© 2014 HUMAYON DAR; A seminar delivered at Qatar Faculty of Islamic Studies on May 13, 2014 HUMAYON DAR CHAIRMAN, PRESIDENT & CEO EDBIZ CORPORATION Risk

© 2014 HUMAYON DAR; A seminar delivered at Qatar Faculty of Islamic Studies on May 13, 2014

HUMAYON DAR

CHAIRMAN, PRESIDENT & CEO

EDBIZ CORPORATION

Risk MANAGEMENT

in Islamic Banking and Finance Shari’a, Legal and Operational Risks

INTRODUCTION

• Risk Management in Islamic Banking and Finance• Operational risk is more complex and difficult to quantify• Quantification methods are imperfect and still evolving• Islamic Financial Services Board (IFSB)• Focus on Operational Risk Management in Islamic Finance

FOUR GENERIC RISKS FACING ALL BANKS

RISK TRANSFORMATION IN MURABAHA

EXAMPLE OF DEFAULT: CONVENTIONAL VS ISLAMIC

FOCUS ON OPERATIONAL OPERATIONAL RISK IN ISLAMIC FINANCE

RWCR =K

A + B – C

IFSB Standard Formula

where

RWCR = Risk-weighted Capital Requirement

A = Total Risk-weighted Assets [Credit + Market Risks]

B = Operational Risks

C = Risk-weighted Assets Funded by Profit Sharing Investment Accounts

≥ 8%


RWCR =K

A + B – C – (1-α)D – α.E

Regulatory Discretion Formula

where

RWCR = Risk-weighted Capital Requirement

A = Total Risk-weighted Assets [Credit + Market Risks]

B = Operational Risks

C = Risk-weighted Assets Funded by Profit Sharing Investment Accounts

0 ≤ α ≤ 1

D = Risk-weighted Assets Funded by Unrestricted Profit Sharing Investment Accounts

E = Risk-weighted Assets Funded by Restricted Profit Sharing Investment Accounts

≥ 8%


RWCR =Eligible Capital

TRWA [Credit + Market Risks] + Operational Risks – RWA Funded by PSIAs [Credit + Market Risks]

IFSB Standard Formula

Supervisory Discretion Formula

RWCR =Eligible Capital

TRWA [Credit + Market Risks] + Operational Risks – RWA Funded by PSIAs [Credit + Market Risks] –

(1- a)RWA Funded by UPSIAs[Credit + Market Risks] – (a)RWA Funded by RPSIAs [Credit + Market Risks

≥ 8%

≥ 8%

OPERATIONAL RISK DEFINED

OPERATIONAL RISK is defined as the risk of loss resulting from the inadequacy or failure of internal processes, as related to people and systems, or from external risks [Van Greuning and Iqbal (2008), p. 174]

ISLAMIC FINANCIAL SERVICES BOARD [IFSB] includes Shari’a risk under the definition of operational risk

[Guiding Principles of Risk Management for Institutions (other than Insurance Institutions) Offering Only Islamic Finance Services 2005, No. 7]

SHARI’A [NON-COMPLIANCE] RISK is the risk that arises from an IFI’s failure to comply with the Shari’a rules and principles determined by its Shari’a Board or the relevant body in the jurisdiction in which the IFI operates

[IFSB, ibid, 7.2 (121)]

OPERATIONAL RISK: CAUSE EVENT AND EFFECT

CAUSE EVENT EFFECT

Internal processesPeopleSystems

Internal processes[No clear policy on the LC*]

Internal fraudExternal riskDamage to physical assets

External risk (Piracy)

Write-downLegal liabilityLoss of recourse

Write-down

Management

Measurement

*Whether to be on the FOB shipping port or destination basis

OPERATIONAL RISK: CAUSE EVENT AND EFFECT

CAUSE EVENT EFFECT

Internal processesPeopleSystems

People

Internal fraudExternal riskDamage to physical assets

Internal fraud (Misinforming the client*)

Write-downLegal liabilityLoss of recourse

Legal liability

Management

Measurement

*Misinforming the client that it was a regulatory requirement to convert foreign remittances into local currency

OPERATIONAL RISK: GENERAL CONSIDERATIONS

OPERATIONAL RISK covers any risk that may arise from general and specific operations of an organisation, and in the present context, banks in general and Islamic banks and financial institutions in particular.

As it is general in nature, hence it is difficult to quantify it precisely. This is why it has not been of a major focus prior to an emphasis on it by Basle Committee on Banking Supervision [BSBC].

In a well-run bank (or financial institution), its incidence is expected to be less. Hence, a starting point to quantify it must have something to do with the management function.

Management consists of the interlocking functions of creating corporate policy and organizing, planning, controlling, and directing an organization's resources in order to achieve the objectives of that policy.

GENERAL OPERATIONAL RISKS

1. Failure to open branch(es) in time [part of people risk]

2. Misinformation to customers

3. Theft (stationery, equipment etc.) and misuse

4. Technology breakdown

5. Electricity shutdwon

6. Bad weather

7. Accidents

8. Acts of terrorism

9. An adverse Shari’a opinion about a product

10.Withdrawal of funds

11.A senior (Muslim) member of the executive management team of an Islamic bank is seen drinking alcohol on QR302 flight and someone has uploaded a video on YouTube with a caption: “Is it Islamic? Islamic Banks’ Non-Islamic Bankers”

GENERAL OPERATIONAL RISKS

12.Somehow, your online banking system has a loophole and some online search engines have started picking up “cache” pages of some of the customers who view their accounts using a particular internet browser

OPERATIONAL RISKS IN ISLAMIC FINANCIAL INSTITUTIONS

• Possible loss arising from Shari’a non-compliance of Islamic financial institutions and failure of acting in accordance with the fiduciary responsibilities of management of such institutions

• If an IFI / Islamic bank does not comply with Shari’a rules and principles, its transactions must be cancelled and income generated from them shall be considered as illegitimate

• Recent example:– Bank Negara Malaysia issued new guidelines on Bai’ ‘Ina in 2012, which

came after the Shari’a guidelines for Islamic banks and Takaful companies, making it clear that any non-compliance with Shari’a will not only be considered as illegal but the bank will also have to claw back income from the non-compliant transactions


• FIDUCIARY RISK is thus also part of the IFSB’s definition of operational risk

• IFSB’s PRINCIPLE 7.2IFI / Islamic bank must have in place appropriate mechanisms to safeguard

the interests of all fund providers. Where Investment Account Holders [IAH] funds are commingled with IFI’s own funds, IFI must ensure that the bases for asset, revenue, expense and profit allocations are established, applied and reported in a manner consistent with IFI’s fiduciary responsibilities.

[Guiding Principles of Risk Management for Institutions (other than Insurance Institutions) Offering Only Islamic Finance Services 2005, No. 7.2]


WHY IS SHARI’A RISK DEEMED AS PART OF THE OPERATIONAL RISK?

• For example, if in an Bai’ ‘Ina transaction, an evidence was found that the bank staff actually made the two transactions (first sale to the customer and the second purchase from the customer) inter-linked, even verbally or through an action, the transaction will be deemed Shari’a con-compliant and the bank will be asked to claw back all the accrued income from the transaction and donate it to charity (and possibly face some penalty from the regulator).

• This is certainly a failure in the Shari’a process on part of the personnel, and hence should be considered as an operational risk.


• In summary, operational risk in IFIs also include:

– Legal risk– Shari’a risk– Fiduciary risk

• Reputational risk arising from Shari’a non-compliance and failure to act in accordance with the fiduciary duties of Islamic banks’ management is also critical

SHARI’A, LEGAL AND OPERATIONAL RISKS: SOME EXAMPLES (1)

• A UAE-based Islamic bank sold a used car to a customer on Murabaha basis• A few months into the contract, the customer met an accident while driving

the purchased car• While dealing with the case, the police found out that the car was reported

missing a few months back• [The bank actually happened to have bought a “stolen” car before selling it to

the customer]• The customer disputed with the bank and asked for full refund of the money

he had already paid• On the other hand, the bank wanted to accelerate the payments and asked the

customer to pay the amount in full


• A Saudi bank provided seed capital for an Islamic equity fund• The bank was informed that the fund would follow AAOIFI Shari’a

screening methodology• The internal communication between the bank management and its Shari’a

Advisory Committee was in Arabic• After the fund was launched by the fund manager, the Shari’a Advisory

Committee objected to the the impermissible income ratio used by the fund• The fund used [IMPERMISSIBLE INCOME/TOTAL INCOME < 5] while

the Shari’a Advisory Committee proposed [IMPERMISSIBLE INCOME /PERMISSIBLE INCOME < 5]

• LESSIONS ???


• In 1998, an official of a UAE Islamic bank did not conform to the bank’s internal credit term

• It cost the bank US$50 million• This resulted in a one-day run on the bank’s deposits to the tune of US$138

million, representing 7 percent of the bank’s total deposits

[Van Greuning and Iqbal (2008), p. 175]


• An Islamic bank had to incur losses on an international trade finance transaction when a ship carrying the goods it had financed was captured by pirates

• The bank had made the payment on the basis of FOB Shipping Point• The transaction got delayed by three months• The bank incurred a loss of 3-month credit income

OPERATIONAL RISKS SUMMARISED

Reputational Risk

Shari’a Risk

Fiduciary Risk

People Risk

Technology Risk

Displaced Commercial Risk

Withdrawal Risk

There is certainly an overlapping of these risks and it is important to take into account double counting when calculating operational risk capital charge

OPERATIONAL RISK AND ISLAMIC FINANCIAL CONTRACTS

Musharaka

Murabaha

Ijara

Istisna’

Salam

Mudaraba

Operational Risk

OPERATIONAL RISK MANAGEMENT

•The Operational Risk Management framework should include:

– Identification –Measurement–Monitoring– Reporting– Control and –Mitigation

OPERATIONAL RISK MANAGEMENT: IDENTIFICATION

•Technology

– How many servers are hosting the data and IT systems? – Is there a back-up server?– Is the back-up server in the same place (building/street/city/country)?– How many people are responsible server management and maintenance?–What is the frequency of system back-ups?–Where are the back-up tapes / CDs kept?

In 2012, computer failure cost RBS £100 million


•Sales

– It is important for bank personnel to understand fully what they are selling to their customers

– Advertisements on print and electronic media, one-on-one sale pitches and all other marketing and sales material must go through strict scrutiny

– Telephonic sales calls must be recorded and scrutinised by the senior management to identify “conversations” that may lead to potential losses

In UK, mis-selling of PPI has cost banks billions of pounds


•Documentation

–It is absolutely imperative that all the legal documents used for Islamic financial products are vetted by competent personnel well-versed in Shari’a and law

[In a lot of cases, law firms preparing documents for Islamic financial contracts adpat/amend the templates that they otherwise use for conventional financial products; this may leave reference to “interest”, penalty etc unchanged, which may make the contract Shari’a non-compliant]–For conventional banks involved in Islamic banking and finance, it is

important that they ensure that the Shari’a documents are executed and a proper record of the same is maintained, in addition to the legal documentation required conventionally

OPERATIONAL RISK MANAGEMENT: MEASUREMENT

•There are two main approaches to quantify operational risk management:

– Basic Indicator Approach [BIA] – Standardised Approach [STA]

OPERATIONAL RISK MANAGEMENT: BIA

• The BIA is based on the following simple formula:

KBIA = α.GI

where

KBIA = Capital charge under BIA

α = the pre-defined scaling factor set by BCBS

GI = average gross income over the last three years• Gross income is used as a measure of operational risk because:

–It is a reasonable indicator of the size of the activities–It is readily available–It is verifiable–It is reasonably consistent and comparable across jurisdictions –It has the advantage of being counter-cyclical

OPERATIONAL RISK MANAGEMENT: BIA

• The gross income is the sum of:

–Net interest income–Net non-interest income–Net trading income–Other income

• For Islamic banks, the gross income can be sum of:–Net income from service-based activities–Net trading income from the Murabaha, Salam, Ijara based transactions–Other income may include investments in Shari’a compliant securities,

including Sukuk, and Mudaraba and Musharak based investments

OPERATIONAL RISK MANAGEMENT: STA

•The STA is a more detailed approach that classifies bank activities into eight business lines:

1. Corporate finance

2. Trading and sales

3. Retail banking

4. Commercial banking

5. Payment and settlements

6. Agency services• Asset management• Retail brokerage

OPERATIONAL RISK MANAGEMENT: STA

•The STA is based on the following modified formula:

KSTA = Σi=1 βi.GIi

where

KSTA = The capital charge under the Standardised Approach

GI = Average annual level of income in the last three years

βi = Beta values for each business line

8

BETA VALUES FOR DIFFERENT BUSINESS LINES

Corporate finance = β1 = 0.18

Trading and sales = β2 = 0.18

Retail banking = β3 = 0.12

Commercial banking = β4 = 0.15

Payment and settlements = β5 = 0.18

Agency services = β6 = 0.15

Asset management = β7 = 0.12

Retail brokerage = β8 = 0.12

STA COMPARED BETWEEN A AND BA B

Identification Excellent Good

Measurement Very Good Average

Monitoring Excellent Average

Reporting Good Bad

Mitigation Good Good

Control Good Good

β1 0.18 0.18

β2 0.18 0.18

β3 0.12 0.12

β4 0.15 0.15

β5 0.18 0.18

β6 0.15 0.15

β7 0.12 0.12

β8 0.12 0.12

STA COMPARED BETWEEN A AND BA B




Reporting Good Bad


Control Good Good

β1

β2

β3

β4

β5

β6

β7

β8

<

<

<

<

<

<

<

<

BIA AND STA : CRITICISM

– “Eating fried shrimps lead to capital punishment”– Gross income approach – is it adequate to capture the incidence of

operational risk?– How about other factors?

• Sources of income (number of products and investments)• Stability/volatility of income• Number of employees• Number of clients

QUANTIFICATION OF OPERANTIONAL RISK: MANAGEMENT APPROACH

– Instead of relating the operational risk to the size of the organisation (gross income), it might not be a bad idea to look into the management function deeply to come up with a measure of operational risk.

– For example, a one-man firm (an owner-managed firm) should have less incidence of operational risk as compared to a firm with multiple personnel (owners as well as managers).• Hence, complexity of organisation should be considered as a factor that

may affect the operational risk– More complex organisations should be more prone to operational

risk– In complex organisations, both the management and control

functions should be strong to reduce incidence of operational risk

QUANTIFICATION OF OPERANTIONAL RISK: MANAGEMENT APPROACH

– In IFIs, there should be an additional control function around Shari’a compliance

MEASUREMENT OF MANAGEMENT AND CONTROL FUNCTIONS

Identification

I1 I2 I3 I4 … In

Measurement

Me1 Me2 Me3 Me4 … Men

Monitoring Mo1 Mo2 Mo3 Mo4 … Mon

Reporting R1 R2 R3 R4 … Rn

Mitigation Mi1 Mi3 Mi3 Mi4 … Min

Control C1 C2 C3 C4 … Cn

MEASUREMENT OF MANAGEMENT AND CONTROL FUNCTIONS

B1

B2

B3

… Bn

B1

B2

B3

… Bn

B1

B2

B3

… Bn

B1

B2

B3

… Bn

I11

I12

I13

… I1n

I21

I22

I23

… I2n

I31

I32

I33

… I3n

… In1

In2

In3

… Inn

Me11

Me12

Me13

… Me1n

Me21

Me22

Me23

… Me2n

Me31

Me32

Me33

… Me3n

… Men1

Men2

Men3

… Menn

Mo11

Mo12

Mo13

… Mo1n

Mo21

Mo22

Mo23

… Mo2n

Mo31

Mo32

Mo33

… Mo3n

… Mon1

Mon2

Mon3

… Monn

R11

R12

R13

… R1n

R21

R22

R23

… R2n

R31

R32

R33

… R3n

… Rn1

Rn2

Rn3

… Rnn

Mo11

Mo12

Mo13

… Mo1n

Mo21

Mo22

Mi23

… Mi2n

Mi31

Mi32

Mi33

… Mi3n

… Min1

Min2

Min3

… Minn

C11

C12

C13

… C1n

C21

C22

C23

… C2n

C31

C32

C33

… C3n

… Cn1

Cn2

Cn3

… Cnn

MEASUREMENT OF MANAGEMENT AND CONTROL FUNCTIONS: CONSTRUCTION OF Γ GRID

γ11 γ12 γ13 … γ1j

γ21 γ22 γ23 … γ2j

γ31 γ32 γ33 … γ3j

… … … … …

γi1 γi2 γi3 … γij

MEASUREMENT OF MANAGEMENT AND CONTROL FUNCTIONS: CONSTRUCTION OF WEIGHTS

w11 w12 w13 … w1j

w21 w22 w23 … w2j

w31 w32 w33 … w3j

… … … … …

wi1 wi2 wi3 … wij


w11γ11 w12γ12 w13γ13 … w1jγ1j

w21γ21 w22γ22 w23γ23 … w2jγ2j

w31γ31 w32γ32 w33γ33 … w3jγ3j

… … … … …

wi1γi1 wi2γi2 wi3γi3 … wijγij

γ1 γ2 γ3 … γj


where

The final gamma is in standardised form

MODIFIED STA COMPARED BETWEEN A AND BA (γ1 = 0.75) B (γ2 = 0.56)




Reporting Good Bad


Control Good Good

β1 0.06 0.15

β2 0.06 0.15

β3 0.04 0.10

β4 0.05 0.12

β5 0.06 0.15

β6 0.05 0.12

β7 0.04 0.10

β8 0.04 0.10

<

<

<

<

<

<

<

<

MONITORING AND REPORTING OF OPERATIONAL RISKS

• Operational risk grid should be made available to the top management on a frequent basis

• Dedicated personnel working for the risk management and operational management teams

• Operational risk grid should me made available throughout the organisation, with a score

MITIGATION AND CONTROL OF OPERATIONAL RISKS

• Assurance of compliance with Shari’a– Setting up and maintaining a Shari’a Advisory Committee as per

regulatory requirements in a jurisdiction in which the IFI / Islamic bank is operating

• Documentation of contractual arrangements

• Shari’a compliance review

• Calculation of the impermissible income and its disbursement in accordance with the applicable Shari’a rules and guidelines

• The operational risk score should be a component in the bonus formula for the top management

DISCUSSION POINTS

• Is incidence of operational risk more in Islamic banks than their conventional counterparts? [Khan and Ahmed (2001), among others]

• Whether 8% capital minimum capital requirement is adequate in case of Islamic financial institutions?

• Is there a need for a separate focus on operational risk management given that it is part of the capital adequacy requirements for Islamic financial institutions?

• Any other questions?

THANK YOU

[email protected]

http://www.edbizconsulting.com

mailto:[email protected]

Documents

© 2014 HUMAYON DAR; A seminar delivered at Qatar Faculty of Islamic Studies on May 13, 2014 HUMAYON DAR CHAIRMAN, PRESIDENT & CEO EDBIZ CORPORATION Risk