Page 416 - Bank Muamalat_AR24

BANK MUAMALAT MALAYSIA BERHAD


          BASEL II
          PILLAR 3 DISCLOSURE






          9.0   OPERATIONAL RISK MANAGEMENT (“ORM”) DISCLOSURES

              Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or
              from external events, which includes a wide spectrum of risks such as fraud, physical damage, business disruption, transaction
              failures, legal, regulatory breaches including fiduciary breaches and Shariah non-compliance as well as employee health
              and safety hazards.

              The objective of operational risk management is to effectively manage these risks in order to avoid or reduce any possible
              financial or non-financial losses arising from operational lapses.

              In relation to operational risk management, the Operational and Shariah Risk Management Section (“OSRMS”), Operational
              Risk Management Committee (“ORMC”), Internal Audit, Compliance, as well as the business and functional units play a
              significant role in the overall integrated risk management framework.

              The management of operational risks is targeted at preventing and managing loss events and potential risks by using
              operational risk tools, namely, Risk and Control Self Assessment (“RCSA”), Key Risk Indicator (“KRI”), Incident Management
              and Data Collection (“IMDC”), Scenario Analysis (“SA”), Control Self Test (“CST”) and Stress Test (“ST”).

              The risk management processes and controls are established in line with the Bank’s operational risk management framework,
              internal policies, regulatory requirements and standard operating procedures as guidance.

              The Muamalat Operational Risk Solution (“MORiS”)

              The MORiS is a web-based application that is used as a tool in risk identification and assessment. It also acts as a centralized
              loss incidents database by capturing and storing loss-related data and is used to track risk exposures against established
              key risk indicators (“KRI”) over time.
              Its key objective is to improve monitoring and reporting of risk activities in branches and the head office through the Risk &
              Control Self-Assessment (“RCSA”), Incident Management Data Collection (“IMDC”), and Key Risk Indicator (“KRI”).

              Business Continuity Management (“BCM”)

              The Bank adopts the BNM’s Policy on Business Continuity Management, which entails enterprise-wide planning and
              arrangements of key resources and procedures that would enable the Bank to respond and continue to operate critical
              business functions across a broad spectrum of interruptions to business, arising from internal or external events.

              BCM Methodology

              The Bank develops the Business Continuity Plan (“BCP”) by way of completing the Risk Assessment (“RA”) and Business
              Impact Analysis (“BIA”). RA is a tool used to identify potential threats for all business functions. A BIA will be carried out to
              identify critical business functions’ recovery time objective (“RTO”) and maximum tolerable downtime (“MTD”) taking into
              account the Bank’s resources and infrastructures. The RA and BIA sessions are conducted annually with the business units.