Shariah Risk Management Function
Introduction
Shariah risk management is a function that systematically identifies, measures, monitors, and reports shariah non-compliance risks in the operations, business, affairs, and activities of the IFI. Shariah risk management encompasses four essential functions: identification, measurement, monitoring, and reporting. These functions will be elaborated upon in the subsequent subtopic.
Integration of Shariah non-compliance risk into enterprise-wide risk management of Islamic financial institutions
The integration of shariah non-compliance risk within the enterprise-wide risk management of an IFI is crucial. The shariah risk management function must incorporate considerations for shariah non-compliance risks into the overall enterprise-wide risk management framework. These risks should be integrated into the IFI's operational risk, credit risk, market risk, and liquidity risk assessments.
The organizational structure, processes, and information flows for managing shariah non-compliance risk should foster awareness and promote integrated risk management across various risk categories (such as credit, market, operational, and liquidity), products, and business lines. This integration should extend to both the institution and group-wide levels.
IFIs should be able to demonstrate how correlations and concentrations of shariah non-compliance risk within and across different business units, institutions, or groups are accounted for under an integrated risk management approach. This ensures that the board and senior management have a comprehensive understanding of the overall magnitude of risks affecting the organization. By doing so, the IFI can ensure that its risk-taking activities align with the board-approved risk appetite.
It is important to highlight that Shariah non-compliance risks are expected to be incorporated into the enterprise-wide risk management of Islamic financial institutions (IFI). The understanding of the Shariah risk management function is cross-referenced with the operational risk policy, indicating that Shariah non-compliance risk is considered within the broader operational risk framework.
Identification and assessment of shariah non-compliance risks
The Shariah risk management function is responsible for identifying shariah non-compliance risk exposures in the business operations and activities of the IFI. Additionally, it must assess the shariah non-compliance risk and measure the potential impact of these risk exposures on the IFI.
An IFI must establish robust processes for identifying and assessing shariah non-compliance risks. These processes should consider both internal and external factors and adopt a comprehensive approach. Additionally, the processes should facilitate effective risk management by identifying significant shariah non-compliance risk events through scenario analysis.
A sound methodology for identifying and assessing shariah non-compliance risks should be able to identify internal and external risk drivers that influence key business objectives and strategies. It should also evaluate and test the effectiveness of existing internal control systems and risk mitigation measures. Furthermore, the methodology should be detailed enough to determine the root cause of a particular shariah non-compliance risk event.
The identification and assessment of shariah non-compliance risks should consider the following key inputs:
(a) Management's understanding of the current and future business and operating conditions, as well as anticipated changes in products, processes, regulations, and markets.
(b) Shariah non-compliance risk exposures or internal control deficiencies identified by internal audit, other control functions, or regulators.
(c) Business process mappings that identify the key steps, risk interdependencies, and control points in business processes.
(d) Shariah non-compliance risk indicators that capture the main drivers of shariah non-compliance risk exposures.
(e) Analysis of historical internal loss experience and root-cause analyses of significant shariah non-compliance risk events.
(f) Analysis of relevant external loss information, such as significant losses experienced by other organizations, if available.
IFIs must utilize both top-down and bottom-up approaches in their shariah non-compliance risk identification and assessment methodology.
A top-down approach helps IFIs identify major shariah non-compliance risks that could undermine their soundness. On the other hand, a bottom-up approach ensures comprehensiveness, promotes risk ownership and accountability, and allows IFIs to prioritize resources towards managing major shariah non-compliance risks within key business and functional lines. Utilizing both approaches enables IFIs to validate the enterprise-wide level view of shariah non-compliance risks.
The shariah non-compliance risk identification and assessment methodology must remain current, reflective of the dynamic nature of the IFI's business, and aligned with the time horizon of the IFI's business strategies and shariah non-compliance risk appetite. The methodology should also be updated in the event of major shariah non-compliance risk events or developments that could invalidate earlier assessments.
For scenario analysis, IFIs must develop plausible scenarios under which major shariah non-compliance risks could materialize. Each scenario should evaluate the effectiveness of current controls and risk mitigation measures, identify potential failure points, and estimate the probability and severity of impact of shariah non-compliance risk failures, including under a worst-case scenario.
The scenario analysis must be supported by a robust methodology and process that incorporates inputs from business and functional lines, risk managers, subject matter experts, and key control functions. Assumptions used in the analysis should be regularly reviewed. The methodology and process must be documented, approved by senior management, and consistently applied.
When identifying potential scenarios, IFIs should consider events that may pose a significant threat to the institution from a shariah non-compliance risk perspective, such as new rulings from Shariah Advisory Councils. Additionally, potential scenarios may be developed based on past incidents of shariah non-compliance within the IFI. While stress testing can complement the identification of significant shariah non-compliance risk events, IFIs should also consider other plausible scenarios, including those involving multiple high-frequency, low-impact events that could pose a significant threat if they occur simultaneously.
Shariah non-compliance risk response and mitigation strategies
The Shariah risk management function must establish appropriate risk mitigation measures. An IFI must ensure that the strategies and responses for mitigating shariah non-compliance risks effectively address all identified risks in line with the shariah non-compliance risk appetite set by the board.
When devising mitigation strategies, an IFI must consider the impact on other risks and whether these strategies could introduce new risks or unintended effects on risk-taking incentives, business, and operational performance. The IFI must clearly identify and address these implications within its overall risk management framework.
While takaful arrangements can complement the management of shariah non-compliance risks, they should not be seen as a substitute for a robust internal control environment. If an IFI utilizes such arrangements, it must assess any residual and new risks that may arise. This assessment should include considerations such as the financial strength of the takaful provider, potential legal and liquidity risks, and the level of deductibles specified in the certificate.
An IFI should also be aware of the limitations of using takaful arrangements as a risk mitigation strategy. This includes recognizing shariah non-compliance risk interdependencies that can change over time, challenges in quantification, and potential gaps between the actual risk exposure and the scope of takaful coverage.
An IFI must be able to demonstrate that the risk mitigation strategies and responses effectively contain shariah non-compliance risk exposures within the board-approved risk appetite. This should be supported by regular assessments of trends in the IFI's risk exposures and a process for affirming the ongoing appropriateness of the risk mitigation strategies and responses.
An IFI must establish business continuity plans that align with its shariah non-compliance risk profile and the approved risk tolerance level for business disruptions. These plans should cover all critical business operations and address plausible events or scenarios associated with potential business disruptions.
Shariah non-compliance risk indicators, metrics and loss events
The Shariah risk management function is responsible for monitoring shariah non-compliance risk exposures and the effectiveness of risk mitigation measures. An IFI must establish processes for systematically collecting and analyzing relevant data and metrics related to shariah non-compliance risk exposures.
Shariah non-compliance risk indicators and metrics should enable the early identification of emerging risks and potential changes to the IFI's shariah non-compliance risk profile before they materialize. Appropriate limits should be set for each indicator to trigger escalation and mitigation actions.
Key shariah non-compliance risk indicators and metrics should include:
(a) Generic indicators that are comparable across different business and functional lines and can be aggregated on an enterprise-wide basis, such as shariah compliance breaches.
(b) Customized indicators that monitor specific shariah non-compliance risks within individual business lines and processes, such as breaches of specific shariah requirements on tawarruq for consumer products.
An IFI must capture and track actual shariah non-compliance risk loss events and near misses. This includes incidents of shariah non-compliance that result in losses in other risk types, such as credit, market, and takaful risk.
To ensure completeness and accuracy, an IFI must establish a framework, processes, and controls for collecting and reporting shariah non-compliance risk loss events. This includes implementing an internal standard for loss recognition, criteria for allocating losses arising from centralized functions or activities spanning multiple business lines, and requirements for validating and reconciling quantified losses against accounting records and other internal information.
Shariah non-compliance risk reporting
The Shariah risk management function is responsible for reporting shariah non-compliance risk exposures to the board, shariah committee, and senior management. Shariah non-compliance risk reports provided to the shariah committee, board, and senior management should offer accurate information to support decision-making and enable timely management responses. The frequency of reporting should reflect the level of risks involved and the pace and nature of changes in the business and operating environment.
Shariah non-compliance risk reports should encompass financial, operational, and compliance information, as well as relevant external information about events and conditions that impact decision-making.
Shariah non-compliance risk information that aids informed decision-making by the shariah committee, board, and senior management includes:
(a) Analysis of the current shariah non-compliance risk profile, emerging trends of key shariah non-compliance risk indicators, and the direction of risks over a defined horizon (e.g., the next three months).
(b) Status updates on mitigation action plans for significant shariah non-compliance risks.
(c) Breaches of shariah non-compliance risk limits, particularly those resulting in the IFI's enterprise-wide shariah non-compliance risk level exceeding the approved risk appetite.
(d) Identification of shariah non-compliance risk management deficiencies observed by the risk management function, internal audit, or regulators.
(e) Reporting of significant shariah non-compliance risk events, control failures, and losses that have occurred.
(f) Lessons learned from relevant external loss events and internal assessments of the probability and potential impact of similar events occurring within the IFI.
The scope, context, and level of detail in shariah non-compliance risk reports should be appropriately tailored to meet the needs of different user groups. For instance, detailed shariah non-compliance risk information specific to activities and operations of business and functional lines is valuable for the respective management, while a high-level overview of the overall shariah non-compliance risk profile of the IFI and executive summaries of significant enterprise-level shariah non-compliance risks would better facilitate decision-making by the shariah committee, board, and senior management.
Challenging Shariah non-compliance risk assessment by business and functional lines
The Shariah risk management function must possess the necessary skills, credibility, and willingness to effectively challenge business lines in relation to Shariah non-compliance risks that may arise from the activities of the Islamic financial institution (IFI). It is important to note that the enterprise-wide Shariah risk management function does not replace the primary responsibility of business and functional lines in managing Shariah non-compliance risk. However, it is accountable for reviewing the identification and management of significant Shariah non-compliance risks by these lines, as well as integrating such risks at the enterprise level. This includes constructively challenging assessments provided by business and functional lines and evaluating the effectiveness of risk mitigation activities.
Senior officer responsible for shariah risk management function and competency requirement
The Chief Risk Officer (CRO), as the senior officer primarily responsible for risk management, is accountable for overseeing the Shariah risk management function within the integrated risk management framework of the Islamic financial institution (IFI). From an organizational structure perspective, this effectively places the Shariah risk management function within the risk management function of the IFI.
It is essential for an IFI to ensure that its risk officers, who handle the Shariah risk management function, possess the necessary knowledge of Shariah requirements applicable to Islamic financial business. This requirement implies that an IFI can utilize its existing risk officers to also perform the Shariah risk management function. While the requirement does not mandate the employment of specific individuals for the Shariah risk management function, IFIs may choose a prudent approach by hiring dedicated personnel for this role.
Religious Teacher
7 months ago: I ask your permission to repost this, sir, as additional reading for my own knowledge later on. Thank you.
Islamic Products Specialist | Transformation into Islamic | Digitisation| Coach & Trainer
8 months ago: Good read
Head Shariah Risk Management at Tabung Haji |PhD Islamic Finance| Researcher| Shariah Advisor|Hafizul Quran
8 months ago: Jazakumullah khairan