SHARIAH RISK MANAGEMENT PROCESS FOR ISLAMIC FINANCIAL INSTITUTIONS IN THE CONTEXT OF SHARIAH GOVERNANCE FRAMEWORK 2010

Shariah compliance is the backbone of Islamic banks. As institutions established within the ambit of Shariah, Islamic banks are expected to ensure that their aims, activities, operations and management adhere to the Shariah principles and values. Failure to comply with Shariah will expose Islamic Financial Institutions (IFIs) to Shariah non-compliance risk. Subsequently, it is an essential duty of the IFIs to manage Shariah risk properly. In order to effectively manage the risk vulnerability of the IFIs, proper measures for risk management have been put in place in different frameworks that are either domestic or international. In the Malaysian context, IFIs are guided by relevant regulations such as the Shariah Governance Framework 2010, IFSB principles and Islamic Financial Services Act 2013 with regard to Shariah risk management. This research examined the regulatory requirements of the Shariah risk management process for Islamic financial institutions that operate in Malaysia, in the context of the Guidelines on Shariah Governance Framework 2010 issued by the Central Bank of Malaysia. The paper discusses the concepts of "risk", "Shariah risk" and "Shariah non-compliant risk" in the context of Islamic Financial Institutions and also examines the process adopted by the Malaysian IFIs in managing the Shariah risk. The hypotheses that the paper seeks to establish are that there are differences between the concept of Shariah risk and Shariah non-compliant risk; and that the Shariah risk management process adopted by the IFIs is different from the conventional risk management process due to the unique features and requirements of the IFIs.

INTRODUCTION
It is an undeniable fact that IFIs face more types of risk than their conventional counterparts. The IFIs have to bear all sorts of risk that are faced by conventional banks. In addition to that, the requirement of Shariah compliance places another burden on the IFIs to ensure all their activities and operations comply with Shariah rules and precepts. This fact can be seen in the light of the risk exposure of IFIs. The IFIs are exposed to all kinds of risk faced by the conventional banks such as credit risk, market risk, liquidity risk and operational risk. However, the list of risk exposure for IFIs does not stop there since the IFIs face some other unique risks relating to the failure to adhere to Shariah principles in their businesses and operations.

SHARIAH RISK IN IFIS
Most of the literature equates Shariah risk with Shariah non-compliance risk. Both terms refer to the same meaning, which relates to the risk that will arise due to the violation of Shariah rules or rulings made by the regulator. On the other hand, the IFSB-1 considers Shariah non-compliance risk as a subset of operational risk. 1 According to Balz, Shariah risk can be regarded as "the chance that an Islamic financial transaction is challenged on the grounds that it does not comply with
1 See IFSB 1 (2005) on discussion about Operational risk, 39
which were not initially presented to the Shariah board during the approval. The last category relates to the differences of opinion among the scholars in the interpretation of the Shariah principles. The product may be declared null and void by other scholars or regulatory bodies due to the defects in product formulation or the differences in the interpretation of the Shariah principles, procedures and processes.
This study suggests that Shariah risk should be defined as the weaknesses in the overall Shari'ah control processes which may lead to events that adversely impact IFIs. It covers the end-to-end process from Shariah decision-making stages to the implementation of the decision and also the occurrence of Shariah non-compliance events due to lapses or failures in the processes, people, system and external facts or circumstances.

SHARIAH RISK MANAGEMENT FRAMEWORK
The Oxford Dictionary for Business defines risk management as "a process that aims to help organizations to understand, evaluate, and take actions on all their risk". 8 Similarly, risk management can be defined as "the process by which managers satisfy the need to manage Bank's risk exposure by identifying key risk factors; obtaining consistent, understandable, operational risk measures; choosing which risk to reduce, and which to increase and by what means; and establishing procedures to monitor the resulting risk positions". 9 The Basel Committee for Banking Supervision (2001) defines financial risk management as a sequence of four processes: (1) The identification of events into one or more broad categories of market, credit, operational and other risks into specific subcategories; (2) The measurement and assessment of risks using data and risk model; (3) The monitoring and reporting of the risk assessments on a timely basis; and (4) The control of these risks by senior management.
An identical definition for risk management was provided under IFSB 1 (2005) where risk management was defined as a process that consists of risk identification, measurement, mitigation, monitoring, reporting and control. On the other hand, the Shariah Governance Framework defines Shariah risk management as "a function that consists of identifying, measuring, monitoring and controlling the Shariah non-compliance risks in order to mitigate the risks arising from non-compliance events". 10 The Shariah risk management must be systematic to enable the bank to have effective business and activities without being exposed to unacceptable risks. 11 Thus, apart from credit, market, liquidity and operational risk management, the Shariah risk management control function must form one of the parts in the IFI's integrated risk management framework. 12 This technical and complex function requires qualified or experienced risk management officers who have good Shariah knowledge to effectively perform such function. 13 The Shariah non-compliance risk management function as outlined by the SGF in summary involves the following: 14
i. Facilitating the process of identifying, measuring, controlling and monitoring Shariah non-compliance risks inherent in the IFI's operation.
ii. Formulating and recommending appropriate Shariah non-compliance risk management practices and guidelines; and
iii. Developing and implementing processes for Shariah non-compliance risk awareness in the IFI.
The first function mentioned in the above paragraph generally involves a flow of process. The process flow of such structure begins with the identification of the potential Shariah non-compliance risk, followed by assessment and measurement of the risk. The next step is monitoring and controlling the Shariah non-compliance risk and finally the reporting process. 15 The diagram below shows the process flow of a Shariah non-compliance risk management structure in IFIs.
Figure 1. Shariah Risk Management Process

Risk Identification
Risk identification relates to the process of understanding the nature and impact of the risk to current and future activities of the institution. 16 The main purpose of the identification process is to identify the main causal factors that lead to the non-compliance events. The main causal factors that contribute to the occurrence of non-compliance events are people, process and system. Any weaknesses or shortcomings arising from the incompetency of people, insufficiency of process or an ineffective system may lead to events that can trigger Shariah non-compliance risk. The people mentioned above are the people that are responsible for the management of IFIs. Any weaknesses or shortcomings arising from a lack of qualified personnel to carry out the task of maintaining compliance with Shariah in all activities and operations of IFIs are risks that need to be properly managed. Thus, it is incumbent on the management of the IFI to provide comprehensive training and also to establish efficient standard operating procedures and policies within the IFI to reduce the occurrence of mistakes and negligence among the staff. The enrichment of human capital in the IFI will definitely reduce the occurrences of mistakes by the staff in the commission of their tasks. 17
Process is another risk factor that needs to be managed by the IFIs.
Process in this context refers to the process involved in product development adopted in the operation of IFIs, either the pre-product approval, i.e. the process of product structuring and developing prior to introduction to the market, or the post-product approval process, i.e. the process after the product has been offered to the customers and transactions have been carried out. 18 The process adopted in the pre-product approval involves the issuance of Shari'ah decisions, product structuring, vetting of contracts and agreements as well as compliance checks before the product is offered to the customers. On the other hand, the process involved in the post-product approval includes Shariah audit and Shariah review that are conducted to ensure compliance with Shariah in the implementation of every product offered to the customers. Shariah non-compliance risk may occur during these processes due to unclear processes, policies, procedures, or responsibilities; inadequate internal Shariah governance arrangements; and/or insufficient disclosure and transparency. As such, the SGF requires that all IFIs shall put in place the appropriate mechanism to ensure that all key functions are able to effectively discharge their responsibilities. Apart from that, the board is also expected to perform diligent oversight of the effective functioning of Shariah governance within IFIs, 19 including the appointment of the Shariah committee. 20 The most important thing that must be established in the mind of each organ working within the IFI is effective communication between the organs. All organs in the IFI must work together in ensuring adherence to Shariah in all activities and operations. The summary of the factors contributing to the ineffective process is as follows:
System inefficiency may also expose the IFIs to great risk. The Information Technology system plays a vital part in the operation of IFIs. It is well known that an IFI pledges to ensure all its activities will be in line with Shariah. Similarly, the products offered to the public must be guaranteed to be in line with Shariah. Therefore, the IT system used by the IFIs must have Shariah compliance status that is capable of ensuring strict adherence to Shariah in all contracts entered into by the IFIs. 21 However, most IFIs adopt IT system modules that are created for conventional banking and thus are not suitable for IFIs. Inexperienced vendors, non-timely support, non-user-friendly systems, and system mistakes are the most common factors that expose IFIs to Shariah non-compliant risk. In

Risk Measurement and Assessment
The next step in risk management is the measurement and assessment of risk. This study suggests that Shariah non-compliance risk in the context of IFIs should be measured according to the status of aqad or contracts entered into by the IFIs due to the fact that the main activities of the IFIs are offering specific aqad in the form of financing, investment and any other activity. This is the fact that distinguishes IFIs from their conventional counterparts where the latter do not base their business according to aqad. As such, any non-compliant event that occurs is to be measured according to whether it renders the aqad void (batil), irregular (fasid) or permissible (sahih). 22 The measurement of Shariah non-compliance risk according to the status of contract is summarized in the following diagram:

Severe
• the non-compliance events lead to invalidation of contract and non-recognition of income.
• financing gambling activities or investment in production of alcohol and liquor.

Medium
• contract with defect in accessory attribute (wasf).
• example: existence of invalid condition in contract, problem with the delivery of the subject matter, insufficient information about the subject matter (jahalah).

Tolerable
• the events that do not lead to the consequences mentioned under high and medium type of risk.
• example: improper advertisement about product and indecent attire among the staffs.

The risk will be classified as 'severe' if the non-compliance event leads to the invalidation of contracts or non-recognition of income. 23 A contract entered into by the IFI and the customer that involves non-halal income, like financing gambling activities, is one clear example of severe risk. The middle type of risk (medium) relates to a situation where conditions of the aqad are not fulfilled 24 such as when the parties have inserted unreasonable conditions into the contract. The tolerable risk, on the other hand, relates to the events that do not lead to the consequences mentioned under the severe and medium risks. 25 For example, an indecent mode of attire among the IFIs' staff may lead to reputational risk since the staff of an Islamic bank are expected to wear decent attire. Similarly, improper marketing through indecent posters made by an IFI may also tarnish the reputation of the institution.

21 Ahcene Lahsasna, 15
22 Hassan Ahmed Yusuf, Shariah non-compliance risk: Measurement and treatment, Islamic Finance News, Vol. 8, Issue 39, 5 Oct 2011, accessed via <http://www.islamicfinancenews.com/print_ID.asp?nm=23913> 24 March 2014.
23 Ibid.
24 Ibid.

Risk Monitoring
The last stage in the risk management process deals with risk monitoring and controlling. Risk monitoring can be used to ensure that risk management practices are sound and effective. Proper risk monitoring also helps IFIs to discover mistakes at an early stage rather than suffering the bad consequences from dormant untraceable risks. 26 The risk monitoring mechanism must monitor the variables and factors that can lead to Shariah non-compliance risk. The monitoring process utilizes data collected from the previous audit or inspection. 27 One of the tools used in risk monitoring is the Key Risk Indicator (KRI). A KRI is a mathematical formula that includes all parameters that describe the operational variation of specific operations within specific business lines. 28 KRIs can be used as a tool in measuring the actual value of the cause and effect arising from non-compliance events. KRIs will predict possible occurrences of non-compliance events to enable the IFIs to take reasonable preventive and corrective measures to avoid any loss arising from such non-compliance events. Young states that KRIs are mostly quantitative measures intended to provide insight into operational risk exposures and control measures. 29 For example, on previous occasions, the Shariah non-compliance risk was discovered from the employees' mistake and negligence. The risk monitoring mechanism will focus on ensuring that a similar risk will not happen again in the future. The risk monitoring mechanism will check and analyze the sources of the risk to ensure that the events leading to risk from such factors will not occur again. The application of this tool depends heavily on the information and data that refer to the Key Risk Indicators.
In the table below, we will provide some examples of KRI to monitor potential sources of Shariah non-compliance risk.
Commercial Banks, Finance India, Vol. XVI, No. 3, 2002, pp. 1045

REGULATORY REQUIREMENT ON REPORTING
The requirement to report to the relevant authority about potential risks that may take place within an IFI is a statutory requirement under Malaysian law, i.e. in Section 28 of the IFSA, whereby failure to notify the non-compliance with Shariah may render any person liable to a huge amount of penalty. 30 The reporting requirement will ensure that any weakness or shortcoming within the IFI is properly disclosed to the relevant authority. The Shariah Committee is under obligation to report any non-compliance with Shariah to the board to get that matter rectified. 31 If the above step is not sufficient to cure the non-compliance, then the matter should be brought to the BNM. 32 There are two types of non-compliance events, namely potential and actual, that must be reported. When the IFI realizes or suspects that it is dealing with non-compliance business or activities, the management of the IFI must immediately bring such matter to the attention of the Shariah committee. The Shariah committee shall, upon such report, deliberate and investigate on such matter to ascertain whether the event is potential or actual Shariah non-compliant. In the event the Shariah committee concludes that such event is actual Shariah non-compliant, then the IFI shall immediately notify the board and BNM about the matter. The immediate rectification plan to cure the non-compliance must be made within 30 days from the date on which the non-compliance event was realized by the IFI.
30 Section 28(5) provides that failure to report the Shari'ah non-compliance within the IFI may render a person liable to imprisonment for a term not exceeding eight years or to a fine not exceeding twenty-five million ringgit or to both.
UUMJLS 8, 1-15 (2017)
On the other hand, if the Shariah committee concludes that the reported event is a potential Shariah non-compliance, the IFI must also notify the matter to Bank Negara Malaysia. An event will be considered as potential non-compliance when the Shariah committee is still deliberating and investigating the matter. The event shall be reported to Bank Negara Malaysia as potential Shariah non-compliance until a final decision on the matter has been reached by the Shariah committee. The rationale behind the mandatory reporting obligation for potential non-compliance is to put the IFIs on the same level playing field in the management of Shariah non-compliance. If the reporting of potential non-compliance is not obligatory, there is a possibility that many IFIs will treat most of the non-compliance events as potential to evade the reporting process to Bank Negara. Therefore, the mandatory nature of reporting potential non-compliance will inculcate a healthy treatment of Shariah non-compliance in all IFIs in the sense that any non-compliance, regardless of whether it is actual or potential, must be disclosed to Bank Negara Malaysia. Reports about potential Shariah non-compliance events shall be made on a monthly basis based on the calendar year. The report must be made to Bank Negara Malaysia within two weeks after the end of each month. We can see that the timeline for reporting of potential Shariah non-compliance is more flexible and lenient as compared to the reporting of actual non-compliance since the IFIs have enough time to deliberate on the matter.
31 Principle 3.6 of SGF
32 Principle 3.7 of SGF

CONCLUSION
Shariah risk management is a process that is essential to IFIs as it helps the IFIs to prevent any occurrence of Shariah non-compliance events that can lead to direct loss as well as indirect loss. The direct loss arising from a Shariah non-compliance risk may be due to breaches and violations of the terms of the contract that cause invalidation of the contract. In contrast, the legal and reputational risk is the indirect factor that potentially leads to loss. A legal suit brought against an IFI for Shariah non-compliance in its operation is an example of indirect loss since the loss is still subject to the judgement of the court. Thus, the IFIs are required to ensure that the process adopted in Shariah risk management is effective and efficient. The IFIs may utilise a similar risk management process as that applied in the risk management of a conventional bank as long as they comply with Shariah principles. The main exception to the above assertion relates to the way Shariah non-compliance risk should be measured. This study suggests that measurement of Shariah non-compliance risk should be made based on the status of aqad. This exception relies on the unique feature of Islamic Finance where every single transaction entered into by the IFIs must be in line with Shariah to avoid any events that can affect the validity of a contract.
David B. Hertz and Howard Thomas, Risk analysis and its applications, (Chichester: Wiley, 1983), 11
12 Principle 7.16 of SGF
13 Principle 7.17 of SGF
14 Principle of 7.18 of SGF (Further details should be referred to SGF)
15 Mohd Nazri, "Shariah Governance Framework - Shariah Compliance Risk Management", Bank Islam, <http://www.bankislam.com.my/en/Documents/cinfo/2013-4thAsiaIslamicBankingConference-CRM.pdf> (accessed 25 November, 2013)
addition to the above factors, there are possible factors that externally endanger IFIs operation. Factors such as lack of supervision by the regulators and unclear laws and regulations are the most frequent factors in this category. The following table simplifies the events that can lead to Shariah non-compliance risk:
-1057.