Annual Report 2017

SET manages risk by investing in various securities and sets an investment limit for each financial institution or issuer in order to diversify its investments suitably and to ensure that losses are limited. In addition, SET uses the Value at Risk (VAR) technique to ensure that the aggregate portfolio risk is within a specified scope. SET invests in instruments such as government bonds, bank deposits, money market funds and corporate funds with at least an “A” credit rating.

Operational risk

SET has continuously monitored and managed operational risk resulting from inadequate internal control or errors in using people, process, and technology, as well as risks caused by external factors. SET also emphasizes the importance of information technology risk management covering the confidentiality, integrity and availability of information systems and several types of cyber threat. This is to ensure that the technology infrastructure can support strategic operations and provide continuous service to investors, consistent with a dynamic environment.

Risk from critical system failure and business interruption

SET assesses, monitors and manages risks that may affect critical systems. This includes standard procedures for incident reports, root cause analysis and solution findings in order to provide continuous services. SET establishes Business Continuity Management (BCM) covering an emergency response and crisis management plan, a business continuity plan and an IT disaster and recovery plan. SET also reviews, exercises and tests the business continuity plan with related participants in the capital market every year to cope with crisis or disaster. SET emphasizes the preparedness of its staff and of the systems at both its main and alternate sites, while testing the alternate system with members to ensure that trading can continue without disruption if disasters occur.
Cyberattack risk

Cyberattack risk is on the rise and can devastatingly affect the service level and confidence of related parties, especially financial institutions. Therefore, SET has implemented measures covering four key areas as follows:

(1) setting up information security management systems, including information security policy and practice in line with ISO27001 and the rules and regulations of related parties. These involve reviewing and setting priorities for the strategic plan and objectives, and assessing appropriateness, including testing the efficiency and effectiveness of the IT security policy every year;
(2) setting up measures and procedures to cope with situations that may affect IT security, as well as testing those procedures every year to assess preparedness;
(3) communicating and sharing knowledge on IT security with staff regularly; and
(4) implementing tools for monitoring and preventing cyberattack risk such as Antivirus and AntiMalware, Firewall, DDoS Protection Service, etc.

Fraud and corruption risk

Fraud and corruption risk is one of SET’s key risks. Every unit assesses this risk and identifies measures to mitigate it annually. This includes monitoring and reporting risk status regularly to make certain that SET can manage this risk promptly and keep it within the acceptable level. The risk management department monitors and reports the risk status to the BoG, RMC and executives regularly, while the internal audit department reviews the effectiveness of internal control related to anti-corruption.

Compliance risk

SET assesses, monitors and manages compliance risk, which covers the risk of violating rules and regulations of regulatory bodies and the risk of not complying with the policy and practice of the SET group. This is to ensure that SET strictly complies with all related laws and regulations.
