• RR-3 Reputational Risk Management

    • RR-3.1 Reputational Risk Management Framework

      • RR-3.1.1

        Islamic bank licensees must adopt an approach to reputational risk management that fits the banks' profile of activities and level of sophistication, and that enables the risks affecting reputation to be consistently and comprehensively identified, assessed, controlled, monitored and reported.

        July 2018

      • RR-3.1.2

        The key elements of reputational risk management are good corporate governance; the existence of highly skilled, sincere and honest resources; effective reputational risk management processes; and adequate management of reputational events.

        July 2018

      • Good Corporate Governance

        • RR-3.1.3

          Good corporate governance forms the foundation of effective reputational risk management and provides a framework for:

          (a) Guiding banks' conduct and actions in achieving their vision, values, goals and strategies, as well as meeting stakeholder requirements and expectations; and
          (b) Ensuring robust oversight of their conduct and actions.
          July 2018

        • RR-3.1.4

          Good corporate governance can be achieved by implementing a governance infrastructure and adopting governance practices in compliance with Module HC (High-level Controls).

          July 2018

        • RR-3.1.5

          The Board must be responsible for overseeing the overall reputational risk management processes.

          July 2018

        • RR-3.1.6

          A sound governance infrastructure should have the following general attributes:

          (a) Having the right people, with the right balance of skills and experience on the Board, with suitable checks in place to ensure that no single individual can influence Board decisions;
          (b) Including a robust framework for succession planning to ensure that the business can continue to function effectively, even when there is a major management or staff turnover; and
          (c) Enabling business and management performance to be closely overseen by independent directors.
          July 2018

        • RR-3.1.7

          Islamic bank licensees should adopt a governance approach that sets out clear governance objectives and expectations on reputational risk management, as well as the authorities and responsibilities of all parties engaged in the risk management process.

          July 2018

        • RR-3.1.8

          The following elements must be included in the banks' governance practice framework:

          (a) Setting a clear and unambiguous vision, values, goals and strategies, and ensuring that they are transparent;
          (b) Developing appropriate policy, codes of conduct, guidelines and procedures to support the implementation of the bank's vision, values, goals and strategies;
          (c) Creating an open and empowering corporate culture to encourage responsible and ethical behaviour, and to support the achievement of business objectives and effective risk management;
          (d) Building up a strong, stable management team that is honest, competent, responsible, accountable and responsive to stakeholders;
          (e) Raising the risk awareness of employees and providing employees with adequate training;
          (f) Setting up effective systems and controls to manage and control all material risks (including reputational risks) faced by the bank and to monitor compliance with all applicable laws, regulatory standards, best practices and internal guidelines; and
          (g) Having adequate policy and procedures in place to ensure that all disclosures to stakeholders are clear, accurate, complete, relevant, consistent and timely, and guided by the principles of ethics, integrity and transparency.
          July 2018

      • Effective Reputational Risk Management Process

        • RR-3.1.9

          Islamic bank licensees must have adequate arrangements, strategies, policy, processes and mechanisms in place to manage reputational risk. An effective reputational risk management process must include:

          (a) Policy, definition of roles, codes of conduct, guidelines and procedures which guide staff behaviour and conduct, and set boundaries for staff actions, in particular the boundaries for unacceptable practices;
          (b) Consideration of the potential impact of its strategy and business plans and, more generally, of its behaviour on its reputation;
          (c) Addressing reputational risk in a precautionary manner, for example by setting limits or requiring approval for allocating capital to specific countries, sectors or persons and/or whether its contingency plans address the need to deal proactively with reputational issues in the event of a crisis;
          (d) Risk identification, assessment and control which provides a systematic process for identifying and assessing the risks affecting reputation, including the setting of appropriate response actions to control the risks;
          (e) Risk monitoring and reporting which ensures that the progress of carrying out agreed response plans is adequately monitored, any changes to the status of the risks concerned are regularly reviewed, and early warning systems are in place for identifying emerging threats, to ensure that prompt corrective actions are taken to address those threats;
          (f) Communications and disclosures which enable meaningful, transparent and timely information to be provided to stakeholders to better their understanding of the bank's performance and future prospects, and to retain their confidence; and
          (g) Independent reviews and audits which give assurance that the risks affecting reputation have been adequately understood and properly controlled throughout the bank.
          July 2018

      • Adequate Management of Reputational Events

        • RR-3.1.10

          Reputational events may still occur despite stringent risk control measures. As such, banks must develop a systematic and comprehensive approach for managing reputational events. This will allow bank management to be prepared to take proper measures to restore the institution's reputation and minimize any damage caused. The effectiveness of this approach would help reduce the chance of having to deal with a full-blown crisis.

          July 2018

        • RR-3.1.11

          The Islamic bank licensee's approach to manage reputational events must include:

          (a) Crisis management: adoption of the key elements of effective crisis management, which include a crisis management manual, crisis management structure, invocation of crisis management, crisis management process, internal and external communications, and pre-planning for crisis management;
          (b) Adoption of an embedded risk mitigation approach that refers to shaping products, business transactions, special investments, outsourcing arrangements, new product process, restructurings etc., which will assist in mitigating some of the potential concerns of key stakeholders by design;
          (c) Post-event reviews—the Board and senior management must conduct a post-event review to identify any lessons learnt, or problems and weaknesses revealed, from the event in order to take appropriate actions to improve the bank's approach for managing reputational risk; and
          (d) Early warning systems—banks' implementation of early warning systems will enable them to plan actions in advance for addressing potential threats that are likely to develop into reputational events. Early recognition of impending reputational problems also means that valuable time has been won to facilitate pre-planning for future action.
          July 2018

        • RR-3.1.12

          The early warning systems must also involve developing and monitoring:

          (a) Performance indicators and other indicators reflecting stakeholder confidence, which can provide an estimate of the bank's reputation and keep track of the progress in managing associated risks; and
          (b) Early warning indicators (e.g. a sudden increase in customer complaints, breaches of internal controls, operational errors, system outages, fraudulent incidents and any significant deterioration in other performance indicators) and other triggers or thresholds for management actions, or provide signals to invoke response or contingency plans.
          July 2018

    • RR-3.2 Assessment of Reputational Risk

      • RR-3.2.1

        Islamic bank licensees must conduct a regular assessment of the reputational risk to which they are exposed, leveraging their understanding of governance, business model, products and the environment in which they operate.

        July 2018

      • RR-3.2.2

        Islamic bank licensees must consider both internal and external factors or events that might give rise to reputational concerns (refer to Section RR-2.1). Banks must consider the following qualitative indicators, amongst others, in their assessment of reputational risk:

        (a) The number of sanctions from official bodies during the year;
        (b) Media campaigns and consumer-association initiatives that contribute to a deterioration in the public perception and reputation of the institution;
        (c) The number of and changes in customer complaints;
        (d) Malpractices and irregularities;
        (e) Negative events affecting the institution's peers;
        (f) Dealing with sectors that are not well perceived by the public (e.g. weapons industry, embargoed countries etc.) or people and countries on sanctions lists; and
        (g) Other 'market' indicators, for example, rating downgrades or changes in the share price throughout the year.
        July 2018

      • RR-3.2.3

        Islamic bank licensees must assess the significance of their reputational risk and how it is connected with other risks (i.e. credit, market, operational, liquidity and profit rate risks) by leveraging other risk assessments to identify any possible secondary effects in either direction (from reputation to other risks and vice versa).

        July 2018

      • Stress Testing

        • RR-3.2.4

          Islamic bank licensees must enhance their stress testing methodologies to capture the effect of reputational risk. Banks must also conduct stress testing or scenario analysis to assess any secondary effects of reputational risk (e.g. liquidity, funding costs, etc.).

          July 2018

        • RR-3.2.5

          The stress testing technique is useful for identifying events or changes that pose threats to banks, and can help develop different sets of circumstances which could potentially cause a crisis. Banks can make use of this technique to assess the likelihood of the risk materialising and the potential impact of the risk on their business and reputation under different stress scenarios (refer to Module ST on Stress Testing for guidance).

          July 2018

        • RR-3.2.6

          Islamic bank licensees should be guided by the following supplementary guidance on use of stress testing for reputational risk:

          (a) Banks employing stress testing techniques for assessing reputational risk should seek to incorporate stress scenarios for reputational risk into their institution-wide stress testing procedures and assess the impact of reputational risk on other major risks (e.g. business or liquidity risk);
          (b) In developing stress scenarios for reputational risk, banks should identify the major sources of reputational risk to which they are potentially exposed, key stakeholders that will most likely increase reputational risks in stress scenarios or an appropriate range of circumstances and events. Banks should also consider how those sources, circumstances and events may adversely affect their business prospects and financial position (including earnings, capital and liquidity), as well as generate other second round effects;
          (c) Banks may face reputational risk in other aspects, such as those arising from material weaknesses in their internal risk management processes (e.g. resulting in substantial fraudulent losses) or management's failure to respond swiftly and effectively to external threats or influences (e.g. resulting in poor strategic decisions). Banks should exercise their best judgment and apply stress scenarios and parameters that suit their own circumstances and risk profile;
          (d) Once the potential exposures arising from reputational concerns are identified, banks should estimate the amount of support (capital or liquidity) they may have to provide, as well as estimate potential loss under adverse market conditions. Banks should also assess the impact of reputational risk on other risks to which they may be exposed. This could be accomplished by including reputational risk scenarios in regular stress tests;
          (e) Banks should assess whether there is any longer term impact on their business and operations due to reputational risk (e.g. loss of market share, customer base or business revenue). Banks should also pay particular attention to the effects of reputational risk on their overall liquidity position, taking into account both possible changes in the asset side of the balance sheet and possible restrictions on funding, should the damage in reputation result in a general loss of confidence on the part of their counterparties and customers; and
          (f) Senior management should actively participate in conducting stress testing and scenario analyses for reputational risk (including the development of stress scenarios and assumptions), and review the stress testing results.
          July 2018

    • RR-3.3 Management of Step-in Risk

      Bahraini Islamic bank licensees' Policy and Procedures for Identifying and Managing Step-in Risk

      • RR-3.3.1

        Bahraini Islamic bank licensees must establish and maintain, as part of their risk management framework, policy and procedures that describe the processes used to identify entities that are unconsolidated for regulatory purposes and the associated step-in risks. The policy and procedures must:

        (a) Clearly describe the identification criteria that banks use to identify the step-in risk;
        (b) Not be prescriptive or geared towards any particular type of entity. Given the case-by-case nature of the evaluation, the guidelines are envisaged as flexible enough to capture all entities that are unconsolidated for regulatory purposes and which pose significant step-in risk;
        (c) Clearly describe the specific provisions of the laws or regulations and list the types of entity covered by those laws or regulations;
        (d) Describe the internal function responsible for identifying, monitoring, assessing, mitigating and managing the potential step-in risk;
        (e) Clearly describe the bank's own definition and criteria of 'materiality', as used to exclude immaterial entities in the bank's step-in risk assessment, and their rationale;
        (f) Document the process to obtain the necessary information to conduct the regular self-assessments;
        (g) Be reviewed regularly, and whenever there is any material change in the types of entity or in the risk profile of entities; and
        (h) Require the 'Step-in Risk Self-assessment' to be included in the internal risk management processes, subject to independent controls.
        July 2018

      • Regular Step-in Risk Identification and Assessment

        • RR-3.3.2

          Bahraini Islamic bank licensees must regularly identify all entities giving rise to step-in risk. For all these entities, they must estimate the potential impact on their liquidity and capital that step-in risk could entail. The bank must use the estimation method it believes to be most appropriate. Banks must describe the method used to estimate the financial impact of step-in risk in each case.

          July 2018

      • Step-in Risk Reporting

        • RR-3.3.3

          Bahraini Islamic bank licensees must annually report the results of their self-assessment of step-in risk to the CBB on 30th September of each year. The report must contain the following information:

          (a) Per groups of similar entities, the number and types of entity that were initially identified;
          (b) The entities must be grouped under three categories: entities deemed immaterial (for which no step-in risk assessment process is conducted); entities which are material, but for which step-in risk is insignificant; and entities which are material and for which step-in risk is significant; and
          (c) The nature of the step-in risk and the action taken by the bank to limit, mitigate or recognise this risk, must be reported for entities which are material and for which step-in risk is significant.
          July 2018