
RISK MANAGEMENT
in Islamic Banking and Finance
Shari’a, Legal and Operational Risks

HUMAYON DAR
CHAIRMAN, PRESIDENT & CEO

EDBIZ CORPORATION

© 2014 HUMAYON DAR; A seminar delivered at Qatar Faculty of Islamic Studies on May 13, 2014
INTRODUCTION

• Risk Management in Islamic Banking and Finance


• Operational risk is more complex and difficult to quantify
• Quantification methods are imperfect and still evolving
• Islamic Financial Services Board (IFSB)
• Focus on Operational Risk Management in Islamic Finance
FOUR GENERIC RISKS FACING ALL BANKS
RISK TRANSFORMATION IN MURABAHA
EXAMPLE OF DEFAULT: CONVENTIONAL VS ISLAMIC
FOCUS ON OPERATIONAL RISK IN
ISLAMIC FINANCE

IFSB Standard Formula

$$\mathrm{RWCR} = \frac{K}{A + B - C} \geq 8\%$$

where
RWCR = Risk-weighted Capital Requirement
A = Total Risk-weighted Assets [Credit + Market Risks]
B = Operational Risks
C = Risk-weighted Assets Funded by Profit Sharing Investment Accounts
FOCUS ON OPERATIONAL RISK IN
ISLAMIC FINANCE

Regulatory Discretion Formula

$$\mathrm{RWCR} = \frac{K}{A + B - C - (1 - \alpha)D - \alpha E} \geq 8\%$$

where
RWCR = Risk-weighted Capital Requirement
A = Total Risk-weighted Assets [Credit + Market Risks]
B = Operational Risks
C = Risk-weighted Assets Funded by Profit Sharing Investment Accounts
$0 \leq \alpha \leq 1$
D = Risk-weighted Assets Funded by Unrestricted Profit Sharing Investment Accounts
E = Risk-weighted Assets Funded by Restricted Profit Sharing Investment Accounts
FOCUS ON OPERATIONAL RISK IN
ISLAMIC FINANCE

IFSB Standard Formula

$$\mathrm{RWCR} = \frac{\text{Eligible Capital}}{\text{TRWA [Credit + Market Risks]} + \text{Operational Risks} - \text{RWA Funded by PSIAs [Credit + Market Risks]}} \geq 8\%$$

Supervisory Discretion Formula

$$\mathrm{RWCR} = \frac{\text{Eligible Capital}}{\begin{aligned}&\text{TRWA [Credit + Market Risks]} + \text{Operational Risks} \\ &- \text{RWA Funded by PSIAs [Credit + Market Risks]} \\ &- (1 - \alpha)\,\text{RWA Funded by UPSIAs [Credit + Market Risks]} \\ &- \alpha\,\text{RWA Funded by RPSIAs [Credit + Market Risks]}\end{aligned}} \geq 8\%$$
OPERATIONAL RISK DEFINED

OPERATIONAL RISK is defined as the risk of loss resulting from the
inadequacy or failure of internal processes, as related to people and systems, or
from external risks [Van Greuning and Iqbal (2008), p. 174]

ISLAMIC FINANCIAL SERVICES BOARD [IFSB] includes Shari’a risk
under the definition of operational risk
[Guiding Principles of Risk Management for Institutions (other than Insurance
Institutions) Offering Only Islamic Finance Services 2005, No. 7]

SHARI’A [NON-COMPLIANCE] RISK is the risk that arises from an IFI’s
failure to comply with the Shari’a rules and principles determined by its Shari’a
Board or the relevant body in the jurisdiction in which the IFI operates
[IFSB, ibid, 7.2 (121)]
OPERATIONAL RISK: CAUSE EVENT AND EFFECT

CAUSE                 EVENT                       EFFECT
Internal processes    Internal fraud              Write-down
People                External risk               Legal liability
Systems               Damage to physical assets   Loss of recourse

CAUSE                 EVENT                       EFFECT
Internal processes    External risk (Piracy)      Write-down
[No clear policy
on the LC*]

Management Measurement

*Whether to be on the FOB shipping port or destination basis


OPERATIONAL RISK: CAUSE EVENT AND EFFECT

CAUSE                 EVENT                       EFFECT
Internal processes    Internal fraud              Write-down
People                External risk               Legal liability
Systems               Damage to physical assets   Loss of recourse

CAUSE                 EVENT                       EFFECT
People                Internal fraud              Legal liability
                      (Misinforming the client*)

Management Measurement

*Misinforming the client that it was a regulatory requirement to convert foreign
remittances into local currency
OPERATIONAL RISK: GENERAL CONSIDERATIONS

OPERATIONAL RISK covers any risk that may arise from the general and specific
operations of an organisation, and in the present context, banks in general and
Islamic banks and financial institutions in particular.

Because it is general in nature, it is difficult to quantify precisely. This is why it
was not a major focus before the Basle Committee on Banking Supervision [BCBS]
placed an emphasis on it.

In a well-run bank (or financial institution), its incidence is expected to be less.
Hence, a starting point to quantify it must have something to do with the
management function.

Management consists of the interlocking functions of creating corporate
policy and organizing, planning, controlling, and directing an
organization's resources in order to achieve the objectives of that policy.
GENERAL OPERATIONAL RISKS

1. Failure to open branch(es) in time [part of people risk]
2. Misinformation to customers
3. Theft (stationery, equipment etc.) and misuse
4. Technology breakdown
5. Electricity shutdown
6. Bad weather
7. Accidents
8. Acts of terrorism
9. An adverse Shari’a opinion about a product
10. Withdrawal of funds
11. A senior (Muslim) member of the executive management team of an Islamic
bank is seen drinking alcohol on QR302 flight and someone has uploaded a
video on YouTube with a caption: “Is it Islamic? Islamic Banks’ Non-Islamic
Bankers”
GENERAL OPERATIONAL RISKS

12. Somehow, your online banking system has a loophole and some online
search engines have started picking up “cache” pages of some of the
customers who view their accounts using a particular internet browser
OPERATIONAL RISKS IN ISLAMIC FINANCIAL
INSTITUTIONS

• Possible loss arising from Shari’a non-compliance of Islamic financial
institutions and failure of acting in accordance with the fiduciary
responsibilities of management of such institutions

• If an IFI / Islamic bank does not comply with Shari’a rules and principles, its
transactions must be cancelled and income generated from them shall be
considered as illegitimate

• Recent example:
– Bank Negara Malaysia issued new guidelines on Bai’ ‘Ina in 2012, which
came after the Shari’a guidelines for Islamic banks and Takaful companies,
making it clear that any non-compliance with Shari’a will not only be
considered as illegal but the bank will also have to claw back income from
the non-compliant transactions
OPERATIONAL RISKS IN ISLAMIC FINANCIAL
INSTITUTIONS

• FIDUCIARY RISK is thus also part of the IFSB’s definition of operational
risk

• IFSB’s PRINCIPLE 7.2
IFI / Islamic bank must have in place appropriate mechanisms to safeguard the
interests of all fund providers. Where Investment Account Holders [IAH]
funds are commingled with IFI’s own funds, IFI must ensure that the bases
for asset, revenue, expense and profit allocations are established, applied and
reported in a manner consistent with IFI’s fiduciary responsibilities.
[Guiding Principles of Risk Management for Institutions (other than
Insurance Institutions) Offering Only Islamic Finance Services 2005, No.
7.2]
OPERATIONAL RISKS IN ISLAMIC FINANCIAL
INSTITUTIONS

WHY IS SHARI’A RISK DEEMED AS PART OF THE OPERATIONAL
RISK?

• For example, if, in a Bai’ ‘Ina transaction, evidence is found that the
bank staff actually made the two transactions (first sale to the customer and
the second purchase from the customer) inter-linked, even verbally or through
an action, the transaction will be deemed Shari’a non-compliant and the bank
will be asked to claw back all the accrued income from the transaction and
donate it to charity (and possibly face some penalty from the regulator).
• This is certainly a failure in the Shari’a process on the part of the personnel, and
hence should be considered as an operational risk.
OPERATIONAL RISKS IN ISLAMIC FINANCIAL
INSTITUTIONS

• In summary, operational risk in IFIs also includes:

– Legal risk
– Shari’a risk
– Fiduciary risk

• Reputational risk arising from Shari’a non-compliance and failure to act in
accordance with the fiduciary duties of Islamic banks’ management is also
critical
SHARI’A, LEGAL AND OPERATIONAL RISKS: SOME
EXAMPLES (1)

• A UAE-based Islamic bank sold a used car to a customer on Murabaha basis
• A few months into the contract, the customer met with an accident while driving
the purchased car
• While dealing with the case, the police found out that the car was reported
missing a few months back
• [The bank actually happened to have bought a “stolen” car before selling it to
the customer]
• The customer disputed with the bank and asked for full refund of the money
he had already paid
• On the other hand, the bank wanted to accelerate the payments and asked the
customer to pay the amount in full
SHARI’A, LEGAL AND OPERATIONAL RISKS: SOME
EXAMPLES (2)

• A Saudi bank provided seed capital for an Islamic equity fund
• The bank was informed that the fund would follow AAOIFI Shari’a screening
methodology
• The internal communication between the bank management and its Shari’a
Advisory Committee was in Arabic
• After the fund was launched by the fund manager, the Shari’a Advisory
Committee objected to the impermissible income ratio used by the fund
• The fund used [IMPERMISSIBLE INCOME/TOTAL INCOME < 5] while
the Shari’a Advisory Committee proposed [IMPERMISSIBLE INCOME
/PERMISSIBLE INCOME < 5]
• LESSONS ???
SHARI’A, LEGAL AND OPERATIONAL RISKS: SOME
EXAMPLES (3)

• In 1998, an official of a UAE Islamic bank did not conform to the bank’s
internal credit term
• It cost the bank US$50 million
• This resulted in a one-day run on the bank’s deposits to the tune of US$138
million, representing 7 percent of the bank’s total deposits

[Van Greuning and Iqbal (2008), p. 175]


SHARI’A, LEGAL AND OPERATIONAL RISKS: SOME
EXAMPLES (4)

• An Islamic bank had to incur losses on an international trade finance
transaction when a ship carrying the goods it had financed was captured by
pirates
• The bank had made the payment on the basis of FOB Shipping Point
• The transaction got delayed by three months
• The bank incurred a loss of 3-month credit income
OPERATIONAL RISKS SUMMARISED

• Shari’a Risk
• People Risk
• Fiduciary Risk
• Reputational Risk
• Technology Risk
• Withdrawal Risk
• Displaced Commercial Risk

There is certainly an overlapping of these risks and it is important to take
into account double counting when calculating operational risk capital
charge
OPERATIONAL RISK AND ISLAMIC FINANCIAL
CONTRACTS

Mudaraba

Musharaka

Istisna’

Salam

Ijara

Murabaha
Operational Risk
OPERATIONAL RISK MANAGEMENT

• The Operational Risk Management framework should include:

– Identification
– Measurement
– Monitoring
– Reporting
– Control and
– Mitigation
OPERATIONAL RISK MANAGEMENT:
IDENTIFICATION

• Technology

– How many servers are hosting the data and IT systems?
– Is there a back-up server?
– Is the back-up server in the same place (building/street/city/country)?
– How many people are responsible for server management and maintenance?
– What is the frequency of system back-ups?
– Where are the back-up tapes / CDs kept?

In 2012, computer failure cost RBS £100 million


OPERATIONAL RISK MANAGEMENT:
IDENTIFICATION

• Sales

– It is important for bank personnel to understand fully what they are
selling to their customers
– Advertisements on print and electronic media, one-on-one sale pitches
and all other marketing and sales material must go through strict scrutiny
– Telephonic sales calls must be recorded and scrutinised by the senior
management to identify “conversations” that may lead to potential losses

In the UK, mis-selling of PPI has cost banks billions of pounds
OPERATIONAL RISK MANAGEMENT:
IDENTIFICATION

• Documentation

– It is absolutely imperative that all the legal documents used for Islamic
financial products are vetted by competent personnel well-versed in
Shari’a and law
[In a lot of cases, law firms preparing documents for Islamic financial
contracts adapt/amend the templates that they otherwise use for
conventional financial products; this may leave references to “interest”,
penalty etc. unchanged, which may make the contract Shari’a non-compliant]
– For conventional banks involved in Islamic banking and finance, it is
important that they ensure that the Shari’a documents are executed and a
proper record of the same is maintained, in addition to the legal
documentation required conventionally
OPERATIONAL RISK MANAGEMENT:
MEASUREMENT

• There are two main approaches to quantify operational risk management:

– Basic Indicator Approach [BIA]
– Standardised Approach [STA]
OPERATIONAL RISK MANAGEMENT: BIA

• The BIA is based on the following simple formula:

$$K_{\mathrm{BIA}} = \alpha \cdot GI$$

where
$K_{\mathrm{BIA}}$ = Capital charge under BIA
$\alpha$ = the pre-defined scaling factor set by BCBS
$GI$ = average gross income over the last three years
• Gross income is used as a measure of operational risk because:
– It is a reasonable indicator of the size of the activities
– It is readily available
– It is verifiable
– It is reasonably consistent and comparable across jurisdictions
– It has the advantage of being counter-cyclical
OPERATIONAL RISK MANAGEMENT: BIA

• The gross income is the sum of:

– Net interest income
– Net non-interest income
– Net trading income
– Other income

• For Islamic banks, the gross income can be the sum of:

– Net income from service-based activities
– Net trading income from the Murabaha, Salam, Ijara based transactions
– Other income may include investments in Shari’a compliant securities,
including Sukuk, and Mudaraba and Musharaka based investments
OPERATIONAL RISK MANAGEMENT: STA

• The STA is a more detailed approach that classifies bank activities into eight
business lines:

1. Corporate finance
2. Trading and sales
3. Retail banking
4. Commercial banking
5. Payment and settlements
6. Agency services
7. Asset management
8. Retail brokerage
OPERATIONAL RISK MANAGEMENT: STA

• The STA is based on the following modified formula:

$$K_{\mathrm{STA}} = \sum_{i=1}^{8} \beta_i \cdot GI_i$$

where
$K_{\mathrm{STA}}$ = The capital charge under the Standardised Approach
$GI_i$ = Average annual level of income in the last three years
$\beta_i$ = Beta values for each business line
BETA VALUES FOR DIFFERENT BUSINESS LINES

Corporate finance = β1 = 0.18
Trading and sales = β2 = 0.18
Retail banking = β3 = 0.12
Commercial banking = β4 = 0.15
Payment and settlements = β5 = 0.18
Agency services = β6 = 0.15
Asset management = β7 = 0.12
Retail brokerage = β8 = 0.12
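
The standardised-approach charge above and the two IFSB capital ratio formulas from earlier in the deck, worked through as an added example that is not part of the original seminar. Function names and all monetary figures are constructed; turning the charge into the operational-risk term B by multiplying by 12.5 is an assumption taken from the Basel convention, which the slides do not state.

```python
# Added example (not from the slides): STA charge and the two IFSB ratios.
# All monetary figures used with it are constructed for illustration.

# Beta per business line, as listed on the slides.
BETAS = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlements": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}
MIN_RWCR = 0.08          # the 8% floor from the slides
RWA_MULTIPLIER = 12.5    # assumption: Basel convention (1 / 8%), not on the slides


def sta_capital_charge(avg_gross_income):
    """K_STA = sum(beta_i * GI_i); GI_i is the three-year average per line."""
    unknown = set(avg_gross_income) - set(BETAS)
    if unknown:
        raise ValueError(f"unknown business lines: {sorted(unknown)}")
    return sum(BETAS[line] * gi for line, gi in avg_gross_income.items())


def rwcr(k, a, b, c, d=0.0, e=0.0, alpha=None):
    """Standard formula if alpha is None, else the discretion formula."""
    denominator = a + b - c
    if alpha is not None:
        if not 0.0 <= alpha <= 1.0:
            raise ValueError("alpha must lie in [0, 1]")
        denominator -= (1.0 - alpha) * d + alpha * e
    if denominator <= 0:
        raise ValueError("risk-weighted denominator must be positive")
    return k / denominator


def alpha_sweep(k, a, b, c, d, e, steps=4):
    """Return (alpha, ratio, meets_floor) for alpha = 0, 1/steps, ..., 1."""
    rows = []
    for n in range(steps + 1):
        alpha = n / steps
        ratio = rwcr(k, a, b, c, d, e, alpha)
        rows.append((alpha, ratio, ratio >= MIN_RWCR))
    return rows


if __name__ == "__main__":
    gi = {"retail_banking": 100.0, "commercial_banking": 200.0}  # constructed
    b = sta_capital_charge(gi) * RWA_MULTIPLIER                  # 42 * 12.5 = 525
    print(f"standard RWCR: {rwcr(k=115.0, a=1500.0, b=b, c=400.0):.4f}")
    for alpha, ratio, ok in alpha_sweep(115.0, 1500.0, b, 400.0, d=300.0, e=100.0):
        print(f"alpha={alpha:.2f}  RWCR={ratio:.4f}  meets 8% floor: {ok}")
```

With these constructed figures the same bank clears the 8% floor for the lower values of the supervisory parameter and falls below it for the higher ones, because D and E differ in size.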
STA COMPARED BETWEEN A AND B
                 A           B
Identification   Excellent   Good
Measurement      Very Good   Average
Monitoring       Excellent   Average
Reporting        Good        Bad
Mitigation       Good        Good
Control          Good        Good
β1               0.18        0.18
β2               0.18        0.18
β3               0.12        0.12
β4               0.15        0.15
β5               0.18        0.18
β6               0.15        0.15
β7               0.12        0.12
β8               0.12        0.12
STA COMPARED BETWEEN A AND B
                 A           B
Identification   Excellent   Good
Measurement      Very Good   Average
Monitoring       Excellent   Average
Reporting        Good        Bad
Mitigation       Good        Good
Control          Good        Good
β1                     <
β2                     <
β3                     <
β4                     <
β5                     <
β6                     <
β7                     <
β8                     <
BIA AND STA : CRITICISM

– “Eating fried shrimps lead to capital punishment”


– Gross income approach – is it adequate to capture the incidence of
operational risk?
– How about other factors?
• Sources of income (number of products and investments)
• Stability/volatility of income
• Number of employees
• Number of clients
QUANTIFICATION OF OPERATIONAL RISK:
MANAGEMENT APPROACH

– Instead of relating the operational risk to the size of the organisation (gross
income), it might not be a bad idea to look into the management function
deeply to come up with a measure of operational risk.

– For example, a one-man firm (an owner-managed firm) should have less
incidence of operational risk as compared to a firm with multiple personnel
(owners as well as managers).
• Hence, complexity of organisation should be considered as a factor that
may affect the operational risk
– More complex organisations should be more prone to operational
risk
– In complex organisations, both the management and control
functions should be strong to reduce incidence of operational risk
QUANTIFICATION OF OPERATIONAL RISK:
MANAGEMENT APPROACH

– In IFIs, there should be an additional control function around
Shari’a compliance
MEASUREMENT OF MANAGEMENT AND CONTROL
FUNCTIONS

Identification I1 I2 I3 I4 … In
Measurement Me1 Me2 Me3 Me4 … Men
Monitoring Mo1 Mo2 Mo3 Mo4 … Mon
Reporting R1 R2 R3 R4 … Rn
Mitigation Mi1 Mi2 Mi3 Mi4 … Min
Control C1 C2 C3 C4 … Cn
MEASUREMENT OF MANAGEMENT AND CONTROL
FUNCTIONS

B1 B2 B3 … Bn B1 B2 B3 … Bn B1 B2 B3 … Bn B1 B2 B3 … Bn

I11 I12 I13 … I1n I21 I22 I23 … I2n I31 I32 I33 … I3n … In1 In2 In3 … Inn

Me11 Me12 Me13 … Me1n Me21 Me22 Me23 … Me2n Me31 Me32 Me33 … Me3n … Men1 Men2 Men3 … Menn

Mo11 Mo12 Mo13 … Mo1n Mo21 Mo22 Mo23 … Mo2n Mo31 Mo32 Mo33 … Mo3n … Mon1 Mon2 Mon3 … Monn

R11 R12 R13 … R1n R21 R22 R23 … R2n R31 R32 R33 … R3n … Rn1 Rn2 Rn3 … Rnn

Mi11 Mi12 Mi13 … Mi1n Mi21 Mi22 Mi23 … Mi2n Mi31 Mi32 Mi33 … Mi3n … Min1 Min2 Min3 … Minn

C11 C12 C13 … C1n C21 C22 C23 … C2n C31 C32 C33 … C3n … Cn1 Cn2 Cn3 … Cnn
MEASUREMENT OF MANAGEMENT AND CONTROL
FUNCTIONS: CONSTRUCTION OF GRID

γ11 γ12 γ13 … γ1j
γ21 γ22 γ23 … γ2j
γ31 γ32 γ33 … γ3j
… … … … …
γi1 γi2 γi3 … γij
MEASUREMENT OF MANAGEMENT AND CONTROL
FUNCTIONS: CONSTRUCTION OF WEIGHTS

w11 w12 w13 … w1j


w21 w22 w23 … w2j
w31 w32 w33 … w3j
… … … … …
wi1 wi2 wi3 … wij
MEASUREMENT OF MANAGEMENT AND CONTROL
FUNCTIONS: CONSTRUCTION OF GRID

w11γ11 w12γ12 w13γ13 … w1jγ1j
w21γ21 w22γ22 w23γ23 … w2jγ2j
w31γ31 w32γ32 w33γ33 … w3jγ3j
… … … … …
wi1γi1 wi2γi2 wi3γi3 … wijγij
γ1 γ2 γ3 … γj
MEASUREMENT OF MANAGEMENT AND CONTROL
FUNCTIONS: CONSTRUCTION OF GRID

where

The final gamma is in standardised form


MODIFIED STA COMPARED BETWEEN A AND B
                 A (γ1 = 0.75)   B (γ2 = 0.56)
Identification   Excellent       Good
Measurement      Very Good       Average
Monitoring       Excellent       Average
Reporting        Good            Bad
Mitigation       Good            Good
Control          Good            Good
β1               0.06      <     0.15
β2               0.06      <     0.15
β3               0.04      <     0.10
β4               0.05      <     0.12
β5               0.06      <     0.15
β6               0.05      <     0.12
β7               0.04      <     0.10
β8               0.04      <     0.10
MONITORING AND REPORTING OF OPERATIONAL
RISKS

• Operational risk grid should be made available to the top management on a
frequent basis

• Dedicated personnel working for the risk management and operational
management teams

• Operational risk grid should be made available throughout the organisation,
with a score
MITIGATION AND CONTROL OF OPERATIONAL
RISKS

• Assurance of compliance with Shari’a
– Setting up and maintaining a Shari’a Advisory Committee as per
regulatory requirements in a jurisdiction in which the IFI / Islamic bank
is operating

• Documentation of contractual arrangements

• Shari’a compliance review

• Calculation of the impermissible income and its disbursement in accordance
with the applicable Shari’a rules and guidelines

• The operational risk score should be a component in the bonus formula for
the top management
DISCUSSION POINTS

• Is the incidence of operational risk higher in Islamic banks than in their conventional
counterparts? [Khan and Ahmed (2001), among others]
• Is the 8% minimum capital requirement adequate in the case of
Islamic financial institutions?
• Is there a need for a separate focus on operational risk management given that
it is part of the capital adequacy requirements for Islamic financial
institutions?
• Any other questions?
THANK YOU

humayon@humayondar.com
http://www.edbizconsulting.com
