1. Purpose
Bayarcash recognizes that risk management is essential to achieving its strategic objectives, protecting stakeholders, and sustaining long-term growth. This policy provides a structured framework for identifying, assessing, managing, monitoring, and reporting risks across the organization.
The objectives of this policy are to:
- Establish a consistent and integrated approach to risk management across Bayarcash.
- Ensure compliance with applicable laws, Bank Negara Malaysia (BNM) regulations, and industry standards.
- Promote a risk-aware culture at all levels of the company.
- Safeguard the interests of customers, employees, shareholders, regulators, and stakeholders.
2. Scope
This policy applies to:
- All Bayarcash employees, management, and directors.
- Contractors, agents, service providers, and third parties acting on behalf of Bayarcash.
- All business units, subsidiaries, and affiliates of Bayarcash.
3. Risk Management Principles
Bayarcash’s Enterprise Risk Management (ERM) approach is guided by the following principles:
| ERM Principle | Description |
|---|---|
| Alignment with Strategy | Risk management supports Bayarcash’s strategic and operational objectives. |
| Integrated Approach | Risks are managed across the enterprise, not in silos. |
| Proportionality | Controls are proportionate to the nature, scale, and complexity of risks. |
| Accountability | Risk management is a shared responsibility across all levels. |
| Transparency | Risks are identified, reported, and communicated openly to management and the Board. |
| Continuous Improvement | Risk practices are reviewed regularly and enhanced in line with evolving threats and regulatory changes. |
4. Risk Appetite & Tolerance
- The Board of Directors defines Bayarcash’s risk appetite - the amount and type of risk the company is willing to accept in pursuit of business objectives.
- Risk tolerances are established to ensure that risks remain within acceptable levels.
- All business decisions must be made within the approved risk appetite framework.
5. Risk Categories
Bayarcash manages the following key risk areas:
| Risk Area | Description |
|---|---|
| Strategic Risk | Risks affecting business strategy and market positioning. |
| Operational Risk | Risks arising from inadequate processes, systems, or human error. |
| Technology & Cybersecurity Risk | Risks of system failures, cyberattacks, and data breaches (aligned with BNM’s RMiT guidelines). |
| Compliance & Regulatory Risk | Risks of non-compliance with laws and regulations (BNM, AMLA, PDPA, MACC Act). |
| Financial Risk | Credit, liquidity, interest rate, and investment risks. |
| Reputation Risk | Risks impacting customer trust, brand integrity, or public confidence. |
| Fraud & Misconduct Risk | Risks arising from fraud, bribery, corruption, or unethical behavior. |
| Business Continuity Risk | Risks from natural disasters, pandemics, or critical service disruptions. |
6. ERM Governance Structure
Bayarcash’s Enterprise Risk Management (ERM) governance involves clearly defined roles and responsibilities across all levels of the organisation, ensuring effective oversight, execution, and a risk-aware culture.
| Role | Responsibility |
|---|---|
| Board of Directors | Provides oversight, approves risk appetite, and ensures effective ERM governance. |
| Audit & Risk Committee | Monitors risk management practices, reviews reports, and advises the Board. |
| Senior Management | Implements risk management processes, ensures compliance, and promotes risk culture. |
| Risk Management & Compliance Department | Develops policies, monitors risks, conducts assessments, and reports to management and the Board. |
| All Employees | Responsible for identifying, reporting, and managing risks within their roles. |
7. Risk Management Process
Bayarcash follows a structured risk management process:
| Risk Management Stage | Description |
|---|---|
| Risk Identification | Detect risks from internal and external sources. |
| Risk Assessment | Evaluate likelihood, impact, and inherent/existing controls. |
| Risk Response | Decide on mitigation strategies: Avoid, Reduce, Transfer, or Accept risk. |
| Risk Monitoring | Track key risk indicators (KRIs) and control effectiveness. |
| Risk Reporting | Provide timely risk reports to management, the Audit & Risk Committee, and the Board. |
8. Reporting & Escalation
- Regular risk reports shall be submitted to senior management and the Board Audit & Risk Committee.
- Significant or high-impact risks must be escalated immediately.
- External reporting to regulators (e.g., BNM) will be conducted as required.
9. Business Continuity & Disaster Recovery
- Bayarcash shall maintain a Business Continuity Plan & Disaster Recovery Policy to ensure resilience.
- BCP/DRP shall be tested periodically, with results reported to the Board.
10. Training & Awareness
- Employees shall receive periodic training on risk awareness, cybersecurity, compliance, and ethical conduct.
- Management shall foster a proactive risk culture across the company.
11. Review & Continuous Improvement
This policy shall be reviewed at least annually, or earlier if required by regulatory or business changes. Independent audits and assessments may be conducted to ensure effectiveness.