an independent ERM and BCM Function for your respective organisations

Select the best reporting structure and roles of the ERM and BCM to create value


Roles of PIDM as part of the Financial Safety Net Players

Commercial Banks

Islamic Banks

1. Affin Islamic Bank Berhad
2. Alliance Islamic Bank Berhad
3. Al-Rajhi Banking and Investment Corporation (Malaysia) Berhad
4. AmIslamic Bank Berhad
5. Asian Finance Bank Berhad
6. Bank Islam Malaysia Berhad
7. Bank Muamalat Malaysia Berhad
8. CIMB Islamic Bank Berhad
9. EONCAP Islamic Bank Berhad
10. Hong Leong Islamic Bank Berhad
11. HSBC Amanah Malaysia Berhad
12. Kuwait Finance House (M) Berhad
13. Maybank Islamic Berhad
14. OCBC Al-Amin Bank Berhad
15. Public Islamic Bank Berhad
16. RHB Islamic Bank Berhad
17. Standard Chartered Saadiq Berhad

Insurance Companies

Takaful Operators

1. AIA AFG Takaful Berhad
2. CIMB Aviva Takaful Berhad
3. Etiqa Takaful Berhad
4. Great Eastern Takaful Sdn. Bhd.
5. Hong Leong Tokio Marine Takaful Berhad
6. HSBC Amanah Takaful (Malaysia) Sdn. Bhd.
7. MAA Takaful Berhad
8. Prudential BSN Takaful Berhad
9. Syarikat Takaful Malaysia Berhad
10. Takaful Ikhlas Sdn. Bhd.


Our continual Risk Assessment System and Early Intervention & Failure Resolution

[Figure: flow diagram covering viable and non-viable MIs. Labels recovered from the slide:]

Legend: PIDM’s Activities; PIDM’s Risk Categories; PIDM’s Intervention Stages; PIDM’s Intervention and Failure Resolution Actions

Institutions: Viable MIs; Non-Viable MIs

Ratings and stages: Low Risk; Moderate Risk; Above Average Risk; Watch List; Special Mention; Going Concern; Early Warning; Viability Risk; Resolution

Triggers: Triggers for intervention; Early Intervention Trigger; Non-Viability Notice by BNM

MDIC Intervention and Failure Resolution Actions: Due Diligence; Preparatory Examination; Financial Assistance; Asset Carve-Out; Bridge Institution; Closure & Liquidation

Failure Resolutions: Restructuring; Agency Arrangement; Purchase & Assumption

Mechanisms: Assumption of Control; Receivership

Other labels: Regular Risk Assessment & Monitoring; Differential Premium System and Premium Surcharge; Supervisory Oversights and Actions by BNM


ERM Risk Assessment Framework

ERM – identify what will impact the achievement of our objectives

PIDM’s Mandates and Objectives

Establish External & Internal Context

1. Identify Risk
2. Assess and Analyze the Risk
3. Evaluate and Treat the Risk
4. Monitor and Review the Risk
5. Report and Communicate Risk

a. Identify Risk
b. Assess and Analyse the Risk
c. Evaluate and Treat the Risk
d. Monitor and Review the Risk
e. Report and Communicate Risk

Australian/ New Zealand Standard for Risk Management

COSO ERM

ISO 31000 Risk Management


ERM Process in PIDM

1. Establish the Context (Objectives; Risk Impact; and Risk Appetite/ Tolerance)

2. Corporate and Divisional Risk Assessment

3. Risk Treatment Option Selection and Preliminary Risk Action Plans Preparation

4. Follow-up on the Implementation of Risk Action Plans

5. Monitor the Effectiveness of Risk Action Plans Implemented and Reassess the Impact on Risk Rating


ERM Policy, Procedures, and Board Risk Policies & Reports

ERM Policy Statement

ERM Charter

ERM Procedures

Board Risk Policy
1.0 Definition
2.0 Policy
2.1 Board of Directors’ Oversight
2.2 Board’s Expectations
3.0 Risk Policy Review

Board Risk Report
1.0 Definition
2.0 Risk Owner
3.0 Background of the Risk
4.0 Current Internal Controls, Practices, and Oversight Over Risk Exposure
5.0 Overall Assessment of the Risk

Board Risk Policies and Reports:
Strategic and Governance Risk
Insurance Powers Risk
Assessment and Monitoring Risk
Intervention & Failure Resolution Risk
Reputation Risk
Market Risk
Liquidity Risk
Operational Risk

Corporate-wide Board Risk Report

ERM Annual Risk Assessment Report


Affeiz Bin Abdul Razak

Chief Risk Officer and General Manager, Enterprise Risk Management Division

Perbadanan Insurans Deposit Malaysia (Malaysia Deposit Insurance Corporation)

THANK YOU
