UITM SHAH ALAM 

AA706: MASTER OF ISLAMIC BANKING AND FINANCE 

 
IFE 761: ACCOUNTING AND RISK MANAGEMENT IN ISLAMIC FINANCIAL
INSTITUITION

INDIVIDUAL ASSESSMENT: FINAL ASSESSMENT

   
PREPARED FOR: 
DR NORZITAH BINTI ABD KARIM
 
PREPARED BY: 
ANDI NUR ELISYA SYAHIRA BINTI BAHRI
(2022746559)

CLASS:
AA7062AF
QUESTION 1
Waqf is an honest gift in the form of private possession to the state or person of authority for
the benefits of all as long as the wealth is used in accordance with the Islamic requirements
(Masruki & Shafii 2013).

a) Discuss five (5) different practices in recording and recognition of waqf asset by the
State Islamic Religious Councils in its accounting book.
(10 marks)
1. Some SIRCs list the nominal value of their waqf assets. Others, however, do not. To
demonstrate the presence of waqf assets including buildings and land, the recognition
of waqf assets with nominal worth was instituted. However, it is unclear and not
known what the true value is.
2. Waqf is provided in two different forms: general waqf (wakaf am) and specific waqf
(wakaf khas). All waqf institutions have the general waqf (wakaf am), but not all waqf
institutions have the special waqf, according to a study. However, not all SIRCs have
the specific waqf. This is due to the difficulty of administering the particular waqf.
3. Malaysia essentially follows "mazhab" Shafie's position on waqf. However, other
SIRCs believe the Shafie's ruling to be overly rigid, which prevents the waqf area
from being improved. As a result, these religious councils embrace the judgments and
decrees from other "mazhab" like Hanafi, Maliki, and Hambali as they deem
appropriate for diverse situations. Thus, the variations in the Shariah opinions held in
each state may have an impact on the variety of waqf management and accounting
procedures among SIRCs.
4. These SIRCs offer two different approaches in terms of the recognition of cash waqf.
First, waqf assets in cash are recognized as Amanah Accounts, which are regarded as
SIRC liabilities. Due to the SIRCs' holding of a cash trust, this cash waqf is
recognized as a liability. This money will be sent out to the beneficiaries and other
things. The SIRCs see themselves as having duties that must be carried out. Cash
waqf collected by SIRCs is recognized as SIRC revenue and recorded in the profit and
loss statement. However, the waqf unit's revenue account will not be reflected in those
SIRC's accounts. This waqf has a separate checking account.
5. Additionally, there are many methods used by the SIRCs in Malaysia to disclose and
report their waqf holdings. The waqf-related operations and transactions are included
in the accounts of the Terengganu, Kelantan, and Pahang SIRCs. This means that the
 waqf assets, revenues, liabilities, and expenses are added to the SIRCs' accounts at the
end of each year. The majority of SIRC, according to earlier research, did not separate
its waqf account.

b) Discuss three (3) issues related to waqf accounting and reporting.

(15 marks)
In Malaysia, waqf accounting and reporting have fluctuated throughout time. This might be
affected by the federal government's lack of centralized control and power, as well as the
various interpretations of Shariah that each state's Islamic Religious Councils hold (SIRC).
Secondly, the Lack of Central Management and Authority at Federal Level refers to the
Malaysian federal authority's lack of coordination with waqf institutions, which results in
improper waqf asset management and recordkeeping. The Malaysian government established
the Department of Awqaf, Zakat, and Hajj (JAWHAR) in 2004 to strengthen waqf
governance throughout the nation, and Yayasan Waqf Malaysia (YWM) was founded in 2008
to serve as the primary organization in developing the waqf property. Every state has its own,
non-standardized system for handling matters relating to the Islamic faith. The function of
JAWHAR needs to be expanded in order to support SIRC's initiatives to increase the
effectiveness of waqf development, management, and administration. Reporting should be
used by JAWHAR to evaluate the effectiveness of waqf institutions and establish regulations
that can be implemented and tracked at the federal level.
On the other hand, The Jawatankuasa Fatwa Majlis Kebangsaan Bagi Hal Ehwal Agama
Islam Malaysia is the body in charge of all Islamic decisions and decrees. A fatwa is a ruling
that has been formally issued by a mufti or a Shariah State Committee and is published in the
State Official Gazette.
QUESTION 2
A Bank’s business (whether Islamic or Conventional) is to take calculated risks. As such risk
management is not the minimization of losses but the optimisation of the risk reward equation
and taking the opportunity for gain or reward. However, there are risks generic and applicable
to both Islamic and Conventional banks. There are also risks uniquely exposed to the Islamic
banks only. Discuss these four (4) generic risks and four (4) unique risks to Islamic and
conventional banks.
(25 marks)

Generic risk include credit risk, market risk, liquidity risk, and operational risk. These
risks can affect both Islamic and conventional banks. When compared to unique hazards,
which include rate of return risk, shariah non-compliance risk, displaced commercial risk,
and equity investment risk, the former refers to distinctive dangers that only Islamic banks
are vulnerable to.

Generic Risks:
1. Credit Risk
Credit risk is the chance that a counterparty won't carry out its duties under a credit-
related transaction in accordance with the terms and conditions that were mutually
agreed upon. The main source of credit risk is financing. The main source of credit
risk exposure in Islamic banking is the financing of Murabahah, Salam, Ijarah, and
other related activities.
2. Market Risk
The possible effects of unfavourable price movement are known as market risk.
Benchmark rates, foreign exchange rates, and equity prices, as examples of negative
market price movement that influences market risk, are based on the economic value
of an asset.
3. Liquidity Risk
Liquidity risk is the potential loss that results from the bank's failure to fund asset
growth as it becomes due without incurring unacceptably high expenses or losses.
Liquidity risk is a danger associated with deposit withdrawal.
4. Operational Risk
Operational risk is the possibility of financial loss as a result of subpar or ineffective
internal systems, procedures, personnel, or events.
Unique Risks:
1. Shariah Non-Compliance Risk (SNRC)
SNCR is risk arises from the failure to comply with the shariah rules and principles.
The Islamic banks must ensure that all their activities are compliance with the shariah
rules and principles. This would require all contracts and all necessary supporting
documentations, including legal papers, forms and processes, to be shariah compliant.
2. Rate of Return Risk
The potential influence that an unexpected change in the rate of returns could have on
the returns is known as the rate of return. A sort of market risk connected to the
Islamic banks' financial statements is the rate of return risk. The profitability of
Islamic banks are subject to certain risks due to fluctuations in the market benchmark
rate.
3. Displaced Commercial Risk
The danger that the bank could face commercial pressure to pay returns that are
higher than the rate that has been generated on its assets supported by investment
account holders is known as the "displaced commercial risk." In order to keep its fund
providers and discourage them from withdrawing their funds, the bank forfeits a
portion of its whole profit-sharing shares.
4. Equity Investment Risk
Equity Investment Risk is the danger associated with forming a partnership with the
intention of carrying out or taking part in a specific finance or general business
activity as specified in the contract. Under Mudharabah, this risk is significant.
QUESTION 3
a) The organization must decide on its risk appetite or how much risk it needs to take to
achieve its objectives and those of its shareholders and stakeholders.

Define risk appetite. Discuss the dimensions of risk appetite.

(10 marks)
Risk appetite is the level of risk that an organization is ready to accept in order
to pursue goals that it believes are worthwhile. It can also be referred to as an
organization's risk capacity or the greatest level of residual risk that it will accept
following the implementation of controls and other safeguards. Each RMP's risk
criterion will reflect the risk appetite, and risk evaluation will use the criteria to
establish the course of action for an acceptable level of risk.

There are two dimension in risk appetite:

1.  Focuses on the average or expected situation
When all other factors are equal, a person's appetite for risk is equal to their desire for
the norm. This "average all things considered" situation might never arise in some
industries, including mining. The parameters selected should be carefully validated,
and a monitoring and review framework should be in place.
2. Focuses on the extreme or worst case situations
The resilience and robustness of the company to the slings and arrows of
extraordinary fortune is typically represented in terms of the survival component of
strategic objectives. The simple financial condition in this dimension can be
calculated by taking into account the greatest financial loss or gain that can be
tolerated.
 b) The Risk Management Process (RMP) ensures that risk management and the
operation of risk controls will increase good consequences and reduce bad
consequences within a continuous improvement cycle.

Discuss the Risk Management Process within the Enterprise Risk Management
(ERM) framework. Provide examples where possible.
(15 marks)
The term "Enterprise Risk Management" (ERM) is used in business to refer to risk
management techniques used by organizations to detect and reduce hazards. The risk
management process is supported by the ERM framework in an organization while making
decisions. Additionally, it compiles data on hazards, risk management, and the effectiveness
of risk controls.
Taking a comprehensive strategy, enterprise risk management necessitates
management-level decisions that might not be appropriate for every business unit or market
sector. Therefore, firm-wide oversight is prioritized over each business unit's responsibility
for its own risk management.
Managers typically have a lot on their plates, so any additional duties they are held
accountable for must be doable. While thorough and detailed, too prescriptive approaches can
be burdensome and ineffective. Successful frameworks allow for intricacy and nuance in
their application while being easy to understand and use.
Business executives should use an efficient ERM process as a key strategic tool.
Management and the board can utilize this information to nimbly navigate hazards that could
emerge and undermine their strategic success as they grow more educated about potential
risks on the horizon. Understandings about risks that are revealed by the ERM are a crucial
component of the organization's strategic plan.
Risk Management Process:
1. Risk Management Process: Context
The area of activity that needs attention in order to determine the right degree of risk and
related risk treatments, controls, monitoring, and review is the risk management context
(RMP). This covers who bears the risk, the RMP's scope, how the product or service is
connected to other goods and services offered by the company, and the time allotted for such
an RMP.
2. Risk Management Process: Risk Assessment / Risk Identification
This covers both the direct risk (such as an explosion or power outage) and the
residual risk (employees may not feel safe returning to the office).
3. Risk Management Process: Risk Treatment
The following four options are available for a corporation to address risk:
1. A corporation shutting down a product line or ceasing to market a certain good is
one example of avoiding risk. This indicates that the business would rather forego
the activity's advantages than take the risk.
2. A company's endeavor to reduce the possibility or severity of the risk connected to
its operations is known as risk reduction. Keeping the product line available while
increasing spending on quality assurance or consumer education regarding proper
product usage is an example of risk reduction.
3. In exchange for a fee, an impartial third party may participate in the possible loss.
Purchasing an insurance policy is an instance of sharing risk. As a result, the
business continues as it is, with the activity's current risk profile and the
possibility of further losses.
4. The process by which a business determines whether it is financially worthwhile
to pursue mitigating strategies in the case of an accident or loss of business is
known as risk assessment. The business has the option to either share the risk with
its customers or maintain the product line's current operating status quo.
4. Risk Management Process: Monitoring and Review
An internal committee or an outside auditor are two options a firm has for
reviewing its rules and procedures. This can entail comparing what is done in practice
to what the policy texts recommend. Additionally, this can comprise asking for input,
studying corporate data, and alerting management about unprotected dangers.
Companies must be ready to evaluate their ERM environment in a constantly shifting
environment and adjust as necessary.
 5. Risk Management Process: Communication and Consultation
To make sure they are adhering to the strictest standards of risk management, a corporation
should continuously examine every area of its operations. Information systems should be able
to record data that helps management better understand the risk profile of an organization. By
applying any key risk indicators deemed useful, upper management will measure, monitor,
and report the success of the risk response methods.
6. Risk Management Process: Recording the Risk Management Process
Risk assessment is the procedure through which a company decides whether it is financially
advantageous to pursue mitigating techniques in the event of an accident or loss of business.
The company has the choice to either transfer the risk to its clients or continue running the
product line as is.
QUESTION 4
As a new Chief IT Risk Management of Malaysian Islamic Bank, you are to review the data
centre resilience of the bank’s risk management in technology. Prepare your review to be
presented to the board of director of the bank.
(25 marks)
1. Network Resilience
Network resilience is to protect against potential network faults and cyber threats
in Malaysian Islamic Bank.
 The head of IT risk management must make sure that the Malaysian
Islamic Bank's online banking system exclusively utilizes secure web
browsers.
 Malaysian Islamic Bank must have authentication protocol to indicate their
website.

On the other hand, network resilience also can minimise the risk of a system
compromises in the Malaysian Islamic Bank.
 The Malaysian Islamic Bank has installed an automated system for
detecting fraud. This is done to test the bank's heuristic behavioural
analysis capabilities.

2. Data Centre Infrastructure

(a) The Chief of IT Risk Management ust ensure the data centre and network
infrastructure designed to be resilient, secure and scalable in the Malaysian
Islamic Bank
 Malaysian Islamic Bank have a protocol of data centre failures or
interruptions. This is to protect their financial services and inhibit internal
operations.

Furthermore, they must ensure the Malaysian Islamic Bank have an adequate
maintenance, holistic and continuous monitoring on data centre and critical
components.
  The chief of IT risk management have to making sure the production of
data centre in Malaysian Islamic Bank have redundant capacity
components.
 The Malaysian Islamic Bank must store critical systems in a dedicated
production data centre space
 The Malaysian Islamic Bank have guarantee that the space is not in a
disaster-prone area.
 The Malaysian Islamic Bank have to make sure that the space from
authorised access.
 The Chief of IT Risk Management make sure there is no point of failure
(SPOF) in the design of crucial components production of Malaysian
Islamic Bank.

3. Data Centre Operations

 The Malaysia Islamic Bank needs to make sure that their bank's capacity
requirements are carefully calculated. For instance, adequate network
bandwidth, CPU, memory, and storage.
 In the implementation of capacity management, the Malaysian Islamic Bank
shall involve stakeholders .

4. Patch and End-of-Life-System Management

 The Malaysian Islamic Bank must make sure that none of its critical systems
are still powered by antiquated technology.
 The Malaysian Islamic Bank must create a patch and EOL management
framework. For example, the Malaysian Islamic Bank must do approval,
monitoring and tracking of their activities.

5. 3rd Party Service Provider Management

 The Chief of IT Risk Management have to ensure the 3rd party service
provider management of Malaysian Islamic Bank is intelligence in technology
solution. For instance, the 3rd party service provider management gives
guidance and support to the Malaysian Islamic Bank.
6. Cloud Services
 The Malaysian Islamic Bank shall consider the need for a third party in the
pre-implementation review of cloud.
 The Malaysian Islamic Bank must implement appropriate safeguards on
customer and counterparty information. This is to protect the data from
unauthorised disclosure and access.

7. Access Control
 The Malaysian Islamic Bank implement an appropriate access controls policy.
For example, identification, authentication and authorisation of users.
 The Malaysian Islamic Bank have to do a periodically review and adapt its
password practices. This is to enhance resilience against evolving attacks in
the bank.

8. Security of Digital Services

 The Malaysian Islamic Bank implement robust technology security controls.
For example, by providing digital services to their customers.
 The Malaysian Islamic Bank ensure that their bank have high ability of online
payment and banking services.
 For online banking, the Malaysian Islamic Bank has authentication protocol.
 The Malaysian Islamic Bank must ensure their security system is effective in
mitigating cyber-attacks, transaction fraud, phishing and others.
 For mobile application, the Malaysian Islamic Bank ensure the capability in
the mobile devices.