RR-3.1 Reputational Risk Management Framework
RR-3.1.1
Islamic bank licensees must adopt an approach to reputational risk management that fits the banks' profile of activities and level of sophistication, and that enables the risks affecting reputation to be consistently and comprehensively identified, assessed, controlled, monitored and reported.
July 2018
RR-3.1.2
The key elements of reputational risk management are good corporate governance; the existence of highly skilled, sincere and honest resources; effective reputational risk management processes; and adequate management of reputational events.
July 2018
Good Corporate Governance
RR-3.1.3
Good corporate governance forms the foundation of effective reputational risk management and provides a framework for:
(a) Guiding banks' conduct and actions in achieving their vision, values, goals and strategies, as well as meeting stakeholder requirements and expectations; and
(b) Ensuring robust oversight of their conduct and actions.
July 2018
RR-3.1.4
Good corporate governance can be achieved by implementing a governance infrastructure and adopting governance practices in compliance with Module HC (High-level Controls).
July 2018
RR-3.1.5
The Board must be responsible for overseeing the overall reputational risk management processes.
July 2018
RR-3.1.6
A sound governance infrastructure should have the following general attributes:
(a) Having the right people, with the right balance of skills and experience on the Board, with suitable checks in place to ensure that no single individual can influence Board decisions;
(b) Including a robust framework for succession planning to ensure that the business can continue to function effectively, even when there is a major management or staff turnover; and
(c) Enabling business and management performance to be closely overseen by independent directors.
July 2018
RR-3.1.7
Islamic bank licensees should adopt a governance approach that sets out clear governance objectives and expectations on reputational risk management, as well as the authorities and responsibilities of all parties engaged in the risk management process.
July 2018
RR-3.1.8
The following elements must be included in the banks' governance practice framework:
(a) Setting a clear and unambiguous vision, values, goals and strategies, and ensuring that they are transparent;
(b) Developing appropriate policy, codes of conduct, guidelines and procedures to support the implementation of the bank's vision, values, goals and strategies;
(c) Creating an open and empowering corporate culture to encourage responsible and ethical behaviour, and to support the achievement of business objectives and effective risk management;
(d) Building up a strong, stable management team that are honest, competent, responsible, accountable and responsive to stakeholders;
(e) Raising the risk awareness of employees and providing employees with adequate training;
(f) Setting up effective systems and controls to manage and control all material risks (including reputational risks) faced by the bank and to monitor compliance with all applicable laws, regulatory standards, best practices and internal guidelines; and
(g) Having adequate policy and procedures in place to ensure that all disclosures to stakeholders are clear, accurate, complete, relevant, consistent and timely, and guided by the principles of ethics, integrity and transparency.
July 2018
Effective Reputational Risk Management Process
RR-3.1.9
Islamic bank licensees must have adequate arrangements, strategies, policy, processes and mechanisms in place to manage reputational risk. An effective reputational risk management process must include:
(a) Policy, definition of roles, codes of conduct, guidelines and procedures which guide staff behaviour and conduct, and set boundaries for staff actions, in particular the boundaries for unacceptable practices;
(b) Consideration of the potential impact of its strategy and business plans and, more generally, of its behaviour on its reputation;
(c) Addressing reputational risk in a precautionary manner, for example by setting limits or requiring approval for allocating capital to specific countries, sectors or persons and/or whether its contingency plans address the need to deal proactively with reputational issues in the event of a crisis;
(d) Risk identification, assessment and control which provides a systematic process for identifying and assessing the risks affecting reputation, including the setting of appropriate response actions to control the risks;
(e) Risk monitoring and reporting which ensures that the progress of carrying out agreed response plans is adequately monitored, any changes to the status of the risks concerned are regularly reviewed, and early warning systems are in place for identifying emerging threats, to ensure that prompt corrective actions are taken to address those threats;
(f) Communications and disclosures which enable meaningful, transparent and timely information to be provided to stakeholders to better their understanding of the bank's performance and future prospects, and to retain their confidence; and
(g) Independent reviews and audits which give assurance that the risks affecting reputation have been adequately understood and properly controlled throughout the bank.
July 2018
Adequate Management of Reputational Events
RR-3.1.10
Reputational events may still occur despite stringent risk control measures. As such, banks must develop a systematic and comprehensive approach for managing reputational events. This will allow bank management to be prepared to take proper measures to restore the institution's reputation and minimize any damage caused. The effectiveness of this approach would help reduce the chance of having to deal with a full-blown crisis.
July 2018
RR-3.1.11
The Islamic bank licensee's approach to manage reputational events must include:
(a) Crisis management—adoption of the key elements of effective crisis management, which includes a crisis management manual, crisis management structure, invocation of crisis management, crisis management process, internal and external communications, and pre-planning for crisis management;
(b) Adoption of an embedded risk mitigation approach that refers to shaping products, business transactions, special investments, outsourcing arrangements, new product process, restructurings etc., which will assist in mitigating some of the potential concerns of key stakeholders by design;
(c) Post-event reviews—the Board and senior management must conduct a post-event review to identify any lessons learnt, or problems and weaknesses revealed, from the event in order to take appropriate actions to improve the bank's approach for managing reputational risk; and
(d) Early warning systems—banks' implementation of early warning systems will enable them to plan actions in advance for addressing potential threats that are likely to develop into reputational events. Early recognition of impending reputational problems also means that valuable time has been won to facilitate pre-planning for future action.
July 2018
RR-3.1.12
The early warning systems must also involve developing and monitoring:
(a) Performance indicators and other indicators reflecting stakeholder confidence, which can provide an estimate of the bank's reputation and keep track of the progress in managing associated risks; and
(b) Early warning indicators (e.g. a sudden increase in customer complaints, breaches of internal controls, operational errors, system outages, fraudulent incidents and any significant deterioration in other performance indicators) and other triggers or thresholds for management actions, or provide signals to invoke response or contingency plans.
July 2018