Building Philosophy and Organizational Culture
The process of risk management should begin by building organizational culture, instilling philosophy, and integrating an institution's vision and mission into the existing system. Not only is it necessary to build physical risk management systems (e.g., socializing the jargon, the information system technology, standard operating procedures, reward and punishment systems, etc.), but also it is more important to build an awareness and culture of risk management. Each employee in an Islamic bank must be aware of and understand that risk is always with them, all the time. They need to be aware that no matter how small the risk they are exposed to, that risk is a liable threat not only to them, but also to the banks where they work. This could extend to the disturbance of daily operations, the losses experienced by a bank's business, and even to the extent of threatening the bank's continued operations.
Building Organizational Structure
Because risk management is a continuous management process, its application should be supported by a strong and effective organizational structure. An organizational structure supportive of the application of risk management does not merely form a risk management division or department. More than that, the risk management process should be arranged in a way that combines both top-down and bottom-up approaches. The responsibility and decision making related to risk-management should be formulated at every managerial level. The top-down and bottom-up approaches to the risk management of Islamic banks are done simultaneously and concurrently, as shown in Figure 2.2.
Figure 2.2 Top-Down and Bottom-Up Approaches
In a top-down approach, the top management formulates the guidelines, policy, and strategy related to risk management. Included in this are risk limit, risk mitigation, risk-return profile, and the like. These formulations are then socialized comprehensively, from the highest echelons of top management to the lowest level of the Islamic bank's structural position. The bottom-up approach, on the other hand, is done as the Islamic bank runs its daily operations in a routine and contiguous manner. In transactions done by officers in various branches of the Islamic bank, spread throughout all regions, the first part of risk exists. Risk began with the existence of the transaction itself, as the risk-return profile for each transaction must be able to be accurately estimated. The types of transactions entered by the officers are of course different from one unit (departments or division) to the next.
The simplest process of risk management usually consists of three stages: the guideline-determination process, the decision-making process and the monitoring process. In the guideline-determination process, certain guides and standards of risk management like the determination of risk limit, the delegation of tasks related to risk management, operational standards, return benchmark, etc., is determined by top management. The guidelines that have been formed are then socialized to all components of various levels in the Islamic bank. After that, the decision-making process can be handled by various components in the Islamic bank's structure. Many decisions that are directly related to risk are decisions that are related to banking transactions. Finally, all risks that emerge from various financial transactions must always be monitored and supervised to ensure that information related to the risk exposure of the Islamic bank is always up-to-date. The monitoring process can function as an early warning system. If there is a transaction whose risk contribution can drastically increase the risk exposure of the Islamic bank, then a good monitoring process should be able to detect this as it happens, enabling timely prevention or mitigation.
Preparing an Adequate Database System
The purpose of a continuous risk management process is to be well prepared to face the challenges of the evolving present. This is extremely reliant on the readiness of the database system; the adequacy of the information technology system, software, and hardware; the discipline in recording every risk-carrying event; the adequacy of reporting standards; and the construction of analysis procedure, as well as continuous and periodical evaluation.
The database system, the adequacy of the information technology system, and the discipline in recording every risk-carrying event are all-important aspects that must be the focus of the Islamic bank's attention. Without the support of all those aspects, the identification and measurement of risk will experience many obstacles. If errors do happen, but are not registered in the Islamic bank's database system, then the resulting measurement is invalid. Seen from the procurement costs, building a database and information system that are related to risk management is expensive. But the benefits received from the availability of such a risk database and information system, built according to the bank's need and specification, are much more significant compared to the cost outlay.
Organization-Based Risk Mapping
Modern risk management practice divides risk into several types. The division is very useful for Islamic banks to differentiate one type of risk from another, enabling them to more accurately identify, measure, and mitigate those risks. Other than dividing risks according to their types, Islamic banks also need to map those various risks to their sources and to the roles of various units in risk management. By mapping the risks, the Islamic bank can more easily identify, measure, and control various available risks. Figure 2.3 shows a simple risk-mapping method (only covering several types of risks) based on their sources and the responsibility of each unit in risk management.
Figure 2.3 Risk Mapping Based on Business Line and Unit Function
The source of risk can be mapped based on the line of business owned by the Islamic bank – that is, commercial bank, investment bank, and banking activity in the financial market. All transaction activity entered by a commercial bank generates credit risk, liquidity risk, and rate-of-return risk. Credit risk came from transactions channeling loans and financing done by the Islamic bank, and liquidity risk came from the Islamic bank's activity in assisting in the liquidation process of a customer's savings. All the transactions done by an investment bank also generate credit risk, liquidity risk, and rate-of-return risk, but with a degree, form, and transaction that are different from commercial banks. With mapping, the Islamic bank can more easily control its entire risk exposure. The risk management manager can easily see which line of business has contributed the most to the total risk faced by the Islamic bank; which business line has exceeded the risk limits set to them and should therefore reduce their risk exposure; and which line of business should receive special priority under certain conditions.
Measuring and Reporting Risk
After identification, risk needs to be measured consistently and presented in an easily understandable form, not just for purposes of risk mitigation by the bank, but also because it is usually required by the regulator. To ensure that a bank is not threatened by bankruptcy, the bank's capital must be ascertained to be enough in amount to weather the various risks currently faced by the bank. In evaluating whether the bank's capital is enough or not, the regulator requires that the bank calculate the potential loss that will be borne if the risk actually manifested as a real problem. Calculating risk is necessary not merely to measure the current capital adequacy ratio, but also to determine the minimum amount of additional capital that needed to be raised to fulfil it. The risk measurement model plays an important role in the entire risk management process, because from the model of risk measurement, the risk and return position of the Islamic bank can be known. Information related to risk and return is an important issue to consider in formulating the framework and guidelines of risk management applied by the Islamic bank, where they will determine every transaction done by every unit of the Islamic bank. A mistake in determining the risk measurement model will lead to a fatal consequence to the application of risk management