Thanachart One Report 2021 - EN

5. Information Technology Risk

Today, information technology plays a very important role in the business operations of the Company and its subsidiaries, particularly in increasing efficiency in providing customers with financial services which are accurate, efficient, safe and meet customer needs at a lower cost. The Company and its subsidiaries recognize that the use of information technology, which is changing rapidly all the time, may pose risks to service-related security, customer information and service continuity, and may impact the business operations of the Company and its subsidiaries. As a result, the Company and its subsidiaries pay great attention to the management of information technology risks, ensuring that they are managed in line with international standards. Emphasis is placed on protecting information and interests of customers, taking into consideration three key principles: 1) Confidentiality: security of systems and information, 2) Information integrity: trustworthiness and dependability of systems and information, and 3) Availability: ability to make systems and information accessible as needed.

To enable the Company and its subsidiaries to manage information technology risks in an efficient and continuous manner and also in line with the nature of their business operations, volume of transactions, information technology complexity, and related risks such as operational risk, strategic risk, reputational risk and legal risk, the Company and its subsidiaries have established a risk governance framework based on the fundamental principle of the three lines of defense, a guide to how responsibilities should be clearly divided and segregated. These include the following: 1) operations of information technology, 2) management of information technology risks, and 3) audit of information technology.
Moreover, the Company and its subsidiaries have established the policy and standards for ensuring information technology security, the policy on information technology management, regulations as well as procedures and processes related to risk management. Importantly, they provide Directors, executives and staff with knowledge and awareness of information technology risks on a continuous basis. The Company and its subsidiaries have put in place the following processes for managing the information technology risks in line with international standards.

• The risk assessment consists of 1) risk identification, 2) risk analysis, and 3) risk evaluation. The objectives are to estimate the likelihood that the risks may arise and to assess the extent of effects on business operations.
• As regards risk treatment, the Company continues to manage, control and prevent the risks in an appropriate manner, in line with the risk assessment results. The objective is to keep the remaining IT risks at an acceptable level. In this connection, the Company has established a number of IT key risk indicators.
• The Company has put in place a process for monitoring, reviewing and reporting the risk, ensuring that the IT risk is at an acceptable level. In this connection, reports are presented regularly to the committee concerned.

6. Strategic Risk

This type of risk arises from the inappropriate formulation of strategies, business planning, and implementation which are not compatible with internal setups and external environment, resulting in an adverse impact on earnings, capital or the existence of the Company and its subsidiaries. In managing the strategic risk, the formulation of strategies of the Company and its subsidiaries will be considered over the three years ahead, with the review required annually or in the case of an external event that may impact the achievement of the Company’s business goals.
The Executive Committee is responsible for regularly monitoring and evaluating the performance of the work units against the established targets stated in the annual operation plan.

7. Reputation Risk

The reputational risk means a risk that occurs when the public, i.e. customers, strategic or alliance partners, investors, and regulators, have a negative perception of or lose confidence in the Company and its subsidiaries. This
