Risk Management for Islamic Banks Recent Developments

26 INTRODUCTION rate-of-return risk, but with a degree, form, and transaction that are differ- ent from commercial banks. With mapping, the Islamic bank can more easily control its entire risk exposure. The risk management manager can easily see which line of business has contributed the most to the total risk faced by the Islamic bank; which business line has exceeded the risk limits set to them and should therefore reduce their risk exposure; and which line of business should receive special priority under certain conditions. Measuring and Reporting Risk After identification, risk needs to be measured consistently and presented in an easily understandable form, not just for purposes of risk mitigation by the bank, but also because it is usually required by the regulator. To ensure that a bank is not threatened by bankruptcy, the bank’s capital must be ascertained to be enough in amount to weather the various risks currently faced by the bank. In evaluating whether the bank’s capital is enough or not, the regula- tor requires that the bank calculate the potential loss that will be borne if the risk actually manifested as a real problem. Calculating risk is necessary not merely to measure the current capital adequacy ratio, but also to determine the minimum amount of additional capital that needed to be raised to fulfil it. The risk measurement model plays an important role in the entire risk management process, because from the model of risk measurement, the risk and return position of the Islamic bank can be known. Information related to risk and return is an important issue to consider in formulating the frame- work and guidelines of risk management applied by the Islamic bank, where they will determine every transaction done by every unit of the Islamic bank. A mistake in determining the risk measurement model will lead to a fatal consequence to the application of risk management as a whole, because any mistake in the risk measurement model will lead to a mistake in the cal- culation of risk and return profile by the Islamic bank. The simple way to measure and report the risk faced is that the bank can construct and utilize the risk matrix as in Table 2.1. Risk Mitigation Once a particular risk is identified and measured, hopefully its actual occur- rence can be minimized. Yet if the probability of it happening is significant, or if (despite its level of rarity) it could do a significant amount of harm, then it is still important to enact mitigation efforts to minimize the effects as much as possible. The risk mitigation strategies that can be chosen by the Islamic bank are different for differing types of risk. The Islamic bank needs to put in place various mitigation techniques that are appropriate for all the

The Islamic Bank and Risk Management 27 TABLE 2.1 Constructing the Risk Matrix Information Related to Risk Risk ABCD Frequency of occurrence Effect generated Prevention/mitigation efforts completed so far Prevention/mitigation efforts recommended in the future Possibility of loss (Rp) Prevention and control costs (Rp) Loss value (Rp) risks it faces. To add to this endeavor, unlike a conventional bank, an Islamic bank also has other limitations in risk mitigation techniques. The principle of syari’ah compliance should always be put first, even when mitigating risk. RISK AND RETURN TRADE-OFF Profit can only have its lawfulness admitted if it is accompanied by risk, effort, and responsibility done. This principle is in line with the hadith “al ghunmu bil ghurmi” (profit accompanies risk) and “al-kharaju bidh-dhamani” (income is received by taking a responsibility). This principle is in line with the concept of risk-return trade off that is already known in finance. Each party involved in a transaction has the right to a certain level of return because of their willingness to bear the corresponding amount of risk. In other words, every risk received by parties in a transaction should also have the possibility of being compensated with adequate level of return. In the Islamic bank, the contract used can be grouped into two. The first group consists of contracts with a social purpose (tabarru’) and contracts with a profit motive (tijari). The use of both types of contracts in a banking transaction generates a direct consequence to the application of the concept of risk and return. In a tabarru’ contract, like a loan (qardh), the principle of risk-return trade-off cannot be applied, because it violates the principle of “al ghunmu bil ghurmi.” The capital owner in a loan contract (qardh) does not bear any risk from the loan given to the debtor. If the capital owner insists on charging the borrower with additional debt, then that addition is usury, making it into unlawful wealth. But what about the use of a sales contract (tijari’) in which the client does not pay in a lump-sum payment, but in periodical installments? In that contract, the principle of risk-return trade-off is practiced when the murabahah contract is entered into. As a

28 INTRODUCTION seller, the Islamic bank buys the object that becomes the transaction object from a supplier to then sell it again (with the agreed-upon margin) to the customer. The Islamic bank then faces the various risks associated with the ownership of that object. It is from the Islamic bank’s willingness to bear the risk of owning the object that it gains the right to set the margin that is appropriate to compensate for that risk, and thus risk-return trade-off can be applied equally. But after the murabahah contract is over and is then continued with a loan contract (because the customer is unable to pay in cash), the size of the debt owed should refer to the exact amount in the murabahah contract, minus the down payment already paid beforehand. The Islamic bank is not allowed to request additional payment that can cause the total amount paid for the object to exceed the amount agreed upon in the murabahah contract. VARIOUS APPROACHES ON RISK IDENTIFICATION The response of Islamic banks toward risk can be divided into several groups. The first is risk averse or risk avoidance. The bank tends to avoid transaction if the risk from that transaction cannot be compensated by an appropriate return. If the risk can be compensated by an appropriate return, then the bank will enter that transaction. The second is risk transfer. The bank trans- fers the risk of a transaction to a third party. This method is often used in the conventional insurance industry, where the insurance firm is willing to bear a certain amount of risk belonging to the insured. In the Islamic banking industry, this method is difficult to do because of the absence of institutions that can bear the financial risk and the difficulty in finding a form of con- tract that is in accordance with the Islamic syari’ah. The third is risk sharing. Unlike risk transfer, the risk in the risk sharing approach is borne together by all risk bearers. In the balance considerations of the Islamic syari’ah, this method is very plausible to use, even if it is not commonly in practice in the current banking industry. The bank can also divide and transfer risk by diversification, subcontracting, outsourcing, takaful, or entering into a musyarakah-based business. Once the bank has decided to accept risk, the bank should also decide on the scope of the risk, the tolerance limit, and the risk measurement used, as well as develop a reliable monitoring system. THE IMPORTANCE OF RISK MANAGEMENT FOR AN ISLAMIC BANK The urgency in applying risk management in an Islamic bank is to minimize the effects and potential of risk occurrence. Because banks will certainly face

The Islamic Bank and Risk Management 29 risk, what is important is to consider how to minimize its occurrence and effects by managing risks properly. This is also not without its own set of benefits. The first is that, with good risk management, the Islamic bank is then capable of providing information and perspective to management about all risk profiles, about basic changes in products and services offered and changing market conditions, about changes in the business environment, as well as changes that are necessary in the risk management process that will later influence the bank’s business decisions. Secondly, with risk manage- ment, sources of large problems can be tracked down, easing the formulation of risk management policy as well as how to review risk. Third, risk man- agement also allows the Islamic bank to calculate and measure the size of the risk exposure faced. Fourth, with knowledge about risk exposure, the Islamic bank is expected to be able to determine the allocation of the sources of funds, as well as to measure risk limits more accurately. Fifth, with better risk management, the Islamic bank is able to avoid an overly concentrated investment portfolio. Sixth, without risk management, it will be difficult to estimate the amount of reserve necessary to anticipate the occurrence of the most probable risks according to the risk calculation and measurement that has been done. Seventh, by minimizing risks, the Islamic bank is able to avoid even larger potential losses. Other than the importance of risk management for the Islamic bank itself, other stakeholders also have some hopes and expectations on the bank’s application of good risk management. The central bank or the related regulator overseeing the banking industry in each country of course expects all banks under its supervision to be prudent and healthy banks, able to generate a real contribution to the nation’s economy. For the customers, the Islamic bank that is able to manage its risks well will be able to pro- vide the optimum service as well as the best rate of return. The customer will trust the Islamic bank as an institution that is trustworthy (amanah) in managing the investment that they planted, and trust is the most important capital for a bank to have to guarantee its continued survival. For investors as stock owners, other than receiving a satisfying rate of return, they also require adequate information. This will be used as a basis to consider invest- ments, and because of this, transparent information, including the bank’s own transparency efforts and risk profile, is an absolute necessity for the Islamic bank. Stockholders also expect the Islamic bank as a place of invest- ment will always be of going concern, has a stable profit as well as providing added value to society, one of which is blessings to society. For the business partners of the Islamic bank, like suppliers, providers, agency, and other parties, they expect that the Islamic bank in question will become a trust- worthy bank, with a good image and reputation, and will enter into good and mutually beneficial cooperation.

PART Two Risk Management Framework in Islamic Banking Risk Management for Islamic Banks: Recent Developments from Asia and the Middle East. Imam Wahyudi, Fenny Rosmanita, Muhammad Budi Prasetyo, Niken Iwani Surya Putri. © 2015 by John Wiley & Sons Singapore Pte. Ltd. Published 2015 by John Wiley & Sons Singapore Pte. Ltd.

3CHAPTER History of Risk Management in Islamic Banking Islamic banking differs significantly from conventional banking on a num- ber of principal, fundamental, and operational issues. Perhaps due to these differences, many aspects of risk management practices remain unexplored, insufficiently studied, and underdeveloped in Islamic banking. For example, a conventional bank can perform capital recovery by initiating bankruptcy proceedings against a debtor, followed by the liquidation of collaterals or calling in third-party sureties as a last resort. By comparison, the proce- dure for capital recovery in Islamic banking isn’t as simple or clear-cut; for example, when a customer acquires funding for the purchase of a housing property through a murabahah sale-repurchase contract but fails to perform on the payment, it is not so easy for the bank to recoup its lost capital by bankrupting the debtor or foreclosing upon the mortgage. Risk management practices in Islamic finance must not violate Islamic syari’ah laws. For example, Islamic banks are forbidden from using the derivative instruments (such as forward, future, option, and swap contracts) so common in conventional banks. As a result, risk management in Islamic banking becomes a tricky and challenging issue. Another example is when an Islamic bank applies the principle of profit- and loss-sharing in the man- agement of liabilities (third-party funds); any losses incurred due to nonper- formance in payments must be accounted as a mutual and shared loss for the bank and its depositors, not just for the bank. This is the most interesting and unique feature of Islamic banking. Apart from the mandatory adher- ence to Islamic laws, an Islamic bank must share all risks and rewards with its depositors and investors. This stands in contrast to conventional bank- ing paradigms in which the bank guarantees returns to its depositors and investors, isolating them from risks of credit nonperformance; all risks are faced solely by the bank, none are transferred to the depositors. Theoretically, this means an Islamic bank faces fewer risks than a con- ventional bank. However, it should not be forgotten than an Islamic bank Risk Management for Islamic Banks: Recent Developments from Asia and the Middle East. Imam Wahyudi, Fenny Rosmanita, Muhammad Budi Prasetyo, Niken Iwani Surya Putri. © 2015 by John Wiley & Sons Singapore Pte. Ltd. Published 2015 by John Wiley & Sons Singapore Pte. Ltd. 33

34 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING must deal with a number of risks not incurred by conventional banks. To put it simply, a conventional bank faces four categories of financial risks, namely credit risks, market risks, operational risks, and liquidity risks. Reg- ulating authorities in some countries also include four nonfinancial risks that the bank must account for, though the bank is not obliged to explicitly include these risks in capital adequacy calculations: strategic risks, business risk, legal risks, and reputation risks. In addition to these eight conven- tional risk categories, an Islamic bank must deal with several risk categories that only exist in Islamic finance, namely equity investment risks, displaced commercial risks, rate of return risks, and syari’ah compliance risks. For these reasons, an Islamic bank should devote a considerable amount of time, money, attention, and other resources into building a reliable risk manage- ment system. This cannot be accomplished by slavishly copying the tech- niques, models, and systems already established in commercial banking into the framework of Islamic banking, whether it be risk management, corporate governance, accounting and reporting systems, or codes of conduct. BASEL I AND ITS HISTORY For more than 30 years, countries influenced by the G-30 have empha- sized capital adequacy as the focus for the design of regulations intended to guarantee banks’ health and security. This approach was inaugurated by the promulgation of Basel I in 1988 by the Basel Committee. In addi- tion to focusing on minimum capital adequacy, regulators were enjoined to strengthen their supervisory role over specific banking activities, especially in the case of large banks that may become “too big to fail,” or in other words those that carry the risk of a systemic national collapse. Basel regulations have undergone numerous developments, changes, and revisions. These revisions were made to stay in touch with the developments in the banking world. The formulation of Basel I itself was motivated by experiences with the failure of active international banks from 1970 up to the collapse of the Continental Bank in 1984. These cases of failure among multinational banks alerted regulators to the necessity of maintaining the stability of foreign banks. The interconnection developed through interbank lending markets and clearance systems meant that the failure of foreign banks could drag domestic banks into the same mess. At the beginning of the 1980s, the central banks of G-10 countries had begun to discuss the importance of capital adequacy. The annual reports of the Basel Committee in the early 1980s consistently mentioned the supervisors’ concern over the erosion of banking capital at the global level.

History of Risk Management in Islamic Banking 35 Regulation Framework of Basel I Basel I was issued as an international regulation and supervision guideline for international standards in capital adequacy management in the interest of cushioning the impact of potential losses and preventing the rise of systemic problems. Additionally, it established a uniformity of rules for both banks and banking regulators in the management of banking risks throughout the world. The scope of the risks regulated in Basel I was limited to credit risks, which were regarded as the dominant risk factor in the banking world. Banks were advised to separate their credit exposures into broad classes based on similar types of debtors. The basic approach tabulated each asset (on the balance sheet) or financial item (off the balance sheet) held by the bank into one of five risk categories, calculated the amount of capital required to bal- ance each asset or item according to its risk-based weighting, and then added the individual amounts all together in order to calculate the amount of total minimum capital that the bank should own. Exposure to the same type of debtor would result in the same degree of capital requirement, regardless of the credit repayment capabilities and risks of each individual debtor. Basel I laid out comprehensive explanations of four main concerns, namely principal capitalization, risk weighting, standard target ratios, and implementation and transition agreements. According to Basel I, bank capital can be divided into two categories. The first, Tier 1 capital (bank’s core capital), is made up of cash reserves and other stock-based capital. This Tier 1 must equal at least 4 percent of the value of risk-weighted assets. Tier 2’s capital comprises the capital segment that serves as a reserve to cover losses from nonperforming loans, subordinated loans handled by the bank, and potential profits from the sale of assets funded by the sale of bank stocks. The total value of Tiers 1 and 2 must add up to at least 8 percent of the value of risk-weighted assets. Basel I instructed banks to consider the magnitude of risks and the capital adequacy needed to anticipate them. In assessing risk and capital adequacy, Basel I employed a “one size fits all” approach without regard for each individual debtor’s repayment capabilities and risks. The core metric used to calculate the capital adequacy of banks in Basel I is the capital adequacy ratio (CAR) also known as the leverage ratio. CAR is the ratio of capital to the total value of risk-weighted assets. Calculations of capital adequacy relative to credits risks are influenced by a number of factors, namely the risk weighting of assets, the inclusion of credit risks, target capital ratios, the calculation of eligible risks, and the yield sufficiency and structure of eligible capital. Basel I set the minimum CAR at 8 percent of the value of risk-weighted assets (RWA). This was the minimal sufficiency ratio deemed necessary to protect banks against their own credit risks.

36 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING Evolution of Basel I Basel I gave national supervisors a transitional period ending in 1992 for the thorough implementation of capital adequacy regulations. However, in the wake of the Latin American debt crisis, the Basel Committee issued an amendment to Basel I in 1991 by clarifying the characteristics of the general provisions or loan-loss reserves for a number of items in the Tier 2 capital category. The 1991 amendment was intended to exclude provisions allocated for national risks from the Tier 2 category after the end of the transitional period in late 1993. Apart from these clarifications to the loss provisions, the Basel Committee also revised the risk-weighting categories in 1994 and enacted two more amendments (in 1994 and 1995) to allow netting in exposure calculations for certain items off the balance sheet, such as derivative transactions. Having previously been restricted to credit risks, Basel I was amended in 1996 to include the assessment of market risks. As a matter of fact, the Basel Committee had been considering the need to treat market risks as a significant component of capital adequacy calculations since the promulgation of the capital adequacy directive (CAD) by the European Union in March 1993. The CAD originally applied to corporate entities, but since a number of Basel Committee members allowed commercial banking and other commercial activities to be carried out within the aegis of said corporations, CAD came to be applied to financial institutions in general in order to cover market risk as well as credit risk. With the upsurge of activity in derivatives and currency transactions, especially among banks active in the international market, the Basel Committee felt the need to issue a consultative paper in April 1993 in order to address market risks. This 1993 consultative paper received heavy criticism from major banks. These banks argued that the proposed approach failed to account for correlation and portfolio effects between instruments and the market, thus rendering it inconsistent with their established risk measurement methods, in addition to providing no incentive for banks to improve their systems by adopting innovations to risk measurement methods. The banks then proposed an alternative statistical measurement method known as the value at risk (VaR) model. In April 1995, the consultative proposal issued by the Basel Committee adopted this alternative approach. Later on in January 1996, the BCBS published “The market risk amendment to the original accord.” BASEL II AND ITS HISTORY Two decades into the implementation of Basel I, the global financial system had seen a number of significant changes. These changes included the

History of Risk Management in Islamic Banking 37 development of new banking products, the internationalization of the banking sector, and the dramatic growth of derivative products in financial markets. These changes destabilized the existing financial market, especially when a number of economic shocks led to major economic crises such as the failure of the Bank of Credit and Commerce International in 1990, the 1997 Southeast Asian crisis, the domino effect that hammered several major banks due to the fall of the highly leveraged Long-Term Capital Management (LTCM) in 1998, and the Eastern European crisis (Russia’s default upon its sovereign bonds) in 1998. The Basel I rules were felt to be inadequate and thus in need of revision and development. By early 1998, many countries were convinced that an extensive change to Basel I had become inevitable, although they could not clearly state the desired direction of this change or when it should be put into place. As promised, the Basel Committee issued a consultative paper in June 1999. Although the paper acknowledged the usefulness of internal credit ratings (or credit risk models), it brought no new paradigms for capital regulation and relied largely upon the same fundamental methodology as Basel I. Addi- tionally, the Basel Committee began to apply all quantitative capital require- ments through a “three-pillar” approach, with capital regulations as the first pillar, review processes by supervisors as the second pillar, and market dis- cipline as the third pillar. Then in addition to encouraging the use of the internal rating–based (IRB) approach, the Basel Committee also suggested the use of ratings provided by external rating agencies such as Moody’s or Standard & Poor’s as a basis for categorizing debtors into risk buckets. In January 2001, the Basel Committee proposed a revision to the 1999 consultative paper, especially with regards to the promised IRB approach. In the IRB methodology, small and intermediate institutions were given the choice of developing an IRB model or following an existing approach. This proposal was shorter than Basel I but was very complex, and would later be included in the final version of Basel II. Despite the complexity, this second consultative paper remained fundamentally incomplete in certain technical features (such as the proper calibration for the IRB’s risk-weighting for- mula) and the analysis of the proposal’s impacts upon minimum capital requirements. During the period between June 2001 and the publication of the third consultative paper in April 2003, the Basel Committee issued eight substantive proposals about specific elements of the IRB approach. In the third consultative paper, the Committee inserted a number of major changes in retail exposures, small business lending, operational risk, credit risk mitigation, and asset securitization, apart from modifications to existing regulations on the first pillar. Afterward, from January 2004, the Basel Committee constantly reviewed, refined, and elaborated changes to expected losses, securitization

38 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING frameworks, capital requirements for operational risks, and clarifications for the implementation of the second pillar. In May 2004, the Committee announced that it had resolved any outstanding issues, including changes to the formula for revolving retail exposures (credit cards). Finally, on June 26, 2004, the BCBS further refined Basel I’s capitalization framework by issuing a new capital concept (better known Basel II) in a document titled “International Convergence of Capital Measurement and Capital Standards: A Revised Framework.” The implementation of Basel II did not begin until 2006. Framework of Basel II Basel II proposed three main pillars for the effort to achieve financial stability and better risk management practices, namely mandatory minimum capital adequacy, supervisory reviews, and effective market discipline. Pillar I: Minimum Capital Adequacy The first pillar requires banks to calculate minimum capital requirements for their three main risk components: credit risk (as in Basel I), market risk (as in the Amendment to Basel I), and opera- tional risk (newly introduced in Basel II). Other risks, such as liquidity risks, strategic risks, legal risks, and the like, had not yet come into the picture in Basel II. The minimum capital adequacy ratio was 8 percent out of the sum of capital divided by risk weighted assets, or in other words 8 percent out of the total amount of capital divided by the aggregate of credit, market, and operational risks. Capital adequacy was regarded as an extremely impor- tant indicator of the banking system’s stability and health. Sufficient business capitalization would create confidence in the business players’ capability to perform transactions since the capital could serve as a buffer against losses. Thus, banking capital had an important function in protecting investors and depositors. Pillar II: Supervision and Internal Control The second pillar established reg- ulations on internal control and supervision. In this case, regulators were asked to develop bank supervision frameworks based on contemporary best practices. Pillar II contained four main principles to complement the first pillar’s rules on minimum capital requirements. First, a bank should pos- sess a capital adequacy assessment process tailored to suit its risk profile. The bank should also develop a strategy for maintaining its capitalization level. The bank’s management is responsible for making sure that it has suf- ficient capital according to its risk profile. Second, regulators or supervisory authorities should review and evaluate the internal capital adequacy assess- ment and its synchronization with the bank’s strategy. The banks should be

History of Risk Management in Islamic Banking 39 capable of monitoring and ensuring their own compliance to the established minimum capital ratio. Supervisory authorities must take action if they find the results of this process unsatisfactory. The review process utilizes the sum total of information obtained from field visits, data review, and documen- tation; meetings with the bank management; periodic reports from external auditors; and regular monitoring of reports. Third, bank supervision author- ities should require banks to operate above the minimum capital level and to be able to maintain their capital above the minimum requirements. Banks should possess adequate control systems, develop a diversified risk portfolio, and take account of business risks in all its business activities according to Pillar I. Fourth, supervisory authorities should perform prompt intervention to prevent a drop of capitalization levels below the required minimum. Such interventions would be required to ensure the restoration of the required capital level. Supervisors were also empowered to take necessary measures, such as increasing the minimum capital requirements for short periods. Pillar 3: Market Discipline The third pillar of Basel II covered effective mar- ket discipline, such as how banks implemented open information policies to allow public scrutiny of their risk coverage, capital, risk exposure, risk assessment processes, and capital adequacy, and how they improved their business transparency. This transparency allows each bank’s shareholders and market analysts to closely observe the bank’s growth and development. According to this pillar, each bank has an obligation to provide the market with an accurate picture of its overall risk position so that the stakeholders would be able to analyze pricing and risk concerns on the basis of valid data. Figure 3.1 illustrates the Basel II framework. 3 Pillars of Basel II Pillar I Pillar II Pillar III Market Discipline Minimum Capital Adequacy Supervisory Review Process • Fulfillment of minimum • Assessment of solvency vs. risk • Disclosure of capital structure capitalization level profile • Disclosure of risk assessment • Improvement of credit risk • Supervision of bank capital and management method calculations and strategies • Disclosure of risk profile • Explicit treatment of operational • Banks must hold more than the • Disclosure of capital adequacy risks minimum capital • Market risk framework • Early regulatory intervention if capital drops FIGURE 3.1 Basel II Framework

40 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING Significance of Basel II Basel II brought at least two significant changes to banking regulations. The first consisted of changes to the basic approach in banking regulation with regards to the fulfillment of minimum capital requirements as the foundation of the prudential supervision of banks. Second, it highlighted the need for coordination and harmonization in the implementation of new international regulations. The practical success of these Basel regulations depended heavily upon the continued cooperation between the numerous national banking regulators and supervisors. Each bank was required to gradually reinforce its risk management capability as an implementation of the Basel II rules and to maintain adequate reserves against the potential risks from its credit/loan and investment activities. The more risks taken by the bank, the more capital it had to keep at hand maintaining its liquidity. BASEL III AND ITS HISTORY Basel II was a reasonably comprehensive attempt at monitoring and supervising bank governance. However, the eventuality of a financial crisis still cast a long shadow upon it, as proven by the financial and economic crisis in 2007–2008. The main trigger to this crisis was the sheer number of banks that suffered a heavy burden of debts, both on and off balance sheet. This eroded the amount and quality of the banks’ equity. At the same time, there was a systemic interconnection of financial risks in the absence of an adequate liquidity buffer. At the end of the day, the banking system proved unable to absorb its losses and the crisis erupted in full force. Based on the issues that underlay the crisis, the notion to improve the existing capital regulations (i.e., Basel II) soon gained much ground. In late 2010, BCBS responded with the publication of two Basel III documents titled “Basel III: Global Regulatory Framework for More Resilient Banks and Banking System” and “Basel III: International Framework for Liquidity Risk Measurement, Standards and Monitoring.” Raison d’Être for Basel III and Its Scope Basel III is basically intended as a refinement to Basel II. The recurrence of financial crises with systemic risks stemmed from weaknesses in the Basel II regulations, such as the CAR of 4 percent that proved to be inadequate to cushion the massive losses sustained from the bank failures that triggered the crisis. The procyclical nature of capital requirements, whereby the require- ments tended to fall by themselves during periods of stable global economic climate and rising asset prices, highlights the need for an increase in capital

History of Risk Management in Islamic Banking 41 requirements and the tightening of credit. In addition, the potential for con- flicts of interest began to appear as rating agencies assumed the responsibility for risk-weighting bank assets. With these weaknesses of Basel II in mind, the BCBS developed Basel III to achieve several goals. The first was to reinforce global capital and liquidity regulation by improving the banking sector’s resilience. The second was to enhance the banking sector’s capabilities and endurance by raising the amount of capital reserves that could absorb the shocks of economic and financial pressures and prevent the spread of finan- cial derivative crises into the economy at large. The third was to improve the quality of risk management, governance, transparency, and openness. The fourth was to provide the best solution to the systemic risks of multinational banking systems. Resolution Framework of Basel III Basel III contains three main points: new rules on capital quantity and quality, comprehensive risk coverage, leverage ratio, capital conservation buffers, and countercyclical capital buffers. Two other points worth mentioning are the implementation of debt ratios and the enhancement of liquidity management. Basel III’s suggestions for the strengthening of global capitalization are to increase the quality, consistency, and transparency of capital; to extend the coverage of capitalization ratios; to increase risk-based minimum capital requirements according to leverage ratio; to reduce procyclicality and increase countercyclical buffers; and to mitigate the systemic risk of interrelations between financial institutions. For liquid- ity management, it implements the measurement of minimum standards. This new regulation implements two metrics for internationally active banks, namely the liquidity coverage ratio and the longer-term structural ratio. The first ratio indicates the bank’s resilience in fulfilling its short-term liquidity (over a period of less than 30 days). The second is meant to encourage the use of more stable funding sources by the bank. The implementation of Basel III began in 2013. All banks would be required to strengthen their capital reserves by increasing the total amount of their core reserves from 2 percent to 7 percent. By 2015, it is manda- tory for banks to reserve an amount of core capital (Tier 1) equal to at least 4.5 percent of the value of risk-weighted assets (RWA). Later on, by 2018, the bank will have to reserve another 2.5 percent in conservation capital as a fund reserve. Thus, the total percentage of high-quality capital reserve the bank should gather by 2019 is 8 percent. The generous implementation timeframe for Basel III (2013–2019) should allow both policy makers and financial institutions plenty of preparation time in the effort to fulfill the three main points of Basel III regulations, particularly in terms of capital requirements. See Figure 3.2.

The 1991 Consultative Consultative Consultative amendment paper, April paper, January paper, April of Basel I 1993 2001 2003 Failure of Continental Latin Capital Southeast Subprime Herstatt bank; bank American adequacy Asian crisis in mortgage disturbance in debt crisis; directive 1997 – 1999; crisis in collapse failure of (CAD) issued falls of LTCM foreign Bank of by European USA exchange Credit and Union in in 1998; Commerce March 1993 Eastern market International European crisis in 1998 1974 1988 1996 2004 2007 2010 1970s 1984 1990s 1993 1997-1999 2008 BCBS Basel I Amendment Basel II Basel II Basel III formed released to capital released advanced released by G-10 on July accord on on June countries market risk method in late in Basel 1988 on January 2004 2010 1996 Consultative Basel I Consultative paper, December amendment 1994 paper, June 1999 1987 and 1995 FIGURE 3.2 Milestones of Basel Regulations 42

History of Risk Management in Islamic Banking 43 THE AAOIFI AND ITS ROLE As relatively young institutions, Islamic banks require operational guidance, especially related to accounting practice and the standard operating proce- dure of creating Islamic banking products. The guidance could be used as general references in developing Islamic banking businesses, such as guid- ance issued by the Accounting and Auditing Organization for Islamic Finan- cial Institutions (AAOIFI). In this case, AAOIFI has an important role in the development of the Islamic banking industry in many countries. Accounting Standards in Islamic Banks The third pillar of Basel II on effective market discipline states that all banks, including Islamic banks, are required to establish transparency and disclosure measures. Both of these are important prerequisites of risk-based analysis. Transparency essentially means an open information policy on the bank’s present situation, business decisions, and concrete actions that can be seen, assessed, and reviewed to provide the proper understanding to all stakeholders. Meanwhile, disclosure refers to statements on more specific concerns, such as on the process and methodology of information dissemination and on policy- (or decision-) making processes through mutual openness and understanding. A bank’s financial reporting obligations cover the balance sheet, the income statement, the cash flow report, the asset quality report, and the like. These reports must be submitted on a periodic basis, whether monthly, quarterly, or yearly according to the regulators’ demands. In addition to the financial reports, the bank should also disclose its risk evaluations on a periodic basis. This allows regulators to perform risk supervision more efficiently. Risk reporting covers the CAR report, the credit risk report, the aggregate market risk report, the liquidity risk report, the foreign currency risk report (though not in the context of active investments), the commodity and equity position report, the operational risk report, and the country or market risk report. Transparency in risk reporting should cover a picture of the bank’s risk profile (both on- and off-balance sheet accounts), risk coverage, risk exposure, and risk measurement methods. Additionally, there should be enough information on capital adequacy and the bank’s resilience against short-term troubles as well as its ability to acquire fresh capital. These reports would become particularly important with the imple- mentation of Basel III. Risk reporting provides information on the bank’s operational details (especially with regards to its solvency and liquidity posi- tion) and the level of risk inherent in each of its current business activities.

44 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING For Islamic banks, AAOIFI develops reporting standards for the balance sheet, profit–loss statements, cash flow statements, and other bank financial reports. In addition, AAOIFI presents a uniform syari’ah standard for the language of the contracts commonly used in Islamic banking. Lastly, AAOIFI complies fully with Basel methods in matters of reporting, such as for the assessment of risks and asset quality. The disclosure of this informa- tion would facilitate the implementation of market discipline as mandated in the third pillar of Basel II. A variety of information useful to the stake- holders can be made publicly available. This situation is made possible through the uniformization of accounting measures throughout the Islamic banking industry according to AAOIFI standards. This will create the desired degree of consistency, transparency, and comparability for the financial reports of all Islamic banks. Good Bank Governance and Risk Management In the field of good governance, the AAOIFI standard is known as the Gov- ernance Standard for Islamic Financial Institution (GSIFI). GSIFI seeks to empower the syari’ah supervision board’s role in the bank’s structure and governance. It provides guidelines on how to appoint and sack members of the syari’ah supervision board as well as the desired format and content of reports. The GSIFI explains the procedures that the syari’ah supervision board would have to follow during the review process in order to develop an opinion on whether an Islamic bank satisfactorily complies with syari’ah requirements. This GSIFI standard consists of four components. The first provides guidance on the definition, appointment, composition, and report- ing practices of the syari’ah supervision board. The second instructs the syari’ah supervision board on how to perform the reviews needed to ensure an Islamic bank’s compliance with syari’ah principles. The third sets down guidelines for internal syari’ah reviews in Islamic banks. The fourth defines the role and responsibilities of the auditing committee. THE IFSB AND ITS ROLE The Islamic Financial Services Board (IFSB) serves as an international authority that issues various governance principles and standards for the guidance of Islamic financial institutions, such as banks, insurance compa- nies, and capital markets, in the interest of promoting the stability of Islamic finance and service industries. So far, it has issued a number of standards on risk management principles, capital adequacy, bank governance, supervision and monitoring, transparency, market discipline, and so on. IFSB exten- sively adopted Basel rules in the development of its standards and guidance

History of Risk Management in Islamic Banking 45 principles for capital adequacy, risk assessment, corporate governance, transparency and market discipline, and supervisory review processes. In December 2005, the IFSB published standards (IFSB-2) for the calculation of minimum capital adequacy along with its components. Like conventional banks, Islamic banks need to maintain a reasonable level of capital adequacy, since Islamic banks face the same risks their conventional counterparts do. This capital adequacy is essential to ensuring that Islamic banks would be able to absorb a reasonable degree of loss without going bankrupt. A high CAR would make an Islamic financial institution more capable of protecting its depositors and investors, promoting stability and efficiency in the financial system by reducing the likelihood of insolvency. The maintenance of a healthy capital situation can accommodate all risk and strategy profiles. These paradigms follow the first pillar of Basel II, with particular provisions for Islamic service and financial institutions. The assessment methodology is based upon the risk-weighting system from Basel II. This capital adequacy should be able to cover losses from at least three risk categories: credit risks, market risks, and operational risks. In December 2013, the IFSB issued a set of standards (IFSB-15) as an improvement upon the IFSB-2 standards from December 2005. IFSB-15 adopted the Basel III proposals published in 2010 on capital components and macroprudential devices for Islamic banks. These standards would assist Islamic banks in implementing a capital adequacy framework that would guarantee the effectiveness of the banks’ risk exposure coverage and the appropriate capital allocation for covering such risks, although the coverage is still based upon the standardized approach of IFSB-2. To achieve these goals, IFSB-15 provides new guidelines on macroprudential devices such as capital buffers, leverage ratios, and methods to measure the systemic significance of domestic banks; this could help supervisory authorities in achieving the aim of protecting the banking system and the economy at large from system-wide shocks. Additionally, this standard provides more detailed guidelines on the maintenance of capital adequacy—especially with the addition of new components to Tier 1 and Tier 2 capital—against the various risk exposures faced by Islamic banks in the provision of Islamic banking products and services based upon syari’ah rules and principles, such as sukuk, securities, and real estate. These measures include the revision and consolidation of guidelines for the treatment of funding contracts based on profit–loss sharing (mudharabah or musharakah), guidelines for credit risk mitigation techniques, and the ratification of various models for the calcu- lation of capital charges on market and operational risks. The IFSB hopes that these standards will help Islamic banks increase their loss absorption capacities and develop more comprehensive risk-weighting frameworks for the underlying risk exposures. To allow sufficient preparation for the

46 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING implementation of IFSB-15, supervisory authorities in the IFSB member countries hope to begin its implementation in January 2015. Framework of Risk Management in IFSB The IFSB’s principles of risk management were published in December 2005 under the title of “Guiding Principles of Risk Management for Insti- tutions (Other than Insurance Institutions) Offering Only Islamic Financial Services.” These principles were meant as guidelines for Islamic financial institutions (including Islamic banks) in implementing risk management principles. IFSB named 15 principles of risk management that could apply to commercial banks, investment banks, and other financial institutions. These 15 principles are grouped under 6 risk categories: credit risks, investment risks, liquidity risks, operational risks, rate-of-return risks, and market risks. Apart from these six risk categories, Islamic banks must also contend with two others: business risks and reputation risks. Despite their status as a common reference, the guidelines possess a great deal of built-in flexibility, since in any case the actual risk management practices among Islamic banks would vary greatly in coverage and content, due to the differences between the individual banks’ activities. The implementation of risk management requires active supervision by the bank’s board of directors and commissioners. The entire risk manage- ment process, starting with the delineation of aims, strategies, policies, and procedures tailored to suit the prevailing financial conditions, should be sub- ject to the approval of the Board of Commissaries. This approval should then be communicated to all levels of management to ensure the success of the policies’ implementation. Therefore, an effective organizational structure is essential for regulating and directing an Islamic bank’s activities, includ- ing the availability of an adequate system for the assessment, monitoring, reporting, and control of the bank’s risk exposure. The directors, as the executors of the risk management policies, must be diligent in undertaking their responsibility to manage, monitor, and report risks.

4CHAPTER The Risk Management Process in Islamic Banking Risk management is a process with a number of interconnected phases that complete and complement each other. The risk management process is an inseparable part of the Islamic banking process and must be integrated into each and every business activity undertaken by the Islamic bank. The principal aim of risk management is to ensure the consistent imple- mentation of all risk and business policies. The implementation process required to achieve this aim depends heavily upon the risk management paradigm in use. Classic risk management focuses upon the application of a consistent risk limit without compromising the profitability of business activities. Modern risk management, on the other hand, covers not only consistent risk limitation but also the use of various risk measurements in the determination of risk limits and the implementation of risk-adjusted performance principles to every business unit. Classic risk management paradigms see risk management as a separate concern from the bank’s busi- ness activities, while modern risk management considers itself as an integral element of the business process. In any case, risk is one of the issues that must be properly considered in the development of a bank’s business policies. RISK MANAGEMENT MODEL IN ISLAMIC BANKS There is no such thing as a generic risk management practice that will apply equally well to any and all institutions, including banks. However, there is a set of standard risk management frameworks and processes that can provide guidance for individual institutions in the development of their own risk management practices. It has been mentioned before that modern risk management is an integral part of banking business policies. As such, the details of each bank’s risk management practices will depend heavily upon the bank’s business characteristics. In the particular case of Islamic banking, its unique features call for a number of specific adaptations. Islamic banks can directly borrow ele- ments from the risk management standards, frameworks, measurements, Risk Management for Islamic Banks: Recent Developments from Asia and the Middle East. Imam Wahyudi, Fenny Rosmanita, Muhammad Budi Prasetyo, Niken Iwani Surya Putri. © 2015 by John Wiley & Sons Singapore Pte. Ltd. Published 2015 by John Wiley & Sons Singapore Pte. Ltd. 47

48 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING and processes found in conventional banking. However, a number of fun- damental differences in business practices prevent the direct adoption of conventional banks’ risk management philosophies and mitigation policies by Islamic banks. At the end of the day, the initial process for the implemen- tation of risk management systems must begin with a detailed analysis of the institution’s business practices and the determination of the context for the risk management implementation efforts. The implementation of risk management in business institutions has undergone significant developments with the passage of time. The term risk management originated with a 1956 paper in the Harvard Business Review titled “Risk Management: A New Phase of Cost Control.” At this point, risk management had a very limited scope, its role being limited to the mini- mization of costs caused by the eventuality of risk. The general enterprise solution for handling risks was to transfer those risks to another party. After Black-Scholes developed the option-pricing formula that soon became widely used in the financial industry, enterprise risk management practices underwent a number of changes. Although the focus and scope of risk man- agement remained quite narrow, many enterprises began to use derivative instruments as risk management devices. Later on, classical risk management underwent a dramatic transforma- tion into business risk management. At this point, business enterprises no longer restricted their attention to financial risks. Nonfinancial business risks began to come into the picture, and their proper management became an important subject. However, the general aim of risk management had not changed appreciably and was still restricted to the preservation of enter- prise value. Due to the greater scope of the new risk management paradigm, the scope of its implementation also grew both deeper and broader. Risk management practices were no longer limited to financial and operational matters and began to pervade the enterprise management system. Even so, risk management systems were not yet seamlessly integrated into every com- ponent within the enterprise; instead, it was still implemented exclusively in several of the enterprise’s organizational components. The increasing complexity of business activities brought about a cor- responding increase in the variety of risks with which an enterprise must contend. These risks came from various internal and external sources. This development led to another major change to the practice of risk manage- ment. The new paradigm was known as enterprise risk management (ERM); unlike previous risk management systems, ERM sought to both protect and enhance the enterprise’s value. ERM assumed that risk could create added value for the enterprise, as long as it remained properly managed. ERM also took a much broader focus than previous paradigms, extending over all of an enterprise’s business risks, the enterprise’s internal control systems, and

The Risk Management Process in Islamic Banking 49 Focus Risk Management Business Risk Enterprise Risk Management Management Financial and hazard and internal controls Business risk, internal Business risk, internal control, taking risk by control, taking an Objective Protect Enterprise risk approach entity level portfolio Value view of risk Protect enterprise value Protect and enhance enterprise value Scope Treasury, insurance, Business managers Across the enterprise, and operation accountable at every level and unit Emphasis Financial and operations Management Strategy setting Application Selected risk areas, Selected risk areas, Enterprise-wide to all units and processes units, and processes sources of value FIGURE 4.1 Evolution of Risk Management the assessment of risks from the viewpoint of enterprise portfolios. In this way, the scope of risk management was no longer limited to particular seg- ments of the enterprise. A summary of the differences between the three risk management approaches is presented in Figure 4.1. Today’s ERM paradigms recognize a number of standards widely used by global corporations. The two most common standards are the Com- mittee of the Sponsoring Organizations (COSO) standard and the Interna- tional Organization for Standardization (ISO) 31000. COSO issued its ERM guidelines in September 2004, while ISO issued ISO 31000 in November 2009. The fundamental difference between the two is that COSO’s 2004 ERM guidelines did not provide a separate explanation of the management framework and placed more stress upon the development of a corpora- tion’s internal controls to ensure the proper management of risk. In con- trast, ISO 31000:2009 separated the risk management process from its basic framework, and focused upon the implementation of risk management as a value-creation device in the enterprise’s business processes. ISO 31000:2009 introduced the notion of “risk appetite” which was defined very similarly to the term “risk attitude” in COSO ERM 2004. These similarities are not coin- cidental, since ISO 31000:2009 attempts to integrate the best practices from COSO, PMI (Project Management Institute), ANZ (Australian and New Zealand Standard), and other international standards. Therefore, the ERM

50 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING standards proposed in ISO 31000:2009 are among the best ERM standards available to the corporate world, including Islamic banking. As a business entity, an Islamic bank can refer to either of those stan- dards in the development and implementation of effective ERM measures. For example, the Islamic bank could use the ERM standards from ISO 31000:2009 as benchmarks in the development and implementation of risk management practices. This is facilitated by the fact that ISO 31000:2009 provides ample guidance on the basics of ERM implementation in enter- prise settings. The risk management framework and process flows in ISO 31000:2009 have been specifically designed to allow enterprises—including Islamic banks—to implement them with relative ease. However, the stan- dards must first be adjusted to suit the business processes, characteristics, organizational culture, and basic values unique to each Islamic bank. Risk Management Framework An Islamic bank’s activities must always obey the rules and principles laid out in Islamic syari’ah. Syari’ah, in its role as the basic reference for an Islamic bank’s business activities, explains that an Islamic bank must always balance risks and returns in its business activities so as to preserve the long-term sustainability of the Islamic bank’s business activities. An Islamic bank must implement proper risk management in order to correctly manage its risks and enhance its value. With regards to enterprise practices and strategies, syari’ah gives Islamic banks considerable latitude in choosing between available management strategies. In other words, as long as an Islamic bank does not violate syari’ah’s principles, it is free to pick any of the risk management concepts that have been established as best practices among business organizations. Among these practices, the risk management standards of ISO 31000:2009 are considered to be particularly appropriate benchmarks for an Islamic bank. Its general risk management framework is displayed in Figure 4.2. The risk management framework in Figure 4.2 follows the plan–do– check–act (PDCA) principle formulated by Deming in 1986. This frame- work starts with the design of the risk management framework (plan), the implementation of the framework design (do), periodic monitoring and review (check), and continuous improvements to the risk management framework in use (act). In short, the risk management framework is a constant work in progress that changes in a dynamic and responsive manner according to changes in the present situation. A good risk management framework requires the appointment of a unit in an Islamic bank’s operational structure as the bearer of a mandate to ensure the proper implementation of risk management within the bank. This mandate and commitment should be clearly stated in the risk

The Risk Management Process in Islamic Banking 51 Mandate and Commitment: Risk Management Charter plan Design RM Framework: do • Establish the context • Risk Management Policy • Syari’ah principle compliance • Integrate the framework into organizational processes • Accountability • Resources • Communication (internal and external) act • Reporting mechanism Continuous Improvement Implementing RM Framework : of the RM Framework • Implementing RM Framework • Implementing RM Process check Monitoring & Review RM Framework FIGURE 4.2 Risk Management Framework management charter (RMC), which explains the philosophy of risk manage- ment implementation in the Islamic bank; the risk management organization scheme; the authority, responsibility, and various technical rules of risk management coordination; and the periodic evaluation procedure over the practice of risk management in the Islamic bank. The RMC reflects the bank’s commitment to good risk management practices by explicitly spelling out these commitments in a legal document that forms the basis for a comprehensive risk management practice. The framework contains a risk management procedure that includes all the necessary steps the bank must take. The flowchart for this risk manage- ment procedure is presented in Figure 4.3. The risk management process in an Islamic bank begins with context determination. This phase involves the clarification and definition of every detail in the risk management scheme. The context determination phase is intended to provide a thorough picture of the scope, framework, and base parameters of risk management; to identify the implementation environment for risk management; to find out and define the principal stakeholders; and to set the criteria for the analysis and evaluation of risks. Therefore, this context determination phase must include the following seven measures: 1. The identification of risks within the domain of interest 2. The planning of further risk management processes

Monitoring and Review52 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING Communication and Consultation Establish the Context Risk Identification Risk Analysis Risk Evaluation Risk Treatment FIGURE 4.3 Risk Management Process Flow 3. The mapping of the social scope and the identity and goals of every stake- holder in the risk management process 4. The criteria and basic assumptions for risk evaluation 5. The redefinition of the framework for various activities and identified agenda 6. The development of analysis criteria for the risks involved in the process 7. The mitigation or resolution of risks with available technology, person- nel, and resources The white boxes in Figure 4.3 describe the details of risk assessment in an Islamic bank. These boxes represent the risk identification, risk analysis, and risk evaluation phases. The risk identification process can take the form of either source analysis or problem analysis. Naturally enough, the risk identification method would be heavily influenced by organizational culture, industry practices, and compliance to prevailing laws and regulations. Determining Risk Appetite Risk appetite is the bank management’s tolerance for risk in the effort to create value for stakeholders. Since risk is an inseparable part of banking

The Risk Management Process in Islamic Banking 53 activities, the management must reach an agreement with regard to how much risk they’re willing to take. The constantly changing situation in and around the corporation means that risk appetite should ideally be subjected to periodic review and approval by the board of directors. In determining the correct risk appetite, whether for the bank as a whole or for individual risks, the board of directors must take account of the company’s risk-bearing capacity. This capacity includes the amount and type of risks the company can take without losing its position in the industry, the condition of the bank’s capital structure, and the bank’s access to various sources of funding. If the risk appetite exceeds the Islamic bank’s actual risk capacity, it must perform the appropriate adjustment by increasing its risk capacity or reducing its risk appetite, which would directly affect its current business processes. In this way, the risk appetite serves as a connecting thread between the enterprise’s strategic policy, performance management, risk management, and capital structure. On the operational level, the risk appetite provides guidance to the Islamic bank’s business units in performing transactions. And on the strategic level, the risk appetite measures the degree of risk the Islamic bank is willing to take relative to its risk-bearing capacity. The three main components of risk appetite are risk tolerance, risk targets, and risk limits. Risk tolerance shows the maximum amount of risk the Islamic bank could possibly bear, both in total and for each individual risk category. Risk tolerance is normally measured quantitatively, so it is intimately tied to the capital reserve the Islamic bank holds in order to guard against risk. The risk target is the optimum level of risk desired by the Islamic bank in the interest of achieving particular business goals. The ful- fillment of the risk target should be based on the desired rate of return from business transactions. Last but not least, the risk limit is the risk threshold established in a more granular manner, such as for individual business units or divisions. The risk tolerance paints a general picture of the level of risk deemed acceptable by the bank under the assumption that the likely degree of loss can still be absorbed by the existing capital reserve. On the other hand, the risk limit provides a guideline for individual business units within the Islamic bank’s organizational scheme in taking the appropriate level of risk during the course of individual transactions. A transaction below the risk limit is cleared for further progress, but a transaction that goes over the risk limit should be either aborted or at least seriously reconsidered. An illustration of the components of risk appetite is provided in Figure 4.4. Risk Measurement Once the risks have been identified, they must be assessed and measured in order to figure out the potential losses and the likelihood of these losses. The results of this assessment will be used in setting priorities for the mitigation

54 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING 160 Actual risk exceeds Actual risk 140 risk limit, manage exceeds risk Risk tolerance 120 down unless returns tolerance, must justify risk position reduce net risk position 100 Risk appetite/ Risk limit Risk tolerance (high end) Risk target 80 Risk target 60 40 Actual risk less Risk limit than risk limit, (low end) add more risk 20 unless return is not adequate 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Time FIGURE 4.4 Illustration of Risk Appetite of the company’s risks. The most common method of risk measurement is the composite risk index (CRI), which is calculated with the following formula: CRI = potential impact of risks × probability of occurrence The potential impact is graded on a scale of 1 to 5, with 1 as the mini- mum and 5 as the maximum loss that would be incurred if the risk materi- alizes (measured in terms of a suitable currency). Similarly, the probability value is graded from 1 to 5, with 1 representing a very low probability and 5 a very high likelihood. The resulting CRI values would span from 1 to 25 and can be divided into three categories, namely low (1–8), moderate (9–16), and high (17–25). It is also possible to use four categories with the addition of a very high (catastrophic) category. CRI values can vary widely according to the characteristics of individual banks and the level of detail requested by the management. This method requires the availability of a reliable database on the severity and frequency of potential losses. This CRI calculation is normally required to produce a document known as the “risk register,” an example of which is shown in Figure 4.5. The final result of this process is a risk profile that provides a complete picture of the risks faced by a bank within a specific time period; this risk profile is presented in the form of a risk matrix.

Analysis and Evaluation Existing Controls Described & Further Actions Future Evaluated Risk Key Risk No Identified Risks Indicator (KRI) Severity Frequency Composite Risk Limit Tolerate Existing Current Current Further Actions to Risk Level (1–5) (1–5) Risk Index (1–25) Risk? (Yes Risk Effectivity Implemen- Minimize Risk Owner Target (1–25) (1–25) or No) Control tation 23–25 VH 17–22 H 9–16 M L 1–8 FIGURE 4.5 Illustration of a Risk Register 55

56 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING RISK IDENTIFICATION PROCESS IN ISLAMIC BANKING The risk identification process seeks to find out what risks are likely to occur, as well as why and how those risks happen in the first place. This identification process must be performed thoroughly, with a coverage that extends over sources of risk, areas of impact, and the various events that may affect risk. At the end of this process, the company should have a list of risks (ranked by probability) that may affect its aims and goals. The identification phase holds a critical importance, since a risk that has been missed at this stage will automatically left out of the analysis, assessment, and mitigation processes in later stages. When such unidentified risks sur- faced and caused losses, the Islamic bank would be left unprepared to deal with them. Every kind of product and activity in the Islamic bank carries a unique set of risks. Naturally, the financial impacts of these risks also vary widely in type and magnitude. The identification of risks would help greatly in defin- ing the parameters and scope of the risk management process, in addition to identifying all potential risks (with a proactive approach in analyzing their probabilities) and the possible mitigation measures (if any) for those risks. The risk identification process consists of several stages. The first is the com- pilation of a comprehensive catalogue of risks: potential risks are listed in the order of impacts to every activity element, and the factors that may affect these risks are recorded in detail. This phase produces a general picture of potential risks, along with the corresponding losses or consequences. The likely amount of loss would determine the assignment of risk levels in the categorization process. The second stage is the analysis of the risks attached to the Islamic bank’s products and business activities. The third phase is the description of the risk progression sequence through the analysis of the prob- able causes and the probability value of each individual risk. The fourth step is the creation of a list of potential sources for every risk category. The fifth is to determine the correct approach or instrument for the identification of risks, whether on the basis of experience, records of past risks, or whatever seems appropriate. In this risk identification process, the assessment of potential customers can be performed through credit scoring, calculating the probability of non- performance, scrutinizing business plans, and observing the cash flows by which the customers plan to repay their liabilities. The risks that an Islamic bank should identify are not limited to the risks it can control. Any and all risks that can interfere with the achievement of the Islamic bank’s aims and goals should be identified regardless of the bank’s ability (or the lack thereof) to control these risks. For example, an Islamic bank has no control over the likelihood of losses caused by natural disasters like floods, but the prior

The Risk Management Process in Islamic Banking 57 identification of these risks can help the Islamic bank develop appropriate risk mitigation plans for their eventualities. RISK MATRIX Risk assessment consists of two main activities: the description and quantifi- cation of risks along with their probabilities (i.e., the compilation of a risk matrix) and the estimation of the risks’ significance, the bank’s risk tolerance, and the cost-benefit analysis. Though the risk identification process has been accomplished, the quan- tification of risk through probabilities in order to construct a risk matrix remains a major challenge in the effort to measure risk. Several factors mili- tate against the easy measurement of risk. First, risks are not likely to become visible before the actual occurrence of a loss event. Risks cannot be defined as a simple statement of loss probability but must also comprise units of frequency, magnitude, and the likelihood of recovery. Second, there must be a sound risk management model as the basis for risk quantification. Risk is basically the economic manifestation of uncertainty, and as such no busi- ness can predict the occurrence of risks with perfect accuracy. However, this does not mean risks simply cannot be measured. A risk management model allows the prediction, estimation, and measurement of risk so as to allow an objective decision-making process. And third, the characteristics of banking firms are not entirely identical to those of non-banking firms, so the nature of risks in the banking industry is very different from that of the common risks experienced by most non-banking companies. These difficulties in quantifying risk can be solved with the use of a risk matrix as a tool for plotting risks along the dimensions of severity, fre- quency, and impact. This would facilitate a bank’s efforts to manage risks according to its capabilities. In the risk management process, the risk matrix can be used to identify risk, to calculate the probability and impact of risk events, and to rank these risks according to the bank management’s risk preferences. The risk matrix itself can be defined as a graphic with two or more dimensions that represent the risks in a bank’s products, product lines, or departments. It seeks to provide a way to estimate the probabilities of success for the bank’s activities and to identify activities that require stricter control than the rest. Developing the Risk Matrix As part of the risk analysis phase, an Islamic bank must compose a risk reg- ister that contains a calculation of the composite risk index (CRI). The sim- plest CRI takes account of only two components, namely the severity and

58 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING TABLE 4.1 Risk Categories in Conventional and Islamic Banks Risk Category Conventional Bank Islamic Bank Credit/financing risks ✓ ✓ Equity investment risks × ✓ Market risk ✓ ✓ Inventory risks × ✓ Liquidity risks ✓ ✓ Rate-of-return risks × ✓ Operational risks ✓ ✓ Interest rate risks ✓ × frequency of risks. Using this formula to assess risks on a numerical scale of 1 to 5, the bank can compose the risk matrix and find out its position within this matrix. In composing the risk matrix, the bank must list all the risk categories relevant to the bank’s activities and then detail the various activities con- tained within each risk category. Although the risk categories that matter to an Islamic bank are broadly similar to those faced by conventional banks, there are a significant differences, as shown in Table 4.1. It should be remembered that there are still a few other risk categories not mentioned in Table 4.1, such as strategic risks, reputation risks, legal risks, syari’ah compliance risks, etc. Once every possible event in each risk category has been identified, the next step is to find out the severity and frequency of each event. Severity is defined as the amount of loss (in terms of money) upon the event’s occur- rence, while frequency indicates how often and how likely the event is to happen. Both parameters are graded on a scale of 1–5; 1 denotes a rela- tively small amount or likelihood of loss, while a score of 5 is given for the highest amount or likelihood of loss. Multiplied together, these two compo- nents will result in an index number between 1 and 25, with 1 indicating a mild and unlikely loss event while 25 indicates a severe and highly proba- ble loss. A simple illustration of the risk matrix is presented in Figure 4.6. With the kind of risk matrix illustrated in Figure 4.6, an Islamic bank would have an easier time analyzing its risks. The risks in the green area should be properly managed so that they would not transform into more serious risks in the lighter grey or dark areas. On the other hand, the bank should find ways to manage “lighter grey” and “dark” risks so as to reduce them into the medium category, such as by minimizing their severity or lowering their frequency.

The Risk Management Process in Islamic Banking 59 1 2 Severity 3 4 5 1 23 4 5 Frequency Low Medium High FIGURE 4.6 Illustration of a Risk Matrix Inherent Risk Once an Islamic bank’s risks have been classified into a matrix, it is possi- ble to extract an important output from the matrix in the form of inherent risk. Inherent risks represent the quantifiable risks that nevertheless do not immediately become obvious once the bank has estimated the characteris- tics, complexity, and volume of risk-causing activities. In estimating these inherent risks, the bank does not necessarily account for the effects of risk mitigation and control, but the adequacy and capability of existing risk management measures should figure into the calculation. Inherent risks can provide more realistic information about the impacts of the risks that an Islamic bank may have to contend with. A risk matrix of the type shown in Figure 4.6 could provide initial clues to the inherent risks in an Islamic bank; in order to identify these risks, the bank should add information on the impact of risks upon the bank’s resources. Inherent risks can be classi- fied as high, moderate, or low. High inherent risk indicates that the bank’s activity has a high significance and influence upon its resources. This could involve a large number of transactions that increase the potential losses from the activity if things do not go as planned. On the other hand, low inherent risk indicates a level of risk that can easily be absorbed by the bank. Once the inherent risks have been identified, they should be compared to the bank’s risk management efforts. These efforts can be classified as weak, moderate, or strong depending on the Islamic bank’s performance in control- ling and mitigating the inherent risks. The comparison between the inherent risks and the degree of management efforts applied upon them would result in a composite risk matrix similar to the example in Figure 4.7. To facilitate analysis, the components involved in the composite risk matrix above have been classified into three levels, namely low, moderate, and high. These three levels can be taken to more detail by including the

60 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING Composite Risk Inherent Risk Predicate Low Moderate High Weak Low to Moderate to High Risk Medium High Mitigation Moderate Low Moderate High Strong Low Medium to High to Low Medium FIGURE 4.7 Illustration of a Composite Risk Matrix tendencies of the inherent risks according to their position in the com- posite risk matrix. The highest-risk segment (dark) in the composite risk matrix indicates that a particular activity contains inherent risks that pose considerable impact upon the Islamic bank and have not been adequately mitigated by the bank’s risk management system. On the opposite corner, the lowest-risk (lighter grey) region contains activities with low-impact inherent risks that can already be properly managed by the bank. For the moderate (medium grey) zone, the most important concern to the bank is any given activity’s tendency to shift out of this zone into the lower (lighter grey) or higher (dark) zone depending on the severity of the inherent risk’s impact and the adequacy of existing risk management efforts. When the inherent risk has moderate impact but has not been properly managed (low/poor risk mitigation), it will be assigned a moderate-to-high status in the composite risk matrix since the poor mitigation measures can increase the impact of the inherent risk upon the Islamic bank’s general situation. Meanwhile, inherent risks with moderate impact but good management would be assigned a low-to-moderate status in the risk matrix, since the strong control measures can help minimize the inherent risk’s potential impact. Time Horizon in Risk Matrices Risks are often impossible to define and highly situational in nature. The management of risks that can be defined, measured, and agreed upon in certain situations may change dramatically due to changes in stockholder composition or attitude, which could lead to corresponding shifts in risk appetite. The perception of a particular risk’s probability and frequency can be heavily affected by an improvement in the bank’s “know-how” or the development of new technologies that can make operational contributions in the minimization of the risk’s severity and/or frequency. Therefore, good risk

The Risk Management Process in Islamic Banking 61 management practices state that risk measurements and attributes (sever- ity, frequency, and preference) can only apply to a particular timeframe and should not be considered valid for the measurement of risks in later periods without extensive updating with appropriate information that applies to the new timeframe. RISK MITIGATION PROCESS When a risk materializes, there are several possible responses and actions available for its management. First, the bank could choose to avoid the risk if this course of action would cost less than any others. Second, the bank could opt to share the risk to a third party, such as a takaful (insurance) firm, especially if the loss caused by the risk is purely physical in nature (such as fire, workplace accidents, and the like). Third, the bank could perform risk mitigation if the risk in question cannot be avoided or transferred away. The bank may not be able to avoid the risk since it is indelibly attached to business processes, nor to transfer it since there are no other institutions prepared to take over the risk at a reasonable cost. Fourth, the bank could simply ignore the risk if its impact is quite low and has very little effect upon the bank’s business activities. Risk mitigation in banks—especially Islamic banks—is a rather compli- cated process. Before the risk mitigation measures can be defined, the bank must first scrutinize the characteristics of every risk it would like to mitigate, including their causes, mechanisms, and impacts. For instance, when the bank disburses loans to credit customers, credit risks (repayment defaults) could materialize when a debtor loses its ability to continue the payment of credit installments to the bank. To anticipate this possibility of the debtors’ default, the bank normally sets aside a certain amount of resources to guard against the potential losses. Additionally, bank would also usually request the debtor to provide collateral that can be liquidated in the event of a default. Through these steps, the bank can reduce and minimize the amount of losses it may suffer. Risk mitigation measures vary widely since they must be designed to suit the characteristics of each risk, the severity of the risk’s impacts, and the risk policies in use. The difference in fundamental operational principles between conventional and Islamic banks means that some risk mitigation strategies available to conventional banks are denied to Islamic banks. For example, conventional banks can mitigate certain types of risk (credit risks, market risks, and several others) through hedging activities with the use of derivative transactions such as forward, future, option, and swap. These forms of risk mitigation are forbidden to Islamic banks due to the high

62 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING degree of gharar (speculation), riba (usury), and maysir (gambling) elements in these derivative contracts. Risk mitigation practices in Islamic banks must not only neutralize or reduce the negative impacts of risk, but also prevent the violation of the syari’ah principles that lie at the heart of Islamic bank- ing operations. RISK REVIEW PROCESS The risk management process calls for a risk evaluation stage after the risks have been analyzed. Risk evaluation is a critical step in determining the fur- ther steps and actions that the management should take in order to manage the identified risks. In other words, the risk review and evaluation process takes the results of risk analysis and converts them into policy recommen- dations for the treatment and prioritization of risks. In the risk evaluation and review phase, the actual risk levels in an Islamic bank are monitored and compared to the various risk management standards that have been developed in previous stages, such as the risk tolerance level and risk limits. Any discrepancies between policy and reality could mean that the present risk management policies have been violated or that they have grown out of date (thus calling for a set of revisions and adjustments to realign them with recent developments). INFRASTRUCTURE AND FACILITIES The practice of risk management in Islamic bank would not run in a good manner if it were not supported by good and reliable infrastructure and facility. The infrastructure and facility has wide coverage, from organiza- tion structure and operational standards to hardware and software, such as computer hardware and applications supporting risk management. In many cases, the costs allocated for infrastructure and facility, which support risk management, are very high. Thus, this kind of cost could be categorized as long-term investment. Documentation A risk management policy document should cover at least a few points: (1) the delegation of authority to management personnel in the execution of risk management measures; (2) suitable criteria for risk management, including risk appetite; (3) a clear segregation of duties in the risk man- agement implementation process; (4) the communication channels needed

The Risk Management Process in Islamic Banking 63 for the reporting of risk management within the company. In other words, a good risk management policy document should cover the scope, aims, and goals of risk management; the company management’s philosophy towards risk management; risk identification procedures; organizational structure and governance; and risk management frameworks. The explanation of scope should describe the applicability of the bank’s policy document. The section on aims and goals should contain such things as (1) the management’s commitment to risk management functions; (2) an elaboration of risk management functions, including the segregation of tasks and authorities; (3) risk management process protocols that clearly tie risk appetite and best practices to matters of bank governance; (4) the importance of maintaining the management’s awareness towards the bank’s risk expo- sure; and (5) an emphasis upon the importance of consistency and accuracy in the implementation of risk management. The section on risk management philosophy should provide a high-level overview of the bank’s commercial activities and strategy, as well as state- ments that establish the connection between the bank’s risk tolerance and business strategies. In formal terms, the risk tolerance can be stated in terms of the minimum profit level or cash flow that can be tolerated, the minimum acceptable credit rating, and limits or targets on the variability of the bank’s financial performance (such as the value at risk [VaR], earnings at risk [EaR], cash flow at risk [CFaR], and the like). Organizational Structure The risk identification section should describe all the risks identified for their effect upon the bank’s business activities. Meanwhile, the business gover- nance and organizational structure section should explain the risk manage- ment organization structure and the segregation of tasks and responsibilities among the various risk management organs in the Islamic bank. The orga- nizational structure should make sure that the task unit responsible for per- forming transactions (the “risk-taking unit”) should be independent of the task-units assigned to internal control and also independent of the risk man- agement task force. This independence is intended to guarantee that every task force can focus upon its particular task and to avoid the possibility of fraud due to poor governance. The composition of an Islamic bank’s risk management organs can vary according to the bank’s risk management policies. However, these organs normally consist of a risk management committee, a risk management task force, and a risk monitoring committee. The risk management committee usually possesses a number of characteristics such as: (1) a membership that can be fluid or fixed depending on the needs of the bank; (2) a compliance

64 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING director or a risk management director who should be appointed into the risk management committee; (3) a lineup made up of officers one level below the board of directors, each of whom leads an operational task force or the risk management task force; and (4) a responsibility that covers the compo- sition and amendment of risk management policies, the improvement and enhancement of risk management implementation, and the justification of business decisions that deviate from normal procedures. Meanwhile, the risk management task force should have the follow- ing characteristics: (1) the task force’s organizational structure should be tailored to the company’s size and complexity; (2) the officer leading the task force can be at the same or a different level from the heads of oper- ational task forces, and should be responsible to a specifically appointed member of the board of directors; and (3) the risk management task force should be independent of both operational task forces and the internal audit task force. The risk management task force is saddled with a number of respon- sibilities, namely: (1) to monitor the implementation of risk management according to the recommendations made by the risk management commit- tee and approved by the board of directors, (2) to monitor the bank’s risk position or exposure in every item and category of functional activity, (3) to perform stress-testing upon the impact of every type of risk upon every oper- ational task force; (4) to review suggestions for new activities, products, investments, or transactions; (5) to recommend maximum risk limits for each operational task force; (6) to evaluate the accuracy and validity of the data used in the bank’s risk measurements; (7) to compose and present a risk profile report to the CEO and the risk management committee on a periodic basis, or more frequently in case of drastic changes to market conditions; and (8) to receive risk exposure information from operational task forces. Meanwhile, the risk monitoring committee should be chaired by an independent commissioner, and its membership should consist of several members of the board of commissioners along with a number of independent external experts in risk management. This risk management committee bears a number of responsibilities: (1) to evaluate the bank’s risk management systems, strategies, and policies, as well as the internal controls, metho- dology, and infrastructure of risk management in the bank; (2) to monitor the potential risks faced by the bank; and (3) to review the consistency between risk management policies and their implementation. Information Technology Systems The high risk levels that an Islamic bank must contend with is often brought about by the imperfect transmission of information between the Islamic

The Risk Management Process in Islamic Banking 65 bank and its various stakeholders, whether internal (business units, officers, etc.) or external (customers, debtors, market, etc.). This imperfect infor- mation flow can stem from any number of causes, but it can generally be said that the lack of an adequate information technology system tends to greatly exacerbate this information imperfection. To support the integrated and comprehensive application of ERM, an Islamic bank needs good net- working and information technology systems. The availability of effective and integrated information systems would allow the Islamic bank to mini- mize the possibility of information discrepancies. With good network and IT systems, an Islamic bank should be able to monitor the various activities that can become potential sources of risk. Indeed, in certain products based upon capital involvement contracts such as mudharabah and musyarakah, the presence of an information system could have a critical role in minimizing the high level of risk that the Islamic bank would otherwise have to face. For example, when an Islamic bank offers to finance a customer under a musyarakah contract, the Islamic bank’s posi- tion as a business partner requires it to obtain thorough and comprehensive information about the customer’s business activities. Such information is not always easy to find because the Islamic bank does not necessarily have the time and resources needed to thoroughly monitor each and every one of the customer’s activities. However, if the Islamic bank has established a sound and well-integrated information system, it should at least be able to find out the financial performance of the customer’s business from the periodic financial reports provided by the customer. Database Systems As with networking and IT systems, a large-capacity database that contains thorough information is an important prerequisite to ERM implementation. Without a complete and informative database, it would be impossible to accurately calculate the level of risk faced by an Islamic bank since risk mea- surement methods simply cannot be applied in the absence of sufficient data and information. The evaluation of some particular types of risk requires cer- tain forms of data that are very difficult to collect in an automatic manner. For example, the calculation of operational risks requires data on system errors, human errors, fraud, and similar concerns. These errors can hap- pen numerous times during the course of an Islamic bank’s operations, but may escape notice since the Islamic bank’s employees are reluctant to make a complete record of these mistakes or due to the absence of an adequate database system. Therefore, it would be impossible to accurately measure an Islamic bank’s operational risk without a robust database system. This means an Islamic bank has the obligation to establish a thorough system

66 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING for the recording of every operational mistake and to enforce a rule that requires every party involved in an operational mistake to report and record the mistake in the greatest possible detail. Risk Measurement Models Before the 1970s, the most common risk measurement methods were credit scoring methods such as the Altman Z-Score and the logit method. These methods had the advantage of being simple and easy to use. However, with the increasing complexity of banking activities and the rapid development of information technology, risk management methods underwent a number of significant changes. A large variety of highly complex risk measurement methods were developed with the aid of sophisticated mathematical and statistical techniques, and were claimed as being more sensitive to risk. From a historical perspective, this period saw a great deal of dynamic development in risk management methods. Islamic banks must pay particular attention to the proper fit between their risk measurement methods and their particular risk characteristics. Standard risk measurement software is frequently unable to account for an Islamic bank’s risk characteristics, so the purchase of such applications would be an unjustified expense for the Islamic bank. For this reason, an Islamic bank should first seek to acquire understanding of the various risk measurement methods in existence and then choose the ones that suit its unique risk characteristics. This opens the door for the Islamic bank to utilize simpler classic measurement methods or to develop an in-house risk measurement method tailored to the bank’s own risk characteristics. CALCULATION OF MINIMUM CAPITAL REQUIREMENTS The calculation of the capital adequacy ratio (CAR) in an Islamic bank must refer to the standards and guidelines issued by the Islamic Financial Service Board (IFSB). IFSB consists of representatives of central banks from countries that house Islamic banking activities. In 2005, the IFSB published standards and guidelines on minimum capital requirements for Islamic banks along with the recommended risk measurement methods. These minimum capital requirement standards and guidelines were partially based on the standards issued by the Basel Committee on Banking Supervision (BCBS) through the Basel II document. In its 2005 document, the IFSB recommended the standardized approach as the preferred method for Islamic banks in performing the calculation of credit risks, market risks, and operational risks. The use of advanced approaches in calculating credit, market, and

The Risk Management Process in Islamic Banking 67 operational risks was left to the Islamic banks’ discretion as long as it did not conflict with local regulatory policies. The IFSB also encouraged Islamic banking regulators to facilitate Islamic banks’ attempts to develop their own unique risk measurement methods if they had the resources to do so. The 2007 global financial crisis has forced banking regulators in various countries to rethink their ideas about the best solution with regards to the minimum capital requirements that could guarantee banks’ ability to absorb potential risks and losses. In response, the BCBS made significant revisions to Basel II and republished the results as Basel III with an emphasis on the reinforcement of liquidity and capitalization levels to enhance the resilience of the banking sector. Basel III paid extensive attention to the risks that stem from spillovers between different financial institutions within the economic system. Some of the innovations in Basel III are increased risk coverage, the complementation of the risk-based CAR with a leverage ratio, safeguards against procyclicality in the form of countercyclical and capital conserva- tion buffers, and inclusion of money market integration and systemic risk issues. To take account of these changes, the IFSB revised its minimum cap- italization standards and guidelines in January 2014 with a view toward incorporating the new issues accommodated by Basel III. IFSB hoped that all countries with Islamic banking firms would be able and willing to imple- ment these revised standards and guidelines by January 2015 in order to ensure that Islamic banks would be in a sufficiently robust capitalization state to absorb the various risks they face. The Capital Adequacy Ratio in IFSB Generally, the concept of the CAR for an Islamic bank does not differ much from that for a conventional bank, where the value of relevant of capital is the numerator and the value of risk-weighted assets is the denominator in the CAR calculation formula. The numerator is the sum of the values of Tier 1 and Tier 2. This aggregate value should make up at least 8 percent of the risk-weighted assets (RWA) value in order to satisfy the IFSB’s capital adequacy standards for Islamic banks. Further constraints state that the minimum ratio of Tier 1 capital to RWA is 6 percent, and the minimum ratio of the total Common Equity Tier 1 (CET-1) value to the total RWA value is 4.5%. Tier 1 Capital Tier 1 capital is made up of two components, namely the CET-1 and the Additional Capital Tier 1 (ACT-1). CET-1 is the high- est quality capital-forming component and is the principal mainstay in absorbing the losses caused by risks that have been properly accounted for.

68 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING Capital components in an Islamic bank can be categorized as CET-1 if they fulfill the following criteria: 1. Common shares issued by the Islamic bank: the amount of capital that has been fully invested in the bank by its stockholders. 2. Stock surplus: the premium created by the stock issuance process. 3. Retained earnings: the accumulated value of profits that have not been distributed to the stockholders in the previous financial reporting period, including profits or losses in the ongoing year. 4. Announced dividends and dividends payable are not included in CET-1, according to the rules of the International Financial Reporting Standard (IFRS). 5. In the case of the ongoing year’s profits or losses, banking supervisors must ensure that the Islamic bank’s financial reports have been audited by external auditors. 6. Common shares issued by the Islamic bank’s consolidated subsidiaries may count if they fulfill the criteria set by supervisory authorities. Meanwhile, the Islamic bank capital components that count as ACT-1 must fulfill the following criteria: (1) instruments are issued by the Islamic bank that capable of absorbing risk; (2) the issuance procedure complies with regulators’ policies; (3) they are not time-limited (perpetual) and may be callable; and (4) they are unsecured. One example of an instrument that fulfills all these criteria is a musyarakah-based sukuk issued by an Islamic bank with the entirety of the bank’s assets and businesses as the under- lying asset. This makes the sukuk-holders partners to the Islamic bank’s stockholders. Tier 2 Capital Tier 2 capital consists of several components. The first is made up of instruments that are issued by the Islamic bank and fulfill the following criteria: (1) they are capable of absorbing risks, (2) the issuance procedure obeys regulatory policies, (3) they have a maturity period of at least 5 years and may be callable, and (4) they are unsecured. One of such instrument is a long-term mudharabah sukuk with a convertibility clause that turns sukuk-holders into the Islamic bank’s stockholders in case of insolvency. The convertible ratio must be unambiguously stated at the beginning of the sukuk contract in order to avoid gharar. Another example is a general reserve established to anticipate unidentified risks. The third example is a long-term instrument issued by a subsidiary consolidated with the Islamic bank under a number of more specific criteria. The fourth is minority interest, subject to certain criteria. Apart from Tier 1 and Tier 2 capital, the IFSB also enumerated cer- tain items in an Islamic bank’s financial reports and activities that must be

The Risk Management Process in Islamic Banking 69 accounted for in the calculation of minimum capital adequacy ratios. These items include: 1. Minority interest, with several more specific criteria 2. Unrealized gains and losses; an Islamic bank should be able to identify the equity change components caused by changes to the fair value of the Islamic bank’s liabilities 3. Investment in own stocks: the purchase of (investment in) the Islamic bank’s own stocks is counted as buybacks, which reduces the Islamic bank’s capital; an increase in such activities would reduce the value of CET-1 4. Goodwill and intangible assets 5. Pension fund assets and liabilities: if the national regulator requires Islamic banks to establish their own pension funds and to describe the asset and liability positions of these pension funds, the funds must be entirely excluded from CET-1 calculations 6. Deferred tax assets 7. Cash flow hedge reserve: a cash flow reserve specifically meant for hedg- ing activities within the bounds of syari’ah principles, whether on or off the balance sheet; a positive value subtracts from and a negative value adds to CET-1 capital 8. Securitization exposure: any capital increases caused by asset securiti- zation transactions should be excluded from CET-1 9. Capital investment in banks and other Islamic financial firms: this covers an Islamic bank’s investments in the capital of other Islamic banks or financial institutions other than its consolidated subsidiaries 10. Zakat (charity) liabilities: zakat is acknowledged and included in assess- ments once the Islamic bank has operated for more than 12 months Capital Conservation Buffer One of the new concepts in the most recent IFSB document is the regu- lation on the capital conservation buffer, which consists of a certain per- centage of an Islamic bank’s capital that has been set aside to increase the CET-1 value and cushion the Islamic bank against the risks it may expe- rience during long-term economic declines. Taking a lesson from the 2007 global financial crisis and its lingering effects, this additional capital reserve is intended to improve the sustainability of Islamic banks’ business activi- ties and their ability to effectively absorb possible risks. This capital buffer should be put into place by Islamic banks in favorable economic conditions, thus helping the implementation of macro-prudential policies intended to maintain the stability of the national banking system. If the stability of a

70 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING national banking system can be preserved through the duration of a crisis, the probability of the economy bouncing back into a quick recovery would be greatly increased. The additional capital reserve in the capital conservation buffer should only be established once an Islamic bank has fulfilled the basic 8 percent CAR. If the Islamic bank is not yet capable of fulfilling this ratio, the banking regulator could restrict the Islamic bank’s activity and limit its distribution of dividends. The formation of a capital reserve would be the first priority for the allocation of the bank’s profits until it has met the required CAR. These new rules are expected to apply a stricter and more cautious regulatory regime upon the Islamic banking industry. The capital conservation ratio mandated for an Islamic bank is 2.5 per- cent of the total RWA value. In the usual calculation for capital adequacy ratios, an Islamic bank needs a CAR of 8 percent, with the CET-1 amounting to at least 4.5 percent of the RWA value. The additional 2.5 percent would increase the CET-1 ratio to 7 percent of RWA. If this ratio falls below 7 per- cent, the Islamic bank must set aside all or part of its profits for capital conservation, as shown in Table 4.2. Countercyclical Buffer Another new feature in the most recent capital sufficiency regulations is the countercyclical buffer. As with the capital conservation buffer, the counter- cyclical buffer was born from the lessons of the 2007 global financial crisis. The IFSB’s rate for the countercyclical buffer (CCB) is set at 0–2.5 percent. Despite this recommendation, regulators are given the discretion to frame micro-prudential policies within their national jurisdictions. If necessary, a regulator may require a CCB greater than 2.5 percent for all domestic Islamic banks and foreign Islamic banks with subsidiaries within its jurisdiction. As usual, the 2.5 percent rate refers to the ratio of capital to RWA values. The TABLE 4.2 Capital Conservation Ratio Minimum Capital Conservation Ratios (as a percentage of profits) CET-1 Capital Ratio 100% 4.5% – ≤5.125% 80% >5.125% – ≤5.75% 60% >5.75% – ≤6.375% 40% >6.375% – ≤7.0% 0% >7.0% Source: IFSB

The Risk Management Process in Islamic Banking 71 CCB is meant to be built up by Islamic banks during periods of high eco- nomic growth. During recessions, the CCB does not have to be implemented, and in fact its funds can be released to help absorb risks. Leverage Ratio According to the IFSB, Islamic banks follow a different pattern from conven- tional banks in funding their business activities. Leverage instruments such as collateralized debt obligations (CDOs) are basically gharar and thus for- bidden to Islamic banks. This should keep Islamic banks at a better solvency level than conventional banks. However, the IFSB still considers certain kinds of Islamic banking transactions as potential sources of leverage, namely: 1. Reverse CMT (commodity murabahah transactions). CMT can be used on either side of an Islamic bank’s balance sheet, either as an asset or as a liability. In most cases it is placed on the liability side as an alternative source of funding for the Islamic bank. The most common type of con- tract in such transactions is the tawarruq contract. On the other hand, some Islamic banks regard CMTs as assets that provide funding for their customers. 2. Syari’ah-compliant hedging contracts. Some transactions similar to swaps are becoming popular with Islamic banks. 3. Some sukuks are structured in such a way that their cash flows are not tied to underlying assets, making them very similar to conventional bonds. With such transactions in mind, the IFSB thinks that the leverage ratio should apply to Islamic banks. The IFSB’s version of the leverage ratio is calculated by the following formula: Leverage Ratio = (Tier 1 capital ÷ Total exposure) ≥ 3% The formula shows that the IFSB’s maximum permissible leverage ratio is 3 percent, where “exposure” covers the total exposure from both on- and off-balance sheet components.

5CHAPTER Financial Reporting and Analysis in Islamic Banking For an Islamic bank, financial accounting plays an important role in the regulation and supervision of financial institutions, the development of market discipline, and the establishment of integrated harmony between the various stakeholders involved in banking activities. In this way, the stakeholders can obtain reliable information for the purpose of assessing an Islamic bank’s financial performance and syari’ah compliance; the bank itself would also be able to refer to the financial reports in figuring out the rights and responsibilities of every party with which it has to interact. The availability of pertinent and useful information would allow the readers of these financial reports to make well-informed decisions in their dealings with the Islamic bank without suffering too much gharar (uncertainty). An Islamic bank’s business characteristics differ from a conventional bank’s, both in principle and in practice. These differences should be accurately reflected in the Islamic bank’s financial reports. The most important difference is the fact that an Islamic bank must carry out functions beyond the strict limits of banking; apart from its primary role as a financial intermediary, it must also handle a range of social functions, which pertain to the collection and redistribution of alms and charity funds (such as zakat, infaq, and shadaqah) to appropriate beneficiaries. THE IMPORTANCE OF FINANCIAL STATEMENTS IN RISK ANALYSIS An Islamic bank’s core activities include: (1) the collection of funds from the public through savings and giro accounts under qardh (lending), wakalah (agency), wadhiah (safekeeping), or mudharabah contracts, (2) the structur- ization of fund mobilizations and investments, (3) the investment of funds provided by investment account holders into syari’ah-compliant financ- ing activities under leasing-based contracts (ijarah), sale-based contracts (murabahah, salam, istishna’), and profit/loss sharing–based contracts (mudharabah, musyarakah), and (4) the implementation of profit-sharing Risk Management for Islamic Banks: Recent Developments from Asia and the Middle East. Imam Wahyudi, Fenny Rosmanita, Muhammad Budi Prasetyo, Niken Iwani Surya Putri. © 2015 by John Wiley & Sons Singapore Pte. Ltd. Published 2015 by John Wiley & Sons Singapore Pte. Ltd. 72

Financial Reporting and Analysis in Islamic Banking 73 (mudharabah) or agency (wakalah) mechanisms on behalf of investment account holders. On the liabilities side, the bank must advance the invest- ment account holders’ interest by carrying out fiduciary responsibilities, ensuring that investment and financing strategies are in line with the invest- ment account holders’ expectations on risks and returns, and providing adequate disclosure and transparency about its (i.e., the bank’s) activities. Differing from conventional accounting, Islamic accounting is based upon the ethical laws of the Qur’an and the Sunna, with a particular focus on the communities participating in resource utilization, and it pays attention to religious and socioeconomic concerns in addition to the usual financial/economic matters with a view towards promoting efficiency and commitment to the achievement of economic equitability. Islamic accounting also differs in the scope of the information it needs; how it measures, assesses, and records items and components in its financial records; and how it communicates the results to the users of the financial reports. Due to these differences, an Islamic bank requires the development of appropriate accounting and auditing standards that would fulfill its needs in disseminating relevant information about its activities and operations. An Islamic bank must always abide by syari’ah rules and principles in all its business activities, including the preparation of financial report forms. One of the most important syari’ah provisions is that an Islamic bank must not receive or offer interest (riba) in any of its business transactions. The bank’s financial accounting and reporting practices must mark any violations to this prohibition, describe them in the reports, and apply a careful treatment to keep the forbidden funds separate from the rest of the Islamic bank’s assets. Facilitating Risk Analysis with Financial Statements Islamic banks are responsible for informing stakeholders about the risks they face. There should be more transparency in the disclosure of risks through their financial reports. Islamic banks must also ensure that syari’ah compliance risks are adequately reported and mitigated. Similarly, other financial and nonfinancial risks should be thoroughly covered in the Islamic banks’ financial statements. To facilitate all this, the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) has issued a set of technical guidelines on prudential regulations in the interest of accurately portraying the risk profile and characteristics of the financial instruments used by Islamic banks, especially with regards to the disclosure of credit risks, market risks, operational risks, and liquidity risks as the four main risk categories that an Islamic bank must deal with in its role as a financial intermediary.

74 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING Global Harmonization of Accounting Standards The global harmonization of accounting standards can be defined as a gradual process to establish an international consensus on accounting stan- dards so that financial statements from different countries can be composed and presented under a uniform set of measurement and disclosure princi- ples. This harmonization implies that accounting is a transaction-specific activity, and that thus the relationship between transactions, events, and systems should be universally applicable in accounting despite geographical, chronological, and systematic differences—and even political, economic, and cultural differences among the world’s countries. The rapid growth of the Islamic banking industry highlights the need to harmonize Islamic banks’ best practices and accounting standards at the global level; this prompted the founding of AAOIFI in 1991 in Bahrain. The establishment of the AAOIFI marked a watershed in the comparability of accounting standards between Islamic and conventional banks, especially with regards to accounting debates as well as the acknowledgment, measurement, recording, and disclosure of various accounting items (including con- tingency liabilities and provisions). The international harmonization of accounting standards is an important step towards the availability of usable, comparable, reliable, consistent, and understandable financial statements that provide useful information for the decision-making processes of global users, such as supervisory authorities, investors, and creditors (among others). This allows comparative analysis through the comparison of current global accounting standards with the Islamic accounting standards. SCOPE OF FINANCIAL STATEMENT IN ISLAMIC BANKS Financial accounting aims play a major part in determining the type and nature of information that should be included in financial reports, along with the depth and scope of mandatory disclosures; this information could aid stakeholders (or other users) in making appropriate decisions. An Islamic bank’s financial reports must fulfill at least four accounting aims. The first is to explain the rights and obligations of every stakeholder in the Islamic bank in a manner consistent with syari’ah principles as well as equitability, transparency, and business ethics. This category includes the disclosure of all rights and obligations that arise from incomplete financial transactions (i.e., transactions that do not satisfy one or more syari’ah or contractual requirements). The second is to provide adequate safeguards for the Islamic bank’s assets, the Islamic bank’s rights, and other parties’ rights upon the Islamic bank. The third is to promote the improvement of management performance, productive capabilities, consistent policy

Financial Reporting and Analysis in Islamic Banking 75 implementation, achievement of aims, and syari’ah compliance in each and every transaction or activity undertaken by the Islamic bank. The fourth is to provide useful information to the users of the financial reports and to encourage these users to make proper and legitimate decisions in their mu’amalah (interaction) with the Islamic bank. Fundamental Assumptions in Islamic Accounting Islamic banks’ financial reporting practices rest on a number of fundamental assumptions. The first is that the accounting entity (i.e., the Islamic bank) is an economic unit that has been chosen as the subject for calculation and is seen as a real entity that exists in its own right, distinct and separate from related entities. This assumption allows an Islamic bank to be set apart from its owners, to own resources, and to take responsibility for claims by sources of capital (whether investors or creditors) and for all financial transactions and economic events (including revenues and expenditures) that are recorded from the viewpoint of the Islamic bank as an enterprise (as opposed to the owners’ viewpoint). The second assumption is that of a going concern or continuity, which is the assumption that an Islamic bank in normal condi- tions would carry on its operations for an indefinite period of time with no expectation of liquidation in the foreseeable future. This indefinite timeframe is deemed necessary for the conclusion of all projects, commitments, and ongoing activities undertaken by the bank. The third is accounting periodic- ity. Although an Islamic bank is assumed to be a going concern, it must divide its activities into distinct reporting periods according to the convention of “accounting periodicity” for the purpose of composing financial reports that would provide information about the bank’s performance. The users of these financial reports would rely upon the reports as the principal means by which they could stay abreast of recent developments in the banking industry in general and the Islamic bank’s performance in specific. In fact, the assump- tion of accounting periodicity facilitates the process of zakat calculation and payment as mandated by syari’ah. The fourth assumption is the purchasing power stability of the mea- surement units. Accounting relies on monetary units as the common denominator in the presentation of the basic elements in an Islamic bank’s financial reports. Accounting is a mechanism for the measurement, recording, reporting, and communication of an Islamic bank’s activities in terms of a monetary unit with a stable purchasing power. The use of monetary units carries the risk of impacts from inflationary or deflationary trends that could significantly affect purchasing power. However, for the sake of accounting consistency and standardization, these effects would be considered negligible and the financial reports would be presented in

76 RISK MANAGEMENT FRAMEWORK IN ISLAMIC BANKING a particular currency that can be regarded as a consistent standard. An Islamic bank is not recommended to use indexing, monetary correction, replacement price, or present asset value, since all of these solutions are temporary in nature and would not tackle the root of the problem; instead, it should apply the principle of price and currency stabilization. Information Quality in Financial Reports In the effort to present useful information in its financial reports, an Islamic bank should pay attention to several criteria that determine the quality of the information being presented. The first is utility or benefit. The utility of the information presented by an Islamic bank in its financial statements should be subject to constant evaluation with regards to the principal aim of finan- cial reporting, which is to provide the users of the financial statement (espe- cially external parties) with pertinent, accurate, and reliable information that would allow them to make appropriate decisions about the Islamic bank. The second criterion is relevance. This refers to the relation between accounting information and the intent behind its presentation. Only rele- vant information would be of use to the users of the financial reports in evaluating and making their decisions, whether it be to establish, maintain, or terminate their relationship with the Islamic bank; relevant information is also the only meaningful input for investors in choosing between the vari- ous investment options available to them. To satisfy this relevance criterion, the accounting information released by an Islamic bank must meet three qualifications: prediction capability, feedback capability, and timeliness. The third criterion is reliability. An Islamic bank must be able to assure the users of its financial reports that they can depend upon the report’s infor- mation as a basis of accurate decision-making. It means that the method chosen by the Islamic bank to assess and disclose the impact of every cir- cumstance surrounding a financial event or transaction would present the information in a way that accurately reflects the substance of the finan- cial event or transaction. The Islamic bank should also make sure that the estimation and judgment provisions in its accounting practices are based on methods consistent with syari’ah principles. In assessing the reliability of the information in an Islamic bank’s financial reports, there are several qualifications that must be given particular notice: objectivity, faithfulness, and neutrality. The fourth criterion is uniformity and comparability. This principle refers to the use of the same accounting procedure by different economic entities for similar transactions and economic events. The fifth criterion is consistency. An Islamic bank should consistently use the same assessment, disclosure, and presentation methods for its financial events and transactions throughout its accounting periods.

Financial Reporting and Analysis in Islamic Banking 77 The sixth is understandability. The financial and accounting information in financial reports is intended for all users, not only for accountants or supervisory authorities. A good financial report is one that can be easily understood by all of its intended users; therefore, an Islamic bank should pay attention to the nature of the information, the manner of presentation, and the potential users’ technical backgrounds in composing its financial reports. The seventh is objectivity. Objective measurement means that measure- ments should be verifiable according to impersonal data or measurements and be free of personal biases. Banks need to distinguish between objec- tive measurement and objective valuation, as in the use of historical cost. Although this method can facilitate the achievement of objectivity in the measurement of various assets’ values at the time of their acquisition, it can- not be implemented as a basis for valuation. Accounting Acknowledgment and Measurement Criteria Accounting acknowledgment relates to the timeframe for the recording of financial events and transactions as the building blocks of financial state- ments; the record is supposed to be made as each event or transaction takes place and works its effect upon the bank’s finances. By this principle, the bank should clearly define each accounting element prior to acknowledging it. The acknowledgment of flow data (such as the elements in the income statement or the cash flow statement) is more urgent than that of stock data (such as elements in the balance sheet) since stock data could be automat- ically acknowledged once flow data has been acknowledged too. The issue of acknowledgment is particularly important for Islamic banks (relative to conventional banks) since the acknowledgment of assets in financing activ- ities is affected by the variety of financial contracts (such as murabahah, ijarah, istishna’, mudharabah, musyarakah, and qardh), the acknowledg- ment of debts in current and saving accounts must take account of wadi’ah or qardh contracts, and the acknowledgment of funds in investment accounts is affected by the choice between mudharabah and temporary syirkah con- tracts. An Islamic bank also faces other challenges in the acknowledgment of murabahah profits or mudharabah revenue sharing: When must the profits (shared or not) be acknowledged, and how should it be done? In this regard, the Islamic bank must make sure that the management of acknowledgment and assessment issues is performed correctly according to syari’ah guide- lines. There are three principles in the application of matching concepts: correlation between cause and effect, systemic and rational allocation, and prompt acknowledgment. The bank should determine whether a certain cost is related to past revenues (and should be recorded against prior revenues),