Enterprise Risk Management
Management of Operational Risk
The management of operational risk is guided by the definition and Principle 17 of the IOSCO PFMI. Operational risk is identified as the risk that deficiencies in information systems or internal processes, human errors, management failures, or disruptions from external events will result in the reduction, deterioration, or breakdown of services provided by Bursa Malaysia.
The management of some of the significant operational risks faced by the Group is outlined below:
Business interruption
Appropriate systems with adequate capacity, security arrangements, facilities and resources are in place to mitigate risks that could cause interruption to the Group’s critical business functions. The Group has a comprehensive Business Continuity Plan (BCP), including a Disaster Recovery Plan, which is tested annually to ensure continuity of the business and technology operations. Besides the mandatory industry-wide tests, the Group also facilitates BCP exercises for the market participants. The objective of these exercises is to ensure that market participants’ backup sites/systems can be connected successfully to Bursa Malaysia in the event of a disruption.
Cyber security
Bursa Malaysia has adopted the Cyber Resilience for Financial Market Infrastructures issued by IOSCO and Guidelines on Management of Cyber Risk issued by the SC Malaysia.
Physical Breaches
Bursa Malaysia has put in place several controls to mitigate physical breaches covering the main Bursa building as well as the Disaster Recovery site. To ensure that Bursa Malaysia is sufficiently prepared to meet any eventuality, there are plans that have been developed and exercised to address multiple possible scenarios which can impact the physical security at Bursa Malaysia’s premises.
Policies & Procedures
The effective operation of Bursa Malaysia depends to a significant extent on the availability, adequacy and effectiveness of its frameworks, policies, processes and procedures. Hence, Bursa Malaysia has put in place key frameworks, policies and procedures, which include the following:
- System/Operations – IT Security Policy, Information Management Policy, Business Rules, Trading & Clearing procedures, ISMS Manual
- Risk & Compliance – ERMPF, Compliance Framework, BCM Framework
- People – Code of Ethics, Employee Handbook, Group Disciplinary Policy
- Budget – Finance Policies & Procedures, Corporate Authority Manual, Contract Management Guidelines
The key frameworks, policies and procedures will continue to be reviewed to ensure that the effectiveness and adequacy of the implementation are in accordance with global best practices and standards.