The Iranian Association of Islamic Finance held an international webinar on Risk Management in Islamic Banking on 12 July, 2022.

First Speaker:

Dr. Ronald Rulindo

Former Director of Innovation, Financial Market Deepening, and Infrastructure Development for Islamic Finance, National Islamic Finance Committee from Republic of Indonesia

He his presentation is as follows:

What is Risk Management? Risk management is defined as a set of coordinated activities to direct and control an organization with regard to risk.

Why is Risk Management important for Bank?

Risk management help bank to achieve its objective!

Bank ultimate objective is to generate profit to maximize shareholders value.

Thus, they need to prevent bank to experience loss.

Bank should prevent and mitigate all possible sources of losses, such as:

Non-performing loans

Fraud

Bank run / rush

Loss in value of asset

Etc.

How Islamic Banks don’t deal with Riba?

They follow special business model such as Muḍārabah, Mushārakah, Murābahah, Salam, Istisnā, Ijārah contracts which are shariah compliant.

Risk Management in Islamic vs Conventional Bank

Risk Management Infrastructure for Islamic bank is mostly similar with those in conventional banks.

There are some risk management infrastructures that are required in Islamic banks but do not exist in conventional banks.

Some risk management tools in conventional banks may be prohibited to be used in Islamic banks.

Risks in Both Islamic vs Conventional Bank

Credit risk: It is defined as the exposure to the likelihood that a counterparty will fail to meet its obligations in accordance with agreed terms.

Market risk: It is normally referred to the potential impact of adverse price movements such as benchmark rates, foreign exchange (FX) rates, equity prices and commodity prices, on the economic value of an asset.

Liquidity risk: It is the potential loss to IIFS arising from their inability either to meet their obligations or to fund increases in assets as they fall due without incurring unacceptable costs or losses.

Operational risk: It is the potential loss due to people, process, system, and external event.

Specific Risks for Islamic Banks:

Equity investment risk: It is broadly defined as the risk arising from entering into a partnership for the purpose of undertaking or participating in a particular financing or general business activity, and in which the provider of finance shares in the business risk.

Rate of return risk: It is the possible impact on the net income of the IIFS due to change in market and benchmark rates.

Displaced Commercial Risk: It is referred to the magnitude of risks that are transferred to shareholders in order to cushion the IAH from bearing some or all of the risks to which they are contractually exposed in Muḍārabah funding contracts.

Sharī`ah non-compliance risk: It is the risk that arises from IIFSs’ failure to comply with the Sharī`ah rules and principles.

Fiduciary risk: It is the risk that arises from IIFSs’ failure to perform in accordance with explicit and implicit standards applicable to their fiduciary responsibilities.

IFSB’s suggestion about managing Credit Risk in Islamic bank:

IIFS shall have in place a comprehensive risk management and reporting process, including appropriate board and senior management oversight, to identify, measure, monitor, report and control relevant categories of risks and, where appropriate, to hold adequate capital against these risks. The process shall take into account appropriate steps to comply with Sharī`ah rules and principles and to ensure the adequacy of relevant risk reporting to the supervisory authority.

IIFS shall have in place a strategy for financing, using various instruments in compliance with Sharī`ah, whereby it recognises the potential credit Exposures that may arise at different stages of the various financing agreements.

IIFS shall have in place Sharī`ah-compliant credit risk mitigating techniques appropriate for each Islamic financing instrument.

IFSB’s suggestion about managing equity investment risk:

IIFS shall have in place appropriate strategies, risk management and reporting processes in respect of the risk characteristics of equity investments, including Muḍārabah and Mushārakah investments.

IIFS shall ensure that their valuation methodologies are appropriate and consistent, and shall assess the potential impacts of their methods on profit calculations and allocations. The methods shall be mutually agreed between the IIFS and the Muḍārib and/or Mushārakah partners.

IIFS shall define and establish the exit strategies in respect of their equity investment activities, including extension and redemption conditions for Muḍārabah and Mushārakah investments, subject to the approval of the institution’s Sharī`ah Board.

IFSB’s suggestion about managing Market risk:

IIFS shall have in place an appropriate framework for market risk management (including reporting) in respect of all assets held, including those that do not have a ready market and/or are exposed to high price volatility.

IFSB’s suggestion about managing Liquidity risk:

IIFS shall have in place a liquidity management framework (including reporting) taking into account separately and on an overall basis their liquidity exposures in respect of each category of current accounts, unrestricted and restricted investment accounts.

IIFS shall assume liquidity risk commensurate with their ability to have sufficient recourse to Sharī`ah-compliant funds to mitigate such risk.

IFSB’s suggestion about managing Rate of Return risk:

IIFS shall establish a comprehensive risk management and reporting process to assess the potential impacts of market factors affecting rates of return on assets in comparison with the expected rates of return for investment account holders (IAH).

IFSB’s suggestion about managing Displaced Commercial risk:

IIFS shall have in place an appropriate framework for managing displaced commercial risk, where applicable.

IFSB’s suggestion about managing Sharia Non Compliance risk:

IIFS shall have in place adequate systems and controls, including Shari`ah Board/ Advisor, to ensure compliance with Shari`ah rules and principles.

IFSB’s suggestion about managing Fiduciary risk:

Conclusion:

• Islamic banks have different business models as compared with conventional bank. Consequently, they have specific risks that may not be found in conventional bank.
• Risk management infrastructures for conventional banks is also applied to Islamic banks. However, there are some risk management techniques in conventional banks that are not allowed to be implemented in Islamic banks.
• IFSB has set a number of recommendations with regard to risk management for Islamic banks. The recommendations could ensure better stability of the Islamic banks.

Second Speaker:

Mughees Shaukat

Islamic Banking Advisor, Oman / Vice Chairman, AEB, AAOIFI

His presentation is as follows:

What is crucially noteworthy is the fact that the fintech driven, new age, finance is in complete actuality, application of 101 Islamic Finance i.e. a simple resortion to Mudaraba and Musharaka financing via e.g. crowd Funding, Angel Investing ,P2P.

In a typical risk sharing arrangement such as equity finance, parties share the risk as well as the rewards of a contract. Assets are invested in remunerative trade and production activities. The return to assets are not known at the instant assets are invested, akin to Arrow-Debreu securities.

“As we become more reliant on the bliss of technology, digital banking, services and payments, there is a dark side that comes as an inevitable package deal: CYBER RISKS.

The number of cyberattacks has tripled over the last decade, and financial services is the most targeted industry.

Cybersecurity has clearly become a threat to financial stability. Given strong financial and technological interconnections, a successful attack on a major financial institution, or on a core system or service used by many, could quickly spread through the entire financial system causing widespread disruption and loss of confidence”.

Transactions could fail as liquidity is trapped, household and companies could lose access to deposits and payments. Under extreme scenarios, investors and depositors may demand their funds or try to cancel their accounts or other services and products they regularly use. A NEW KIND OF BANK RUNS.

Hacking tools are now cheaper, simpler and more powerful, allowing lower-skilled hackers to do more damage at a fraction of the previous cost. The expansion of mobile-based services (the only technological platform available for many people), increases the opportunities for hackers. Attackers target large and small institutions, rich and poor countries, and operate without borders. Fighting cybercrime and reducing risk must therefore be a shared undertaking across and inside countries.

According to Gartner (2022), “the average cost of IT downtime is $5,600 per minute. Because there are so many differences in how businesses operate, downtime, at the low end, can be as much as $140,000 per hour.” 

IBM’s 2020 Cost of a Data Breach Report found, “Lost business costs accounted for nearly 40% of the average total cost of a data breach, increasing from $1.42 million in the 2019 study to $1.52 million in the 2020.

The he mentioned the climate change measures do not ideally go well with the working of commodification and financialization driven capitalism, where nature if acquisitive and process accumulative.

The Conundrum with extra topping of intrinsic Challenges:

Emerging vs developing world the financial and political dilemma,

Globalization intensify (climate) risks,

Climate refugees and new kind of Climate change ridden unemployment other than natural disruptions, food, water and health risks.

Lack of proper reliable Data needed to make understand the full impact of climate change to regulators etc,

New age understanding and securing of Maqasid Al Shariah as it is an auto securing SRI, SDGs, ESGs hence climate change not sure why we don’t promote the same as innate mechanism and why so much of the view to get node first from west than our own.

Someehere else, Shaukat talked about Cyber Hygiene, adding While the daily foundational risk management work — maintaining networks, updating software and enforcing strong ‘cyber hygiene’ — remains with financial institutions, there is also a need to address common challenges and recognize the spillovers and interconnections across the financial system (the Complexity dynamics more so of interest-bearing debt system).

Individual firm incentives to invest in protection are not enough; regulation and public policy intervention is needed to guard against underinvestment and protect the broader financial system from the consequences of an attack.

IMF Research, suggest six major strategies:

Cyber mapping and risk quantification

The global financial system’s interdependencies can be better understood by mapping key operational and technological interconnections and critical infrastructure. Better incorporating cyber risk into financial stability analysis will improve the ability to understand and mitigate system-wide risk. Quantifying the potential impact will help focus the response and promote stronger commitment to the issue. Work in this area is nascent—in part due to data shortcomings on the impact of cyber events and modelling challenges—but must be accelerated to reflect its growing importance.

Converging regulation

More locally & internationally consistent regulation and supervision will reduce compliance costs and build a platform for stronger cross-border cooperation. International bodies such as the Financial Stability Board, Committee on Payments and Market Infrastructure, and Basel Committee, have begun to strengthen coordination and foster convergence. National authorities need to work together on implementation.

Capacity to respond

As cyberattacks become increasingly common, the financial system has to be able to resume operations quickly even in the face of a successful attack, safeguarding stability. So-called response and recovery strategies are still incipient, particularly in low-income countries, which need support in developing them. International arrangements are necessary to support response and recovery in cross-border institutions and services.

Willingness to share

More information-sharing on threats, attacks, and responses across the private and the public sectors will enhance the ability to deter and respond effectively. Yet, serious barriers remain, often stemming from national security concerns and data protection laws. Supervisors and central banks need to develop information sharing protocols and practices that work effectively within these constraints. A globally agreed template for information sharing, increased use of common information platforms, and expansion of trusted networks could all.

Stronger deterrence

Cyberattacks should become more expensive and riskier through effective measures to confiscate crime proceeds and prosecute criminals. Stepping up international efforts to prevent, disrupt and deter attackers would reduce the threat at its source. This requires strong co-operation between law enforcement agencies and national authorities responsible for critical infrastructure or security, across countries and agencies. Since hackers know no borders, global crime requires global enforcement.

Capacity development

Helping developing and emerging economies build cybersecurity capacity will strengthen financial stability and support financial inclusion. Low-income countries are particularly vulnerable to cyber risk. The COVID-19 crisis has highlighted the decisive role that connectivity plays in the developing world. Harnessing technology safely and securely will continue to be central to development and with it a need to ensure that cyber risk is addressed. As with any virus, the proliferation of cyber threats in any given country makes the rest of the world less safe.

Addressing all these gaps will require a collaborative effort from standard-setting bodies, national regulators, supervisors, industry associations, private sector, law enforcement, international organizations, and other capacity development providers and donors.