HC-6.6 Risk Management
Bank-wide Risk Management Framework
HC-6.6.1
Islamic bank licensees must establish a sound risk management framework commensurate with the bank's size, complexity and risk profile. A risk management framework must have the following key features:
(a) active Board and senior management oversight;
(b) independent risk management function;
(c) a Board driven sound risk management culture that is established throughout the bank;
(d) appropriate policy, procedures and limits;
(e) comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;
(f) appropriate management information systems ('MIS') at a business and bank-wide level; and
(g) comprehensive internal controls.
Added: July 2018
HC-6.6.2AA
Further to the requirement in Paragraph HC-B.1.2, branches of foreign bank licensees must demonstrate that the activities of the Bahrain branch are subject to appropriate risk management oversight commensurate with the size, complexity, nature and the risk profile of the branch.
Added: October 2019
HC-6.6.2
More specifically, the risk management framework generally encompasses the process of:
(a) developing and implementing the enterprise-wide risk governance framework, subject to the review and approval of the board, which includes the bank's risk culture, risk appetite and risk limits;
(b) identifying key risks to the bank including material individual, aggregate and emerging risks;
(c) assessing the key risks and measuring the bank's exposures to them;
(d) ongoing monitoring and assessing of the risk taking activities, decisions and risk exposures in line with the board-approved risk strategy, risk appetite, risk limits and determining the corresponding capital or liquidity needs (i.e. capital planning) on an ongoing basis;
(e) reporting to senior management, and the board or risk committee as appropriate, on all the items noted in this Paragraph including but not limited to proposing appropriate risk-mitigating actions;
(f) establishing an early warning or trigger system for breaches of the bank's risk appetite or limits; and
(g) influencing and, when necessary, challenging decisions that give rise to material risk.
Added: July 2018
HC-6.6.3
Senior management must establish a risk management process that is not limited to credit, market, rate of return risk in the banking book (RRRBB), liquidity and operational risks, but which incorporates all material risks. This includes reputational and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks, could lead to material losses.
Added: July 2018
Independent Risk Management Function and Chief Risk Officer
HC-6.6.4
All Islamic bank licensees must establish an independent Risk Management function and appoint a head of risk management function, referred to as Chief Risk Officer ('CRO') or any equivalent title. The function must be independent of the individual business lines and report directly to the Board of Directors or its Audit or Risk Committees and administratively to the Chief Executive Officer ('CEO'). The role of the CRO must be independent and distinct from other executive functions and business line responsibilities, and there must be no 'dual hatting' (i.e. the chief operating officer, CFO, chief auditor or other senior management personnel must not also serve as the CRO).
Added: July 2018
HC-6.6.5
For branches of foreign bank licensees, and where no local board of directors exists, all references in this Module to the board of directors should be interpreted as the Head Office/ Regional Office.
Added: July 2018
HC-6.6.6
[This Paragraph was deleted in October 2019].
Deleted: October 2019
Added: July 2018
HC-6.6.7
Branches of foreign bank licensees operating in Bahrain have the choice of having an in-house risk management function in Bahrain or to outsource such role to their regional or Head offices.
Amended: October 2019
Added: July 2018
HC-6.6.8
The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. The CRO should also not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions. Interaction between the CRO and the board should occur regularly and be documented adequately. Non-executive board members should have the right to meet regularly — in the absence of senior management — with the CRO.
Added: July 2018
HC-6.6.9
The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management framework. This includes the ongoing strengthening of risk management staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board and the Risk Committee, as appropriate, in its engagement with and oversight of the development of the bank's risk strategy, risk appetite statement ('RAS') and for translating the risk appetite into a risk limits structure.
Added: July 2018
HC-6.6.10
The risk management function must have access to all business lines that have the potential to generate material risk to the Islamic bank licensee as well as to relevant risk-bearing subsidiaries.
Added: July 2018
HC-6.6.11
The CRO, together with management, must be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include participating in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services development and compensation design and operation).
Added: July 2018
HC-6.6.12
The CRO must have sufficient organisational stature, authority, seniority within the organisation and necessary skills to oversee the bank's risk management activities.
Added: July 2018
HC-6.6.13
Appointment, dismissal and other changes to the CRO position must be approved by the board or its Risk/ Audit Committee. If the CRO is removed from his or her position for any reason, this must be disclosed publicly. The bank must also discuss the reasons for such removal with the CBB. The CRO's performance, compensation and budget must be reviewed and approved by the board Remuneration Committee.
Added: July 2018
Board Risk Committee
HC-6.6.14
Further to HC-1.8.1, all Bahraini Islamic bank licensees must establish a board risk committee composed of at least three independent directors. Such board risk committee must be responsible for supporting the board in its oversight and decisions related to the bank's risk management framework.
Added: July 2018
HC-6.6.15
The risk committee must meet the following requirements:
(a) must be chaired by an independent director;
(b) include a majority of members who are independent of day to day risk taking activities;
(c) include members who have experience in risk management issues and practices;
(d) develop a committee charter which among other matters include its role in the discussions of risk strategies, both at an aggregated basis and by type of risk and make recommendations to the board thereon, and on the risk appetite and risk limits;
(e) review and revise as may be required, the bank's policies from a risk management perspective, at least every three years, unless there are material changes in the relevant Rulebook requirements or to the business conducted by the bank and / or its risk profile;
(f) review and recommend the appointment or removal of Chief Risk Officer; and
(g) oversee that the bank has in place processes to promote the bank's adherence to the approved risk policies.
Added: July 2018
Role of Board and Senior Management
HC-6.6.16
The Board must define the Islamic bank licensee's risk appetite and ensure that the bank's risk management framework is aligned with the bank's strategic, capital strategies and financial plans and compensation practices and includes detailed policy that sets specific bank-wide prudential limits on the bank's activities. The bank's risk appetite must be clearly conveyed through an RAS that can be easily understood by all relevant parties, the board itself, senior management and bank employees.
Added: July 2018
HC-6.6.17
The Islamic bank licensee's RAS must:
(a) include both quantitative and qualitative considerations;
(b) establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity;
(c) define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and
(d) be communicated effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank.
Added: July 2018
HC-6.6.18
Developing and conveying the bank's risk appetite is essential to reinforcing a strong risk culture. The risk governance framework should outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification.
Added: July 2018
HC-6.6.19
The development of an effective RAS should be driven by both top-down board leadership and bottom-up management involvement. While the definition of risk appetite may be initiated by senior management, successful implementation depends upon effective interactions between the board, senior management, risk management and operating businesses, including the chief financial officer (CFO).
Added: July 2018
HC-6.6.20
The Board must ensure that:
(a) a sound risk management culture is established throughout the bank;
(b) appropriate limits are established that are consistent with the bank's risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff;
(c) policy and processes are developed for risk-taking, that are consistent with the Risk Management Strategy and the established risk appetite;
(d) uncertainties attached to risk measurement are recognised; and
(e) senior management is taking all necessary steps to monitor and control all material risks consistent with the approved strategies and risk appetite.
Added: July 2018
HC-6.6.21
The Board of Directors and senior management must possess sufficient knowledge of all major business lines to ensure that appropriate policy, controls and risk monitoring systems are implemented effectively. They must have the necessary expertise to understand the activities in which the bank is involved — such as securitisation and off-balance sheet activities — and the associated risks. The Board and senior management must remain informed, on an on-going basis, about these risks as financial markets, risk management practices and the bank's activities evolve. In addition, the Board and senior management must ensure that accountability and lines of authority are clearly delineated.
Added: July 2018
HC-6.6.22
Before embarking on new lines of business or activities, the Board and senior management must identify and review the changes in risk profile arising from these potential new activities and ensure that the infrastructure and the internal controls necessary to manage any related risks, are in place.
Added: July 2018
HC-6.6.23
Before embarking on new or complex products, senior management must identify and review the changes in risk profile arising from these potential new products and ensure that the infrastructure and internal controls necessary to manage any related risks, are in place.
Added: July 2018
HC-6.6.24
For purposes of paragraphs HC-6.6.22 and HC-6.6.23, senior management must understand the underlying assumptions regarding accounting treatment, business models, valuation and risk management practices. In addition, senior management must evaluate the potential risk exposure if those assumptions fail.
Added: July 2018
HC-6.6.25
As part of the Board members' annual training program, Islamic bank licensees must include training to enable Board members to better analyse risk and question strategic decisions, policy and transactions. Banks must also provide adequate training for all staff across the business units on risk management related matters.
Added: July 2018
Policy, Procedures, Limits and Controls
HC-6.6.26
An Islamic bank licensee's policy and procedures must provide specific guidance for the implementation of broad risk management strategies and must establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. These limits must consider the bank's role in the financial system and be defined in relation to the bank's capital, total assets, earnings or where adequate measures exist, its overall risk level.
Added: July 2018
HC-6.6.27
An Islamic bank licensee's policy, procedures and limits must:
(a) Provide for adequate and timely identification, measurement, monitoring, control and mitigation of all risks, including the risks posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and bank-wide levels;
(b) Ensure that the economic substance of a bank's risk exposures, including reputational risk and valuation uncertainty, are fully recognised and incorporated into the bank's risk management processes;
(c) Be consistent with the bank's stated goals and objectives, as well as its overall financial strength;
(d) Clearly delineate accountability and lines of authority across the bank's various business activities, and ensure there is a clear separation between business lines and the Risk Management function;
(e) Escalate and address breaches of internal position limits;
(f) Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines, to ensure that the bank is able to manage and control the activity, prior to it being initiated; and
(g) Include a schedule and process for reviewing the policy, procedures and limits, and for updating them as appropriate.
Added: July 2018
Monitoring and Reporting of Risk
HC-6.6.28
An Islamic bank licensee's MIS must provide the Board and senior management with timely and relevant information concerning their risk profile, in a clear and concise manner. This information must include all risk exposures, including those that are off-balance sheet. Senior management must understand the assumptions behind, and limitations inherent in, specific risk measures.
Added: July 2018
HC-6.6.29
Islamic bank licensees must establish appropriate risk management methodologies, tools and models and systems commensurate with the nature and complexity of their business.
Added: July 2018
HC-6.6.30
Where Islamic bank licensees use models to measure components of risk, they must establish model governance frameworks including regulatory validation and testing.
Added: July 2018
HC-6.6.31
Islamic bank licensees must have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products, countries, region, etc. and counterparties. These reports must reflect the bank's risk profile, capital and liquidity needs, and are provided on a timely basis to the bank's Board and senior management. A bank's MIS must be capable of capturing limit breaches, and there must be procedures in place to promptly report such breaches to senior management, as well as to ensure that the appropriate follow-up actions are taken.
Added: July 2018
HC-6.6.32
The CRO must consistently remind staff, through a regular process under the sponsorship of the CEO, of the risk management requirements and enhance a common understanding of these requirements across the bank in order to create a culture of risk awareness.
Added: July 2018
Independent Review
HC-6.6.33
Islamic bank licensees must ensure that their risk management frameworks are subject to a comprehensive independent review by a third-party consultant, other than their external auditors:
(a) Upon first implementation of a new or revised module on specific risk management requirements;
(b) When there are material changes to certain Rulebook requirements and the CBB requires such a review;
(c) When there are material changes to the business conducted by the bank or its risk profile and the CBB requires such a review; or
(d) In case of a major failure of controls or major adverse changes in relevant business environment and the CBB requires such a review.
Amended: January 2022
Added: July 2018
HC-6.6.34
With regards to HC-6.6.33(a), the relevant modules are the following:
(a) Module IC;
(b) Module CA;
(c) Module DS;
(d) Module CM;
(e) Module OM;
(f) Module ST;
(g) Module LM; and
(h) Module RR.
Amended: January 2022
Added: July 2018
HC-6.6.35
Resources involved in the independent third-party review must be competent and appropriately trained. The independent third party must not have been previously involved in the development, implementation and operation of the bank’s risk management framework.
Added: January 2022
HC-6.6.36
The independent review reports must be presented to the Board or a designated committee of the Board. The agreed action planning steps to remedy any material weaknesses must be documented. The independent report together with the action plan must be provided to the CBB within one month of the date of the report.
Added: January 2022