ANNUAL REPORT 2019

RISK MANAGEMENT SYSTEM

Risk management at the Exchange is an integral part of its operations and is carried out at all levels, from ordinary employees to the Board of Directors. This activity is based on the recommendations of the international standards ISO 31000, 27001 and 22301.

The requirements for the Exchange's risk management system are set out in the three regulations listed below:
- the Rules for Establishing Risk Management and Internal Controls System for the Stock Exchange(5);
- the Requirements for a Clearing Organization's Risk Management System, Terms and Procedures for Monitoring, Control and Managing Risks in a Clearing Organization(6);
- the Requirements for a Central Counterparty's Risk Management System, Terms and Procedures for Monitoring, Control and Managing Risks in a Central Counterparty(7).

In accordance with these documents, the Exchange has developed risk management policies and rules that are the main documents that guide the Exchange. Continuous improvement in risk management, risk assessment and monitoring is provided by the Risk Management Department of the Exchange.

For the purposes of the analysis, the Exchange divides risks into operational, credit, market (currency, price, interest), systemic, legal, reputational, liquidity loss risks and other risks.

The Risk Management Department focuses on managing operational risks and risks associated with investment activities, assessing current risks, including monitoring them, advising on improving business processes, overseeing all planned measures to minimize risks, conducting stress and back-testing of the risks of the Exchange's investment portfolios, monitoring the amount of provisions accrued on financial instruments in the Exchange's investment portfolios in accordance with the International Financial Reporting Standards.

The introduction of the new TCS and the development of the CCP functions have led to the identification of new risks associated with this area of activity. In this regard, the Exchange has introduced a risk management system as part of the functions of the CCP and default settlement system. In order to effectively manage the risks of the Exchange in the implementation of the CCP activities, the Market Risk Committee was set up: a permanent collegiate body under the Exchange’s Management Board whose main task is to manage market risks of the Exchange. The Committee's functions include approving risk parameters, determining the parameters of the GS profitability curve, preparing recommendations to the Management Board of the Exchange to determine the list of financial instruments for which the Exchange performs the functions of the CCP and the financial instruments that can be accepted as collateral in the implementation of the CCP function, as well as other functions provided by the internal documents of the Exchange.

5 approved by the Resolution of the NBRK Management Board No. 252 dated December 19, 2015
6 approved by the Resolution of the NBRK Management Board No. 59 dated February 24, 2012
7 approved by the Resolution of the NBRK Management Board No. 11 dated January 28, 2016

In order to maintain an effective risk management process, the Exchange has taken comprehensive measures to reduce and prevent risks in 2019. This has helped to cut the number of recurring risk events by half.

The Exchange pays a lot of attention to the development of risk culture. Training workshops and lectures on risk management are held for employees, and individual awareness-building is carried out.

In 2018, a self-assessment was conducted on the compliance of the Exchange's risk management system with the recommendations of the ISO 31000:2018 Risk Management Standard, based on the Exchange's status as an infrastructure organization of the financial market. In 2019, the Action Plan based on the results of this self-assessment was adopted, which includes ten activities over three years, annual self-assessment of compliance with the standard, and adjustment and update of self-assessment activities.

MANAGING CONTINUITY OF OPERATIONS

The Exchange is working on the improvement of the system for managing continuity of operations. These activities are governed by internal documents such as the Policy for Managing Continuity of Operations, the Rules for Operations Continuity and Recovery, and the Continuity and Recovery of Operations Plan, which are drawn up in accordance with international standards and are intended to ensure the continuity of critical activities in the event of incidents and emergencies resulting in the failure of the Exchange's information systems. In 2019, significant changes were made to the IT infrastructure of the Exchange. The Exchange stopped using the RTRS backup centre and replaced its data storage and processing service provider. Instead of the RTRS Center, the Exchange launched a system of three data processing centres (DPC), one main and two backup centres, and completely changed the continuity of operations management scheme.

At the end of the reporting period, the Exchange's IT infrastructure included servers in the main DPC, servers in the backup DPCs (in the cities of Almaty and Nur-Sultan), and the main and backup communication channels. In general, the DPCs also have hot standby servers to which the MOEX TCS switches automatically if the main servers fail. Automatic switching will not affect the work of the Exchange and its clients.

As part of a change in approaches to the continuity of operations management system, a virtual workplace system (VDI) has been developed and tested. It runs on the Exchange's servers and allows access to all information systems of the Exchange, regardless of the user's location. Workplace virtualization will enable rapid response to emergencies and reduce the cost of creating physical workplaces.

The Exchange periodically conducts trainings and drills related to the continuity of operations, which involve testing the operation of backup systems. In the reporting year, the plan for such drills was revised and a fully updated training system is planned to be launched in Q1 2020, taking into account the use of VDI and new DPCs.

INFORMATION AND PHYSICAL SECURITY

During the reporting period, updated telecommunications equipment providing a high level of protection against various types of cyberthreats was purchased and put into operation in order to minimize information security risks and improve the protection of the Exchange's information and communication infrastructure from possible cyberattacks. To reduce the risk of leakage of sensitive information, specialized software has been introduced to monitor the integrity of confidential files and audit trail logs. Control of the connection of devices to the corporate network of the Exchange has been set up at the ports of active networking equipment. The security of the Exchange's WiFi network has been improved, and a single system of authentication of administrative access to the Exchange's servers using the Exchange’s domain controller has been configured and is functioning.

Also, as part of the improvement of the information security system during the reporting period, a number of checks on compliance with internal documents were carried out, audits of access rights of all users to the Exchange's information systems were carried out, as well as a set of other measures related to strengthening user discipline in the network and systems of the Exchange.

As part of the plan to improve the regulatory documentation under the ISO 27001:2013 Information Security Standard and the Information Security Requirements for Banks and Organizations that Carry out Certain Types of Banking Transactions(8), changes have been made to the internal documents governing the functioning of the Exchange's information security management system, and new internal information security documents have been developed and approved. The combination of these measures has improved the level of information security of the Exchange and reduced the risks of the Exchange in this area.

In order to improve physical security of the Exchange, the procedures for monitoring the provision of security services have been improved, and additional intrusion and alarm sensors have been installed in the premises of some departments.

8 approved by the Resolution of the NBRK Management Board No. 48 dated March 27, 2018