Islamic banks and financial institutions face number of risks, some are common to both conventional and Islamic banks and financial institutions, while others are specific to Islamic only. Among these risks, operational risk is more difficult to quantify. Being the potential risk that may arise due to inadequate or failed internal processes, people and systems, or external events, it is by its very nature general and hence difficult to monitor and measure. It has been a relatively recent focus in the context of banking and finance, and hence methods to quantify it are imperfect and in developing phase. Following Basel II and increased awareness of Basel III, Islamic Financial Services Board (IFSB) has started incorporating concerns regarding operational risks in the corporate governance standards it has been issuing since its inception in 2002.
Operational risk is defined as the risk of loss resulting from the inadequacy or failure of internal processes, related to people and systems, or from external risks [Van Greuning and Iqbal (2008), p. 174]. IFSB includes Shari’a (non-compliance) risk under the definition of operational risk. Shari’a risk is the risk that arises from an IFI’s failure to comply with the Shari’a rules and principles determined by its Shari’a Board or the relevant body in the jurisdiction in which the IFI operates. Operational risks facing IBFIs are summarized in Figure 1.
Some of the general operational risks facing Islamic banks and financial institutions are:
- Failure to open branch(es) in time (part of people risk)
- Misinformation to customers
- Theft (stationery, equipment etc.) and misuse
- Technology breakdown
- Electricity shutdown
- Bad weather
- Accidents
- Acts of terrorism
- An adverse Shari’a opinion about a product
- Withdrawal of funds
- A senior (Muslim) member of the executive management team of an Islamic bank is seen drinking alcohol on an international flight and someone has uploaded a video on YouTube with a caption: Is it Islamic? Islamic Banks’ Non-Islamic Bankers.
- Somehow, online banking system has a loophole and some online search engines have started picking up cache pages of some of the customers who view their accounts using a particular internet browser.
The operational risks may not be detected in time if effective and efficient risk monitoring, measurement and control mechanisms are not in place in an organization. They become visible only when a particular event may take place. Figure 2 summarises the causes, events and effects of operational risks facing IBFIs.
A comprehensive operational risk management framework for IBFIs (like any other business organization) must have the following essential elements:
- Identification
- Measurement
- Monitoring
- Reporting
- Control and
- Mitigation
In this section, we focus on the identification and measurement of operational risks, while other aspects will be covered in the section on regulatory treatment of operations risks.
Identification
Identification of operational risk management starts with simple questions about operations of an IBFI. In the context of technology, for example, it is important to ask the following basic questions:
- How many servers are hosting the data and IT systems?
- Is there a backup server?
- Is the backup server in the same place (building/street/city/country)?
- How many people are responsible for server management and maintenance?
- What is the frequency of system back-ups?
- Where are the backup tapes / CDs kept?
To put the importance of technology related to operational risks in context, computer failures costs for Royal Bank of Scotland were GBP100 million in 2012.
Similarly, in the context of sales, it is important for bank personnel’s to understand fully what they are selling to their customers. Advertisements on print and electronic media, one-on-one sale pitches and all other marketing and sales material must go through strict scrutiny. Telephone sale calls must be recorded and scrutinized by the senior management to identify “conversations” that may lead to potential losses. In the UK context, misspelling of Payment Protection Insurance (PPI) has already costed British banks billions of pounds (in addition to loss of reputation and loss of time) and the process continues.
Legal documentation of Islamic financial transactions is complex and in the context of Western banks offering Islamic financial services, it is likely that two sets of documentation are used – legal documents and Shari’a documents. It is imperative that all the legal documents used for Islamic financial products are vetted by competent personnel well-versed in Shari’a and law. In a lot of cases, law firms preparing documents for Islamic financial contracts adapt/amend the templates that they otherwise use for conventional financial products; this may for e.g., leave reference to “interest”, penalty etc. unchanged, which may make the contract Shari’a non-compliant.
For conventional banks involved in IBF, it is important to ensure that the Shari’a documents are executed and a proper record of the same is maintained, in addition to the legal documentation required conventionally.
There are two main approaches to quantify operational risk management:
Î Basic Indicator Approach [BIA]
Î Standardised Approach [STA]
The BIA is based on the following simple formula:
KBIA= α.GI
where
KBIA = Capital charge under BIA
α = the pre-defined scaling factor set by Basel Committee on Banking Supervision (BCBS) (typically 15%) GI = average gross income over the last three years
Gross income is used as a measure of operational risk because:
Î It is a reasonable indicator of the size of the activities;
Î It is readily available;
Î It is verifiable;
Î It is reasonably consistent and comparable across jurisdictions; and
Î It has the advantage of being counter-cyclical. The gross income is the sum of:
Î Net interest income
Î Net non-interest income
Î Net trading income
Î Other income
For Islamic banks, the gross income can be calculated as the sum of:
Î Net income from service-based activities
Î Net trading income from the murabaha, salam, and ijara based transactions
Î Other income may include investments in Shari’a-compliant securities, including sukuk, and mudaraba and musharaka based investments
The STA is a more detailed approach that classifies bank’s activities into eight business lines:
Î Corporate finance Î Trading and sales Î Retail banking
Î Commercial banking
Î Payment and settlements
Î Agency services Î Asset management Î Retail brokerage
The STA is based on the following modified formula:
K = Σ β G
8
STA i=1 i i
Where
KSTA = Capital charge under the SIA
Gi = Average annual level of income in the last three years
βi = Beta values for each business line
β values for different business lines are given as follows:
Î Corporate finance = β1 = 0.18 Î Trading and sales = β2 = 0.18 Î Retail banking = β3 = 0.12
Î Commercial banking = β4 = 0.15
Î Payment and settlements = β5 = 0.18
Î Agency services = β6 = 0.15 Î Asset management = β7 = 0.12 Î Retail brokerage = β8 = 0.12
Given the complexity of Islamic banking transactions, the probability of incidence of operational risk is higher than what may otherwise be observed in conventional banking. Further operational risks different in nature and magnitude in various Islamic financial contracts (see Figure 3). A typical murabaha transaction must exemplify this Figure 4 presents various steps involved in a murabaha-based financing, namely;
- Customer’s order;
- Bank’s purchase;
- Bank’s sale; and
- Payment by the customer.
These four steps involve all types of risks a bank may face in their day-to-day operations, i.e., operational risk, market risk, credit risk and reputational risk. In case of murabaha, inventory risk, Shari’a risk and some aspects of default risk are unique to Islamic financial transactions.
An example of operational risk between stage 1 and 2 will be committing mistake in recording an order. For example, if the customer has ordered a red color car, and if the order-taking employee recorded it white colored by mistake, this is expected to delay the sale and subsequent delivery of the car to the customer. This type of mistakes are expected if the IBFI employs manual methods rather than automating the whole process, and integrating its system with that of the vendor.
Inventory risk between stage 2 and 3 can very well be an outcome of a mistake made in stage 1 or 2. If so, then it should be covered; otherwise it could very well be due to default on part of the customer for some similar reasons.
Operational risk between stage 2 and 3 could be substantial if the IBFI’s personnel are not directly involved in the purchase of the item to be sold later on a murabaha basis to the customer. In one particular case, a UAE- based Islamic bank was involved in the purchase of a used car and its subsequent sale to the customer on a murabaha basis. Subsequently, the car was found to be stolen and the local police returned it to the original owner. The customer demanded the bank to return all the amount he had already paid to the bank. The bank, however, wanted the customer to pay the remainder of the price. After internal discussion and feedback from the Shari’a board, the bank had to return the amount received from the customer, because in that case the bank personnel failed to carry out due diligence on the item to be purchased, and the bank ended up buying a stolen car. This is certainly a real example of operational risk in case of murabaha.
There could be various other instances of operational risk in murabaha. In international trade financing, care must be taken to open an LC (letter of credit), as release of funds on the free on board (FOB) shipment port and FOB destination port may have substantially different risk implications.
Treatment of default in muarabaha transactions may give rise to the risk specific to IBF (see Box 9 in Chapter 8 for more examples of the risks specific to IBF), and this is a focus of the next section.
Treatment of Default
IBF has a special treatment of default. In the classical fiqh, there is no room for a default penalty; however in the contemporary practice of IBF, it is allowed to impose a default penalty provided that the creditor does not benefit from it, directly or indirectly. Given this provision, IBFIs impose default penalty and give away the amount to an independent charity (net of any administrative costs).
As default penalty is a sensitive issue, it is important to exercise care when calculating it. There is no doubt that the customers of an IBFI will exhibit moral hazard problem by way of default, in the absence of a default penalty. Nevertheless, it is equally important to use an amount of penalty that is not exorbitantly higher as compared with the default penalty conventional banks and financial institutions impose in the market.
As mentioned above, default penalty is not recognized in the classical Islamic law; so there is nothing Islamic about imposing a penalty or choosing a specific amount of penalty, even if a bulk of the penalty amount is going to a charity.
Consider the example given in Figure 5. Suppose a murabaha transaction gives rise to a debt of US$110,000 that a customer has to pay in 12 months (365 days). Financing rate is assumed to be 10% (i.e., the purchase price of the item sold by the bank was US$100,000). If the customer defaults after 30 days, an IBFI would impose a penalty like a conventional bank. If the IBFI chooses the same penalty rate as its conventional counterpart, it will end up charging lot more than the conventional bank. In all likelihood the customer will not like this and in fact the public at large will perceive this to be exorbitantly high and hence, unfair.
The regulatory preference (e.g., in Malaysia) that an Islamic bank should not charge more by way of default penalty than its conventional peers is not entirely satisfactory. It makes the practice of IBF even closer to conventional finance, which indeed is already a matter of adverse reputation.
Acceleration of the contract could be a better option. Whenever a customer may default, the IBFI should have an option to accelerate the contract partially or fully.
For example, if a customer defaults on the 30th day, then IBFI should accelerate payment of part or all of the amount outstanding, without imposing any penalty. Even in this way (i.e., without imposing a penalty), the IBFI will be better off as compared to a conventional bank, which will require the customer to settle an amount of US$99,123.29 while IBFI will seek settlement of the amount outstanding of the murabaha price, i.e., US$100,958.90.
This treatment of default is cleaner and can be justified as reasonable, given that the customer is not required to pay more than what was initially agreed between the two parties. Furthermore, an IBFI will not suffer any additional loss due to default of its customers, as it will charge exactly the same amount as agreed, but possibly in a shorter period of time. This, in fact, is expected to increase profitability of the IBFI.
Regulatory Treatment of Operational Risks in IBF
IFSB has come up with a standard formula for calculating risk-weighted capital requirements (RWCR) in the wake of operational risk, which is given below:
RWCR =K/(A+B-C) ≥ 8%
Where
RWCR = Risk-weighted capital requirement K = Eligible capital
A = Total risk-weighted assets [credit + market risks]
B = Operational risks
C = Risk-weighted assets funded by Profit Sharing Investment Accounts (PSIAs)
For those regulators who would like to distinguish between restricted and unrestricted PSIAs, a slightly discretionary formula is recommended by IFSB:
RWCR=K/(A+B-(1-α).D-α.E)≥8%
Where
0 ≤ α ≤ 1
D = Risk-weighted assets funded by Unrestricted Profit Sharing Investment Accounts (UPSIAs)
E = Risk-weighted assets funded by Restricted Profit Sharing Investment Accounts (RPSIAs)
In a nutshell, the impact of the inclusion of operational risk on capital adequacy requirement (CAR) will be that the banks will be required to have more capital to fulfil the 8% minimum CAR. In addition, internal risk management of a bank may advise to keep aside 15% of the average gross income over the last three years.
Figures 6 and 7 may help in understanding the capital requirement and operational risk management for an Islamic bank.
It is vital that the operational risk is not only identified but its measurement should be precise as well. The BIA and STA are criticized for being too simplistic for its limited capability of measuring operational risk. The question arises if it is adequate to capture the incidence of operational risk through gross income only. Deeming size of an organization (as evident from its gross income) an important measure of operational risk may be similar to saying, “Eating fried shrimps lead to capital punishment.” Gross income may very well be a spurious factor in the measurement of operational risk. Other factors like number of products and investments, stability/volatility of income, number of employees, and number of clients may in fact be more relevant to quantify operational risk. Instead of relating the operational risk to the size of the organization (gross income), it is recommended to look into the management function deeply to come up with a measure of operational risk. For example, a one-man firm (an owner-managed firm) should have less incidence of operational risk as compared to a firm with multiple personnel (owners as well as managers). Hence, the complexity of the organization should be considered as a factor that may affect the operational risk. More complex organizations should be more prone to operational risk. Hence, in complex organizations, both the management and control functions should be strong to reduce incidence of operational risk. In Islamic financial institutions, there should be an additional control function around Shari’a compliance to fully manage operational risk.
A management approach to measure operational risk management may require creating a detailed operations grid, listing all the operational activities an Islamic bank is involved in. These operational activities should be comprehensive to include everything from security of premises, technology, behaviour of employees, and dealing with the customers and clients, etc. All these functions should be identified, monitored, measured and quantified objectively, and the quantified risk should be reported effectively within the bank. For example, the use of information technology must allow an Islamic bank to determine on an ongoing basis how many of its employees are late on a daily basis and by how many minutes. This information should be used to quantify the impact of the late coming on the loss of earning. Similarly, all the incidence of technology failure should be logged in instantaneously to quantify their impact on the loss of earning.
The operations grid can be used to quantify a management-based weight (we may call it gi, ranging from 0 to 1 (with 1 associated with the strongest management and control), for each and every category). These gi can then be used to calculate weighted βi for all the activities listed in the STA. Thus, if g1 is 0.75 for bank A, it will be considered a better managed and controlled bank than another bank B for which g2 is 0.56. The modified βi for the two banks are given in Table 1.
This is indeed a better approach to operational risk management than the simpler BIA and STA. It is recommended that IBFIs should adopt such sophisticated measures to quantify and control operational risk management.
The operational risk grid should be made available to the top management on a frequent basis. There should be dedicated personnel working for the risk management and operational management teams. As a further measure, it might not be a bad idea to develop an operational risk score that could be updated on a daily basis. This score could be made available throughout the organization. If the score is in red zone (below a threshold), all the employees should take additional measures to ensure that the score improves to an acceptable level.
| A ( g1 = 0.75) | B ( g2 = 0.56) | |
| Identification | Excellent | Good |
| Measurement | Very Good | Average |
| Monitoring | Excellent | Average |
| Reporting | Good | Bad |
| Mitigation | Good | Good |
| Control | Good | Good |
| β1 | 0.06 | 0.15 |
| β2 | 0.06 | 0.15 |
| β3 | 0.04 | 0.10 |
| β4 | 0.05 | 0.12 |
| β5 | 0.06 | 0.15 |
| β6 | 0.05 | 0.12 |
| β7 | 0.04 | 0.10 |
| β8 | 0.04 | 0.10 |
