• IBANK Part 7.2 Principles of operational risk management

    Note for Part 7.2
    This Part sets out the requirement for Islamic banking business firms in relation to the management of operational risk. There are general requirements relating to risk management (including the management of operational risk) in CTRL, which apply to Islamic banking business firms in common with all other authorised firms.

    Amended by QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.1 Principle 1: risk management culture

      The general obligations of an Islamic banking business firm’s governing body and senior management under CTRL in relation to the firm’s risk management culture include an obligation to establish a strong operational risk management culture. A general reference in CTRL to risk management includes the management of operational risk specifically.

      Derived from QFCRA RM/2015-2 (as from 1st January 2016)
      Amended by QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.2 Principle 2: operational risk management framework

      (1) An Islamic banking business firm must develop, implement and maintain a framework for the management of operational risk that:
      (a) is fully integrated into the firm’s overall risk management processes; and
      (b) is appropriate for the firm, taking into account the firm’s nature, size, complexity and risk profile.
      Guidance
      The fundamental premise of sound risk management is that the firm’s governing body and management understand the nature and complexity of the risks inherent in the firm’s products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.
      (2) The framework must be appropriately integrated into the risk management processes across all levels of the firm, including those at the group and business line levels, and into new business initiatives’ products, activities, processes and systems. In addition, the results of the firm’s operational risk assessment must be incorporated into the firm’s overall business strategy development processes.
      Guidance
      The framework is a vital means of understanding the nature and complexity of operational risk.
      (3) The framework must be comprehensively and appropriately documented in policies approved by the firm’s governing body, and must include definitions of operational risk and operational loss.
      Guidance
      An Islamic banking business firm that does not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of its framework.
      (4) The firm’s framework documentation:
      (a) must clearly identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
      (b) must clearly describe the risk assessment tools and how they are used;
      (c) must clearly describe the firm’s accepted operational risk appetite and tolerance, its thresholds or limits for inherent and residual risk, and its approved risk mitigation strategies and instruments;
      (d) must clearly describe the firm’s approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
      (e) must establish risk reporting and management information systems;
      (f) must provide a set of operational risk terms to ensure that risk identification, exposure rating and risk management objectives are consistent throughout the firm;
      (g) must provide for appropriate independent review and assessment of operational risk; and
      (h) must require the policies to be reviewed, and revised as appropriate, whenever a significant change occurs in the firm’s operational risk profile.
      Derived from QFCRA RM/2015-2 (as from 1st January 2016)
      Amended by QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.3 Principle 3: governing body to approve framework

      (1) The governing body of an Islamic banking business firm must establish, approve and periodically review the firm’s operational risk management framework. The governing body must oversee the firm’s senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.
      (2) The governing body:
      (a) must establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the firm’s strategies and activities, and must develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall framework for managing all risks across the firm;
      (b) must provide senior management with clear guidance and direction regarding the principles underlying the framework and must approve the corresponding policies developed by senior management;
      (c) must regularly review the framework to ensure that the firm has identified, and is managing, the operational risk arising from external market changes and other environmental factors, and the operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (for example changing business volumes);
      (d) must ensure that the framework is subject to effective independent review by audit or other appropriately trained persons; and
      (e) must ensure that, as best practice evolves, the firm’s senior management avails themselves of those advances.
      Guidance
      Strong internal controls are a critical aspect of the management of operational risk, and the governing body should establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence and separation of duties between operational risk management functions, business lines and support functions.
      Derived from QFCRA RM/2015-2 (as from 1st January 2016)
      Amended by QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.4 Principle 4: risk appetite and tolerance statement

      (1) An Islamic banking business firm must approve and review its risk appetite and tolerance for operational risk.
      (2) The firm must consider:
      (a) all relevant risks;
      (b) the firm’s level of risk aversion;
      (c) its current financial condition; and
      (d) its strategic direction.
      (3) The firm must set out the various operational risk appetites within the firm and must ensure that they are consistent. The firm must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.
      (4) The firm must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance. Such a review must consider changes in the external environment, significant increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume and nature of breaches of limits.
      (5) The firm must monitor management’s adherence to the statement and must provide for timely detection and remediation of breaches.
      Derived from QFCRA RM/2015-2 (as from 1st January 2016)
      Amended by QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.5 Principle 5: role of senior management

      (1) The senior management of an Islamic banking business firm must develop, for approval by the firm’s governing body, a clear, effective and robust governance structure for managing operational risk, with well defined, transparent and consistent lines of responsibility. The senior management is responsible for consistently implementing and maintaining, throughout the firm, policies, processes and systems for managing operational risk in all of the firm’s products, activities, processes and systems consistently with the firm’s risk appetite and tolerance.
      (2) The firm’s senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. The mechanisms should include systems to report, track and, when necessary, escalate issues to ensure that they are resolved.
      (3) The firm’s senior management must translate the operational risk management framework established by the governing body into specific policies and procedures that can be implemented and verified within the firm’s business units. Senior management must clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage operational risk in line with the bank’s risk appetite and tolerance statement.
      (4) The firm’s senior management must ensure that the management oversight process is appropriate for the risks inherent in each business unit’s activity.
      (5) The firm’s senior management must ensure that the staff who are responsible for managing operational risk coordinate and communicate effectively with the staff who are responsible for:
      (a) managing other risks (such as credit risk and market risk); and
      (b) procuring external services (such as takaful risk transfer) and for making outsourcing arrangements.
      Guidance
      Failure to do so could result in significant gaps or overlaps in the firm’s overall risk management program.
      (6) The managers of the firm’s corporate operational risk function must be of sufficient stature within the firm to perform their duties effectively.
      Guidance
      The standing within the firm of the managers of operational risk would ideally be evidenced by their titles being similar to those of the managers of other risk management functions such as the management of credit, market and liquidity risk.
      (7) The senior management must ensure that the firm’s activities are conducted by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the firm’s risk policy must have authority independent from the units they oversee.
      Derived from QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.6 Principle 6: risk identification and assessment

      (1) The senior management of an Islamic banking business firm must ensure that the operational risk inherent in all of the firm’s products, activities, processes and systems is identified and assessed to make sure that the inherent risks and incentives are well understood.
      Guidance
      Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors and external factors. Sound risk assessment allows the firm to better understand its risk profile and allocate risk management resources and strategies most effectively. Tools that can be used for identifying and assessing operational risk include:
      • audit findings—although audit findings primarily focus on control weaknesses and vulnerabilities, they can also give insight into inherent risk that is due to internal or external factors
      • internal loss data collection and analysis—internal operational loss data provides meaningful information for assessing the firm’s exposure to operational risk and the effectiveness of internal controls
      • external data collection and analysis—external data elements consist of gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at other organisations; external loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures
      • risk assessments—in a risk assessment, often referred to as a risk self-assessment, the firm assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact; a similar approach, risk control self-assessment (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered); scorecards build on RCSAs by weighting residual risks to provide a means of translating RCSA output into metrics that give a relative ranking of the control environment
      • business process mapping—business process mappings identify the key steps in business processes, activities and organisational functions, and identify the key risk points in the overall business process; process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness, and can help prioritise subsequent management actions
      • risk and performance indicators—risk and performance indicators are risk metrics and statistics that provide insight into a firm’s risk exposure; risk indicators, often referred to as key risk indicators, are used to monitor the main drivers of exposure associated with key risks; performance indicators, often referred to as key performance indicators, provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss; risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans
      • scenario analysis—scenario analysis is a process of obtaining expert opinion from business line and risk managers to identify potential operational risk events and assess their potential outcome; scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions; however, given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process
      • measurement—larger firms may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure; the results can be used in an economic capital process and can be allocated to business lines to link risk and return
      • comparative analysis—that is, comparing the results of the various assessment tools to provide a more comprehensive view of the firm’s operational risk profile; for example, comparison of the frequency and severity of internal data with RCSAs can help the firm determine whether self-assessment processes are functioning effectively; scenario data can be compared to internal and external data to gain a better understanding of the severity of the firm’s exposure to potential risk events.
      (2) The firm must ensure that its internal pricing and performance measurement mechanisms appropriately take into account operational risk.
      Guidance
      If operational risk is not considered, risk-taking incentives might not be appropriately aligned with the firm’s risk appetite and tolerance.
      Derived from QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.7 Principle 7: approval process for new products etc

      (1) The senior management of an Islamic banking business firm must ensure that there is an approval process that fully assesses operational risk for all new products, activities, processes and systems.
      Guidance
      In general, an Islamic banking business firm’s operational risk exposure is increased when the firm engages in a new activity, develops a new product, enters an unfamiliar market, implements a new business process technology system or engages in a business distant from its head office. Moreover, the level of risk may increase when a new product, activity, process or system transitions from an introductory level to a level that represents a significant source of revenue or a business-critical operation.
      (2) An Islamic banking business firm must ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.
      (3) An Islamic banking business firm must have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process must consider:
      (a) the risks inherent in the new product, activity, process or system;
      (b) changes to the firm’s operational risk profile and appetite and tolerance, including the risk of existing products or activities;
      (c) the necessary controls, risk management processes and risk mitigation strategies;
      (d) the residual risk;
      (e) changes to relevant risk thresholds or limits; and
      (f) the procedures and metrics to measure, monitor, and manage the risk of the new product, activity, process or system.
      (4) The approval process must also include ensuring that appropriate investment has been made in human resources and technology infrastructure before a new product, activity, process or system is introduced.
      (5) The implementation of new products, activities, processes and systems must be monitored to identify any significant differences to the expected operational risk profile, and to manage any unexpected risks.
      Derived from QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.8 Principle 8: monitoring and reporting

      (1) The senior management of an Islamic banking business firm must implement a process to regularly monitor operational risk profiles and material exposures to losses. There must be appropriate reporting mechanisms at the board, senior management, and business line levels that support proactive management of operational risk.
      (2) An Islamic banking business firm must ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products.
      Guidance
      Reports should be manageable in scope and volume; too much or too little data impedes effective decision-making. An Islamic banking business firm should endeavour to continuously improve its operational risk reporting.
      (3) Reporting must be timely and the firm must be able to produce reports in both normal and stressed market conditions. The frequency of reporting must reflect the risks involved and the pace and nature of changes in the operating environment.
      (4) The results of monitoring activities, and assessments of the framework by the firm’s internal audit or risk management functions, must be included in regular management and board reports. Reports generated for the Regulatory Authority must also be reported internally to senior management and the board, where appropriate.
      (5) Operational risk reports must include:
      (a) breaches of the firm’s risk appetite and tolerance statement, and breaches of thresholds or limits;
      (b) details of recent significant internal operational risk events and losses; and
      (c) relevant external events and any possible effect on the firm and operational risk capital.
      Guidance
      Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making.
      (6) The firm must analyse its data capture and risk reporting processes periodically with a view to continuously improving the firm’s risk management performance and advancing its risk management policies, procedures and practices.
      Derived from QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.9 Principle 9: control and mitigation

      (1) The requirements of this rule are in addition to those set out in CTRL.
      (2) In addition to separation of duties and dual control, an Islamic banking business firm must ensure that it has other traditional internal controls as appropriate to address operational risk.
      Examples of controls
      • clearly established authorities and processes for approval
      • close monitoring of adherence to assigned risk thresholds or limits
      • safeguards for access to, and use of, bank assets and records
      • appropriate staffing level and training to maintain expertise
      • ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations
      • regular verification and reconciliation of transactions and accounts.
      (3) An Islamic banking business firm must ensure that it has appropriate controls to manage technology risk.
      Guidance
      1 Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programs.
      2 The use of technology related products, activities, processes and delivery channels exposes an Islamic banking business firm to strategic, operational, and reputational risks and the possibility of material financial loss.
      3 Sound technology risk management uses the same precepts as operational risk management and includes:
      • governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the firm’s business objectives
      • policies and procedures that facilitate the identification and assessment of risk
      • establishment of a risk appetite and tolerance statement and performance expectations to assist in controlling and managing risk
      • implementation of an effective control environment and the use of risk transfer strategies that mitigate risk
      • monitoring processes that test for compliance with policy thresholds or limits.
      4 Mergers and acquisitions that result in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine the firm’s ability to:
      • aggregate and analyse information across risk dimensions or the consolidated enterprise
      • manage and report risk on a business line or legal entity basis
      • oversee and manage risk in periods of high growth.
      5 The firm’s management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.
      (4) The firm’s governing body must decide the maximum loss exposure that the firm is willing, and has the financial capacity, to assume, and must perform an annual review of the firm’s risk and takaful management programme.
      Guidance
      If internal controls do not adequately address risk and exiting the risk is not a reasonable option, the firm can complement the controls by seeking to transfer the risk to another party such as through takaful.
      Risk transfer is an imperfect substitute for sound controls and risk management programs. Therefore, the firm should view risk transfer as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as takaful truly reduce risk, transfer the risk to another business sector or area, or create a new risk (for example counterparty risk).
      Derived from QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.10 Principle 10: business resiliency and continuity

      (1) An Islamic banking business firm must have business resiliency and continuity plans to ensure that the firm can continue to operate, and can limit its losses, in the event of severe business disruption.
      Guidance
      An Islamic banking business firm is exposed to disruptive events, some of which may be severe and result in an inability to fulfil some or all of the firm’s business obligations. Incidents that damage or render inaccessible the firm’s facilities, telecommunication or information technology infrastructures, or a pandemic event that affects human resources, can result in significant financial losses to the firm, and broader disruptions to the financial system.
      (2) An Islamic banking business firm must establish business continuity plans commensurate with the nature, size and complexity of the firm’s operations. The plans must take into account different likely or plausible scenarios to which the firm may be vulnerable.
      (3) Continuity management must incorporate business impact analysis, recovery strategies, testing, training and awareness programs, and communication and crisis management programs. The firm must identify critical business operations, key internal and external dependencies, and appropriate resilience levels.
      (4) Plausible disruptive scenarios must be assessed for their financial, operational and reputational impact, and the resulting risk assessment must be the foundation for recovery priorities and objectives. Continuity plans should establish contingency strategies, recovery and resumption procedures, and plans for informing management, employees, the Regulatory Authority, customers, suppliers and, if appropriate, the civil authorities.
      (5) The firm must periodically review its continuity plans to ensure that contingency strategies remain consistent with the firm’s current operations, risks and threats, resiliency requirements, and recovery priorities. Training and awareness programmes must be implemented to ensure that the firm’s staff can effectively carry out the plans.
      (6) The firm must test each plan periodically to ensure that its recovery and resumption objectives and timeframes can be met. If possible, the firm must participate in disaster recovery and business continuity testing with key service providers.
      (7) The results of testing must be reported to the firm’s management and governing body.
      Derived from QFCRA RM/2020-3 (as from 1st January 2021)

    • IBANK 7.2.11 Principle 11: disclosure

      Note
      These rules do not yet have provisions on disclosure. Those provisions are to be inserted in the next phase of the development of these rules.

      Derived from QFCRA RM/2020-3 (as from 1st January 2021)