AfrAsia Bank Limited and its Group Entities

Annual Report 2015

page 103

Where, the Risk Matrix/Measurement at the Bank being

Absolute/

Inherent Level of

Risk

Exposure

1

2

3

4

5

>10

C

B

B

A

A

8 to 10

C

C

B

B

A

5 to 7

C

C

C

B

B

3 to 4

D

C

C

C

B

0 to 2

D

D

C

C

C

A - High

B - Medium to High

C - Low to Medium

D - Low

We note improvements in the Business Operations department in the various Inherent Level of Risk, overall. In another area where

we have seen some Inherent Level of Risk increasing, namely the Treasury Department, the Bank tested several systems and a

new Treasury system (Front Office) is currently being implemented to cater for the higher volume of trades and also based on

new products we are offering to clients. A new ALM (Asset & Liability Management) system is under testing for implementation.

The two systems will enhance the level of controls and risk monitoring capabilities. A new system for higher controls has also been

implemented for AML monitoring and detection.

BUSINESS CONTINUITY MANAGEMENT (BCM)

Business Continuity Management Policy has been put in place, with appropriate plans to mitigate operational risks, and as a

commitment to continue business to our shareholders, customers and employees. The BCM framework has been implemented to

provide for a Disaster Recovery site with data being updated as per preset recovery time objectives. This minimizes operational,

financial, legal, reputational and other material consequences arising from any disruption to the primary IT infrastructure.

The BCM Framework in place has the following in-built principles:

responsibility rests on the Bank’s Board of Directors and Senior Management;

explicitly consider and plan for major operational disruptions;

recovery objectives are in line with the criticality of the operation of the banking system;

in the “worst case scenario”, the recovery time objective (RTO) is set as 4 hours for the core banking application with a Recovery

Point Objective (RPO) of 15 minutes;

certain non-critical functions may be recovered within a maximum threshold of 24 hours (RTO) after declaring the crisis. The RPO

for these systems is set to the state of business as of previous end of day;

preparation for clear and regular communication during a major operational disruption;

highlights on cross-border communications during a major operational disruption, as the Bank has global reach;

ensuring that business continuity plans are effective and identify necessary modifications through periodic testing; and

ensuring that appropriate procedures for business continuity management reflecting that recovery objectives are adopted and

reviewed periodically.

The Bank has put in place a BCM Steering Committee to review the processes after each testing exercise and to review the policy

every year with a view to continuously improving resilience. The ultimate objective is to cater for any eventual disruption of operations

to be restored within a minimum lapse of time such that the Bank resumes to normal operations within a reasonable time frame.