KWAP, in its journey to achieve its Mission and Vision, recognises that the ever-changing business environment presents multiple forms of threats and opportunities. KWAP is committed to moving forward, managing threats and seizing opportunities for value creation and capital preservation in whatever form they take. The risk management approach is primarily through the adoption of Enterprise Risk Management (ERM) as a core strategy across the enterprise. This approach is designed to identify potential events that may adversely affect the entity and manage risks within its risk appetite, thus providing reasonable assurance regarding the achievement of organisational objectives.
Credit risk is defined as the probability that a borrower or counterparty will fail to meet its financial obligations in accordance with agreed terms. KWAP, being an active player in the domestic fixed income and money markets, with participation in both primary and secondary markets, requires strong credit risk policies. To that end, industry best practices are instilled via continuous updates of credit risk policies and processes. The purpose of credit risk management is to keep credit risk exposure within an acceptable level and to ensure that returns are commensurate with the risks taken. The Credit Risk Framework and Credit Risk Guidelines were introduced to formalise the credit risk function and cover credit risk measurement, credit risk assessment and monitoring.
The credit limits are designed to either cap risk exposures within a certain asset class or sub-asset class or cap risk exposures to a single entity or issuer. Management Action Triggers, on the other hand, are triggers that warrant management review and reassessment of the accompanying risk exposures.
KWAP’s market risk relates to the risk of loss resulting from adverse changes in the value of its asset holdings arising from movements in market areas or prices.
There are three (3) main asset classes that make up KWAP’s investments:
- Fixed Income
- Alternative Investment.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Through Operating Risk Event (ORE) reporting, KWAP is able to capture and record loss events or near misses that occur within KWAP’s business operations. It also serves as an avenue whereby relevant departments cooperatively work towards addressing risk issues pertinent to the reported events, facilitated by the Risk Management and Compliance Department (RMCD).
Business Continuity Management (BCM)
Business Continuity Management (BCM) has always been one of KWAP’s priorities. KWAP continues to implement the BCM framework and identify areas where improvements can be made to internal capabilities and competencies to mitigate the risk of severe operational disruptions.
One of the key activities is the Disaster Recovery Exercise (DRE) whereby KWAP is tested on its ability to recover critical functions within a set timeline and thus ensure operational continuity despite the disruption.
The compliance function in the organisation has gained prominence in recent years due to the nature and size of financial losses and loss of reputation that can arise from compliance breaches. Compliance serves as an independent function that identifies, assesses, advises on, monitors and reports on compliance risks.
The main objective of compliance is to preserve KWAP’s reputation so that our competitive standing, reputation and shared value are not only maintained but also enhanced. To achieve this objective, KWAP’s underlying mission is to effectively measure and manage the compliance risks of the organisation to meet the expectations of all stakeholders. Compliance risk within KWAP is defined as the risk of impairment to the organisation’s business model, reputation and financial condition from a failure to comply with laws and regulations, internal policies and the expectations of stakeholders. The Compliance Framework, which was implemented in 2010, serves as the foundation for this aspiration and provides the building blocks from which the compliance functions are shaped. In managing the roll-out of the Compliance Framework, the compliance function adopted the Three Lines of Defence Model in managing compliance risks in KWAP.
The three lines of defence model was adopted by KWAP for the internal control framework in the context of risk management, corporate governance and risk oversight. On a functional basis, top Management and frontliners form the first line of defence against compliance risk. They are principally responsible for monitoring and ensuring that the conduct of their business activities is carried out in accordance with the approved policies. Besides this, Compliance Liaison Officers are appointed in each department to act as reference points for any non-compliance issues and to ensure that their departments are kept abreast of any implementation of new policies and guidelines.
The RMCD forms the second line of defence. The compliance function has a key role in its control structure. This includes helping the business to anticipate regulatory / internal policy requirements and to thoroughly assess the potential compliance risks and ensure that the business knows how to meet its obligations on a day-to-day basis. The third line of defence is internal audit, which undertakes independent and regular ex-post reviews of the overall organisation’s internal control and risk and compliance with regulatory requirements.
Scope of Compliance
a) Regulatory Compliance
This covers the external regulations and guidelines which KWAP is bound to comply with, such as the relevant Acts of Parliament, Minister of Finance Decrees and relevant guidelines from regulatory bodies such as Bank Negara Malaysia, the Securities Commission and Bursa Malaysia. The ownership of regulatory compliance is with the relevant operating unit at the transactional or operational level, where any potential breaches can be identified upfront before the event. A proactive approach has been adopted as non-compliance with regulatory obligations is not an option.
b) Internal Compliance
This covers compliance with the internal policies and guidelines, e.g. the Investment Policy and Guidelines, Discretionary Authority Limits and Standard Operating Procedures. The RMCD’s approach to ensuring internal compliance is sustained through risk limit controls in the investment system and operational process controls embedded in the Standard Operating Procedures.
Compliance activities are closely intertwined with compliance developments on the global front, existing legal requirements and KWAP’s policies and procedures.
Value of Compliance
As business models change, new technologies emerge and new investment asset classes increase amidst the intense focus on operational efficiencies, KWAP has never been more exposed to such a myriad of risks. In this regard, the Board and Senior Management of KWAP have extended their fullest support and cooperation in moving compliance to the forefront. They have done this by establishing the tone from the top, which is quite simply, to comply with all rules and regulations and employ ethical behaviour. All staff are aware that the Board and Senior Management must take an uncompromising stance if such trust is breached. The Compliance unit is increasingly becoming a point-of-reference and advisor for key strategic initiatives that KWAP embarks on.
The effective penetration of a proper compliance culture into all business and operating units has enhanced our public domain presence and facilitated early detection of compliance risks. This has resulted in quicker compliance risk mitigation actions being undertaken. KWAP recognises that a strong compliance culture is the foundation of good compliance practices and it is imperative that this becomes an intrinsic trait of the organisation.
Chinese Wall Policy
KWAP developed and implemented its Chinese Wall Policy in 2014. KWAP’s Chinese Wall Policy was introduced to establish procedures to control the flow of material non-public and price-sensitive information within KWAP to minimise the risk of insider trading and potential breach of laws and regulations. It also helps to ensure that the possession of material non-public and price-sensitive information does not give rise to the risk or perceived risk of a conflict between public interest, KWAP’s interest and the staff’s personal interests. The governance prescribed in this policy sets out the means to avoid possible leaks of information, thus avoiding unfair advantages to profit from or reduce losses ahead of the general public obtaining the said information.
KWAP’s ERM Oversight Structure
The Board is ultimately responsible for the oversight and management of KWAP’s risks. The Board, through the Risk Management Committee (RMC), maintains overall responsibility for risk oversight in KWAP.
The RMC’s responsibilities include, among others, reviewing and ensuring the adequacy of risk management policies and procedures, reviewing risk exposures and ensuring that infrastructure, resources and systems are in place for risk management activities.
The Board is also supported by the Audit Committee, whose responsibility is to provide an independent assessment of the adequacy and reliability of the risk management processes and system of internal controls and compliance with risk policies and regulatory requirements.
The Enterprise Risk Management Committee (ERMC), which is chaired by the CEO, serves as a platform where all risk-related matters, be they operational or investment-related, are deliberated and addressed. Issues are then updated to the Board’s RMC for notification and decision, if necessary.
The dedicated independent risk management and audit functions, namely the Risk Management and Compliance Department (RMCD) and Internal Audit Department, are responsible for ensuring the approved risk management framework and policies are implemented and complied with. They are also responsible for facilitating the risk management processes within operational units, which include risk identification, assessment, mitigation and monitoring.
At the forefront, all units are responsible for identifying and managing risks within their operations. They are to ensure that all daily activities are carried out within the established framework and in full compliance with approved policies, procedures and limits.
RISK MANAGEMENT FRAMEWORK & POLICY
KWAP has a formalised Enterprise Risk Management Framework (ERMF), which is in turn supported by an ERM Policy, to facilitate the implementation of ERM. The ERM approach is benchmarked against and aligned to the ISO 31000:2009 Risk Management Standard.
Key areas and sub-frameworks include the Operational Risk Management Framework, Market Risk Management Framework and Credit Risk Management Framework. These frameworks are developed on a modular basis to provide for a fair degree of segregation, depth and clarity for each key risk. KWAP has the flexibility to develop new sub-frameworks to address other risks if necessary. These other risks outside the broad risk categories (if any) are addressed with the corporate risk profile. Management of such risks is often executed via risk mitigation programmes that are then duly executed in KWAP.
The latest addition to the ERM Framework is the Liquidity Risk Management Framework. This was developed on a forward-looking basis to handle a risk that will increasingly become more important in the future.