Bank Risk Matrix Assessment

| Risk Type | Sub-Type | Risk Definition | Objectives | Controls | Tests | Risk | Likelihood | Inadequacy | Comments |
|---|---|---|---|---|---|---|---|---|---|
| Organisational | Policies & Procedures | Non-compliance with policies and procedures | Strict adherence to policies and established internal procedures | Policies and procedures include checks and controls to ensure compliance | External audit annually to carry out a review of all processes and confirm that checks and controls are being adhered to. | Low | L | Inadequate Test | These fall under normal internal and external audit processes. Provided those processes are carried out correctly, additional effort would not be required. However, there should also be some internal compliance checks, and the Bank will need to agree with the external auditors that they will be testing these procedures. |
| Resourcing | Staffing | Insufficient staff with appropriate skills and knowledge available in the right place at the right time | Ensure sufficient coverage with suitably qualified and trained staff. Staff performance to be monitored and training courses made available. | Only suitably trained and qualified staff to perform roles. All staff to undergo ongoing training, professional education and annual performance appraisal. | HR annually to carry out a review that staff involved in this business have the appropriate training. | Low | M | Inadequate Test | HR should have training plans as well as key requirements upon hiring people. Existing staff need to receive and maintain training certificates, if any. It should also be noted that this procedure only covers training post-deals. |
| Financial | Transactions | Transaction processing - unauthorised, incorrect, duplicate, untimely execution of instructions | Avoid errors, omissions, and ultimately losses by the bank. | Policies and procedures in place including approval and checking processes, authorised signatures and cut-off times. Any errors and losses are fully investigated and if necessary the procedures updated. | Being complied with including the new objective test. | Medium | M | Inadequate Test | The test proposed by the Bank is not made clear and does not propose how it will fulfil the effectiveness requirement of the control. |
| Financial | Capital | Insufficient capital to ensure no breach takes place of the Bank's prescribed risk asset ratio | To keep sufficient capital for the level of business activity desired to be performed in Guernsey. | A good margin of authorised but not issued capital in place. See ICAAP document. | Substantial profits are also added to the Capital base each year or earlier if necessary. | Medium | M | Adequate | The capital requirements for the bank are managed in its usual business and are not specific to the Sharia products being offered. |
| Operational | | The use of a Value Rights Contract to a party undisclosed to Guernsey | To provide the client with a receipt for his funds and a promise to pay at maturity. | The VRC will be held by the Bank account holding office, who will give a certificate to the Bank stating they hold CDD on the client. The account holding office will have robust CDD policies and procedures in place. | Part of annual Internal Audit of the Bank account holding office. | Low | L | Adequate | The Bank should not be entering into transactions with any parties undisclosed to them and should be using a risk-based approach to ensure that a certificate from their HQ is satisfactory to fulfil CDD requirements. |
| Operational | Transactions | Client instructs the Bank to buy precious metal but, before the Murabaha is completed, decides to keep the precious metal. | To secure that all parts of the transaction are committed to in advance of the start of the process | Client instructions for all parts of the transaction are held in advance. If the precious metal is not delivered, then the investment in the Murabaha product is cancelled. | The bank account holding office will ensure that documentation in advance for all parts of the transaction is held before the process begins. | Low | L | Adequate | Investments are only made after delivery of the precious metals, therefore there is little financial risk to the bank if the precious metal is kept by the customer. |
| Operational | | Bank through other office instructs Financial Engineering company to purchase a hedge in the case of a Maraya | To ensure that the Bank is hedged to guarantee the value at maturity | Internal Audit to periodically review records to ensure compliance | To be covered under an SLA with Bank HQ. | Medium | M | Inadequate Test | The SLA with the bank HQ is not provided. It should list the investments available for hedging and ensure that they are Sharia compliant. |
| Operational | Policies & Procedures | Procedures manual out of date with information/procedures/processing | To give best practice in accordance with established procedures | Bank to review all procedures manuals regularly | Bank will ensure that policy and procedures are being followed. The Internal Audit team are to carry out a review periodically. | Low | M | Adequate | It will be necessary for members of the internal audit team to go through training to be familiar with Sharia principles. |
| Operational | Marketing | Mis-selling financial products causing a loss or threat of legal action | To sell Sharia compliant financial products to expert clients | All Bank offices to ensure that clients are correctly classified as 'Expert' | To be covered under an SLA with Bank HQ. | Medium | M | Inadequate Test | The SLA with the bank HQ is not provided. As well as correctly identifying 'expert' clients, investment policies need to be clearly defined in the product brochures. |
| Legal | Sharia Compliance | Product is not Sharia compliant or becomes non-compliant. An action can be brought against the bank if either happens. | To ensure that the client receives a Sharia compliant product throughout its life | Sharia Committee is in place to approve all transactions | To be covered under an SLA with Bank HQ. | Medium | M | Inadequate Control | The SLA with the bank HQ is not provided. - The approval by the Bank's Sharia committee does not guarantee that the transaction will be compliant. There are differing schools of thought on what constitutes a Sharia compliant investment, and therefore products/investments are subject to constant debate with other worldwide Sharia 'authorities'. Certain products, however, have reached a consensus and constitute a less risky approach to Sharia investments. - The wording of the control activity suggests that the Sharia committee would be available to approve ALL transactions. What would be the process to guarantee the feasibility of this? (re: committee members hold other positions and activities) |
| Legal | Compliance | Failure to keep records of instructions, decisions and actions taken | Document instructions, decisions and actions | Bank to ensure that a formal filing and archiving system is in place | Bank Internal Audit to review a random sample of product files to ensure this is being complied with. | Low | L | Adequate | A programme should be agreed with the IAS team to clarify what this test means in practice. |
| Regulatory | Policies & Procedures | Failure to comply with any bank policy. Failure to comply with any relevant legislation and regulatory requirement | To ensure that services are promoted and performed in accordance with regulations, policies and legislation | Bank to ensure strict observance of policy and procedures. On-going training in new legislation/policy | Bank Internal Audit are to carry out a review periodically to ensure that policy and procedures are being followed. | Medium | M | Inadequate Control/Test | 1 - The control is not detailed enough and does not describe the steps / activities that the bank is proposing to take to mitigate the risk. 2 - The IAS team should be trained or knowledgeable in Sharia products and processes. |
| Reputational | Competition | Failure to deliver appropriate standards of service | To be a leading specialist provider of Sharia compliant products | Bank to undertake: annual appraisal of staff members, continued staff training, monitoring/analysis of client complaints, errors and losses, recourse to disciplinary action for underperforming staff | To be performed by the Bank. | Low | L | Adequate | |
| MIS | | Incomplete/incorrect/out of date management and product information | To ensure the correct product is available at all times | Bank CI to ensure that pricing information is updated as necessary. Computer generated reports analysed for accuracy on a regular basis and updated as required. Rates updated automatically as a feed, carried out in Basel in an overnight process. Periodic reviews of interest margins and financial products for profitability/relevance. | To be performed by Bank Internal Audit and External Auditors. Various cross checks have been built into the process to verify correctness of reports (dual process) with trend reporting. | Medium | M | Inadequate Test | The test does not verify that the application has automated controls to prevent potentially non-compliant transactions from being processed. Adapting 'western' systems to Islamic banking principles is risky since it does not guarantee that Sharia law compliance is carried from A - Z in the process. A programme should be agreed with the IAS team to clarify what this test means in practice. This test also suggests that external auditors would bear some of the responsibility for the result of the testing. This would need to be agreed with the auditors. |
| MIS | | Incorrect calculation of balances held on books | To ensure the database is reliable as a management tool | The Bank's accountant receives daily reports detailing account balances which are checked for anomalies | To be performed by Bank Internal Audit and External Auditors. Various cross checks have been built into the process to verify correctness of reports (dual process) with trend reporting. | Medium | M | Adequate | A programme should be agreed with the IAS team to clarify what this test means in practice. This test also suggests that external auditors would bear some of the responsibility for the result of the testing. This would need to be agreed with the auditors. |
| Disruption | Business Continuity | Inability to continue business due to loss or unavailability of key resources and facilities | Continuity of business during a crisis | Bank to have in place a tried and tested BCP | Bank to update plans and test annually | Low | L | Adequate | |
| Confidentiality | | Unauthorised access to or disclosure of bank and client information | To maintain total client confidentiality | Bank to ensure system-held data is subject to password access according to seniority and job requirements. Security-controlled access to the building and restricted access to security areas. Staff are required to sign a secrecy declaration. Shredding of all confidential paperwork on a regular basis. | Periodical audit by Bank Internal Audit. | Medium | H | Inadequate Control | The Sharia committee should also be required to sign a secrecy declaration, especially as they sit on the Sharia committees of a number of different banks offering Islamic financial products. |
| Outsourcing | | Appointed service providers not providing service to the satisfaction of the Bank - specific to the Financial Engineering and Islamic Finance Departments | Dependency of knowledge and skills. Ability to resolve disputes between parties. | Easy to switch to a new outsourcer. Established SLA between parties. Outsourcers to be respected and well established providers of services. | SLA reviewed annually. Meeting of parties held at least annually. | Low | M | Inadequate Control | There are insufficient details on exactly what functions will be outsourced, as well as on the content of the SLAs. Outsourcing firms may also need to be familiar with Sharia products. |
Gap Assessment
Suggestions Assessment

| Risk Type | Sub-Type | Risk Definition | Objectives | Controls | Tests | Risk Likelihood | Inadequacy | Comments |
|---|---|---|---|---|---|---|---|---|
| Organisational | Sharia Compliance | Failure to keep Sharia funds sufficiently segregated from regular banking activities | To ensure Sharia compliance for murabaha and muraya products | Keep separate accounts and departments for Sharia products | The Bank internal audit to review compliance with this requirement regularly | M | Addition/Gap | Additional risks should be identified on the ability to segregate the Sharia funds from regular banking activities. |
| Organisational | Policies and Procedures | Failure to comply with AML legislation | To ensure that AML procedures are complied with and that staff are fully trained | On-going training in new legislation/policy | Keep training records for all staff, to be reviewed periodically by the Bank Internal Audit | M | Addition/Gap | Due to the nature of the product on offer, there is a probability that clients may come from higher risk backgrounds/jurisdictions. As such, greater focus needs to be placed on AML/CFT procedures. |
| Resourcing | Staffing | People risk - arising from either negligence or fraud | To avoid losses borne out of either fraud or negligence | All staff to undergo annual training on the risks and costs of fraud and negligence. Records should be kept of when training was attended by which staff. | Internal Audit to check periodically that staff have completed the training by checking the records kept. | L | Addition/Gap | Fraud risk should already have been considered by the Bank - another key risk will be negligence due to unfamiliarity with the new products, or making non-Sharia compliant investments. As such, procedures would be needed to ensure compliance. |
| Financial | Investments | Making investments that are not considered Halal by the Sharia committee. | To ensure that all investments made are Halal. | Have written policies and procedures in place to vet all investments before transactions are entered into. | Internal and external auditors should be able to see evidence of the procedures being followed, such as checklists and sign-offs. | M | Addition/Gap | There are a large number of requirements for an investment to be Halal (legal in terms of Sharia law), including a debt to equity ratio of less than 33%. Other restrictions are avoiding investments involved in gambling, pornography, arms dealing and other immoral activities. |
| Financial | Investments | Displaced commercial risk - the risk of having to pay out of equity when profits from investments are lower than expected | To ensure that there are sufficient funds in place to cover maturing deposits made by customers. | Set aside reserves out of profits to cover any necessary payments in case of future bad performance | | M | Addition/Gap | As the payout to the customer is a fixed amount, there is potential for greater losses to the Bank if bad investments are made, because this risk is not borne by the customer. |
| Financial | Investments | The possibility of losing money on market exposures / trading positions | To ensure that investments are sufficiently hedged/diversified | Limits on the size of trading positions taken | | M | Addition/Gap | As the payout to the customer is a fixed amount, there is potential for greater losses to the Bank if bad investments are made, because this risk is not borne by the customer. |
| Operational | Transparency | | | All investment techniques and policies should be fully explained and disclosed in the prospectus/promotional material. | A review of all promotional material should be performed and validated by the compliance/legal/TBD by the Bank management. | L | Addition/Gap | Additional control activities should be added to complete the framework regarding this risk. |
| Legal | Sharia Compliance | The precious metals to be bought are not sufficiently segregated by the seller and therefore cannot be identified. | To ensure that the rules of a Murabaha transaction are abided by and therefore it is Sharia compliant - if not separated then the transactions are void under Sharia law | Ensure that ownership of the precious metals is actually transferred to the Bank before being sold back to the supplier/market. Have a checklist to say that ownership has been received before selling on. | External/Internal audit to review these procedures periodically. | L | Addition/Gap | A Murabaha transaction requires actual transfer of ownership. As the precious metal is being sold back to the supplier, a question arises on the physical location of the inventory and on the true transfer of ownership. Additional information would be required on either the process or the control that the Bank offers to apply to verify that transfer has indeed occurred. |