• HC-8.1 Risk Management Function

    • HC-8.1.1

      Islamic bank licensees must have an effective and independent risk management function commensurate with the bank’s size, complexity and risk profile, under the direction of a chief risk officer (CRO) or equivalent, with sufficient stature, independence and skilled resources.

      Added: April 2023

    • HC-8.1.2

      Branches of foreign bank licensees have the choice of having an in-house risk management function in Bahrain or, subject to the CBB’s approval, outsourcing such role to their regional or head office.

      Added: April 2023

    • HC-8.1.3

      The risk management function must:

      (a) Be sufficiently independent of the business units, thus ensuring that it is not involved in revenue generation;
      (b) Be responsible for overseeing risk-taking activities across the licensee and must have authority within the organisation to do so;
      (c) Have procedures in place to identify and assess the possible increased reputational risk to the licensee if it offers products or carries out activities outside Bahrain;
      (d) Have access to all business lines that have the potential to generate risk to the licensee as well as to relevant risk-bearing subsidiaries, associated companies and overseas branches;
      (e) Challenge business units effectively regarding all aspects of risk arising from the licensee’s activities; and
      (f) Have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines, and are subject to regular training.
      Added: April 2023

    • HC-8.1.4

      Key activities of the risk management function must include:

      (a) Implementing an enterprise-wide risk governance framework that includes appropriate policies, procedures and limits;
      (b) Identifying material individual, aggregate and emerging risks, including risks arising from potential mergers and acquisitions and hard-to-quantify risks, such as reputational risk;
      (c) Regularly and on an ad-hoc basis, evaluating the risks faced by the licensee and its overall risk profile. The risk assessment process must include ongoing analysis of existing risks as well as the identification of new or emerging risks. The results of such assessments must be reported to both the Risk Committee and senior management;
      (d) Ongoing monitoring of the risk-taking activities and risk exposures in line with the Board-approved risk policies and appetite;
      (e) Establishing an early warning or trigger system for breaches of the licensee’s risk appetite or limits;
      (f) Using risk measurement and modelling techniques in addition to qualitative risk analysis and monitoring;
      (g) Evaluating possible ways to mitigate risk exposures;
      (h) Reporting regularly to the risk committee and senior management on risks, including but not limited to, material exemptions and risk-mitigating actions;
      (i) Regularly comparing actual performance against risk estimates (i.e. backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments; and
      (j) Challenging decisions that give rise to material risk.
      Added: April 2023

    • HC-8.1.5

      Licensees must have adequate risk management and approval processes for new or expanded products or services, lines of business and markets, outsourcing arrangements as well as for large and complex transactions. If such processes are not in place, a new product, service, business line or third-party relationship or major transaction must be delayed. There must also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. The risk management function must provide input on risks as part of such processes and on the outsourcer’s ability to manage risks and comply with legal and regulatory obligations. Such processes must entail the following:

      (a) A full assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the licensee’s risk management and internal controls to effectively manage associated risks; and
      (b) An assessment of the extent to which the licensee’s risk management, legal and regulatory compliance, information technology, internal control and business functions have adequate tools and the expertise necessary to measure and manage related risks.
      Added: April 2023

    • HC-8.1.6

      Licensees must appoint a chief risk officer (CRO) or equivalent with an overall responsibility for the licensee’s risk management function.

      Added: April 2023

    • HC-8.1.7

      The CRO must:

      (a) Be actively engaged, together with management, in monitoring performance relative to risk-taking and risk limit adherence;
      (b) Manage and participate in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services, compensation design and operation);
      (c) Be independent and have duties distinct from other executive functions. This means that he must not have managerial or financial responsibility or approval authority related to any business lines or revenue-generating functions, and there must be no “dual hatting”, i.e. other approved persons within senior management must not serve as the CRO;
      (d) Have access to any information necessary to perform his duties;
      (e) Report directly to the risk committee without impediment, and administratively to the CEO;
      (f) Have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the risk committee and senior management in a constructive dialogue on key risk issues;
      (g) Meet regularly with the non-executive directors, the board or its risk committee without executive directors and the CEO being present;
      (h) Keep the risk committee and senior management apprised of the assumptions used in and potential shortcomings of the licensee’s risk models and analyses;
      (i) Consistently remind all staff, through a regular process, under the sponsorship of the CEO, of the risk management requirements to ensure a common understanding of these requirements across the licensee; and
      (j) Ensure that:
          i. Risk reporting to the risk committee is carefully designed to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting must accurately communicate risk exposures and results of stress tests or scenario analyses and must provoke a robust discussion of, for example, the bank’s current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting must also include information about the external environment to identify market conditions and trends that may have an impact on the bank’s current or future risk profile;
          ii. Material risk-related ad-hoc information that requires immediate decisions or reactions is promptly presented to senior management and, as appropriate, the risk committee, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage; and
          iii. The licensee has accurate internal and external data to be able to identify, assess and mitigate risks.
      Added: April 2023