Empowering Risk
Intelligence in
Islamic Finance
Managing risk in
uncertain times
2 | Managing risk in uncertain times
Managing risk in uncertain times | 3
Contents
Foreword 4
Executive summary 5
Introduction 6
Risk governance in Islamic Finance 6
Key challenges facing Islamic Financial institutions 10
Empowering the Risk Intelligence Enterprise 21
4 | Managing risk in uncertain times
The global ?nancial crisis continues to hit hard, with
almost all markets of the world economy, and indeed
almost all sectors, having been directly or indirectly
impacted by this major economic turbulence. The
?nancial services - including Islamic Finance - are facing
a catalogue of regulatory and practice-related reforms.
This new wave of regulatory reforms, aimed at
upholding best practices, has renewed emphasis on
prudential oversight and good governance. These
changes resulted greater pressure on ?nancial
institutions offering Islamic ?nancial services (IIFS)
to galvanize their risk exposures and governance
capabilities. Moreover, the complexity of Sharia’a-
compliant debt and equity instruments has evolved,
and types of risks, issues and investors, as well as
market conditions, have emerged, all of which have
made it imperative for IIFS to develop and adopt
integrated risk management strategies, in order to
protect their businesses and stakeholders.
In many jurisdictions there is now heightened awareness
and scrutiny by national regulators and industry
standard-setters to safeguard the interest of investors
and customers. Key to this is the importance of public
awareness and market education. Hence, Deloitte
Islamic Finance Knowledge Center (IFKC) is committed
to producing relevant and timely thought leadership in
Islamic Finance, which addresses and investigates
important issues in practice and regulation. The prime
objective of this approach is to produce timely relevant
insights from the industry practice and to strive to
promote the value of best practices amongst
stakeholders. Lastly, this report focuses on the
governance and structural aspects of an effective risk
management framework in Islamic Finance. It presents
an analysis of case studies developed, new insights in
risk management practice to empower risk intelligence
in Islamic Finance and suggests ways to manage risk in
troubled times.
Regards,
Hatim El Tahir, director, Islamic Finance Knowledge
Center (IFKC), Deloitte in the Middle East
Foreword
Managing risk in uncertain times | 5
The Islamic Finance Risk Intelligence survey, published by
IFKC at Deloitte Middle East, assesses the status quo of
risk management practice in the Islamic Finance
industry. The report is based on a survey and group of
case studies developed during the second half of 2011
encompassing 20 Islamic Financial institutions from
the Middle East and South East Asia, with aggregate
assets of more than $50 billion, and representing a
range of Islamic Financial institutions. In addition,
several interviews were conducted with industry leaders
and risk management executives. The analysis included
cross reference analysis of Deloitte’s research and
analysis in risk management and made use of Deloitte’s
Risk Intelligence Maturity Model in developing point of
views on Islamic Finance risk intelligence. Needless to
say, the overall questions and issues discussed with
institutions and risk executives were structured around
Deloitte’s four enterprise risk management (ERM)
capabilities, namely Governance, Process, People,
and Technology. Finally the report similarly bene?ted
from revelations and re?ections of the ‘Executive
Roundtable on Risk Management’, organized by the
Islamic Financial Services Board (IFSB), hosted by the
Central Bank of Bahrain and supported by Deloitte IFKC,
in December, 2011.
In summary, the following key challenges warrant the
attention of Islamic Finance industry leaders and
stakeholders:
1. 63% of respondents believe that strong commitment
from Boards, Sharia’a Supervisory Boards and
Management is required to improve ERM in Islamic
Finance.
2. 65% of the institutions offering Islamic Financial
Services (IIFS) that participated in our study are
considering the development of an ERM program.
3. Only 59% of the IIFS that participated have
implemented the IFSB’s Risk Management Standard;
63% reported that they have not received any
external rating, and less than quarter of the
respondents had considered or received external
rating from an Islamic rating agency. This constitutes
a real challenge posed to industry participants and
standard-setters such as the IFSB, AAOIFI, IIFM and
the IIRA, to enforce best practices.
4. Creating a risk-aware culture is considered the most
(68%) important bene?t of ERM. The IIFS lack skilled
risk experts, and institutions are required to invest in
building capabilities in key risk management pillars -
People, Process, Technology and Governance.
5. 56% of the group studied have risk management
software, and 44% of them lag behind in automation
of risk information management.
6. Risk function executives and policy-makers are faced
with new international regulatory and governance
requirements and are required to fully adapt to
international best practices.
63% of respondents believe that
strong commitment from Boards,
Sharia’a Supervisory Boards and
Management is required to improve
ERM in Islamic Finance
Executive summary
6 | Managing risk in uncertain times
Introduction
As Islamic Finance continues to evolve, institutions
offering Islamic ?nancial services (IIFS) have continued
to face many challenges on the operational and
management fronts. Questions and issues relating to
best practices in risk management and effective risk
functions have surfaced as a result of this important
dialogue. Many Islamic and traditional ?nancial
institutions are reviewing their risk management
functions and models. Executive directors, Sharia’a
Supervisory Board members, and boards of directors,
are more actively engaged in the risk management
decision-making process than ever before. The
regulatory coordination and harmonization of standards
and Sharia’a fatwas is inevitable and market and
practice synergy is an aspiration of all stakeholders.
This report is structured around three sections. First,
it introduces risk governance in Islamic Finance and
underscores the key factors underpinning its practice.
The report then moves to discuss the key results of
the Deloitte IFKC Survey on risk intelligence conducted
between March and July, 2011. The discussion and
analysis encompasses industry and practice revelations
in two key markets, the Middle East and South East
Asia. It highlights new insights that have emerged
from the case studies which were developed and
tested against Deloitte’s ERM maturity model. The
case studies included a group of 20 institutions offering
Islamic ?nancial services (IIFS), operating globally from
nine countries. The surveyed group had total assets of
more than $50 billion and included IIFS in commercial
and investment banking and Takaful sectors. Half of the
institutions have assets totaling less than $1000 million;
a quarter of them have assets totaling between $1000
million and $10,000 million. Finally, the report concludes
with insightful complementary points of views from
prominent industry thought leaders around the world to
share their contextual perspective on risk management.
Risk governance in Islamic Finance
The pro?le of risks affecting the IIFS today is vastly
different than that of the risks impacting them a
decade ago. Globalization and changes in technology,
product offerings, process, and the nature of business
transactions create new types of challenges and risk
to the Boards and executives of these institutions.
Risk drivers in Islamic Finance stem from common
conventional known types of risks, as well as the unique
Sharia’a compliance risk that shapes the operations of
the IIFS business. The latter constitutes a fundamental
prerequisite factor for developing any risk management
strategy for the IIFS whether in sourcing of funds or
use of funds. It is, however, the role of Boards and
executives that ensures compliance to Sharia’a principles
in all levels of IIFS operations and management of their
assets. In discussing risk governance in Islamic Finance,
two key factors warrant consideration – ?rst the
embodied element of the ?duciary relationship between
the SSB, Board, management and other stakeholders
of the institution and secondly the importance of
transparency and disclosure in these unique operational
and management relations.
The essence of the ?duciary relationship
The ?duciary relationship between the shareholders,
investors and other stakeholders is paramount in
understanding the regulatory needs of risk management
and its practice. The common theme in this unique
relationship is good governance and an adequate
?nancial and management reporting mechanism. Key
to this is the role of Sharia’a Supervisory Boards (SSBs)
in vetting business suitability to comply with Sharia’a
principles, and its obligation to safeguard the interest of
investors, management and clients. This important role
is galvanized by support from interdependent business
units and functions such as legal, human resources,
tax/Zakat, information technology, and ?nance. These
interdependent units harness the task of identifying,
Managing risk in uncertain times | 7
measuring, managing, and monitoring risks, in four
main ways:
• Strategy: developing institution-wide policies and
procedures and controls that help build risk
governance
• Planning: providing required resources and
information management
• Transparency: ensuring homogenous ?ow of
information and standardized practice
• Education and training: identifying training needs
and skills development within the institution.
These four areas of coordination are affecting the
decisions made in all areas of operations, management,
risk management and business strategy. Strategic risk
dialogue begins with engaging management and
business support units. Prudential oversight, good
corporate governance and ?nancial reporting and
disclosure are key factors to ensure effective risk
management in Islamic Finance. The three-party
interdependent approach of disclosure and reporting in
Islamic Finance consists of interaction and coordination
between three main parties. The coordination between
the SSB, internal audit and external audit is a similarly
important process in risk management which ensures
consistency, standardization and Sharia’a-compliance
at all levels of the institution’s operation.
Consequently, Islamic Finance risk executives are
required to develop risk management strategies that
address the full spectrum of risks, including industry-
speci?c ones such as Sharia’a compliance, competition,
community development, strategic, reporting, and
operational. IIFS’s boards and executive management
should invest in risk management practices that are
infused into the corporate culture, and design risk
strategy and decision-making that evolve out of a
risk-informed process rather than assuming risk
considerations. Along with this expectation, four
key categories of risk areas are identi?ed:
1. Enhance risk governance strategy aligned with
Board’s support and oversight.
2. Enhance operational risk assessment and process
standardization.
BOD
Sharia’a
supervisory
board (SSB)
Executive
management
Business units and
supporting functions
The ?duciary relationship in Islamic Finance
• SSB is unique to the
IIFS’s governance
• It plays the important
role of ensuring
Sharia’a compliance
in the entire
operational system
of the IIFS
External
Audit
SSB
Internal
Audit
Transparency, Disclosure and Reporting framework (TDR)
• Standardized policies and
procedures of reporting
practices
• Identify and align standard
business transparency
practices
• Update of regulatory
practices and accounting
standards
Internal Audit
• Consistency in practices,
concerning transparency
and information disclosure
• Holds additional responsibility
as ‘Sharia’a Compliance
Inspectors’
External Audit
• Coordinate with external
auditors to ensure Sharia'a
compliance in areas
concerning operations
and accounting practices
SSB
8 | Managing risk in uncertain times
3. Integrate Sharia’a compliance in all operational risks
and process strategies.
4. Standardize and enhance disclosure and reporting
procedures.
The Islamic Finance Risk Management
capability model
The implementation of an integrated and holistic
risk management approach in Islamic Finance is a
compelling need to empower the risk function and
operate an effective risk practice. The following key
steps propose the building blocks of an effective
enterprise-wide risk management system in Islamic
Finance. Seven key areas of risk capabilities are identi?ed
as shown in the following diagram:
The Islamic Finance Risk Management capability model
The seven building blocks
Source: Deloitte ME IFKC
Sharia’a
compliance
planning
Risk
planning
Risk
ownership
and support
Risk
culture and
education
Risk
reporting
Risk
governance
and oversight
Risk
infrastructure
and management
Strategic
risk
Strategic risk
Financial
risk
Sharia’a
compliance
risk
Operational
risk
Enhance risk governance strategy supported by Board oversight
Financial risk
Standardize disclosure procedures. Reporting, valuation,
liquidity, market and credit risks
Sharia’a compliance risk
Integrate Sharia’a Compliance in process and operational risks
Operational risk
Enhance coordination between process, people, technology
and Sharia’a compliance that impact overall performance of
IIFS
Risk categories in Islamic Finance: four key areas of risks
Managing risk in uncertain times | 9
Introduction to Deloitte IFKC’s risk intelligence in
Islamic Finance:
This section is based on the ?ndings of a survey
conducted in 2011. The questions and interviews with
risk executives across the region were structured around
Deloitte’s four ERM capabilities:
• Governance
• Process
• People
• Technology
Governance: The governance capability focuses on
the structure and organization of the risk management
function (even if no risk manager position formally
exists) in order to make risk-intelligent decisions and
execute those decisions in a timely and effective
manner. A company needs to de?ne roles and
responsibilities of the board and its committees,
management, internal audit and risk management
functions with respect to risk management. Risk
management policies such as risk appetite, tolerance
and delegation of authority need to be formally
documented and communicated.
Process: The process capability focuses on the process
in place to execute risk management. This includes core
operational and infrastructure business processes
necessary to run the risk management in an ef?cient
manner to create and protect value.
People: The people capability focuses on having the
right number of people with the appropriate training
and awareness to execute the risk management process.
This includes trained people at all levels and a company-
wide risk awareness culture.
Technology: The technology capability focuses on
IT systems used to analyze and communicate risk
information throughout the organization as well
as to enable risk-intelligent decision-making in a
timely manner.
Risk intelligence
to create and
preserve value
Sustain and
continuously
improve
Develop
and deploy
strategies
Access and
measure
risks
Identify
risks
Respond
to risks
Design
and test
controls
Monitor,
assure and
escalate
Governance
T
e
c
h
n
o
l
o
g
y
Process
P
e
o
p
l
e
Deloitte ERM capability model
TM
10 | Managing risk in uncertain times
Key challenges facing Islamic
Financial institutions
Enterprise Risk Management (ERM) is relatively new
in the Islamic Finance industry. 79% of the institutions
that took part in the survey have a risk department
established in the last ?ve years. Only 5% of the IIFS’
risk departments were set up more than 10 years ago.
Governance
Risk governance and oversight
The case studies and survey shared with IIFS in the
Middle East and South East Asia have shown that many
IIFS have strengthened or adopted risk governance
frameworks and assigned Boards and senior executives
to the role of risk management.
Who, at executive level, has been assigned
accountability for the ERM program?
In 32% of institutions the CEO is accountable for the
ERM program while 27% have the Chief Risk Of?cer and
13% have the Head of Risk Management accountable.
Thus, IIFS management and decision-makers should
support the risk governance process with subject matter
experts for in-depth analysis and adequate selection of
risk solutions and strategies.
32%
7%
7%
7%
7%
13%
27%
Chief Executive Of?cer
Chief Financial Of?cer
GM
GM - C&RM
SVP regulatory services
Head of Risk Management
Chief Risk Of?cer
16%
5%
79%
1-5 years ago 6-10 years ago 11-15 years ago
When did you set up your risk department?
Managing risk in uncertain times | 11
Select the level of the Board of Directors’
oversight and engagement in ERM at
your institution.
47% of the surveyed group had proactive Boards at
all levels of risk intelligence while 20% are indifferent
and not engaged in the risk function. Boards and
management are required to design a best practice
risk oversight structure – with clearly-de?ned roles,
responsibilities and accountability, as well as ways to
continuously improve this process. They should also
support the risk governance process with subject-matter
experts for in-depth analysis and solutions.
Who is primarily driving the interest in ERM
in your institution?
Boards and executive management appear to be the
prime driver of interest in ERM, while the Management
Committee and Risk Management Committee also have
signi?cant interest in ERM.
29%
29%
29%
6%
7%
Board of Directors
Management Committee
Risk Management Committee
SVP regulatory services
Holding company (to follow
group minimum standards)
47%
20%
33%
Proactive and preemptive at all levels of risk intelligence
Indifferent and not engaged
Reactive and engaged as required
12 | Managing risk in uncertain times
If considering developing ERM in your institution,
who would lead this initiative?
CEOs tend to lead ERM in IIFS (24%), followed by
Boards (15%). However, more than a third of the
surveyed group (38%) indicated that ERM was led by
‘Other’ which presumably includes professional service
?rms and consultants.
Rating and credit assessment
Has your institution received an external rating?
About two thirds (63%) of the surveyed group
reported that they hadn’t received any external rating.
It is important to emphasize here the role of external
credit analysis in light of Basel II requirements (for the
standardized approach). IIFS are required to adopt this
new set of requirements and update their internal
reviews and control systems.
Has your institution received an external rating?
Among those IIFS who received external ratings, 50%
of them received a rating from S&P and 25% of them
received a rating from Fitch.
Has your institution considered an external rating
from an Islamic Rating Agency before?
The majority (89%) of the IIFS group surveyed have not
considered an external rating from an Islamic Rating
Agency. This ?nding clearly needs to be investigated
further and it appears that there is a gap between
Islamic rating agencies and the IIFS in understanding
the importance and need for Islamic rating, its
methodologies and approach. The majority (80%) of
the institutions are not considering applying for a
credit rating in the near future.
8%
Board of Directors
Chief Executiver Of?cer
Consulting Firm
Chief Financial Of?cer
Other
38%
15%
24%
15%
Yes No
37%
63%
12%
S&P
Fitch
JCR-VIS Pakistan
Moody
50%
25%
13%
Yes No
89%
11%
Managing risk in uncertain times | 13
Enterprise Risk Management (ERM)
implementation
In the entire group surveyed, IIFS have a formal risk
management function that manages the risk activities,
In the majority of the institutions (83%), a risk
committee oversees all risks. It is also observed that in
87% of the IIFS participants, ‘management members’
form the members of the risk committee.
Are you planning the implementation of an ERM
program, or any risk management activities in
the near future?
65% of IIFS surveyed are considering the development
of an ERM program. 29% of them have not yet
considered it, while 6% of them have decided to
implement an ERM program. This ?nding is important
and clearly indicates that the IIFS are lagging behind in
the implementation of ERM. Therefore, boards and
executives are advised to develop an intelligence risk
strategy and develop appropriate action plans.
Risk scope and best practices
Does your institution implement the IFSB’s
Guiding Principles of Risk Management?
Our group’s case studies and survey show that only
59% of the IIFS have implemented the IFSB’s Risk
Management Standard. This ?nding highlights the
challenge faced by standard-setters such as the IFSB,
AAOIFI and the IIFM to ensure that standards and best
practices are followed and implemented. It is probably
true to say that national regulators such as central banks
and capital market authorities, in markets where Islamic
Finance has evolved, should play a more effective role
to ensure this.
Considering developing
Have not yet considered
Considered, decided not to proceed at this time
65%
6%
29%
Yes No
41%
59%
0% 20% 40% 60% 80% 100%
87%
27%
7%
40%
Management
members
Board members
Audit Committee
members
Sharia’a Supervisory
Board members
14 | Managing risk in uncertain times
Does your institution implement the IFSB’s
Guiding Principles on Sharia’a Governance?
In contrast, 71% of the group surveyed have
implemented the IFSB’s Guiding Principles on Sharia’a
Governance. Key causes of Sharia’a compliance risks
include non-standardized practices, diverse Sharia’a
interpretations, and the lack of enforcement of Sharia’a
laws in many jurisdictions.
Please rank the following drivers for undertaking
risk management activities.
Regulatory compliance (87%) is the prime reason
for undertaking risk management activities followed
by ‘Strategic reasons’, ‘Business continuity’, ‘Operational
performance’, ‘Standard-setter compliance’ and ‘Public
image’.
Yes No
71%
29%
Composite
score
Rank
Regulatory compliance (for
example, market regulators)
87 1
Strategic reasons (for example,
development of competitive
advantage)
78 2
Business continuity (protection
against hazards such as
economic downturn,
environmental crises, Sharia’a
compliance, etc.)
70 3
Operational performance
(ef?ciency and effectiveness of
business processes)
69 4
Standard-setter compliance (for
IFSB, AAOIFI, and IIFM)
44 5
Public image 29 6
Managing risk in uncertain times | 15
What are the primary goals regarding ERM that
you would like to realize in the future?
‘Align risk appetite and strategy’ is the primary goal
(75%) regarding ERM followed by ‘Link growth, value,
risk and return’, ‘Provide integrated responses to
multiple risks’, ‘Minimize operational surprises and
losses’, and ‘Seize opportunities’.
Please rank the following realized bene?ts
of ERM
‘Creating a risk-aware culture’ is considered the most
(68%) important bene?t of ERM followed by ‘Reducing
vulnerability to adverse events’. Surprisingly, ‘Focusing
integrated management reporting on the risks that
matter most’, was ranked least important.
What is the scope of your risk management?
(Please select all the risks covered by your
institution.)
A key risk area covered by many IIFS is compliance. The
survey reveals that 89% of the IIFS consider compliance
as an important risk to cover, followed by external
factors and ethics. Corporate responsibility is the area
least covered by risk management.
0% 20% 40% 60% 80% 100%
89%
Compliance
Sharia’a governance
79%
External factors
Reporting
79%
Ethics
Legal
79%
74%
74%
68%
68%
68%
63%
63%
58%
Strategy
Corporate governance
Corporate assets
Information technology
Finance
Planning
Product development
Corporate responsibility
Sales, marketing
and communications
Human resources
53%
47%
47%
21%
Composite
score
Rank
Creating a risk-aware culture 68 1
Reducing vulnerability to
adverse events
56 2
Enhancing risk response decisions
and mitigation plans
55 3
Identifying and managing cross-
enterprise or interdependent risks
49 4
Focusing integrated management
reporting on the risks that matter
most
42 5
Composite
score
Rank
Align risk appetite and strategy 75 1
Link growth, value, risk and
return
72 2
Provide integrated responses to
multiple risks
49 3
Minimize operational surprises
and losses
46 4
Seize opportunities 28 5
16 | Managing risk in uncertain times
What is the extent of risk management
integration in your decision-making process?
(Please indicate the degree to which risk
management is integrated into your
decision-making process in each of the
departments below.)
Most of the survey respondents either fully or partially
incorporated risk management in all the processes
listed above. However, ‘Takaful / Insurance’ and
‘Environmental health and safety’ are the two areas
where the institutions need to incorporate the risk
management process more ef?ciently.
Does your risk manager (or person responsible
for ERM activities), perform other functions
besides ERM?
In 53% of institutions the risk manager does not
perform any other functions besides ERM, while
in other organizations he performs functions
such as compliance and a few other tasks.
Are there any risk management activities
outsourced to an external party?
83% of the IIFS in the surveyed group do not
outsource any risk management activities.
0% 20% 40% 60% 80% 100%
53%
No other functions
are performed
26% Compliance
5% Internal Audit
5% Takaful
21% Other
Fraud Management 0%
Sharia’a compliance
and review audit
0%
Yes No
17%
83%
20%30% 10% 40%50%60%70%80%90%100%
Internal Audit
Asset management
Finance department
(incl. Treasury)
Strategic planning
Legal
Product
development
Sharia’a governance
and audit
Ethics and
compliance
ICT
Takaful/ Insurance
Environmental
health and saftey
72 22 6
65 29 6
61 6 33
47 33 20
53 41 6
53 35 6 6
50 38 6 6
50 38 6 6
60 28 6 6
44 12 6 38
13 13 44 30
Fully incorporated
Partially incorporated
Plan to incorporate within 12 months
No plans to incorporate
Managing risk in uncertain times | 17
Process
Do you have a clearly de?ned and documented
risk management process to execute risk
management activities?
89% of the IIFS participants have a clearly de?ned and
documented risk management process to execute risk
management activities.
How frequently are risk assessments conducted?
within your institution?
67% of the IIFS conduct risk assessment
at least once every quarter.
What kind of risk assessment methods and
methodologies do you use for risk analysis?
‘Self-assessment’ is the most popular methodology
(used by 83% of the institutions) while ‘Failure mode
and effects analysis’ is the least preferred (56% of the
institutions have no plans to incorporate this).
Currently in use
Plan to use
Plan to incorporate
in next 12 months
No plans to
incorporate
0% 20%30% 10% 40%50%60%70% 80%90%100%
82
44 13 13 30
Self-assessments
Scenario analysis
Stress-test
Key risk indicators
Industry benchmark
/ loss experience
Economic metrics
Probabilistic analysis
Third party
assessments
Failure mode and
effects analysis
65 17 18
67 16 6 11
50 19 19 13
53 24 12 11
70 12 12 6
6 6 6
38 19 6 37
13 13 55 19
Yes No
11%
89%
16%
Quarterly
Monthly
Semi-annually Ad hoc
Annually
11%
11%
11%
51%
18 | Managing risk in uncertain times
Do you use quantitative risk analysis methods
in your institution?
Two thirds of the IIFS participants use quantitative
risk analysis methods.
In which functions/areas do you apply
quantitative risk analysis?
58% of the IIFS that responded to our survey report
that they use quantitative risk analysis in the ‘Asset
management’ area while 16% of them said they use
it in Finance and Zakat/Tax.
What kind of risk measures do you use?
42% of survey respondents use Value at Risk (VaR)
followed by 37% that use Cash ?ow at risk, 32% using
NPV/IRR and 21% using Economic Value Added (EVA).
Please rank in order the following challenges
with respect to quantitative risk analysis.
‘Identifying and applying effective quantitative risk
measuring techniques’ is the top challenge (56%),
followed by ‘Implementing supporting tools for
quantitative risk measuring techniques’, ‘Identifying the
required data for your quantitative risk analysis’,
‘Effectiveness of data capturing’, and ‘Finding quali?ed
quantities modeling experts’.
Composite
score
Rank
Identifying and applying effective
quantitative risk measuring
techniques
55 1
Implementing supporting tools
for quantitative risk measuring
techniques
45 2
Identifying the required data for
your quantitative risk analysis
37 3
Effectiveness of data capturing 35 4
Finding quali?ed quantities
modeling experts
31 5
0% 20% 40% 60% 80% 100%
58%
16%
5%
11%
0%
0%
Asset management
Finance and
Zakat / Tax
ICT
Environmental health
and safety
Other
Commodity trading /
Sourcing
0% 20% 40% 60% 80% 100%
42%
37%
32%
11%
11%
21%
Value at Risk (VaR)
Cash ?ow at risk
NPV/ IRR
Economic Value
Added (EVA)
Other
RAROC
Yes No
33%
67%
Managing risk in uncertain times | 19
Which of the following ERM best practices
require improvement/attention? (Select all
that apply)
63% of respondents believe that strong commitment
from board and management is required to improve
ERM followed by improving the risk governance system,
developing the right talent and risk education program
and understanding the risk culture. The boards and
executive management of IIFS are advised to work with
an experienced ERM advisor to accelerate buy-in and
ensure knowledge transfer throughout the process.
People
Who is involved in your ERM training program?
(Please select only one answer that is most
applicable to your institution.)
Roughly half of the institutions provide ERM training
programs. In 42% of institutions all employees directly
involved in risk management activities are involved in an
ERM training program, while in 33% of institutions only
specialists perform this activity.
0% 20% 10% 30%40%50%60%70%80%90%100%
63%
58%
58%
26%
47%
53%
Strong commitment from
board and management
Improve risk
governance system
Develop the right talent and
risk education program
Understanding of
risk culture
Develop the right
processes and procedures
Build effective and robust
ERM which address your
institution’s risks
All employees directly involved in risk
management activities
All employees
Only specialists who perform speci?c
risk management activities
Don’t know (no structured
training plan)
8%
33%
17%
42%
20 | Managing risk in uncertain times
Technology
Do you have risk management software
or tool(s)?
56% of institutions have risk management software
while the remainder don’t. In addition, 62% of the
institutions built their risk management tool in-house.
Risk exposures
Which of the following activities are
performed at your institution using the risk
management tool?
Our analysis shows that the top three activities
performed are ‘Assess risks/control activities’, ‘Report
risks/control activities’ and ‘Document risks/control
activities’ respectively. In addition, ‘Asset performance
risk’ is the top risk that the institutions are facing,
followed by ‘Credit, liquidity and market risks’. ‘Ethics
risk’ ranked last among respondents.
‘Ineffective risk oversight and governance’ are the most
likely hindrance to Islamic Finance Institutions’ risk
management effectiveness followed by ‘Absence of a
clear ERM strategy’, ‘Lack of Sharia’a-compliant risk
mitigating instruments’, ‘Poor execution of ERM
strategy’, ‘Lack of skilled risk management personnel’
and ‘Irrelevance of IT systems and processes’.
Yes No
44%
56%
0% 20% 40% 60% 80% 100%
47%
42%
37%
32%
11%
21%
21%
Assess risks /
control activities
Report risks /
control activities
Document risks /
control activities
Monitor risks /
control activities
Document process
?ows / narratives
Other
Integrated performance
management (Balance
scorecard, KPI)
Managing risk in uncertain times | 21
Empowering the Risk Intelligence Enterprise
Overall Assessment of the ‘ERM Capabilities’, the
Deloitte Maturity Model:
*For illustrative purposes we have drawn a line at 54
to represent the midpoint of the maturity model.
*Note that the composite score range is from 18 to 90.
Our overall assessment of the risk maturity to the group
studied exhibits least maturity on ‘Technology’. It should
also be noted that the risk maturity on the other three
pillars is also lacking. For example, ‘Governance’, in the
20-IIFS group, tends to range in the midpoint. Similarly
in the ‘Process’ and ‘People’ capabilities, the analysis
reveals that the IIFS didn’t go beyond the range of the
midpoint. This allows for room improvement in the ERM
capabilities discussed. Thus the IIFS are required to build
their risk capabilities and competencies to ensure an
effective risk management function that addresses their
unique risks and operational models.
30 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60
Governance
Process
People
Technology
Composite Score
Overall Assessment of the ‘ERM Capabilities’,
the Deloitte Maturity Model
22 | Managing risk in uncertain times
Thought leaders’ perspective on Risk
Management
To sum up our report, Deloitte IFKC organized
‘intellectual knowledge dialogue’ with Islamic Finance
thought leaders from the two key markets of MENA and
SEA. The debate revolved around the four key areas of
importance in risk intelligence: governance, process,
people, and technology. By doing this, we aimed to
engage industry regulators, practitioners, academics
and professionals in an exchange of benchmarks, views,
and insights with the aim of hopefully bridging gaps in
industry practices and regulation. Moreover, Deloitte
IFKC supported an executive roundtable on ‘Risk
Management in Islamic Finance’, held in Manama in
December, 2011, organized by the IFSB and hosted by
the Central Bank of Bahrain, The following comments
are extracts from our ‘Intellectual knowledge dialogue’
with Islamic Finance thought leaders.
Governance
“Regulators need to promote good governance
principles (e.g corporate governance codes and IFSB
risk management principles.” Richard Ellis, Advisor,
Banking Supervision, Central Bank of Bahrain.
“Recent events, whether affecting conventional or
Islamic Finance, have revealed that there are still
de?ciencies in the management of risk. The technical
issues of the identi?cation, measurement and reporting
of risk are the subject of detailed scrutiny by the
various Risk Professionals’ Institutes and research in
?rms and universities worldwide. More worrying is the
ongoing challenges faced by several institutions to fully
adapt to the new governance requirements and
technology implications of the crisis.” Professor John
Board, Dean, Henley Business School, University of
Reading, UK
“Uni?ed laws for close-out netting, insolvency and
ownership rights are required not only for existing
transactions but will also greatly facilitate the required
innovation in Islamic hedging and liquidity
management segment of the industry.” Ijlal Alvi,
CEO, IIFM.
“One of the beauties of Sharia’a is that it allows
interpretation as situations demand. It is open for
ijtihad. However, a Takaful operator domiciled under
one jurisdiction and wanting to grow and write
business under another is highly likely to face different
interpretations of the governing Sharia’a regime
regulations. Perhaps practitioners should plead with
regulators to try and consider a form of consensus.”
Mahomed Akoob, Managing Director, Hannover
ReTakaful.
“In Islamic Finance the development of governance
framework is still relatively slow and in need of serious
attention. The regulators should obtain inputs from
industry, Sharia’a scholars and academicians in
developing a robust framework.” Daud Vicary,
President and CEO, INCEIF, Malaysia.
“The regulator should play an important role in
developing a robust governance framework with input
from the industry, Sharia’a scholars and academicians.
A robust Sharia’a governance framework is needed in
order to ensure a due process is observed in ensuring
the integrity of Sharia’a is preserved. In this regard,
lessons can be learnt from the jurisdictions which have
developed a strong Sharia’a governance framework
such the Sharia’a Governance Framework (SGF)
developed by The Central Bank of Malaysia.”
Dr. Mohamad Akram Laldin, Executive Director,
ISRA, Malaysia.
Recent events, whether affecting
conventional or Islamic Finance, have
revealed that there are still defciencies
in the management of risk
Managing risk in uncertain times | 23
“Full disclosure of corporate governance practice should
be published in annual reports of IFIs.” Sohail Jaffer,
Partner, International Business Development, FWU AG
International, Luxembourg.
“The central theme of corporate governance for an IIFS
is its basic framework which nests around the SSB and
the internal controls which support it.” Moineddin
Malim, CEO, Mashreq Al Islamic Finance Co.
“The business model of most Islamic commercial
banks is based on mobilizing funds in pro?t sharing
investment accounts (PSIA), which are governed by
the Mudaraba contract. This poses many governance
challenges to which Islamic banks should pay attention.
Whilst PSIA holders are exposed to the risk of loss of
their equity, absent misconduct and negligence, they
enjoy weak governance structure. PSIA holders have
no say in the appointment/dismissal of the bank's
management, external auditors or members of the
Sharia'a board. It is important to create awareness of
this issue.” Professor Datuk Rifaat Abdel Karim,
INCEIF, Malaysia Visiting Professor, ICMA Centre,
Henley Business School, University of Reading, UK,
Adjunct Research Professor.
“Until the beginning of the ?nancial crisis hardly anyone
was arguing that ?nancial reporting standards should
be written with the objective of ?nancial stability in
mind.” Prof. Dr. Necdet ?ENSOY, Central Bank of the
Republic of Turkey.
Process
“There are differences between the conventional
?nancial system as compared to the Islamic ?nancial
system in terms of core operational and business
processes; for example, in conventional derivative
products the risk is detached from the balance sheet
items and is traded separately while in the case of
Islamic hedging, the requirement is directly linked to
economic activity or balance sheet items and there is
no trading of risk.” Ijlal Alvi.
“Core operational and business process differences need
to be addressed by the market practitioner in
conjunction with the regulator.” Daud Vicary.
“The necessity of disciplined underwriting and risk-
commensurate pricing in the face of severe
competition among Takaful operators themselves and
with conventional insurers is a tightrope that Takaful
and retakaful operators alike are walking.” Mahomed
Akoob.
“In the realm of Islamic banking, the ?duciary
responsibility of the staff becomes paramount when
compared to their peers in conventional banking in
view of their role as Mudaribs [trustees] of the
depositors and investors.” Faiz Afzaluddin, Head of
Operational Risk, Dubai Islamic Bank.
For an effective process in risk management, Shaji
Chandrasena, Director, Financial Risk Supervision,
Monetary Authority of Singapore, believes that IIFS
should "carry out consistent independent and rigorous
valuation practices across the ?rm".
The business model of most Islamic
commercial banks is based on
mobilizing funds in proft sharing
investment accounts (PSIA), which are
governed by the Mudaraba contract
24 | Managing risk in uncertain times
People
“The industry already has a shortage of human capital
and the complexity of Islamic Finance (and associated
?nancial statements) requires more oversight and
attention.” Khalid Howladar, Senior Credit Of?cer,
Islamic Finance, Moody.
“IIFS need to implement a policy to develop, mentor
and retain talent. A consistent approach is needed to
develop ?rst-class talent in the relevant disciplines and
a meritocracy created to promote and reward such
professionals.” Sohail Jafar.
“The industry lacks practitioners who are Sharia’a savvy
and Sharia’a experts who are market savvy. This
process can only be carried out by educational
institutions like INCEIF where speci?c course modules
and programs that combine the two areas are taught.
Simultaneous training of the current workforce in the
market in such modules would be necessary for the
practitioners to understand how IF products work and
in turn communicate to the public.” Daud Vicary.
“Training of the Islamic Finance workforce in the market
would be necessary for the practitioners to understand
how Islamic Finance products work and in turn
communicate to the public.” Daud Vicary.
“Any employer looks for two aspects in recruitment:
high caliber and retention thereof. With the relative
scarcity of quali?ed Islamic Finance professionals and
the sheer competition over this limited talent pool,
operational risk needs careful monitoring.”
Mahomed Akoob.
Technology
“The hedging tools to mitigate certain risk such as
currency and rate of return mismatches as well as
enabling law reforms are the most crucial and
challenging areas in the Islamic ?nancial services
industry.” Ijlal Alvi.
“Customized risk management technology is necessary
to be in place. Genuine efforts are needed to develop
such platforms and need to come through a
combination of market practitioner, academic and
Sharia’a scholar.” Daud Vicary.
“Speci?c technological ability is important for IF as much
of the existing technology is the result of ‘tweaking’
of conventional technology. Genuine effort is needed
with the combination of effort from Sharia’a scholars,
market practitioners and academics to ensure a
genuine technological product.” Dr. Mohamad
Akram Laldin.
“In Takaful, as in conventional insurance, you need to
know exactly where you stand at all times. Investing
in real-time exposure and accumulation monitoring
systems is no longer a luxury or a value added. It is
not even a necessity. It is a condition for survival.”
Mahomed Akoob.
“A Management Information System should be based
on ‘group exposure’ for all allied industries and the
correlation impact be computed in risk modeling and
risk capital estimation.” Ahmed Adil, Global Head of
Risk Management, Arcapita Bank, Bahrain.
Training of the Islamic Finance
workforce in the market would be
necessary for the practitioners to
understand how Islamic Finance
products work and in turn
communicate to the public
Managing risk in uncertain times | 25
Conclusion
This report examines three closely-linked issues: risk
governance, regulatory pressures and accountability,
and the challenges faced by IIFS to develop effective risk
intelligence. The report shows that risk management in
Islamic Finance and conventional ?nance probably have
more in common than is sometimes suggested. The
cash-rich industry of Islamic Finance may have much
to offer to the troubled conventional ?nance industry.
However, careful consideration and risk assessment and
analysis should be observed in areas where Islamic
Finance differs in operations and practice.
The analysis in this report highlights several challenges
faced by IIFS and Islamic ?nancial regulators alike.
Global and regional jurisdictional regulatory reforms
are continuing. How this regulation will affect the
Islamic Finance industry and the role of IIFS in the
economy is yet to be seen. One thing is certain – the
traditional operations and management of Islamic
Finance will need to change. IIFS around the globe
will not only need to deal with risk management but
will also need operational effectiveness and a skilled
workforce to empower risk intelligence in Islamic
Finance and deal with managing business and ?nancial
risks at all times.
Responding to these new realities may require effective
risk governance. IIFS Boards, Sharia’a Supervisory Boards
and executives have an important role to play in
providing proactive oversight of risk management and
risk strategy. The executive risk of?cers equally play an
important role in coordinating risk management
implementation and activities between boards and SSBs
and other business supporting units in the institution.
The report shows that risk management
in Islamic Finance and conventional
finance probably have more in common
than is sometimes suggested
26 | Managing risk in uncertain times
Deloitte in the Middle East
ME Representative Office
Regional office
Gefinor Center, Block D
Clemenceau Street
P.O.Box 113-5144
Beirut, Lebanon
Phone +961 (0) 1 748 444
Fax +961 (0) 1 748 999
ME Consulting
Regional office
Arabia House
131 Phoenicia Street
P.O. Box 11-0961
Riad El-Solh, Beirut
1107 2060 Lebanon
Phone +961 (0) 1 366 844
Fax +961 (0) 1 367 738
ME Enterprise Risk Services
Regional office
Emaar Business Park
Building 1, Sheikh Zayed Road
P.O. Box 282056
Dubai, UAE
Phone +971 (0) 4 369 8999
Fax +971 (0) 4 369 8998
ME Financial
Advisory Services
Regional office
DIFC, Currency House
Building 1 - Level 5
PO Box 282056
Dubai, UAE
Phone +971 (0) 4 506 4700
Fax +971 (0) 4 327 3637
ME Tax Services
Regional office
Currency House
Building 1 - Level 5
P.O. Box 282056
Dubai, UAE
Phone +971 (0) 4 506 4700
Fax +971 (0) 4 327 3637
The Deloitte ME Islamic Finance
Knowledge Center (IFKC)
Al Zamil Tower. Government Avenue,
Manama, Kingdom of Bahrain
Phone +973 17214490 Ext 2018
Fax +973 17214550
Bahrain
Manama
Al Zamil Tower
Government Avenue
P.O. Box 421
Manama, Kingdom of Bahrain
Phone +973 (0) 17 214 490
Fax +973 (0) 17 214 550
Egypt
Cairo
95 C, Merghany Street,
Heliopolis 11341, Cairo, Egypt
Phone +20 (0) 2 2290 3278
Fax +20 (0) 2 2290 3276
Alexandria
Madinet El Sayadla
Building No 10,
Smouha, Alexandria
Phone +20 (0) 3 426 4975
Fax +20 (0) 3 426 4975
Iraq
Deloitte & Touche
Management Consulting W.L.L.
6 Royal City
Erbil, Iraq
Phone +964 (0) 770 694 6554
Jordan
Amman
Jabal Amman, 190, Zahran
Street, Amman, Jordan
P.O. Box 248
Amman 11118, Jordan
Phone +962 (0) 6 5502200
Fax +962 (0) 6 5502210
Kuwait
Kuwait City
Fahad A l-Salem Street
Salhia Complex
Kuwait City, Kuwait
P.O. Box 23049
Safat 13091, Kuwait
Phone +965 (0) 2243 8060
Fax +965 (0) 2245 2080
Ahmed Al-Jaber Street,
Dar Al-Awadi Complex,
7th Floor
P.O. Box 20174, Safat 13062
Sharq, Kuwait
Tel +965 22408844
Fax +965 22408855
Lebanon
Beirut
Arabia House,
131 Phoenicia Street
P.O. Box 11-961 Beirut
Riad El-Solh, Beirut
1107 2060 Lebanon
Phone +961 (0) 1 364 700
Fax +961 (0) 1 367 087
Oman
Muscat
MBD Area
Muscat International Center
Muscat, Sultanate of Oman
P.O. Box 258, Ruwi
Postal Code 112
Sultanate of Oman
Phone +968 (0) 2481 7775
Fax +968 (0) 2481 5581
Palestinian Territories
Ramallah
Al Mashreq, Insurance Building
P.O. Box 447
Ramallah, Palestinian
Controlled Territories
Phone +970 (0) 2 295 4714
Fax +970 (0) 2 298 4703
Qatar
Doha
Al Ahli Bank Building
Sheikh Suhaim Bin Hamad Street
P.O. Box 431, Doha, Qatar
Phone +974 (0) 4434 1112
Fax +974 (0) 4442 2131
Saudi Arabia
Deloitte & Touche
BakrAbulkhair & Co.
Riyadh
Al-Salam Building,
Prince Turki Bin Abdullah
Al-Saud Street
Sulaimania Area
P.O. Box 213, Riyadh 11411
Phone +966 1 2828400
Fax +966 1 2828428
Al Khobar
ABT Building, Al Khobar
Saudi Arabia
P.O. Box 182
Dammam 31411, Saudi Arabia
Phone +966 (0) 3 887 3937
Fax +966 (0) 3 887 3931
Jeddah
Saudi Business Center
Madinah Road
P.O. Box 442
Jeddah, 21411, Saudi Arabia
Phone +966 (0) 2 657 2725
Fax +966 (0) 2 657 2722
Syria
Damascus
9 Fardos Street
P.O. Box 12487
Damascus, Syria
Phone +963 (0) 11 221 5990
Fax +963 (0) 11 222 1878
Rawda
38 Rawda Street
P.O. Box 12487
Damascus, Syria
Phone +963 (0) 11 331 1212
Fax +963 (0) 11 332 2304
United Arab Emirates
Abu Dhabi
11th Floor
Al Sila Tower
Sowwah Square
P.O. Box 990 Abu Dhabi,
United Arab Emirates
Phone +971 2 4082424
Fax +971 2 4082525
Dubai
1001 City Tower 2
Sheikh Zayed Road
P.O. Box 4254
Dubai, UAE
Phone +971 (0) 4 331 3211
Fax +971 (0) 4 331 4178
Fujairah
Al-Fujairah
Insurance Co. Building
P.O. Box 462
Fujairah, UAE
Phone +971 (0) 9 222 2320
Fax +971 (0) 9 222 5202
Ras Al-Khaimah
Ras Al-Khaimah, Insurance
Building, Al-Nakheel,
Ras Al-Khaimah UAE
P.O. Box 435
Ras Al-Khaimah, UAE
Phone +971 (0) 7 227 8892
Fax +971 (0) 6 574 1053
Sharjah
Corniche Plaza 2,
Al Buhairah Corniche
P.O. Box 5470
Sharjah, UAE
Phone +971 (0) 6 574 1052
Fax +971 (0) 6 574 1053
Yemen
Sana’a
Sana’a Trade Center Eastern
Tower, Algeria Street
P.O. Box 15655
Sana’a, Yemen
Phone +967 (0) 1 448 374
Fax +967 (0) 1 448 378
For Libya and Mauritania
inquiries, please contact the
ME Representative Office.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by
guarantee, and its network of member ?rms, each of which is a legally separate and independent entity.
Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche
Tohmatsu Limited and its member ?rms.
Deloitte provides audit, tax, consulting, and ?nancial advisory services to public and private clients
spanning multiple industries. With a globally connected network of member ?rms in more than 150
countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights
they need to address their most complex business challenges. Deloitte's approximately 182,000
professionals are committed to becoming the standard of excellence.
Deloitte's professionals are uni?ed by a collaborative culture that fosters integrity, outstanding value
to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an
environment of continuous learning, challenging experiences, and enriching career opportunities.
Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust,
and making a positive impact in their communities.
About Deloitte & Touche (M.E.)
Deloitte & Touche (M.E.) is a member ?rm of Deloitte Touche Tohmatsu Limited (DTTL) and is the ?rst
Arab professional services ?rm established in the Middle East region with uninterrupted presence for
over 85 years. Deloitte is among the region’s leading professional services ?rms, providing audit, tax,
consulting, and ?nancial advisory services through 26 of?ces in 15 countries with over 2,500 partners,
directors and staff. It is a Tier 1 Tax advisor in the GCC region (International Tax Review World Tax
2010, 2011 and 2012 Rankings) and was recognized as the 2010 Best Consulting Firm of the Year
in the Complinet GCC Compliance Awards. In 2011, the ?rm received the Middle East Training and
Development Excellence Award by the Institute of Chartered Accountants in England and Wales (ICAEW).
© Deloitte & Touche (M.E.). All rights reserved. Member of Deloitte Touche Tohmatsu Limited
doc_605966957.pdf
Intelligence in
Islamic Finance
Managing risk in
uncertain times
2 | Managing risk in uncertain times
Managing risk in uncertain times | 3
Contents
Foreword 4
Executive summary 5
Introduction 6
Risk governance in Islamic Finance 6
Key challenges facing Islamic Financial institutions 10
Empowering the Risk Intelligence Enterprise 21
4 | Managing risk in uncertain times
The global ?nancial crisis continues to hit hard, with
almost all markets of the world economy, and indeed
almost all sectors, having been directly or indirectly
impacted by this major economic turbulence. The
?nancial services - including Islamic Finance - are facing
a catalogue of regulatory and practice-related reforms.
This new wave of regulatory reforms, aimed at
upholding best practices, has renewed emphasis on
prudential oversight and good governance. These
changes resulted greater pressure on ?nancial
institutions offering Islamic ?nancial services (IIFS)
to galvanize their risk exposures and governance
capabilities. Moreover, the complexity of Sharia’a-
compliant debt and equity instruments has evolved,
and types of risks, issues and investors, as well as
market conditions, have emerged, all of which have
made it imperative for IIFS to develop and adopt
integrated risk management strategies, in order to
protect their businesses and stakeholders.
In many jurisdictions there is now heightened awareness
and scrutiny by national regulators and industry
standard-setters to safeguard the interest of investors
and customers. Key to this is the importance of public
awareness and market education. Hence, Deloitte
Islamic Finance Knowledge Center (IFKC) is committed
to producing relevant and timely thought leadership in
Islamic Finance, which addresses and investigates
important issues in practice and regulation. The prime
objective of this approach is to produce timely relevant
insights from the industry practice and to strive to
promote the value of best practices amongst
stakeholders. Lastly, this report focuses on the
governance and structural aspects of an effective risk
management framework in Islamic Finance. It presents
an analysis of case studies developed, new insights in
risk management practice to empower risk intelligence
in Islamic Finance and suggests ways to manage risk in
troubled times.
Regards,
Hatim El Tahir, director, Islamic Finance Knowledge
Center (IFKC), Deloitte in the Middle East
Foreword
Managing risk in uncertain times | 5
The Islamic Finance Risk Intelligence survey, published by
IFKC at Deloitte Middle East, assesses the status quo of
risk management practice in the Islamic Finance
industry. The report is based on a survey and group of
case studies developed during the second half of 2011
encompassing 20 Islamic Financial institutions from
the Middle East and South East Asia, with aggregate
assets of more than $50 billion, and representing a
range of Islamic Financial institutions. In addition,
several interviews were conducted with industry leaders
and risk management executives. The analysis included
cross reference analysis of Deloitte’s research and
analysis in risk management and made use of Deloitte’s
Risk Intelligence Maturity Model in developing point of
views on Islamic Finance risk intelligence. Needless to
say, the overall questions and issues discussed with
institutions and risk executives were structured around
Deloitte’s four enterprise risk management (ERM)
capabilities, namely Governance, Process, People,
and Technology. Finally the report similarly bene?ted
from revelations and re?ections of the ‘Executive
Roundtable on Risk Management’, organized by the
Islamic Financial Services Board (IFSB), hosted by the
Central Bank of Bahrain and supported by Deloitte IFKC,
in December, 2011.
In summary, the following key challenges warrant the
attention of Islamic Finance industry leaders and
stakeholders:
1. 63% of respondents believe that strong commitment
from Boards, Sharia’a Supervisory Boards and
Management is required to improve ERM in Islamic
Finance.
2. 65% of the institutions offering Islamic Financial
Services (IIFS) that participated in our study are
considering the development of an ERM program.
3. Only 59% of the IIFS that participated have
implemented the IFSB’s Risk Management Standard;
63% reported that they have not received any
external rating, and less than quarter of the
respondents had considered or received external
rating from an Islamic rating agency. This constitutes
a real challenge posed to industry participants and
standard-setters such as the IFSB, AAOIFI, IIFM and
the IIRA, to enforce best practices.
4. Creating a risk-aware culture is considered the most
(68%) important bene?t of ERM. The IIFS lack skilled
risk experts, and institutions are required to invest in
building capabilities in key risk management pillars -
People, Process, Technology and Governance.
5. 56% of the group studied have risk management
software, and 44% of them lag behind in automation
of risk information management.
6. Risk function executives and policy-makers are faced
with new international regulatory and governance
requirements and are required to fully adapt to
international best practices.
63% of respondents believe that
strong commitment from Boards,
Sharia’a Supervisory Boards and
Management is required to improve
ERM in Islamic Finance
Executive summary
6 | Managing risk in uncertain times
Introduction
As Islamic Finance continues to evolve, institutions
offering Islamic ?nancial services (IIFS) have continued
to face many challenges on the operational and
management fronts. Questions and issues relating to
best practices in risk management and effective risk
functions have surfaced as a result of this important
dialogue. Many Islamic and traditional ?nancial
institutions are reviewing their risk management
functions and models. Executive directors, Sharia’a
Supervisory Board members, and boards of directors,
are more actively engaged in the risk management
decision-making process than ever before. The
regulatory coordination and harmonization of standards
and Sharia’a fatwas is inevitable and market and
practice synergy is an aspiration of all stakeholders.
This report is structured around three sections. First,
it introduces risk governance in Islamic Finance and
underscores the key factors underpinning its practice.
The report then moves to discuss the key results of
the Deloitte IFKC Survey on risk intelligence conducted
between March and July, 2011. The discussion and
analysis encompasses industry and practice revelations
in two key markets, the Middle East and South East
Asia. It highlights new insights that have emerged
from the case studies which were developed and
tested against Deloitte’s ERM maturity model. The
case studies included a group of 20 institutions offering
Islamic ?nancial services (IIFS), operating globally from
nine countries. The surveyed group had total assets of
more than $50 billion and included IIFS in commercial
and investment banking and Takaful sectors. Half of the
institutions have assets totaling less than $1000 million;
a quarter of them have assets totaling between $1000
million and $10,000 million. Finally, the report concludes
with insightful complementary points of views from
prominent industry thought leaders around the world to
share their contextual perspective on risk management.
Risk governance in Islamic Finance
The pro?le of risks affecting the IIFS today is vastly
different than that of the risks impacting them a
decade ago. Globalization and changes in technology,
product offerings, process, and the nature of business
transactions create new types of challenges and risk
to the Boards and executives of these institutions.
Risk drivers in Islamic Finance stem from common
conventional known types of risks, as well as the unique
Sharia’a compliance risk that shapes the operations of
the IIFS business. The latter constitutes a fundamental
prerequisite factor for developing any risk management
strategy for the IIFS whether in sourcing of funds or
use of funds. It is, however, the role of Boards and
executives that ensures compliance to Sharia’a principles
in all levels of IIFS operations and management of their
assets. In discussing risk governance in Islamic Finance,
two key factors warrant consideration – ?rst the
embodied element of the ?duciary relationship between
the SSB, Board, management and other stakeholders
of the institution and secondly the importance of
transparency and disclosure in these unique operational
and management relations.
The essence of the ?duciary relationship
The ?duciary relationship between the shareholders,
investors and other stakeholders is paramount in
understanding the regulatory needs of risk management
and its practice. The common theme in this unique
relationship is good governance and an adequate
?nancial and management reporting mechanism. Key
to this is the role of Sharia’a Supervisory Boards (SSBs)
in vetting business suitability to comply with Sharia’a
principles, and its obligation to safeguard the interest of
investors, management and clients. This important role
is galvanized by support from interdependent business
units and functions such as legal, human resources,
tax/Zakat, information technology, and ?nance. These
interdependent units harness the task of identifying,
Managing risk in uncertain times | 7
measuring, managing, and monitoring risks, in four
main ways:
• Strategy: developing institution-wide policies and
procedures and controls that help build risk
governance
• Planning: providing required resources and
information management
• Transparency: ensuring homogenous ?ow of
information and standardized practice
• Education and training: identifying training needs
and skills development within the institution.
These four areas of coordination are affecting the
decisions made in all areas of operations, management,
risk management and business strategy. Strategic risk
dialogue begins with engaging management and
business support units. Prudential oversight, good
corporate governance and ?nancial reporting and
disclosure are key factors to ensure effective risk
management in Islamic Finance. The three-party
interdependent approach of disclosure and reporting in
Islamic Finance consists of interaction and coordination
between three main parties. The coordination between
the SSB, internal audit and external audit is a similarly
important process in risk management which ensures
consistency, standardization and Sharia’a-compliance
at all levels of the institution’s operation.
Consequently, Islamic Finance risk executives are
required to develop risk management strategies that
address the full spectrum of risks, including industry-
speci?c ones such as Sharia’a compliance, competition,
community development, strategic, reporting, and
operational. IIFS’s boards and executive management
should invest in risk management practices that are
infused into the corporate culture, and design risk
strategy and decision-making that evolve out of a
risk-informed process rather than assuming risk
considerations. Along with this expectation, four
key categories of risk areas are identi?ed:
1. Enhance risk governance strategy aligned with
Board’s support and oversight.
2. Enhance operational risk assessment and process
standardization.
BOD
Sharia’a
supervisory
board (SSB)
Executive
management
Business units and
supporting functions
The ?duciary relationship in Islamic Finance
• SSB is unique to the
IIFS’s governance
• It plays the important
role of ensuring
Sharia’a compliance
in the entire
operational system
of the IIFS
External
Audit
SSB
Internal
Audit
Transparency, Disclosure and Reporting framework (TDR)
• Standardized policies and
procedures of reporting
practices
• Identify and align standard
business transparency
practices
• Update of regulatory
practices and accounting
standards
Internal Audit
• Consistency in practices,
concerning transparency
and information disclosure
• Holds additional responsibility
as ‘Sharia’a Compliance
Inspectors’
External Audit
• Coordinate with external
auditors to ensure Sharia'a
compliance in areas
concerning operations
and accounting practices
SSB
8 | Managing risk in uncertain times
3. Integrate Sharia’a compliance in all operational risks
and process strategies.
4. Standardize and enhance disclosure and reporting
procedures.
The Islamic Finance Risk Management
capability model
The implementation of an integrated and holistic
risk management approach in Islamic Finance is a
compelling need to empower the risk function and
operate an effective risk practice. The following key
steps propose the building blocks of an effective
enterprise-wide risk management system in Islamic
Finance. Seven key areas of risk capabilities are identi?ed
as shown in the following diagram:
The Islamic Finance Risk Management capability model
The seven building blocks
Source: Deloitte ME IFKC
Sharia’a
compliance
planning
Risk
planning
Risk
ownership
and support
Risk
culture and
education
Risk
reporting
Risk
governance
and oversight
Risk
infrastructure
and management
Strategic
risk
Strategic risk
Financial
risk
Sharia’a
compliance
risk
Operational
risk
Enhance risk governance strategy supported by Board oversight
Financial risk
Standardize disclosure procedures. Reporting, valuation,
liquidity, market and credit risks
Sharia’a compliance risk
Integrate Sharia’a Compliance in process and operational risks
Operational risk
Enhance coordination between process, people, technology
and Sharia’a compliance that impact overall performance of
IIFS
Risk categories in Islamic Finance: four key areas of risks
Managing risk in uncertain times | 9
Introduction to Deloitte IFKC’s risk intelligence in
Islamic Finance:
This section is based on the ?ndings of a survey
conducted in 2011. The questions and interviews with
risk executives across the region were structured around
Deloitte’s four ERM capabilities:
• Governance
• Process
• People
• Technology
Governance: The governance capability focuses on
the structure and organization of the risk management
function (even if no risk manager position formally
exists) in order to make risk-intelligent decisions and
execute those decisions in a timely and effective
manner. A company needs to de?ne roles and
responsibilities of the board and its committees,
management, internal audit and risk management
functions with respect to risk management. Risk
management policies such as risk appetite, tolerance
and delegation of authority need to be formally
documented and communicated.
Process: The process capability focuses on the process
in place to execute risk management. This includes core
operational and infrastructure business processes
necessary to run the risk management in an ef?cient
manner to create and protect value.
People: The people capability focuses on having the
right number of people with the appropriate training
and awareness to execute the risk management process.
This includes trained people at all levels and a company-
wide risk awareness culture.
Technology: The technology capability focuses on
IT systems used to analyze and communicate risk
information throughout the organization as well
as to enable risk-intelligent decision-making in a
timely manner.
Risk intelligence
to create and
preserve value
Sustain and
continuously
improve
Develop
and deploy
strategies
Access and
measure
risks
Identify
risks
Respond
to risks
Design
and test
controls
Monitor,
assure and
escalate
Governance
T
e
c
h
n
o
l
o
g
y
Process
P
e
o
p
l
e
Deloitte ERM capability model
TM
10 | Managing risk in uncertain times
Key challenges facing Islamic
Financial institutions
Enterprise Risk Management (ERM) is relatively new
in the Islamic Finance industry. 79% of the institutions
that took part in the survey have a risk department
established in the last ?ve years. Only 5% of the IIFS’
risk departments were set up more than 10 years ago.
Governance
Risk governance and oversight
The case studies and survey shared with IIFS in the
Middle East and South East Asia have shown that many
IIFS have strengthened or adopted risk governance
frameworks and assigned Boards and senior executives
to the role of risk management.
Who, at executive level, has been assigned
accountability for the ERM program?
In 32% of institutions the CEO is accountable for the
ERM program while 27% have the Chief Risk Of?cer and
13% have the Head of Risk Management accountable.
Thus, IIFS management and decision-makers should
support the risk governance process with subject matter
experts for in-depth analysis and adequate selection of
risk solutions and strategies.
32%
7%
7%
7%
7%
13%
27%
Chief Executive Of?cer
Chief Financial Of?cer
GM
GM - C&RM
SVP regulatory services
Head of Risk Management
Chief Risk Of?cer
16%
5%
79%
1-5 years ago 6-10 years ago 11-15 years ago
When did you set up your risk department?
Managing risk in uncertain times | 11
Select the level of the Board of Directors’
oversight and engagement in ERM at
your institution.
47% of the surveyed group had proactive Boards at
all levels of risk intelligence while 20% are indifferent
and not engaged in the risk function. Boards and
management are required to design a best practice
risk oversight structure – with clearly-de?ned roles,
responsibilities and accountability, as well as ways to
continuously improve this process. They should also
support the risk governance process with subject-matter
experts for in-depth analysis and solutions.
Who is primarily driving the interest in ERM
in your institution?
Boards and executive management appear to be the
prime driver of interest in ERM, while the Management
Committee and Risk Management Committee also have
signi?cant interest in ERM.
29%
29%
29%
6%
7%
Board of Directors
Management Committee
Risk Management Committee
SVP regulatory services
Holding company (to follow
group minimum standards)
47%
20%
33%
Proactive and preemptive at all levels of risk intelligence
Indifferent and not engaged
Reactive and engaged as required
12 | Managing risk in uncertain times
If considering developing ERM in your institution,
who would lead this initiative?
CEOs tend to lead ERM in IIFS (24%), followed by
Boards (15%). However, more than a third of the
surveyed group (38%) indicated that ERM was led by
‘Other’ which presumably includes professional service
?rms and consultants.
Rating and credit assessment
Has your institution received an external rating?
About two thirds (63%) of the surveyed group
reported that they hadn’t received any external rating.
It is important to emphasize here the role of external
credit analysis in light of Basel II requirements (for the
standardized approach). IIFS are required to adopt this
new set of requirements and update their internal
reviews and control systems.
Has your institution received an external rating?
Among those IIFS who received external ratings, 50%
of them received a rating from S&P and 25% of them
received a rating from Fitch.
Has your institution considered an external rating
from an Islamic Rating Agency before?
The majority (89%) of the IIFS group surveyed have not
considered an external rating from an Islamic Rating
Agency. This ?nding clearly needs to be investigated
further and it appears that there is a gap between
Islamic rating agencies and the IIFS in understanding
the importance and need for Islamic rating, its
methodologies and approach. The majority (80%) of
the institutions are not considering applying for a
credit rating in the near future.
8%
Board of Directors
Chief Executiver Of?cer
Consulting Firm
Chief Financial Of?cer
Other
38%
15%
24%
15%
Yes No
37%
63%
12%
S&P
Fitch
JCR-VIS Pakistan
Moody
50%
25%
13%
Yes No
89%
11%
Managing risk in uncertain times | 13
Enterprise Risk Management (ERM)
implementation
In the entire group surveyed, IIFS have a formal risk
management function that manages the risk activities,
In the majority of the institutions (83%), a risk
committee oversees all risks. It is also observed that in
87% of the IIFS participants, ‘management members’
form the members of the risk committee.
Are you planning the implementation of an ERM
program, or any risk management activities in
the near future?
65% of IIFS surveyed are considering the development
of an ERM program. 29% of them have not yet
considered it, while 6% of them have decided to
implement an ERM program. This ?nding is important
and clearly indicates that the IIFS are lagging behind in
the implementation of ERM. Therefore, boards and
executives are advised to develop an intelligence risk
strategy and develop appropriate action plans.
Risk scope and best practices
Does your institution implement the IFSB’s
Guiding Principles of Risk Management?
Our group’s case studies and survey show that only
59% of the IIFS have implemented the IFSB’s Risk
Management Standard. This ?nding highlights the
challenge faced by standard-setters such as the IFSB,
AAOIFI and the IIFM to ensure that standards and best
practices are followed and implemented. It is probably
true to say that national regulators such as central banks
and capital market authorities, in markets where Islamic
Finance has evolved, should play a more effective role
to ensure this.
Considering developing
Have not yet considered
Considered, decided not to proceed at this time
65%
6%
29%
Yes No
41%
59%
0% 20% 40% 60% 80% 100%
87%
27%
7%
40%
Management
members
Board members
Audit Committee
members
Sharia’a Supervisory
Board members
14 | Managing risk in uncertain times
Does your institution implement the IFSB’s
Guiding Principles on Sharia’a Governance?
In contrast, 71% of the group surveyed have
implemented the IFSB’s Guiding Principles on Sharia’a
Governance. Key causes of Sharia’a compliance risks
include non-standardized practices, diverse Sharia’a
interpretations, and the lack of enforcement of Sharia’a
laws in many jurisdictions.
Please rank the following drivers for undertaking
risk management activities.
Regulatory compliance (87%) is the prime reason
for undertaking risk management activities followed
by ‘Strategic reasons’, ‘Business continuity’, ‘Operational
performance’, ‘Standard-setter compliance’ and ‘Public
image’.
Yes No
71%
29%
Composite
score
Rank
Regulatory compliance (for
example, market regulators)
87 1
Strategic reasons (for example,
development of competitive
advantage)
78 2
Business continuity (protection
against hazards such as
economic downturn,
environmental crises, Sharia’a
compliance, etc.)
70 3
Operational performance
(ef?ciency and effectiveness of
business processes)
69 4
Standard-setter compliance (for
IFSB, AAOIFI, and IIFM)
44 5
Public image 29 6
Managing risk in uncertain times | 15
What are the primary goals regarding ERM that
you would like to realize in the future?
‘Align risk appetite and strategy’ is the primary goal
(75%) regarding ERM followed by ‘Link growth, value,
risk and return’, ‘Provide integrated responses to
multiple risks’, ‘Minimize operational surprises and
losses’, and ‘Seize opportunities’.
Please rank the following realized bene?ts
of ERM
‘Creating a risk-aware culture’ is considered the most
(68%) important bene?t of ERM followed by ‘Reducing
vulnerability to adverse events’. Surprisingly, ‘Focusing
integrated management reporting on the risks that
matter most’, was ranked least important.
What is the scope of your risk management?
(Please select all the risks covered by your
institution.)
A key risk area covered by many IIFS is compliance. The
survey reveals that 89% of the IIFS consider compliance
as an important risk to cover, followed by external
factors and ethics. Corporate responsibility is the area
least covered by risk management.
0% 20% 40% 60% 80% 100%
89%
Compliance
Sharia’a governance
79%
External factors
Reporting
79%
Ethics
Legal
79%
74%
74%
68%
68%
68%
63%
63%
58%
Strategy
Corporate governance
Corporate assets
Information technology
Finance
Planning
Product development
Corporate responsibility
Sales, marketing
and communications
Human resources
53%
47%
47%
21%
Composite
score
Rank
Creating a risk-aware culture 68 1
Reducing vulnerability to
adverse events
56 2
Enhancing risk response decisions
and mitigation plans
55 3
Identifying and managing cross-
enterprise or interdependent risks
49 4
Focusing integrated management
reporting on the risks that matter
most
42 5
Composite
score
Rank
Align risk appetite and strategy 75 1
Link growth, value, risk and
return
72 2
Provide integrated responses to
multiple risks
49 3
Minimize operational surprises
and losses
46 4
Seize opportunities 28 5
16 | Managing risk in uncertain times
What is the extent of risk management
integration in your decision-making process?
(Please indicate the degree to which risk
management is integrated into your
decision-making process in each of the
departments below.)
Most of the survey respondents either fully or partially
incorporated risk management in all the processes
listed above. However, ‘Takaful / Insurance’ and
‘Environmental health and safety’ are the two areas
where the institutions need to incorporate the risk
management process more ef?ciently.
Does your risk manager (or person responsible
for ERM activities), perform other functions
besides ERM?
In 53% of institutions the risk manager does not
perform any other functions besides ERM, while
in other organizations he performs functions
such as compliance and a few other tasks.
Are there any risk management activities
outsourced to an external party?
83% of the IIFS in the surveyed group do not
outsource any risk management activities.
0% 20% 40% 60% 80% 100%
53%
No other functions
are performed
26% Compliance
5% Internal Audit
5% Takaful
21% Other
Fraud Management 0%
Sharia’a compliance
and review audit
0%
Yes No
17%
83%
20%30% 10% 40%50%60%70%80%90%100%
Internal Audit
Asset management
Finance department
(incl. Treasury)
Strategic planning
Legal
Product
development
Sharia’a governance
and audit
Ethics and
compliance
ICT
Takaful/ Insurance
Environmental
health and saftey
72 22 6
65 29 6
61 6 33
47 33 20
53 41 6
53 35 6 6
50 38 6 6
50 38 6 6
60 28 6 6
44 12 6 38
13 13 44 30
Fully incorporated
Partially incorporated
Plan to incorporate within 12 months
No plans to incorporate
Managing risk in uncertain times | 17
Process
Do you have a clearly de?ned and documented
risk management process to execute risk
management activities?
89% of the IIFS participants have a clearly de?ned and
documented risk management process to execute risk
management activities.
How frequently are risk assessments conducted?
within your institution?
67% of the IIFS conduct risk assessment
at least once every quarter.
What kind of risk assessment methods and
methodologies do you use for risk analysis?
‘Self-assessment’ is the most popular methodology
(used by 83% of the institutions) while ‘Failure mode
and effects analysis’ is the least preferred (56% of the
institutions have no plans to incorporate this).
Currently in use
Plan to use
Plan to incorporate
in next 12 months
No plans to
incorporate
0% 20%30% 10% 40%50%60%70% 80%90%100%
82
44 13 13 30
Self-assessments
Scenario analysis
Stress-test
Key risk indicators
Industry benchmark
/ loss experience
Economic metrics
Probabilistic analysis
Third party
assessments
Failure mode and
effects analysis
65 17 18
67 16 6 11
50 19 19 13
53 24 12 11
70 12 12 6
6 6 6
38 19 6 37
13 13 55 19
Yes No
11%
89%
16%
Quarterly
Monthly
Semi-annually Ad hoc
Annually
11%
11%
11%
51%
18 | Managing risk in uncertain times
Do you use quantitative risk analysis methods
in your institution?
Two thirds of the IIFS participants use quantitative
risk analysis methods.
In which functions/areas do you apply
quantitative risk analysis?
58% of the IIFS that responded to our survey report
that they use quantitative risk analysis in the ‘Asset
management’ area while 16% of them said they use
it in Finance and Zakat/Tax.
What kind of risk measures do you use?
42% of survey respondents use Value at Risk (VaR)
followed by 37% that use Cash ?ow at risk, 32% using
NPV/IRR and 21% using Economic Value Added (EVA).
Please rank in order the following challenges
with respect to quantitative risk analysis.
‘Identifying and applying effective quantitative risk
measuring techniques’ is the top challenge (56%),
followed by ‘Implementing supporting tools for
quantitative risk measuring techniques’, ‘Identifying the
required data for your quantitative risk analysis’,
‘Effectiveness of data capturing’, and ‘Finding quali?ed
quantities modeling experts’.
Composite
score
Rank
Identifying and applying effective
quantitative risk measuring
techniques
55 1
Implementing supporting tools
for quantitative risk measuring
techniques
45 2
Identifying the required data for
your quantitative risk analysis
37 3
Effectiveness of data capturing 35 4
Finding quali?ed quantities
modeling experts
31 5
0% 20% 40% 60% 80% 100%
58%
16%
5%
11%
0%
0%
Asset management
Finance and
Zakat / Tax
ICT
Environmental health
and safety
Other
Commodity trading /
Sourcing
0% 20% 40% 60% 80% 100%
42%
37%
32%
11%
11%
21%
Value at Risk (VaR)
Cash ?ow at risk
NPV/ IRR
Economic Value
Added (EVA)
Other
RAROC
Yes No
33%
67%
Managing risk in uncertain times | 19
Which of the following ERM best practices
require improvement/attention? (Select all
that apply)
63% of respondents believe that strong commitment
from board and management is required to improve
ERM followed by improving the risk governance system,
developing the right talent and risk education program
and understanding the risk culture. The boards and
executive management of IIFS are advised to work with
an experienced ERM advisor to accelerate buy-in and
ensure knowledge transfer throughout the process.
People
Who is involved in your ERM training program?
(Please select only one answer that is most
applicable to your institution.)
Roughly half of the institutions provide ERM training
programs. In 42% of institutions all employees directly
involved in risk management activities are involved in an
ERM training program, while in 33% of institutions only
specialists perform this activity.
0% 20% 10% 30%40%50%60%70%80%90%100%
63%
58%
58%
26%
47%
53%
Strong commitment from
board and management
Improve risk
governance system
Develop the right talent and
risk education program
Understanding of
risk culture
Develop the right
processes and procedures
Build effective and robust
ERM which address your
institution’s risks
All employees directly involved in risk
management activities
All employees
Only specialists who perform speci?c
risk management activities
Don’t know (no structured
training plan)
8%
33%
17%
42%
20 | Managing risk in uncertain times
Technology
Do you have risk management software
or tool(s)?
56% of institutions have risk management software
while the remainder don’t. In addition, 62% of the
institutions built their risk management tool in-house.
Risk exposures
Which of the following activities are
performed at your institution using the risk
management tool?
Our analysis shows that the top three activities
performed are ‘Assess risks/control activities’, ‘Report
risks/control activities’ and ‘Document risks/control
activities’ respectively. In addition, ‘Asset performance
risk’ is the top risk that the institutions are facing,
followed by ‘Credit, liquidity and market risks’. ‘Ethics
risk’ ranked last among respondents.
‘Ineffective risk oversight and governance’ are the most
likely hindrance to Islamic Finance Institutions’ risk
management effectiveness followed by ‘Absence of a
clear ERM strategy’, ‘Lack of Sharia’a-compliant risk
mitigating instruments’, ‘Poor execution of ERM
strategy’, ‘Lack of skilled risk management personnel’
and ‘Irrelevance of IT systems and processes’.
Yes No
44%
56%
0% 20% 40% 60% 80% 100%
47%
42%
37%
32%
11%
21%
21%
Assess risks /
control activities
Report risks /
control activities
Document risks /
control activities
Monitor risks /
control activities
Document process
?ows / narratives
Other
Integrated performance
management (Balance
scorecard, KPI)
Managing risk in uncertain times | 21
Empowering the Risk Intelligence Enterprise
Overall Assessment of the ‘ERM Capabilities’, the
Deloitte Maturity Model:
*For illustrative purposes we have drawn a line at 54
to represent the midpoint of the maturity model.
*Note that the composite score range is from 18 to 90.
Our overall assessment of the risk maturity to the group
studied exhibits least maturity on ‘Technology’. It should
also be noted that the risk maturity on the other three
pillars is also lacking. For example, ‘Governance’, in the
20-IIFS group, tends to range in the midpoint. Similarly
in the ‘Process’ and ‘People’ capabilities, the analysis
reveals that the IIFS didn’t go beyond the range of the
midpoint. This allows for room improvement in the ERM
capabilities discussed. Thus the IIFS are required to build
their risk capabilities and competencies to ensure an
effective risk management function that addresses their
unique risks and operational models.
30 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60
Governance
Process
People
Technology
Composite Score
Overall Assessment of the ‘ERM Capabilities’,
the Deloitte Maturity Model
22 | Managing risk in uncertain times
Thought leaders’ perspective on Risk
Management
To sum up our report, Deloitte IFKC organized
‘intellectual knowledge dialogue’ with Islamic Finance
thought leaders from the two key markets of MENA and
SEA. The debate revolved around the four key areas of
importance in risk intelligence: governance, process,
people, and technology. By doing this, we aimed to
engage industry regulators, practitioners, academics
and professionals in an exchange of benchmarks, views,
and insights with the aim of hopefully bridging gaps in
industry practices and regulation. Moreover, Deloitte
IFKC supported an executive roundtable on ‘Risk
Management in Islamic Finance’, held in Manama in
December, 2011, organized by the IFSB and hosted by
the Central Bank of Bahrain, The following comments
are extracts from our ‘Intellectual knowledge dialogue’
with Islamic Finance thought leaders.
Governance
“Regulators need to promote good governance
principles (e.g corporate governance codes and IFSB
risk management principles.” Richard Ellis, Advisor,
Banking Supervision, Central Bank of Bahrain.
“Recent events, whether affecting conventional or
Islamic Finance, have revealed that there are still
de?ciencies in the management of risk. The technical
issues of the identi?cation, measurement and reporting
of risk are the subject of detailed scrutiny by the
various Risk Professionals’ Institutes and research in
?rms and universities worldwide. More worrying is the
ongoing challenges faced by several institutions to fully
adapt to the new governance requirements and
technology implications of the crisis.” Professor John
Board, Dean, Henley Business School, University of
Reading, UK
“Uni?ed laws for close-out netting, insolvency and
ownership rights are required not only for existing
transactions but will also greatly facilitate the required
innovation in Islamic hedging and liquidity
management segment of the industry.” Ijlal Alvi,
CEO, IIFM.
“One of the beauties of Sharia’a is that it allows
interpretation as situations demand. It is open for
ijtihad. However, a Takaful operator domiciled under
one jurisdiction and wanting to grow and write
business under another is highly likely to face different
interpretations of the governing Sharia’a regime
regulations. Perhaps practitioners should plead with
regulators to try and consider a form of consensus.”
Mahomed Akoob, Managing Director, Hannover
ReTakaful.
“In Islamic Finance the development of governance
framework is still relatively slow and in need of serious
attention. The regulators should obtain inputs from
industry, Sharia’a scholars and academicians in
developing a robust framework.” Daud Vicary,
President and CEO, INCEIF, Malaysia.
“The regulator should play an important role in
developing a robust governance framework with input
from the industry, Sharia’a scholars and academicians.
A robust Sharia’a governance framework is needed in
order to ensure a due process is observed in ensuring
the integrity of Sharia’a is preserved. In this regard,
lessons can be learnt from the jurisdictions which have
developed a strong Sharia’a governance framework
such the Sharia’a Governance Framework (SGF)
developed by The Central Bank of Malaysia.”
Dr. Mohamad Akram Laldin, Executive Director,
ISRA, Malaysia.
Recent events, whether affecting
conventional or Islamic Finance, have
revealed that there are still defciencies
in the management of risk
Managing risk in uncertain times | 23
“Full disclosure of corporate governance practice should
be published in annual reports of IFIs.” Sohail Jaffer,
Partner, International Business Development, FWU AG
International, Luxembourg.
“The central theme of corporate governance for an IIFS
is its basic framework which nests around the SSB and
the internal controls which support it.” Moineddin
Malim, CEO, Mashreq Al Islamic Finance Co.
“The business model of most Islamic commercial
banks is based on mobilizing funds in pro?t sharing
investment accounts (PSIA), which are governed by
the Mudaraba contract. This poses many governance
challenges to which Islamic banks should pay attention.
Whilst PSIA holders are exposed to the risk of loss of
their equity, absent misconduct and negligence, they
enjoy weak governance structure. PSIA holders have
no say in the appointment/dismissal of the bank's
management, external auditors or members of the
Sharia'a board. It is important to create awareness of
this issue.” Professor Datuk Rifaat Abdel Karim,
INCEIF, Malaysia Visiting Professor, ICMA Centre,
Henley Business School, University of Reading, UK,
Adjunct Research Professor.
“Until the beginning of the ?nancial crisis hardly anyone
was arguing that ?nancial reporting standards should
be written with the objective of ?nancial stability in
mind.” Prof. Dr. Necdet ?ENSOY, Central Bank of the
Republic of Turkey.
Process
“There are differences between the conventional
?nancial system as compared to the Islamic ?nancial
system in terms of core operational and business
processes; for example, in conventional derivative
products the risk is detached from the balance sheet
items and is traded separately while in the case of
Islamic hedging, the requirement is directly linked to
economic activity or balance sheet items and there is
no trading of risk.” Ijlal Alvi.
“Core operational and business process differences need
to be addressed by the market practitioner in
conjunction with the regulator.” Daud Vicary.
“The necessity of disciplined underwriting and risk-
commensurate pricing in the face of severe
competition among Takaful operators themselves and
with conventional insurers is a tightrope that Takaful
and retakaful operators alike are walking.” Mahomed
Akoob.
“In the realm of Islamic banking, the ?duciary
responsibility of the staff becomes paramount when
compared to their peers in conventional banking in
view of their role as Mudaribs [trustees] of the
depositors and investors.” Faiz Afzaluddin, Head of
Operational Risk, Dubai Islamic Bank.
For an effective process in risk management, Shaji
Chandrasena, Director, Financial Risk Supervision,
Monetary Authority of Singapore, believes that IIFS
should "carry out consistent independent and rigorous
valuation practices across the ?rm".
The business model of most Islamic
commercial banks is based on
mobilizing funds in proft sharing
investment accounts (PSIA), which are
governed by the Mudaraba contract
24 | Managing risk in uncertain times
People
“The industry already has a shortage of human capital
and the complexity of Islamic Finance (and associated
?nancial statements) requires more oversight and
attention.” Khalid Howladar, Senior Credit Of?cer,
Islamic Finance, Moody.
“IIFS need to implement a policy to develop, mentor
and retain talent. A consistent approach is needed to
develop ?rst-class talent in the relevant disciplines and
a meritocracy created to promote and reward such
professionals.” Sohail Jafar.
“The industry lacks practitioners who are Sharia’a savvy
and Sharia’a experts who are market savvy. This
process can only be carried out by educational
institutions like INCEIF where speci?c course modules
and programs that combine the two areas are taught.
Simultaneous training of the current workforce in the
market in such modules would be necessary for the
practitioners to understand how IF products work and
in turn communicate to the public.” Daud Vicary.
“Training of the Islamic Finance workforce in the market
would be necessary for the practitioners to understand
how Islamic Finance products work and in turn
communicate to the public.” Daud Vicary.
“Any employer looks for two aspects in recruitment:
high caliber and retention thereof. With the relative
scarcity of quali?ed Islamic Finance professionals and
the sheer competition over this limited talent pool,
operational risk needs careful monitoring.”
Mahomed Akoob.
Technology
“The hedging tools to mitigate certain risk such as
currency and rate of return mismatches as well as
enabling law reforms are the most crucial and
challenging areas in the Islamic ?nancial services
industry.” Ijlal Alvi.
“Customized risk management technology is necessary
to be in place. Genuine efforts are needed to develop
such platforms and need to come through a
combination of market practitioner, academic and
Sharia’a scholar.” Daud Vicary.
“Speci?c technological ability is important for IF as much
of the existing technology is the result of ‘tweaking’
of conventional technology. Genuine effort is needed
with the combination of effort from Sharia’a scholars,
market practitioners and academics to ensure a
genuine technological product.” Dr. Mohamad
Akram Laldin.
“In Takaful, as in conventional insurance, you need to
know exactly where you stand at all times. Investing
in real-time exposure and accumulation monitoring
systems is no longer a luxury or a value added. It is
not even a necessity. It is a condition for survival.”
Mahomed Akoob.
“A Management Information System should be based
on ‘group exposure’ for all allied industries and the
correlation impact be computed in risk modeling and
risk capital estimation.” Ahmed Adil, Global Head of
Risk Management, Arcapita Bank, Bahrain.
Training of the Islamic Finance
workforce in the market would be
necessary for the practitioners to
understand how Islamic Finance
products work and in turn
communicate to the public
Managing risk in uncertain times | 25
Conclusion
This report examines three closely-linked issues: risk
governance, regulatory pressures and accountability,
and the challenges faced by IIFS to develop effective risk
intelligence. The report shows that risk management in
Islamic Finance and conventional ?nance probably have
more in common than is sometimes suggested. The
cash-rich industry of Islamic Finance may have much
to offer to the troubled conventional ?nance industry.
However, careful consideration and risk assessment and
analysis should be observed in areas where Islamic
Finance differs in operations and practice.
The analysis in this report highlights several challenges
faced by IIFS and Islamic ?nancial regulators alike.
Global and regional jurisdictional regulatory reforms
are continuing. How this regulation will affect the
Islamic Finance industry and the role of IIFS in the
economy is yet to be seen. One thing is certain – the
traditional operations and management of Islamic
Finance will need to change. IIFS around the globe
will not only need to deal with risk management but
will also need operational effectiveness and a skilled
workforce to empower risk intelligence in Islamic
Finance and deal with managing business and ?nancial
risks at all times.
Responding to these new realities may require effective
risk governance. IIFS Boards, Sharia’a Supervisory Boards
and executives have an important role to play in
providing proactive oversight of risk management and
risk strategy. The executive risk of?cers equally play an
important role in coordinating risk management
implementation and activities between boards and SSBs
and other business supporting units in the institution.
The report shows that risk management
in Islamic Finance and conventional
finance probably have more in common
than is sometimes suggested
26 | Managing risk in uncertain times
Deloitte in the Middle East
ME Representative Office
Regional office
Gefinor Center, Block D
Clemenceau Street
P.O.Box 113-5144
Beirut, Lebanon
Phone +961 (0) 1 748 444
Fax +961 (0) 1 748 999
ME Consulting
Regional office
Arabia House
131 Phoenicia Street
P.O. Box 11-0961
Riad El-Solh, Beirut
1107 2060 Lebanon
Phone +961 (0) 1 366 844
Fax +961 (0) 1 367 738
ME Enterprise Risk Services
Regional office
Emaar Business Park
Building 1, Sheikh Zayed Road
P.O. Box 282056
Dubai, UAE
Phone +971 (0) 4 369 8999
Fax +971 (0) 4 369 8998
ME Financial
Advisory Services
Regional office
DIFC, Currency House
Building 1 - Level 5
PO Box 282056
Dubai, UAE
Phone +971 (0) 4 506 4700
Fax +971 (0) 4 327 3637
ME Tax Services
Regional office
Currency House
Building 1 - Level 5
P.O. Box 282056
Dubai, UAE
Phone +971 (0) 4 506 4700
Fax +971 (0) 4 327 3637
The Deloitte ME Islamic Finance
Knowledge Center (IFKC)
Al Zamil Tower. Government Avenue,
Manama, Kingdom of Bahrain
Phone +973 17214490 Ext 2018
Fax +973 17214550
Bahrain
Manama
Al Zamil Tower
Government Avenue
P.O. Box 421
Manama, Kingdom of Bahrain
Phone +973 (0) 17 214 490
Fax +973 (0) 17 214 550
Egypt
Cairo
95 C, Merghany Street,
Heliopolis 11341, Cairo, Egypt
Phone +20 (0) 2 2290 3278
Fax +20 (0) 2 2290 3276
Alexandria
Madinet El Sayadla
Building No 10,
Smouha, Alexandria
Phone +20 (0) 3 426 4975
Fax +20 (0) 3 426 4975
Iraq
Deloitte & Touche
Management Consulting W.L.L.
6 Royal City
Erbil, Iraq
Phone +964 (0) 770 694 6554
Jordan
Amman
Jabal Amman, 190, Zahran
Street, Amman, Jordan
P.O. Box 248
Amman 11118, Jordan
Phone +962 (0) 6 5502200
Fax +962 (0) 6 5502210
Kuwait
Kuwait City
Fahad A l-Salem Street
Salhia Complex
Kuwait City, Kuwait
P.O. Box 23049
Safat 13091, Kuwait
Phone +965 (0) 2243 8060
Fax +965 (0) 2245 2080
Ahmed Al-Jaber Street,
Dar Al-Awadi Complex,
7th Floor
P.O. Box 20174, Safat 13062
Sharq, Kuwait
Tel +965 22408844
Fax +965 22408855
Lebanon
Beirut
Arabia House,
131 Phoenicia Street
P.O. Box 11-961 Beirut
Riad El-Solh, Beirut
1107 2060 Lebanon
Phone +961 (0) 1 364 700
Fax +961 (0) 1 367 087
Oman
Muscat
MBD Area
Muscat International Center
Muscat, Sultanate of Oman
P.O. Box 258, Ruwi
Postal Code 112
Sultanate of Oman
Phone +968 (0) 2481 7775
Fax +968 (0) 2481 5581
Palestinian Territories
Ramallah
Al Mashreq, Insurance Building
P.O. Box 447
Ramallah, Palestinian
Controlled Territories
Phone +970 (0) 2 295 4714
Fax +970 (0) 2 298 4703
Qatar
Doha
Al Ahli Bank Building
Sheikh Suhaim Bin Hamad Street
P.O. Box 431, Doha, Qatar
Phone +974 (0) 4434 1112
Fax +974 (0) 4442 2131
Saudi Arabia
Deloitte & Touche
BakrAbulkhair & Co.
Riyadh
Al-Salam Building,
Prince Turki Bin Abdullah
Al-Saud Street
Sulaimania Area
P.O. Box 213, Riyadh 11411
Phone +966 1 2828400
Fax +966 1 2828428
Al Khobar
ABT Building, Al Khobar
Saudi Arabia
P.O. Box 182
Dammam 31411, Saudi Arabia
Phone +966 (0) 3 887 3937
Fax +966 (0) 3 887 3931
Jeddah
Saudi Business Center
Madinah Road
P.O. Box 442
Jeddah, 21411, Saudi Arabia
Phone +966 (0) 2 657 2725
Fax +966 (0) 2 657 2722
Syria
Damascus
9 Fardos Street
P.O. Box 12487
Damascus, Syria
Phone +963 (0) 11 221 5990
Fax +963 (0) 11 222 1878
Rawda
38 Rawda Street
P.O. Box 12487
Damascus, Syria
Phone +963 (0) 11 331 1212
Fax +963 (0) 11 332 2304
United Arab Emirates
Abu Dhabi
11th Floor
Al Sila Tower
Sowwah Square
P.O. Box 990 Abu Dhabi,
United Arab Emirates
Phone +971 2 4082424
Fax +971 2 4082525
Dubai
1001 City Tower 2
Sheikh Zayed Road
P.O. Box 4254
Dubai, UAE
Phone +971 (0) 4 331 3211
Fax +971 (0) 4 331 4178
Fujairah
Al-Fujairah
Insurance Co. Building
P.O. Box 462
Fujairah, UAE
Phone +971 (0) 9 222 2320
Fax +971 (0) 9 222 5202
Ras Al-Khaimah
Ras Al-Khaimah, Insurance
Building, Al-Nakheel,
Ras Al-Khaimah UAE
P.O. Box 435
Ras Al-Khaimah, UAE
Phone +971 (0) 7 227 8892
Fax +971 (0) 6 574 1053
Sharjah
Corniche Plaza 2,
Al Buhairah Corniche
P.O. Box 5470
Sharjah, UAE
Phone +971 (0) 6 574 1052
Fax +971 (0) 6 574 1053
Yemen
Sana’a
Sana’a Trade Center Eastern
Tower, Algeria Street
P.O. Box 15655
Sana’a, Yemen
Phone +967 (0) 1 448 374
Fax +967 (0) 1 448 378
For Libya and Mauritania
inquiries, please contact the
ME Representative Office.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by
guarantee, and its network of member ?rms, each of which is a legally separate and independent entity.
Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche
Tohmatsu Limited and its member ?rms.
Deloitte provides audit, tax, consulting, and ?nancial advisory services to public and private clients
spanning multiple industries. With a globally connected network of member ?rms in more than 150
countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights
they need to address their most complex business challenges. Deloitte's approximately 182,000
professionals are committed to becoming the standard of excellence.
Deloitte's professionals are uni?ed by a collaborative culture that fosters integrity, outstanding value
to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an
environment of continuous learning, challenging experiences, and enriching career opportunities.
Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust,
and making a positive impact in their communities.
About Deloitte & Touche (M.E.)
Deloitte & Touche (M.E.) is a member ?rm of Deloitte Touche Tohmatsu Limited (DTTL) and is the ?rst
Arab professional services ?rm established in the Middle East region with uninterrupted presence for
over 85 years. Deloitte is among the region’s leading professional services ?rms, providing audit, tax,
consulting, and ?nancial advisory services through 26 of?ces in 15 countries with over 2,500 partners,
directors and staff. It is a Tier 1 Tax advisor in the GCC region (International Tax Review World Tax
2010, 2011 and 2012 Rankings) and was recognized as the 2010 Best Consulting Firm of the Year
in the Complinet GCC Compliance Awards. In 2011, the ?rm received the Middle East Training and
Development Excellence Award by the Institute of Chartered Accountants in England and Wales (ICAEW).
© Deloitte & Touche (M.E.). All rights reserved. Member of Deloitte Touche Tohmatsu Limited
doc_605966957.pdf