SHARE/GUIDE RMiT series Day 2: Board responsibilities
Malaysia’s IT user association, SHARE/GUIDE, organised a 3-day RMiT Week webinar with sessions from 17 to 19 August, where speakers and panelists who are also SHARE/GUIDE members shared their experience, knowledge, products and services with others. Day 2 of the series comprised a virtual panel discussion on board members’ responsibilities when it comes to technology risk management in the financial services industry.
The RMiT or Risk Management in Technology policy document issued by Bank Negara Malaysia applies to financial institutions, and it came into effect on 1st January of this year according to SHARE/GUIDE’s Chairman, Nazrul Hisham Abdul Hamid.
With service providers having shared solutions and information on Day 1 of the series, Day 2 started off with a discussion among board members of two banks. Mr. Chu Hong Keong (CIMB) and Mr. Yuzaidi Yusoff (Bank Islam) shared their views on the accountability and responsibilities of the board of directors (BOD) of financial institutions, in a session moderated by SHARE/GUIDE CEO, Woo Yuen Seng.
Hong Keong stated, “I believe the significance (of this policy document) centres on strategic technology and cyber risk management instead of the traditional effective IT and data management. Cyber risk is also singled out.”
He pointed out that the critical aspects of the RMiT guideline are proper governance and effective management of tech risk by the financial institution (FI), with the primary objective of focusing the FI on managing key tech risk more strategically, seriously and effectively, to ensure service, operational and cyber resilience for protection against disruption and financial/reputational loss.
This is not just to protect FIs and their customers, but also the stability of the entire industry against systemic risks.
“I cannot emphasise enough the importance of these guidelines from Bank Negara,” Yuzaidi later added.
“It’s very critical, it’s very important… having a guideline from BNM actually helps us to solidify our understanding and make it consistent and standardised across the board.”
It also helps banks ensure that cybersecurity and technology risks are being addressed and prevented.
The RMiT was to be expected
Yuzaidi shared that the RMiT was also expected.
When it comes to IT risk, the board should be on top of it and in control of what needs to be done, and of how to ensure that management is identifying IT risk, risk appetite and the steps to compliance.
“From the board perspective, we are very cognisant and we want to make sure all these are put in place on a quarterly basis,” he said.
Besides acting as a check and balance between the financial entity and the RMiT guidelines, adequacy is also something the board of directors has to look into.
“We need to ensure the policies put in place are adequate and cover all the necessary angles and issues that need to be addressed,” he explained.
Hong Keong agreed with Yuzaidi and said, “Honestly, I am not surprised at all (that the RMiT came about).”
“This is a strategy with a very top-down approach. It really gets the board to focus on (important details). It is about clear oversight to ensure effective tech risk management,” he said, also observing that the guideline singles out IT and cybersecurity.
The third thing is that it also ensures effective implementation of a sound and robust risk management framework, with resilience as the key element.
“This will actually impress upon senior management and the entire organisation, the critical importance of implementing a true tech and cyber risk framework consistently and based upon the approved risk appetite and tolerance that the board decides with the senior management,” he said.