GOVERNANCE
Axiata Group Berhad | Annual Report 2016
3.2 Security (Application and IT Network)
• Business Continuity Management
The Board is committed to safeguarding the interests of our
stakeholders by ensuring that business operations can continue
during a crisis and recover more quickly from it, through the
implementation of Business Continuity Management (BCM) across
the Group. The BCM programme provides a framework for the
Group in building organisational resilience in the face of a crisis.
The programme is sufficiently robust to accommodate enhancements
arising from technological evolution or organisational changes.
The Group BCM framework, aligned with the international
standard ISO 22301 Business Continuity Management, has been
formalised and standardised across the Corporate Headquarters
and selected OpCos. At the same time, our versatile framework
allows for customisation in accordance with each OpCo’s
requirements and operating environment. Business recovery plans
have been documented for mission critical processes, and are tested
and rehearsed regularly to ensure effective coordination, familiarity
and awareness among employees. The Group Risk Management
department, which is led by the Group Chief Risk Officer, is
responsible for ensuring effective implementation and coordination
of business continuity efforts across the Group. As at end 2016,
BCM has been implemented for all OpCos including Corporate
Centre.
• Information Technology (IT)
IT modernization and digital enablement for superior customer
experience is identified as one of the Group’s key strategies. All
OpCos have been working in line with this strategy, undertaking
various initiatives which include the groundwork for inducting
the Digital IT Stack, application rationalization, enhancing
Application Programme Interface (API) strategy, and modernising
Business Support Systems (BSS) and Operations Support Systems
(OSS) in order to meet evolving business requirements and achieve
competitive positioning. Cybersecurity is an essential and
underlying part of our digital strategy and risk mitigation. In 2016,
the Cyber Security Operations Center (CSOC) was established
across the majority of OpCos to improve incident monitoring
capability. In addition, relentless focus continues on strengthening
cybersecurity resilience through various initiatives, for example,
periodic Cyber Security Posture Assessment (CSPA). With
business continuity being another critical area, continued focus
and investment are being directed at disaster recovery for key IT
systems.
3.3 Regulatory and Compliance
• Group Regulatory Affairs (GRA)
The approach used is to pro-actively shape the landscape
(external environment) at each OpCo market thus enabling proper
and effective management of regulatory issues confronting the
OpCos. The regulatory issues are those identified and monitored
via regular reviews of the Group’s risk matrix and managed as
part of the Enterprise Risk Management process.
This approach encompasses:
1. Regulatory Strategy:
   a. Constant monitoring of regulatory developments and
      identification of regulatory issues for each OpCo based on
      issues of highest strategic, financial and/or reputational
      impact;
   b. Periodic review of national OpCo annual regulatory strategies
      which address these issues. This would translate into an
      advocacy plan engaging regulators and other authorities
      through formal and informal submissions and where
      appropriate, joint advocacy with international partners such
      as GSMA; and
   c. Development of Group-wide positions on key issues such
      as availability of new spectrum bands, review of spectrum
      strategy, same service same rules for ‘Over-The-Top’ (OTT)
      providers, net neutrality, competition, digital services
      regulations and the ASEAN Digital Revolution Framework.
2. Stakeholder Engagement:
   a. Engagement plan covering key government and political
      stakeholders in each OpCo market including key agencies
      such as the National Regulatory Agencies with effective
      messages based on the regulatory strategy; and
   b. Engagement plan covering international and regional
      regulatory bodies, inter-governmental agencies and trade
      bodies with effective messages based on the regulatory
      strategy.
3. Regulatory Compliance Framework:
   a. Forms an essential part of the Corporate Governance
      Framework of the Group and states the principles and the
      tone by which regulatory compliance is to be approached
      and implemented;
   b. Objectives of the Regulatory Compliance Framework:
      i. Set baseline expectation in relation to regulatory
         compliance;
      ii. Place Axiata and OpCos in the best position to comply
         with regulatory obligations;
      iii. Manage exposure to unacceptable compliance risk;
         and
      iv. Avoid surprises on regulatory compliance and action
         from regulatory authorities.
In addition, GRA continually works to ensure a group-wide
baseline of best practice regulatory skills and knowledge, through
the development of industry collateral, position papers and regular
capacity building programmes.
The Group Regulatory Policy outlined in the Group Policy document
provides guidance and establishes internal policies and procedures that
attempt to manage the risk and impact of adverse regulatory decisions.