APPENDIX 8

RISK EVENT CATEGORY
Loss event type classification under Basel is divided into three levels of operational risk: Level 1, Level 2 and Level 3. Basel has proposed the following Level 1 event types, shown in the tables below. Each Level 1 category lists its Level 2 event base categories, a description of the risk, and Level 3 activity examples.

CATEGORY LEVEL 1: INTERNAL FRAUD

Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party.

EVENT BASE CATEGORY LEVEL 2

1.1 Unauthorised Activity

DESCRIPTION
- Risk of loss from staff carrying out activities that are not reported or that amount to mismarking of position
- Risk of loss from carrying out unauthorised and/or fraudulent transactions or passing unauthorised accounting entries

ACTIVITY EXAMPLE LEVEL 3
- Transactions not reported (intentional)
- Transaction type unauthorised (with monetary loss)
- Mismarking of position (intentional)

Other specific examples:
- Abusing the bank database for personal business pursuits, e.g. as a part-time insurance or unit trust agent
- Awarding projects or contracts to related parties in order to get kickbacks or bribes
- No predefined selection criteria for appointment and awarding of projects
- Sale of customers' account balances or statements to outsiders for kickbacks
- Unauthorised disclosure of the Bank's operating processes and IT security settings, such as parameter settings and internal controls
- Effecting entries of genuine transactions, e.g. reversing cash deposit transactions and taking possession of the cash for personal use
- Fraudulent transfer of funds from one account to another
- Manipulation of general ledger accounts at Service Outlet, Regional Office or Head Office, i.e. suspense accounts

RISK EVENT CATEGORY

Page 16

Date Last Updated: 4 NOV 2009

1.2 Theft and Fraud

DESCRIPTION
- Risk of loss from falsification of financial instruments or documents for monetary gain
- Risk of loss from unauthorised possession or use of the Bank's assets by Bank staff for personal gain
- Risk of loss from unlawful removal of the Bank's assets
- Risk of loss arising from inaccurate information or impersonation

ACTIVITY EXAMPLE LEVEL 3
- Fraud / credit fraud / worthless deposits
- Theft / extortion / embezzlement / robbery
- Misappropriation of assets
- Forgery
- Check kiting
- Smuggling
- Account take-over / impersonation / etc.
- Tax non-compliance / evasion (wilful)
- Bribes / kickbacks
- Insider trading (not on firm's account)

Other specific examples:
- Alterations to a medical bill to a higher amount
- Altered invoice to obtain a higher financing amount under staff loans
- Falsified or altered salary slips to secure higher pay or position when applying for a job at the Bank
- Altered cheque: MICR codes for an outstation cheque altered to a local cheque
- Encashment of forged or stolen cheques
- Encashment of forged investment receipts and bankers' cheques
- Fraudulent application for a cheque book or bankers' cheque followed by encashment
- Forged security documents accepted as collateral
- Malicious destruction of assets
- Placement of cash in hand into fixed deposits at other banks to earn interest
- Taking possession of cash by a teller or cashier for personal use, resulting in cash shortage
- Taking out currency notes from the ATM and putting them to personal use
- Use of the Bank's vehicle for personal use
- Unauthorised sale of fixed assets belonging to the Bank

CATEGORY LEVEL 1: EXTERNAL FRAUD

Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.

EVENT BASE CATEGORY LEVEL 2

2.1 Theft and Fraud

DESCRIPTION
- Risk of loss from falsification of financial instruments or documents by external parties
- Risk of loss from unlawful removal or stealing of the Bank's assets by external parties

ACTIVITY EXAMPLE LEVEL 3
- Theft / robbery
- Forgery
- Check kiting

Other specific examples:
- Collusion of cardholders and syndicates to obtain fraudulent transactions
- Encashment of forged investment receipts or bankers' cheques
- Forged security documents
- Fraudulent application for a cheque book or bankers' cheque followed by encashment
- Use of forged or stolen documents (bank statement, income tax form, IC) for Bank Islam card applications or opening of new depository accounts
- Robbery at the branches

2.2 Systems Security

DESCRIPTION
- Risk of loss from unauthorised or fraudulent access by outsiders into the Bank's network, systems and premises

ACTIVITY EXAMPLE LEVEL 3
- Theft of information (with monetary loss)
- Hacking into the Bank's system with the intention to disrupt operations
- Abuse of customers' ATM PIN, Internet login ID, etc.

CATEGORY LEVEL 1: EMPLOYMENT PRACTICES AND WORKPLACE SAFETY

Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity and discrimination events.

EVENT BASE CATEGORY LEVEL 2

3.1 Employee relations

DESCRIPTION
- Risk of loss due to non-adherence to human resource policies, employment/labour/industrial relations acts or other relevant legislation regarding employee relations

ACTIVITY EXAMPLE LEVEL 3
- Compensation, benefit, termination issues
- Organised labour activity

Other specific examples:
- Staff not allowed to participate in labour activity
- Compensation and staff benefits different from the service level agreement
- Disciplinary action / dismissal of an employee without following proper investigation processes or representation to staff
- Poor relationship and teamwork

3.2 Safe environment

DESCRIPTION
- Risk of loss due to failure to provide safe working conditions to staff, resulting in physical injury to the staff

ACTIVITY EXAMPLE LEVEL 3
- General liabilities (slip and fall, etc.)
- Employee health & safety rules events
- Workers compensation

Other specific examples:
- Alarm systems (fire etc.) in the Bank not tested in a timely manner
- Bank staff located in an area near electric wiring or the control panel of electricity or telecommunications
- Manual on employee health and safety not made available to staff
- Location of a Bank branch in an area prone to robbery

3.3 Diversity and discrimination

DESCRIPTION
- Risk of loss from employee dissatisfaction on account of discrimination (all types)

ACTIVITY EXAMPLE LEVEL 3
- Lower grade staff not allowed to claim overtime for working after office hours
- Lower grade staff carrying higher responsibility without getting commensurate benefits/allowances
- Staff involved in banking operations that carry higher risk but whose benefits are not commensurate compared with those in marketing, financing or other lines of business
- New incomers gaining higher positions and enjoying better salaries
- No proper basis for bonus, increment and promotion of staff
- Salary scheme not in line with the industry
- Staff easily being pinched (poached) by others
- Absence of focus because of diversified responsibilities

CATEGORY LEVEL 1: CLIENTS, PRODUCTS AND BUSINESS PRACTICES

Losses arising from unintentional or negligent failure to meet professional obligations to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

EVENT BASE CATEGORY LEVEL 2

4.1 Advisory activities

DESCRIPTION
- Risk of loss from disputes arising from Bank staff giving wrong advice to customers

ACTIVITY EXAMPLE LEVEL 3
- Disputes over performance of advisory activities

Specific examples:
- Staff giving advice to customers on which financial products to invest in that differs from the customers' perception, or wrongly matching the customer's financial needs, financing activities or purposes with financing facilities
- Staff inadvertently advising customers on stocks or mutual funds not related to BIMB

4.2 Selection, Sponsorship & Exposure

DESCRIPTION
- Risk of loss arising from exposure limits given to customers

ACTIVITY EXAMPLE LEVEL 3
- Daily excesses given to customers exceeding authority limits
- Delay in performing "charge back" of Bank Islam cardholders' disputed transactions or suspected fraud transactions
- Share financing: exceeding limits in case of a fall in share prices by delaying the force sale action
- Offering a high credit limit to credit card customers without proper justification
- Breach of single customer limit

4.3 Improper Business or Market Practices

DESCRIPTION
- Risk of loss arising from unlawful transactions carried out on the basis of information available to staff
- Risk of loss from unlawful business and improper trade or market practices
- Risk of loss on account of unlawful activity involving money laundering

ACTIVITY EXAMPLE LEVEL 3
- Antitrust
- Improper trade / market practices
- Market manipulation
- Insider trading (on the Bank's account)
- Unlicensed activity
- Money laundering

Other specific examples:
- Trading in BIMB Holding shares on the basis of information related to future price movements
- Non-reporting by bank staff of suspected money laundering cases (e.g. changing the form of funds, disguising their sources, or moving the funds to a place where they are less likely to attract attention)
- Training on money laundering not continuously conducted by the Bank
- Management not taking the initiative in promoting anti-money laundering awareness

4.4 Suitability, Disclosure & Fiduciary

DESCRIPTION
- Risk of loss arising from wrongly disclosing confidential information pertaining to the bank or customers
- Risk of loss arising from violation of regulatory guidelines or wrongful disclosure of vital information

ACTIVITY EXAMPLE LEVEL 3
- Fiduciary breaches / guideline violations
- Suitability / disclosure issues (KYC, etc.)
- Retail customer disclosure violations
- Breach of privacy
- Aggressive sales
- Account churning
- Misuse of confidential information
- Lender liability

Other specific examples:
- Informing account particulars of customers to unauthorised personnel
- Informing Bank Islam card parameters of customers to syndicates
- Informing inactive card or dormant account information to syndicates
- Informing a vendor's or supplier's quotation to another
- Breach of guidelines / manuals / policies pertaining to banking products and practices

4.5 Product Flaws

DESCRIPTION
- Risk of loss arising from flaws in the design of the bank's products

ACTIVITY EXAMPLE LEVEL 3
- Product defects
- Model errors

Other specific examples:
- Launching of a new product without approval of the Shariah Supervisory Council
- Launching new products without getting approval from BNM

CATEGORY LEVEL 1: DAMAGE TO PHYSICAL ASSETS

Losses arising from loss or damage to physical assets from natural disaster or other events.

EVENT BASE CATEGORY LEVEL 2

5.1 Disasters and other events

DESCRIPTION
- Risk of loss or damage to the Bank's physical assets due to natural disasters, e.g. flood, and human activities, e.g. riot or terrorism

ACTIVITY EXAMPLE LEVEL 3
- Natural disaster losses
- Human losses from external sources (terrorism, vandalism)

Other specific examples:
- Destruction of the Bank's assets, e.g. ATMs, by acts of vandalism
- Sabotage of the bank operating system by infecting it with a computer virus
- Physical cash in the strong room, ATM or CDM destroyed in a flood
- All important documents, e.g. financing agreements and developers' claim letters, lost or destroyed due to flood
- Cheques deposited in the cheque express machine destroyed, with the details written on the deposit envelopes unreadable

CATEGORY LEVEL 1: BUSINESS DISRUPTION AND SYSTEM FAILURES

Losses arising from disruption of business or system failure.

EVENT BASE CATEGORY LEVEL 2

6.1 Systems

DESCRIPTION
- Risk of loss on account of business disruption arising from failure of computer or system hardware and software, application systems, the Bank's network and telecommunication systems, and power

ACTIVITY EXAMPLE LEVEL 3
- Hardware
- Software
- Telecommunications
- Utility outage / disruptions

Specific examples:
- Server down
- Computer theft
- Lack of CPU utilisation monitoring
- Poor critical activities tracking
- Insufficient hard disk and memory capacity
- Inadequate PCs and printers
- Network failure due to the Bank's non-functioning LAN or WAN
- Breach of network security
- Insufficient or inefficient support
- Bug in a program or application resulting in wrong processing or functionality
- Poor system administration of the user access matrix
- Printer unavailable or breakdown
- Inability to support user requirements due to inadequate functionality in the application system
- Infection by computer virus
- ATM/CDM/Cheque Deposit Machine and Passbook Update Machine out of service
- Inadequate system support provided to end users, particularly Service Outlet staff
- Inadequate monitoring of system downtime, system performance, server processes and capacity utilisation
- Disaster Recovery location not ideal and dissimilar environment setup
- Interruption of the Bank's telecom line
- Inadequate firewall infrastructure to protect the Bank's network
- Corruption of local software on PC/laptop, thus unable to execute programs
- Insufficient backup tapes
- Power failure

CATEGORY LEVEL 1: EXECUTION, DELIVERY AND PROCESS MANAGEMENT

Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

EVENT BASE CATEGORY LEVEL 2

7.1 Customer / Client account management

DESCRIPTION
- Risk of loss arising from improper management of customers' accounts or assets

ACTIVITY EXAMPLE LEVEL 3
- Unapproved access given to accounts
- Incorrect client records (loss incurred)
- Negligent loss or damage of client assets

Other specific examples:
- Damage to customers' assets acquired (e.g. Al-Rahn product) due to negligence by the bank
- Incorrect client records / data integrity issues, e.g. private and confidential letters sent to wrong addresses
- Failure to execute customers' instructions, e.g. Standing Instruction (SI), sweep arrangement, AFT, stopped payment cheques, etc.
- Wrongly debiting customers' accounts for financing payment
- Non-closure of current accounts with frequent bad cheque or effect-not-cleared (ENC) incidences

7.2 Customer intake and documentation

DESCRIPTION
- Risk of loss arising from incomplete or missing documentation from customers or authorities

ACTIVITY EXAMPLE LEVEL 3
- Client permissions / disclaimers missing
- Legal documents missing / incomplete

Other specific examples:
- Inadequate clauses, terms and documentation of contracts and agreements with customers
- Missing or incomplete documents from customers, such as application forms and personal identification documents

7.3 Monitoring and reporting

DESCRIPTION
- Risk of loss arising from inadequate or failed internal monitoring and reporting procedures

ACTIVITY EXAMPLE LEVEL 3
- Failed mandatory reporting obligation
- Inaccurate external report (loss incurred)

Other specific examples:
- Delay in reporting to BNM or other regulatory bodies
- Data unavailable for timely reporting and decision making, e.g. reports on returned cheques available/ready only after the BNM cut-off time (10.30 a.m.)
- Failure to recognise/reconcile ATM items (IBG) within the MEPS stipulated time frame (5 days)
- Non-compliance with regulatory requirements, e.g. SRR, resulting in the Bank being penalised by BNM

7.4 Trade counterparties

DESCRIPTION
- Risk of loss arising from failure in the Bank's dealings with trade counterparties

ACTIVITY EXAMPLE LEVEL 3
- Non-client counterparty misperformance
- Misc. non-client counterparty disputes

Other specific examples:
- Disputes with counterparties over differences in contract terms and agreements
- Failure to deliver or to fulfil contractual obligations
- Inadequate agreements with trade counterparties which lead to inadequate coverage

7.5 Transaction capture, execution and maintenance

DESCRIPTION
- Risk of loss arising from failed transaction capturing, execution and maintenance processes

ACTIVITY EXAMPLE LEVEL 3
- Miscommunication
- Data entry, maintenance or loading error
- Missed deadline or responsibility
- Model / system misoperation
- Accounting error / entity attribution error
- Other task misperformance
- Delivery failure
- Collateral management failure
- Reference data maintenance

Other specific examples:
- Transaction errors due to failed internal communication between business units
- Data entry error due to wrong date or incorrect information
- Capturing wrong collateral information

7.6 Vendors and suppliers

DESCRIPTION
- Risk of loss arising from failure of the Bank's dealings with vendors and suppliers

ACTIVITY EXAMPLE LEVEL 3
- Outsourcing
- Vendor disputes

Other specific examples:
- Disruption of supplies
- Inability of a vendor to deliver as per the agreed service level / contract
- Disputes by vendors that lead to non-delivery of services or legal suit