enterprise risk management: commercial banks vis-a vis

ENTERPRISE RISK MANAGEMENT: COMMERCIAL BANKS VIS-À-VIS ISLAMIC BANKING

Fauziah Hanim Tafri,

Faculty of Information Technology and Quantitative Sciences,

Universiti Teknologi Mara Malaysia, 40450 Shah Alam, Selangor, Malaysia

*Email: [email protected]

Ahamed Kameel Mydin Meera,

Kulliyyah of Economics and Management Sciences

International Islamic University Malaysia, P.O. Box 10, 50728 Kuala Lumpur, Malaysia

Mohd Azmi Omar,



Zarinah Hamid



*Email: [email protected]

* corresponding authors

mailto:[email protected]

mailto:[email protected]

ENTERPRISE RISK MANAGEMENT: COMMERCIAL BANKS VIS-À-VIS ISLAMIC BANKS

Abstract

This paper seeks to conduct a comparative study on enterprise risk management (ERM) of the

conventional banks and Islamic banks in Malaysia as well as the Islamic banks outside Malaysia. The

results show that Islamic banks have not fully adopted ERM. Collectively, the conventional and

Islamic banks face moderate level of adequacy of risk management tools. However, Islamic banks

indicate that the three most critical areas are lack of information technology (IT) professionals with

relevant expertise, IT systems to cater for each Islamic instrument and the capacity of human capital

in the highly technical areas of risk management. The findings provide an indication that more

innovations are needed for the Islamic banking in managing risk.

Keywords: Comparative management, organizational structure, organizational culture, corporate

governance, risk management, enterprise risk management.

INTRODUCTION

Enterprise risk management (ERM) emphasizes a comprehensive view of risk and risk management

which moves away from the “silo” approach of managing different risks within an organization. The

key features of the ERM or the new risk management paradigm is that it is integrated as compared to

the old paradigm whereby the risks are managed independently by each department (Barton et

al.,2002).

According to Lam1 (1999) there are seven components of ERM that an organization needs to

consider, namely corporate governance, line management, portfolio management, risk transfer, risk

analysis, data and technology resources and stakeholders management. The practice of risk

management keeps on evolving over time from the classical risk management practices which consist

of setting up risk limits while ensuring that business remains profitable to modern best practices

which are more risk sensitive through the quantification of risk (Bessis, 2002). The financial

conglomerates embrace ERM as it provides the competitive edge against those who are lagging

behind in adopting it and is considered as “the final destination for companies wanting to demonstrate

advanced capabilities” (Deloitte Touche Tohmatsu, 2004: 17). Furthermore ERM recognises not only

the downside of risk but also the upside nature of risk (Miccolis et al., 2001, COSO, 2004).

1 He is the first person to use the title “Chief Risk Officer” at GE Capital in 1993, quoted in “A Short History of

Risk Management: 1900 to 2002” which is an adaptation from Risk Management Reports, Vol. 26, No.12,

December 1999.

2

This paper is organized as follows: The next section discusses about the objectives of the

study while the following section discusses about some of the previous studies on ERM. This is

followed by the research methodology and results while the last section concludes the paper.

OBJECTIVES AND HYPOTHESES

As the concept of ERM is still evolving and the definition (COSO 2003, CAS 2003, Miccolis

et al., 2001) and implementation varies widely and has not reached its full maturity, this study

explores the status of adoption of ERM, the motivating factors, the benefits in implementing ERM

and also the level of adequacy of risk management tools and instruments. This paper seeks to conduct

a comparative study on ERM of the conventional banks and Islamic banks in Malaysia as well as the

Islamic banks outside Malaysia. As most countries practice dual banking system whereby the Islamic

banks operate hand in hand with the conventional banks, it is interesting to compare and contrast the

way both systems manage their risks. Are there any major differences between the practices of the

Islamic and conventional banks? In principle, Islamic banks are different from the conventional ones

due to the prohibition of riba’2 and the need to comply with the Shari’ah

3. As such the nature and

characteristics of risks that the Islamic banks are exposed to should be different from the conventional

banks. However, in practice, Islamic banks offer products, which are quite similar to the conventional

banks and emulate the practices of the conventional banks. With regards to the tools used in

managing risks, this study would like to see whether there are any differences and similarities in the

practice of ERM between Islamic banking and conventional banks.

Most of the big conventional banks (Deloitte Touche Tohmatsu, 2004; KPMG International,

2004) in the developed countries have adopted the ERM concept of risk management. It is expected

that most banks in Malaysia are also embracing this concept. As ERM is the latest development in

managing the risks of the banking sector, the researcher would like to know the factors (drivers) that

2 Literally, an increase or addition. Technically it denotes, in a loan transaction, any increase or advantage

obtained by the lender as a condition of the loan. In a commodity exchange it denotes any disparity in the

quantity or time of delivery. 3 Islamic canon law derived from these sources – the Qur’an (The Muslim Holy Book), the Hadith (sayings of

the Prophet Muhammad (saw), and the Sunnah (practice and traditions of the Prophet Muhammad (saw)), Ijma

(concensus), Qiyas (reasoning by analogy) and Maslaha (consideration of the public good or common need)

3

motivate the adoption of ERM by the conventional banks in Malaysia as well as Islamic banks. Thus

the relevant hypotheses are:

Hypothesis 1: There is a significant difference in the primary drivers that motivates the

implementation of ERM between the Islamic and conventional banks

Hypothesis 2: There is a significant difference in the level of extensiveness of the usage of risk

management procedures between Islamic banks and conventional banks

Hypothesis 3: The level of adequacy of risk management tools and system of Islamic banks is

significantly different from the conventional banks.

PREVIOUS STUDIES

There are not many studies done on ERM for the banking sector. Two of the relevant studies mention

here are the ones conducted by Deloitte Touche Tohmatsu (2004) and Miccolis et al. (2001). Deloitte

Touche Tohmatsu’s global risk management survey on financial institutions conducted in 2004

received responses from 162 organizations across the globe with assets of nearly USD19 trillion. The

survey covers issues of risk governance, regulatory and economic capital, ERM, credit risk

management, market risk and ALM, operational risk management, risk systems and technology.

Miccolis et al. (2001) conducted a survey on ERM to gauge the current state of ERM across

various industries and their achievements. It was found that quite a number of organizations

especially the larger ones are undertaking ERM. Some of these organizations have successfully

integrated ERM with other processes while some have successfully developed new tools and metrics.

However, ERM is still in its early stage as none of them have acknowledged having completed the

process.

Miccolis et al., (2001) also conducted a multi industry global benchmark survey in 2000 to

better understand the issues that surround ERM. The survey indicated that some of the success factors

and drivers are strong support from the senior management and also a dedicated group of cross-

functional staff to drive ERM implementation and continue to push it in its operational stage. They

believe that ERM should be introduced as an enhancement to the existing process and not as a new

stand alone process.

4

At the present moment, there is not much literature on the risk management practices of

Islamic banking especially on empirical works. The current study looks at the comparison between

the conventional banks, conventional banks with Islamic banking windows and full fledged Islamic

banks, in the implementation of ERM as no comparative studies have been previously conducted in

this area. Therefore this study hopes to enhance and enrich the literature in this area.

METHODOLOGY AND DATA

Survey method is used in this study whereby the samples are the commercial and Islamic banks in

Malaysia and Islamic banks outside Malaysia. This study on ERM is part of the researcher’s major

study on risk management (Fauziah Hanim, 2008). Thus the questions (see appendix II for the

questions) on ERM are part of the main survey questionnaire. The questions on ERM were aimed at

extracting information about the banks’ implementation of ERM.

Parametric tests were employed whereby, specifically the one-sample t-test was conducted on

all the banks surveyed while the ANOVA test was used for the comparison between the banks

groups. Fisher’s LSD test was also conducted in order to identify the pair that contributed to the

difference.

In order to study the level of strength of the primary drivers to the bank’s ERM activities,

level of adequacy of the risk management tools and systems regarding the risk management practices,

Three ranges of composite scores with equal class interval were applied. The scale scores were

developed by subtracting the minimum score (of the responses on a five-point Likert scale ranging

from 1 to 5) from the maximum score and dividing it by three.

FINDINGS

Forty-five survey questionnaires were sent out, of which 25 were distributed to the risk managers of

local commercial banks and Islamic banks in Malaysia whilst 20 were sent out to the risk managers of

Islamic banks outside Malaysia. Only one questionnaire was sent out to each bank. The response rate

of 34 usable replies is 75.6%, which is very encouraging. The summary of the response is presented in

Table 1.

5

[insert table 1 here]

Questions 1 to 7 extracted information about the organizational structure of risk management of the

banks especially the organizational approach and organizational culture that they employ. In terms of

the organizational culture, all the conventional banks with Islamic banking (windows) surveyed used

the combination approach while 50% of the conventional and Islamic banks surveyed used the

centralised approach (Table 2).


However, for organizational approach, 69.7% of the banks surveyed embrace the combination of

top-down and bottom-up approach. Specifically this approach is being used by all the conventional

banks with Islamic banking (windows), 75% of the conventional banks and 57.9% of the Islamic

banks.

The current level of adoption of ERM is extracted from question 8 and the results are

tabulated in Table 3. Although ERM is still in its early stages of application most banks have

implemented some form of ERM activities. However, not many organizations have fully

implemented a full-scale ERM program. On the whole, 40% of the banks surveyed have fully

implemented the ERM framework, 26.7% have partially implemented, 23.3% do not have ERM

framework but plan to implement one, 6.7% are still investigating the framework while 3.3% do not

have and do not intend to implement the ERM framework.


In comparing between the types of banks, 62.5% of the conventional banks have fully implemented

ERM framework while for conventional banks with Islamic banking windows and Islamic banks, it is

66.7% and 25.0%, respectively. 12.5% of the conventional banks have partially implemented ERM

framework while 25% do not have ERM framework yet, however they are planning to implement it.

As for the conventional banks with Islamic banking (windows), 16.7% of them have partially

implemented the ERM framework while another 16.7% of them do not have any ERM framework yet,

but are planning to implement the framework.

In the case of Islamic banks, the percentages of implementation is lower than the

conventional, of which 40.0% have a partial ERM framework while 20.0% of them do not have ERM

6

framework, but they are planning to implement one. On the other hand, 10.0% of the Islamic banks

are still investigating the concept of ERM while 5.0% claimed that they do not have ERM framework

and have no intention of implementing it.

As ERM is a multidimensional activity, there are various implementation approaches.

Banks can implement ERM globally and holistically across all risk factors and business units or they

can take incremental approaches by focusing on specific risks and/or specific operations and /or

specific risk management processes. Thus Question 10 identifies the banks approaches to the

implementation of ERM. Table 3 shows that 54.3% of the banks surveyed have implemented ERM

globally and in a holistic manner while 35.5% have done it on an incremental basis by business

segment, 12.9% by region and 32.3% by type of risk.

Looking at each specific type of banks, 75% of the conventional banks and 100% of the

conventional banks with Islamic banking scheme respectively have implement them on a holistic

manner. Not many of them have implemented ERM on an incremental basis. The opposite is true for

Islamic banks whereby only 29.4% have done it in on a holistic manner while 47.1% of the Islamic

banks have implemented ERM on an incremental basis by types of risk, 41.2% by business segment,

and 11.8% by region.

Question 9 elicited information about the duration of adoption of ERM framework since its

inception. This is presented in Table 4. It can be seen that, all the conventional banks have fully

implement the ERM framework whereby 60% of the conventional banks have adopted it for more

than five years, while 40% have adopted it between 3 to 4 years. On the other hand, all of the

conventional banks that have partially implemented ERM framework have been operating it for more

than five years.


As for the conventional banks with Islamic banking (windows), 50% of those that have fully

implemented ERM have been operating under this framework for more than 5 years, while 25% of

them have been operating it between 1 to 2 years and between 3 to 4 years. As for those that have

partially implemented ERM framework, they have been operating it under the framework between 3

to 4 years.

7

In the case of Islamic banks, 40% of those who have fully implemented ERM framework

have been operating under this framework between 3 to 4 years and more than 5 years respectively,

while 20% of them were operating between 1 to 2 years. On the other hand, the banks that have

partially implemented the framework, 87.5% of those have been operating between 1 to 2 years while

another 12.5% of them have been operating for about 3 to 4 years.

Many factors have motivated the banks in the adoption of ERM framework. Some of the

factors are external factors while some are internal factors. The objective of Question 11 is to seek

information about the factors that motivate ERM activity of the banks The motivating factors that

have been identified are shown in Table 5.


From the table, it can be seen that all respondents of the conventional banks agreed that the main

motivating factor in the adoption of ERM framework is the desire for unifying framework for risk

management and capital management. Other motivating factors are compliance with Basel II

guidelines (87.5%), asset allocation (75%), compliance with Central Bank’s guidelines (75%), desire

for earnings stability (62.5%), price volatility (50%) and mandate from Board of Directors (50%).

As for the conventional banks with Islamic banking windows the main factors that motivate

the banks to adopt ERM are their desire for unifying framework for risk management and capital

management with 83.3% of respondents agreeing with that statement. This is followed by

competitive pressure (66.7%), desire for earnings stability (66.7%), mandate from Board of Directors

(66.7%), compliance with Basel II guidelines (66.7%), asset allocation (50%), compliance with

IFSB’s guidelines (50.0%), deregulation (33.3%), ‘price volatility’ (33.3%). Meanwhile the factors

that motivate most of the Islamic banks respondents are compliance with Basel II guidelines (94.7%),

compliance with Central Bank’s guidelines (89.5%), desire for unifying framework for risk

assessment (73.7%), compliance with IFSB’s guidelines (52.6%) and desire for unifying framework

for capital management (52.6%).

The benefits of ERM framework have been explored with the objective of indicating the

strength of the primary drivers that help to motivate the ERM activities of the banks. Question 12

deliberated on the benefits of ERM framework. In Table 6, all ERM potential benefits are significant

8

to all the three types of bank. All the banks surveyed agreed that ERM helps to align risk appetite and

strategy. Other significant potential benefits of ERM are that it helps to minimize operational

surprises and losses, helps to identify and manage cross-enterprise risks, links growth, risk and return,

enhances risk response decision, and provides integrated response to multiple tasks. The banks also

perceived that ERM helps them to seize opportunities and rationalizes their capital.


Table 7 shows the frequency of responses for the strength of the primary drivers to the bank’s

activities according to the types of bank. Conventional bank’s respondents responded that almost all

primary drivers have very strong influence towards the bank’s activities, the least being seizing

opportunities (mean 3.87).


In the case of the conventional banks with Islamic banking (windows), all the factors have means

above three indicating that these are strong drivers to the banks whereby six drivers have means above

4.00. The six primary drivers are; align risk appetite and strategy, link growth, risk and return,

enhance risk response decision, minimize operational surprises and losses, identify and manage cross-

enterprise risks and rationalize capital.

For Islamic banks, four of the primary drivers have mean scores above 3.00 while another

four have mean scores of above 4.00 indicating that these drivers have very strong influence to the

banks. The drivers that have very strong influence towards the bank’s activities are align risk appetite

and strategy, link growth, risk and return, minimize operational surprises and losses and identify and

manage cross-enterprise risks.

Table 8 represents the results of the comparison of means between types of bank. The

ANOVA test result shows that the p-value is 0.348 which is greater than 0.05. Therefore there is not

enough statistical evidence to reject the null hypothesis that there is no difference in the primary

drivers that motivates the implementation of enterprise wide risk management between the Islamic

and conventional banks. Thus the result does not support the research hypothesis 1.


9

The minimum and maximum scores of the responses are 22 and 40 respectively. By categorising the

scores into three levels of low, medium and high with each level ranging between 22-28, 29-35 and

36-42 respectively, it can be seen in Table 9 that majority of the respondents for the three types of

commercial banks considered that these benefits provide moderate drivers to the banks’ activities.


In managing risk, banks are moving towards the more advanced procedures in relation to firm

wide risk management. Information about the level of extensiveness of the usage of these risk

management procedures employed by the banks has been extracted. Question 13 identified the level

of extensiveness of the usage of risk management procedures employed by the banks. The results

tabulated in Table 10 shows that Islamic banks do not extensively used these risk management

procedures as compared to the conventional banks and also conventional banks with Islamic

windows.

[insert table 10]

The ANOVA test conducted to determine whether there is any significant difference in the level of

extensiveness of the usage of the risk management procedures employed by the banks. The result

indicated in Table 11 shows that the difference is significant at 1% level of significance. Thus there is

enough statistical evidence to reject the null hypothesis, implying that there is a significant difference

in the level of usage of risk management procedures between the conventional and Islamic banks.

Since the ANOVA result is significant, Fisher’s LSD test was conducted.


The LSD test result in Table 12 indicates that there is a significant difference in the level of usage of

the risk management procedures between the conventional bank and Islamic banks and also

significant difference in the level of usage between the conventional banks with Islamic banking

(windows) and Islamic banks. This confirms the earlier results which show that the Islamic banks

have not extensively use these advance procedures as compared to the conventional banks. For most

of the procedures listed, the Islamic banks are still in the planning stage whereby they intend to use

the procedures in the future as compared to the conventional banks which have already adopted most

of the procedures. Most of the procedures are the procedures used in managing risk at the enterprise

10

level; this indicates that collectively the Islamic banks are still in the earlier stage of the adoption of

ERM.


This section attempts to test research hypothesis 3. The information extracted about the level

of adequacy of risk management tools and systems of all the banks surveyed is tabulated in table 13.


Table 13 indicates that statements 1,2,3,4 and 8 are highly significant at 1% level of significance;

statements 9 and 10 significant at 5% level of significance and statements 7 and 11 are significant at

10% level of significance. This implies that the banks’ respondents agreed with these statements

that relate to the adequacy of risk management tools, and systems of the banks. The factors are

bank’s on going risk monitoring and periodic reporting capabilities, bank’s on going risk monitoring

and real-time reporting on changing conditions capabilities, bank’s internal communication channels

in the risk management process, bank’s external communication channels in the risk management

process, bank’s on going training of human capital in technical areas of risk management, bank’s on

going training of human capital on Islamic business ethics and work culture, and bank’s employees

understanding of the different types of bank’s risks.

From table 14, it can be seen that the entire mean of the responses for the conventional banks

ranges from 2.67 to 4.00. The conventional banks surveyed agreed that the tools and systems for their

risk management practices are adequate. As for the conventional banks with Islamic banking

(windows), the entire mean of the responses ranges from 2.83 to 4.33. The highest mean is for bank’s

on going risk monitoring and periodic reporting capabilities and bank’s internal communication

channels in the risk management processes while the lowest mean is for IT systems to cater for each

Islamic instrument.


In the case of Islamic banks, the entire mean of the responses for Islamic banks ranges from 2.75 to

3.60 indicating that the tools and systems for risk management practices are barely adequate. The

three most critical areas are the lack of IT professionals with relevant expertise in the process

11

integration and risk analytics, IT systems to cater for each Islamic instrument and also the capacity of

human capital in the highly technical areas of risk measurement.

Table 15 indicates that the risk management tools and systems regarding the risk management

practices for the three types of banks are at a moderate level of adequacy.


Furthermore, the analysis of variance (ANOVA) test conducted to evaluate whether there is

any significant difference in the agreement about the level of adequacy of risk management tools and

systems between the different types of banks showed a p-value of 0.348. Since this value is greater

than 0.05, there is not enough statistical evidence to reject the null hypothesis that the level of

adequacy of risk management tools and systems of Islamic banks is the same as the conventional

banks (refer to Table 16). Thus the result of the one-way ANOVA implies that the level of adequacy

of risk management tools and systems of Islamic bank is statistically the same as the conventional

banks.


PROBLEMS AND LIMITATION OF THE STUDY

Two main problems faced by the researcher were the limited number of respondents and the problem

of getting the banks to participate and subsequently to complete the questionnaire. The data

collection process took about six months which was from November 2006 to April 2007. The limited

number of respondents is due to the fact that the unit of analysis is the bank, meaning that only one

questionnaire is answered by each bank, thus the number is very small. In the case of Islamic banks

outside Malaysia, most of the addresses of the banks were obtained through their websites. However,

not many of the Islamic banks have their own websites. Thus the researcher had to be contented with

the limited number of banks with websites.

CONCLUSIONS

Based on the results of the survey questionnaire, it can be seen that the level of adoption of ERM by

the Islamic banks is lower than the conventional banks. In fact some of the Islamic banks have not

implemented it. In the process of implementing ERM, there is no statistical difference between the

banks with regards to the reasons and the drivers in implementing it. However, it is found that there

12

are differences in the level of adoption of those risk management procedures between the

conventional and Islamic banks. The Islamic banks have not extensively used those procedures yet as

compared to the conventional banks. Most of the Islamic banks are still in the planning stage of

adopting these procedures. A study conducted by Miccolis et al. (2001) on ERM found that the items

listed in table 17 were considered important while the most important items are to conduct firm-wide

risk identification and rank the materiality of individual risks from the firm-wide perspective as

agreed by 82% and 86% the respondents, respectively. The respondents also agreed that it is

important to use a coherent framework to guide the risk management activities. The key to the

successful implementation is a structured approach (Warrier and Chandrashekhar, 2006). As

profitability is the bottom line of any financial institutions, it is imperative for the banks to practice

effective risk management as “superior risk management practices are really good for the bottom-

line” (Bird and Skinner, 2005: 10).

The conventional as well as the Islamic banks agree that the tools and systems for risk

management practices are barely adequate. In the case of Islamic banks, the three most critical areas

are lack of IT professionals with relevant expertise in the process integration and risk analytics, IT

systems to cater for each Islamic instrument and also the capacity of human capital in the highly

technical areas of risk measurement. Since the finding shows that risk management tools for Islamic

banking are inadequate, the Islamic banks should innovate or develop more tools which are Shari’ah

compliant to cater for the needs of the Islamic banking. As the existing products such as derivatives

and credit derivatives are not Shari’ah compliance, similar products which are Shari’ah compliance

should be in the top priority list. This should be the driving factor to the Islamic banks. Innovation of

new products, requires properly trained and qualified personnel. Thus the Islamic banks should

allocate greater resources for research and development.

With regards to ERM, findings show that now most banks are still in the early stage of

implementation. Therefore in the future, it is interesting to study the impact, the costs and benefits to

the banks after many years of implementation. There are still a lot of avenues and opportunities to

explore further in this area. As a matter of fact, further studies should not be limited to the banking

industry only but should also be extended to other industries as well.

13

REFERENCES

Barton, T. L., Shenkir, W. G., & Walker, P. L. (2002). Making Enterprise Risk Management Pay Off.

USA: Prentice Hall PTR/ Financial Times.

Bessis, J. (2002). Risk Management in Banking. England: John Wiley & Sons, Inc.

Bird, A., & Skinner, T. H. (2005). Enterprise Risk Management Not for You? Wrong. American

Banker, 170(67).

Casualty Actuarial Society (2003), Overview of Enterprise Risk Management, Casualty Actuarial

Society Enterprise Risk Management Committee.

COSO (2004), Enterprise Risk Management – Integrated Framework: Executive Summary.

http://www.coco.org/Publications/ERM/COSO_ERM.ExecutiveSummary.pdf

Deloitte Touche Tohmatsu. (2004). 2004 Global Risk Management Survey.

Fauziah Hanim Tafri (2008), Risk Management Practices and Profitability of Commercial Banks vis-a

vis Islamic Banks. Unpublished doctoral dissertation, International Islamic University Malaysia,

Kulliyah of Economics and Management Sciences.

KPMG International (2004). Ready for Basel II – How Prepared Are Banks?

Lam, James (2000), Enterprise Risk Management and the Role of Chief Risk Officer. ERisk.com

http://www.erisk.com/Learning/Research/011_lamriskoff.pdf retrieved 18/6/08.

Miccolis, J. A., Hively, K., & Merkly, B. W. (2001). Enterprise Risk Management: Trends and

Emerging Practices. USA: The Institute of Internal Auditors Research Foundation.

Warrier, S.R. & Chandrashekhar, P. (2006), Enterprise Risk Management: From the Boardroom to

Shop Floor. Paper presented in the Asia Pacific Risk and Insurance Conference, Tokyo

2006.

http://www.coco.org/Publications/ERM/COSO_ERM.ExecutiveSummary.pdf

http://www.erisk.com/Learning/Research/011_lamriskoff.pdf retrieved 18/6/08

14

Table 1

Response to the Survey

Subjects Distributed Received Usable Replies

(n)

Usable Response Rate (%)

Conventional Banks in Malaysia 15 12 12 80%

Islamic Banks in Malaysia 10 8 8 80%

Foreign Islamic Banks (Outside Malaysia) 20 15 14 70%

Total 45 35 34 75.6%

Table 2 The Organizational Culture of the Banks in Terms of Risk Management

According to Types of Bank

Types of Bank

Conventional Banks

Conventional Bank with

Islamic Banking

Islamic Banks Overall

(%) (%) (%) (%) Organizational Culture

Decentralised Approach 12.5 0.0 10.0 8.8

Combination Approach 37.5 100.0 40.0 50.0

Centralised Approach 50.0 0.0 50.0 41.2

Organizational Approach

Top down approach 25.0 0.0 36.8 27.3

Bottom-up approach 0.0 0.0 5.3 3.0

Combination of top-down and

bottom-up approach

75.0 100.0 57.9 69.7

Table 3 Status and Mode of Implementation of ERM Framework

Types of Bank

Conventional Banks

Conventional Banks with

Islamic Banking

Islamic Banks

Overall

(%) (%) (%) (%)

Status of Implementation of ERM

We have a fully implemented ERM

framework currently in place 62.5 66.7 25.0 41.2

We have a partial ERM framework

currently in place 12.5 16.7 40.0 29.4

We do not have ERM framework now, but

we are planning to implement one 25.0 16.7 20.0 20.6

We are investigating the concept of ERM. 0.0 0.0 10.0 5.9

We do not have ERM) framework and we 0.0 0.0 5.0 2.9

APPENDIX I

15

are not planning to implement one

Mode of Implementation of ERM

Globally and holistically 75.0 100.0 29.4 54.8

Incrementally, by business segment 25.0 33.3 41.2 35.5

Incrementally, by region 12.5 16.7 11.8 12.9

Incrementally, by type of risk 0.0 33.3 47.1 32.3

Incrementally, others 0.0 0.0 11.8 6.5

Table 4 Duration of Implementation of ERM Framework According to Types of Bank

Types of Bank

Conventional Banks


Islamic Banking Islamic Banks

Status of Implementation of

ERM No. of Years

(%) (%) (%)

< 1 year 0.0 0.0 0.0

1-2 years 0.0 25.0 20.0

3-4 years 40.0 25.0 40.0

Fully Implemented

ERM Framework

> 5 years 60.0 50.0 40.0

< 1 year 0.0 0.0 0.0

1-2 years 0.0 0.0 87.5

3-4 years 0.0 100.0 12.5

Partially

Implemented ERM

Framework

> 5 years 100.0 0.0 0.0

Table 5 Frequency of Responses for Factors that Motivate ERM

Types of Bank

Motivating Factors Conventional Banks


Islamic Banking

Islamic Banks

Overall

(%) (%) (%) (%)

Deregulation 37.5 33.3 10.5 21.2

Price volatility 50.0 33.3 31.6 36.4

Asset allocation 75.0 50.0 36.8 48.5

Competitive pressure 12.5 66.7 31.6 33.3

Recent catastrophic event 25.0 33.3 15.8 21.2

Desire for earnings stability 62.5 66.7 42.1 51.5

Mandate from Board of Directors 50.0 66.7 36.8 45.5

Compliance with Basel II guidelines 87.5 66.7 94.7 87.9

Compliance with IFSB’s guidelines 0.0 50.0 52.6 39.4

Compliance with Central Bank ’s guidelines 75.0 33.3 89.5 75.8

Desire for unifying framework for risk

assessment

100.0 83.3 73.7 81.8

Desire for unifying framework for capital

management

100.0 83.3 52.6 69.7

16

Table 6 Descriptive Statistics for ERM Potential Benefits

Item N Mean Standard Deviation

t-statistic p-value

Align Risk Appetite and Strategy 32 4.28 0.772 9.390 0.000***

Link Growth, Risk and Return 32 4.38 0.707 11.000 0.000***

Enhance Risk Response Decision 31 4.06 0.629 9.422 0.000***

Minimize Operational Surprises and Loses 32 4.25 0.672 10.522 0.000***

Identify and Manage Cross-Enterprise Risks 31 4.26 0.631 11.105 0.000***

Provide Integrated Response to Multiple

Tasks

31 3.90 0.790 6.368 0.000***

Seize Opportunities 32 3.63 0.833 4.245 0.000***

Rationalize Capital 32 3.97 0.782 7.006 0.000***

Note. ***, **, and * indicate significance at the 1%, 5% and 10% levels, respectively.

Table 7

Frequency of Responses for the Strength of the Primary Drivers to the Bank’s Activities According to the Types of Banks

Type of Bank

Item Type of Banks 1 2 3 4 5

Mean Score

Conventional Bank 1 0.0 0.0 12.5 50.0 37.5 4.25


Align Risk

Appetite and

Strategy Islamic Bank 0.0 0.0 27.8 27.8 44.4 4.17



Link Growth,

Risk and Return

Islamic Bank 0.0 0.0 16.7 33.3 50.0 4.33



Enhance Risk

Response

Decision Islamic Bank 0.0 5.9 5.9 70.6 17.6 4.00



Minimize

Operational

Surprises and

Loses Islamic Bank 0.0 0.0 11.1 55.6 33.3 4.22



Identify and

manage cross-

enterprise risks Islamic Bank 0.0 0.0 17.6 47.1 35.3 4.18



Provide

integrated

response to

multiple tasks Islamic Bank 0.0 5.9 29.4 47.1 17.5 3.76



Seize

opportunities

Islamic Bank 0.0 5.6 55.6 27.8 11.1 3.44



Rationalize

capital

Islamic Bank 0.0 0.0 44.4 33.3 22.2 3.78

Note. Response:

1 = not very strong, 2 = not strong, 3 = neutral, 4 = strong, 5 = very strong

Conventional Bank 1 = Conventional bank without Islamic Banking

Conventional Bank 2 = Conventional bank with Islamic Banking

17

Table 8 Results of ANOVA Test for the Primary Drivers to the Bank’s Activities

According to the Types of Banks

Aspect Type of Banks N Mean F-

Statistics p-

value Conclusion

Conventional Banks 8 4.13

Conventional Banks

with Islamic Banking 6 4.35

ERM Framework

provides benefits

that are primary

drivers to bank’s

activities Islamic Banks 18 3.98

1.096 0.348 No

Difference

Table 9

Level of Strength of the Primary Drivers to the Bank’s ERM Activities According to the Types of Banks

Types of Bank

Conventional Banks


Islamic Banking

Islamic Banks

Aspect Level of Strength

No. % No. % No. %

Low (22 – 28) 2 25.0 0 0.0 5 27.8

Moderate (29 – 35) 6 75.0 6 100.0 13 72.2

Drivers that

motivates the bank’s

ERM Framework High (36 – 42) 0 0.0 0 0.0 0 0.0

Table 10 Frequency of Responses of the Usage of the Risk Management

Procedures Employed According to Types of Bank

Responses (%) Item Type of Banks

1 2 3 4 5 Mean Conventional Bank 1 0.0 0.0 12.5 37.5 50.0 4.37

Conventional Bank 2 0.0 0.0 0.0 33.3 66.7 4.67 1

Islamic Bank 0.0 0.0 36.8 42.1 21.1 3.84



Islamic Bank 0.0 0.0 26.3 73.7 0.0 3.74



Islamic Bank 0.0 11.1 38.9 33.3 16.7 3.56



Islamic Bank 0.0 15.8 36.8 36.8 10.5 3.42



Islamic Bank 0.0 10.5 63.2 15.8 10.5 3.26



Islamic Bank 0.0 0.0 52.6 36.8 10.5 3.58

7 Conventional Bank 1 0.0 0.0 50.0 0.0 50.0 4.00

18

Responses (%) Item Type of Banks

1 2 3 4 5 Mean Conventional Bank 2 0.0 0.0 33.3 16.7 50.0 4.17

Islamic Bank 0.0 0.0 57.9 21.1 21.1 3.83



Islamic Bank 0.0 5.3 68.4 21.1 5.3 3.26



Islamic Bank 0.0 0.0 57.9 31.6 10.5 3.53



Islamic Bank 0.0 0.0 63.2 31.6 5.3 3.42



Islamic Bank 0.0 5.3 73.7 21.1 18.2 3.16

12 Conventional Bank 1 0.0 12.5 12.5 50.0 25.0 3.88


Islamic Bank 0.0 5.3 47.4 47.4 0.0 3.42



Islamic Bank 5.3 10.5 42.1 36.8 5.3 3.26



Islamic Bank 5.3 15.8 52.6 21.1 5.3 3.05



Islamic Bank

0.0 10.5 36.8 47.4 5.3 3.47



Islamic Bank 0.0 0.0 52.6 26.3 21.1 3.68

Note. Response:

1 = no plan to use, 2 = do not use, 3 = plan to use, 4 = somewhat used, 5 = extensively used



Item:

1 Conducting Formal, Firm-Wide Risk Identification

2 Ranking the materiality of individual risks from a firm-wide perspectives

3 Consolidating the ranking of various risks using a common metric

4 Incorporating formal risk assessment into the bank's due diligence process for mergers, acquisition or

major investments

5 Using probabilistic modeling techniques to measure relevant risks

6 Measuring portfolio effect or diversification benefit of combining independent and/or negatively

correlated risks

7 Using economic capital as capital allocation

8 Calculating economic capital using RAROC

9 Evaluating performance of your risk management strategies in light of your risk/return requirements

10 Using portfolio enhancement techniques

11 Incorporating risk management into your personnel management and/or executive compensation programs

12 Implementing risk management programs through formal change management approaches

13 Exploiting integrated risk financing products (e.g. insurance/capital market solution)

14 Securitizing risks

15 Delegating risk assessments and response duties to operating units

16 Using a coherent framework to guide the above activities

19

Table 11 Results of ANOVA Test for Usage of the Risk Management Procedures According to Types of Banks

Aspect Type of Banks N Mean F-

Statistics p-value Conclusion

Conventional Banks 8 4.05

Conventional Banks

with Islamic Banking 6 4.23

Usage of the

Risk

Management

Procedures Islamic Bank 19 3.46

6.763 0.004*** Significant

Difference


Table 12 Result of LSD Test for Usage of the Risk Management Procedures

LSD Test Type of Banks Conventional Banks


Islamic Banking

Islamic Banks

Conventional Banks 1.000 0.531 0.012*

Conventional Banks

with Islamic Banking 0.531 1.000 0.004*

Usage of the Risk

Management

Procedures Islamic Bank 0.012* 0.004* 1.000


Table 13 Descriptive Statistics for the level of Adequacy of Risk Management Tools and Systems of the Banks

No. Statement n Mean Std Dev

t-

stats p-value

1. Bank’s on going risk monitoring and

periodic reporting capabilities 34 3.76 0.819 5.447 0.000***

2.

Bank’s on going risk monitoring and real-

time reporting on changing conditions

capabilities

34 3.53 1.022 3.020 0.005***

3.

Your bank’s internal communication

channels in the risk management process? 34 3.79 0.845 5.480 0.000***

4.

Your bank’s external communication

channels in the risk management process? 34 3.59 0.821 4.179 0.000***

5.

IT professionals with relevant expertise in

process integration and risk analytics 34 3.12 0.844 0.812 0.422

6.

Capacity of human capital in highly

technical area of risk measurement 34 3.15 0.958 0.895 0.377

7.

Capability of human capital in highly

technical area of risk measurement 34 3.29 0.970 1.768 0.086*

8.

Bank’s on going training of human capital

in technical areas of risk management. 34 3.62 0.922 3.908 0.000***

9.

Bank’s on going training of human capital

on Islamic business ethics and work culture 32 3.38 0.907 2.339 0.026**

10.

Bank’s employees understanding of the

different types of bank’s risks 33 3.39 0.966 2.342 0.026**

20

No. Statement n Mean Std Dev

t-

stats p-value

11. IT systems to cater for each Islamic

instruments 32 2.75 0.803 -1.761 0.088*


Table 14 Percentage of Responses to the Level of Adequacy of Risk Management Tools and Systems in the Banks

Responses (%)

Statement Type of Banks 1 2 3 4 5

Mean



Bank’s on going risk

monitoring and periodic

reporting capabilities Islamic Bank 0.0 15.0 30.0 45.0 10.0 3.50



Bank’s on going risk

monitoring and real-time

reporting on changing

conditions capabilities Islamic Bank 0.0 15.0 30.0 45.0 10.0 3.35



Bank’s internal

communication channels

in the risk management

process Islamic Bank 0.0 10.0 35.0 45.0 10.0 3.55



Bank’s external

communication channels

in the risk management

process Islamic Bank 0.0 15.0 40.0 35.0 10.0 3.40



IT professionals with

relevant expertise in

process integration and

risk analytics Islamic Bank 0.0 30.0 50.0 15.0 5.0 2.95



Capacity of human

capital in highly

technical area of risk

measurement Islamic Bank 0.0 35.0 45.0 15.0 5.0 2.90



Capability of human

capital in highly

technical area of risk

measurement Islamic Bank 0.0 30.0 35.0 25.0 10.0 3.15



Bank’s on going training

of human capital in

technical areas of risk

management. Islamic Bank 0.0 10.0 40.0 30.0 20.0 3.60



Bank’s on going training

of human capital on

Islamic business ethics

and work culture Islamic Bank 0.0 15.0 35.0 35.0 15.0 3.50



Bank’s employees

understanding of the

different types of bank’s

risks Islamic Bank 5.3 10.5 57.9 15.8 0.0 3.16

Conventional Bank 1 0.0 33.3 66.7 0.0 0.0 2.67 IT systems to cater for

each Islamic instruments Conventional Bank 2 16.7 16.7 33.3 33.3 0.0 2.83

21

Responses (%) Statement Type of Banks

1 2 3 4 5 Mean

Islamic Bank 0.0 40.0 50.0 5.0 0.0 2.75

Note. Response:

1 = not concern, 2 = least concern, 3 = concern, 4 = great concern, 5 = greatest concern



Table 15 Level of Adequacy of the Risk Management Tools and Systems Regarding the Risk Management

Practices of the Banks.

Conventional Banks


Islamic Banking Islamic Banks

Factor Level of Adequacy

n. % n % n %

Low (21 – 32) 0 0.0 1 16.7 5 25.0

Moderate (33 – 44) 7 87.5 3 50.0 12 60.0 Risk Management

Tools and Systems

High (45 -56) 1 12.5 2 33.3 3 15.0

Table 16 Result of ANOVA Test of the Adequacy of risk management Tools, and Systems

With Regards to the Risk Management Practices in Banks

Issue Type of Banks N Mean F-

Statistics p-

value Conclusion

Conventional Bank 8 3.65


Islamic Banking 6 3.61

Adequacy of

Risk

Management

Tools and

Systems Islamic Bank 20 3.26

1.092 0.348 No

Difference

22

Survey Questions on ERM

1. What is the organizational approach of risk management embraced by

your organization?

Decentralized approach Combination approach

Centralized approach

2. What is the organizational culture of your bank in terms of risk management?

Top-Down Approach Bottom-Up Approach

Combination of Top-Down Approach and Bottom-Up Approach

3. What is the percentage of total employees principally assigned to risk management

tasks?

% 4. With reference to question 3, what is the proportion assigned to the following risk?

Credit Risk: % Market Risk: % Operational Risk: %

5. Who accepts the overall responsibility for managing risk in the bank? (Please tick

all that apply)

Board of Directors

Board Level Risk Committee

Chief Risk Officer

Management Level Risk Committee

Chief Executive Officer

Head of Business Units

Chief Financial Officer

Internal Auditor

Independent Risk Oversight (IRO)

Other (please specify)

6. Please indicate your managerial and/or board committees that regularly deal with

risk management and compliance issues. (Please tick all that apply)

Audit Committee Risk Management Committee

Investment committee Asset/Liability management committee

Executive committee Compliance/market conduct committee


APPENDIX II

23

7. How are your various risk management and compliance committees/activities coordinated overall? (Please tick all that apply)

Report to single executive officer (please specify which officer)

Chief Executive Officer (CEO)

Chief Financial Officer (CFO)

Chief Risk Officer (CRO)

Chief Auditor

Chief Legal Officer


Activities guided by board mandate


Not coordinated or informal coordination

8. Which of the following best describes the status of your bank’s risk management

framework (Please tick one).

We have a fully implemented Enterprise-Wide Risk Management (ERM)

framework currently in place

We have a partial Enterprise-Wide Risk Management (ERM) framework

currently in place

We do not have an Enterprise-Wide Risk Management (ERM) framework now,

but we are planning to implement one (please go to question 10)

We are investigating the concept of Enterprise-Wide Risk Management (ERM).

(please go to question 11)

We do not have an Enterprise-Wide Risk Management (ERM) framework and

we are not planning to implement one (please go to question 14)

9. How long have your organization been operating under this framework (Please tick

one)

Less than a year One or two years

Three or four years Five years or more

10. How did you implement, or how do you plan to implement, your Enterprise-Wide Risk

Management (ERM) activities? (Please tick all that apply)

Globally and holistically Incrementally, by business segment

Incrementally, by region Incrementally, by type of risk

Incrementally, others

24

11. What motivated your Enterprise-Wide Risk Management (ERM) activity? (Please tick

all that apply)

Deregulation

Price volatility

Asset allocation,

Competitive pressure

Recent catastrophic event

Desire for earnings stability

Mandate from Board of Directors

Compliance with Basel II guidelines

Compliance with IFSB’s guidelines

Compliance with Central Bank ’s guidelines

Desire for unifying framework for risk assessment

Desire for unifying framework for capital management


12. The Enterprise-Wide Risk Management (ERM) framework provides several potential benefits. The following benefits are ‘primary drivers’ (i.e. motivates management) to your bank’s activities. Please indicate the strength of the driver by circling the appropriate number based on the following scale:

Not very strong

Not strong Neutral Strong Very Strong

1 2 3 4 5

a. Align risk appetite and strategy 1 2 3 4 5

b. Link growth, risk and return 1 2 3 4 5

c. Enhance risk response decision 1 2 3 4 5

d. Minimize operational surprises and losses 1 2 3 4 5

e. Identify and manage cross-enterprise risks 1 2 3 4 5

f. Provide integrated response to multiple tasks 1 2 3 4 5

g. Seize opportunities 1 2 3 4 5

h. Rationalize capital 1 2 3 4 5

25

For question 13, please identify the level of extensiveness of the usage of the risk management procedures employed by your bank by circling/highlighting the appropriate number using the following coding:

No plan to use

Do not use Plan to use Somewhat used

Extensively used

1 2 3 4 5

13. How extensiveness is the usage of the risk management procedure listed below?

a. Conducting formal, firm-wide risk identification 1 2 3 4 5

b. Ranking the materiality of individual risks from a 1 2 3 4 5

firm-wide perspective

c. Consolidating the ranking of various risks using a 1 2 3 4 5

common metric

d. Incorporating formal risk assessment into the 1 2 3 4 5

bank’s due diligence process for mergers, acquisition

or major investments

e. Using probabilistic modeling techniques to measure 1 2 3 4 5

relevant risks

f. Measuring the portfolio effect or diversification 1 2 3 4 5

benefit of combining independent and/or negatively

correlated risks (i.e., natural hedges)

g. Using economic capital as capital allocation 1 2 3 4 5

h. Calculating economic capital using RAROC 1 2 3 4 5

i. Evaluating performance of your risk management 1 2 3 4 5

strategies in light of your risk/return requirements

j. Using portfolio enhancement techniques 1 2 3 4 5

k. Incorporating risk management into your personnel 1 2 3 4 5

management and/or executive compensation programs

l. Implementing risk management programs through 1 2 3 4 5

formal change management approaches

m. Exploiting integrated risk financing products (e.g. 1 2 3 4 5

insurance/ capital markets solution)

n. Securitizing risks 1 2 3 4 5

o. Delegating risk assessments and response duties to 1 2 3 4 5

operating units

p. Using a coherent framework to guide the above 1 2 3 4 5

activities

enterprise risk management: commercial banks vis-a vis

Documents