Central Bank Of Nigeria

GUIDANCE NOTES ON SUPERVISORY REVIEW PROCESS FOR NON-INTEREST FINANCIAL INSTITUTIONS IN NIGERIA AUGUST, 2018

	Table of Contents
DEFINITION OF TERMS
BACKGROUND
1.1	INTRODUCTION.
1.2	OBJECTIVE OF THE GUIDANCE NOTES .
1.3	SCOPE .
2.0	SUPERVISORY REVIEW PROCESS. .
3.0	INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS .
3.1	GENERAL RULES FOR THE ICAAP .
3.2	PROPORTIONALITY IN THE ICAAP .
3.3	FEATURES OF THE ICAAP .
3.3.1	Comprehensive Identification of Risks:.
3.3.2	Sound Capital Assessment: .
3.3.3	Stress testing
3.3.4	Corporate Governance in the ICAAP .
3.3.5	Monitoring and Reporting
3.3.6	Internal Control Review
3.4	REGULATORY REPORTING OF THE ICAAP .
3.4.1	Content and structure
3.4.2	Frequency of ICAAP reporting.
4.0	SUPERVISORY REVIEW AND EVALUATION PROCESS .
	GENERAL RULES FOR THE SREP
4.1
4.2	STAGES OF THE SREP
5.0	THE SREP PROCESS.
5.1	REGULATORY CAPITAL REQUIREMENTS .......................................................................................................................... ERROR! BOOKMARK NO
5.2	RISK EXPOSURE COVER .
5.3	COMPONENTS OF CAPITAL .
5.4 SLOTTING METHOD ON THE RISK WEIGHTS APPLICABLE TO MUSHARAKAH AND MUDARABAH FINANCING14
5.5	ADDITIONAL CAPITAL CHARGE FOR OPERATIONAL RISK
6.0	GOVERNANCE AND RISK MANAGEMENT
6.1	CORPORATE GOVERNANCE
6.2	SHARI' AH GOVERNANCE
6.3	AUDIT AND COMPLIANCE
6.4	RISK MANAGEMENT PROCESS .
6.4.1	Board and Senior Management Oversight .
6.4.2	Policies, Procedures and Limit of Controls .
6.4.3	Identifying, Measuring, Monitoring and Reporting of Risks .
6.4.4	Internal Controls .
6.5	RELATED PARTY TRANSACTIONS
6.6	SHARI' AH-COMPLIANT SECURITISATION EXPOSURES
6.7	RISK CONCENTRATION
7.0	ISLAMIC WINDOW OPERATIONS .
ANNEX A .
ANNEX B .

Definition Of Terms

Advisory Committee of Experts (ACE)	An independent body set up by Non-Interest Financial Institutions (NIFIs), as part of their Shari'ah governance system, to supervise and ensure compliance with the Shari'ah.
Business and	The risk of loss caused by changes in the business environment or
Strategic Risk	erroneous decisions and	inadequate implementation of decisions or
	poor response to competition.
Counter Party	This is a risk that arises where the counter party to a transaction could
Credit Risk	default before the final settlement of the transactions cash flows.
Credit Concentration Risk	The risk arising from exposures to counterparties, group of connected counterparties, and counterparties in the same economic sector or which engage in the same activity or are from the same geographic region.
Credit Risk	Credit risk is the potential loss arising from a counterparty's failure to meet its obligations in accordance with agreed terms.
Displaced Commercial Risk (DCR)	Displaced Commercial Risk refers to the extent of additional risk (volatility of returns) borne by NIFIs' shareholders compared to the situation where profit sharing investment account holders assume all commercial risks as specified in the Mudarabah contract.
Fiduciary Risk	Fiduciary risk is the risk arising from a NIFI's failure to safeguard the best interests of all fund providers.
Internal Capital	This is the amount of capital that is related to risk which a NIFI is carrying.
Legislative Risk	This is the risk arising from the enactment of new laws.
Liquidity Risk	This risk arises from either difficulties in obtaining cash at reasonable cost from borrowings (Funding liquidity risk) or sale of assets (asset liquidity risk).
Market Risk	Market risk is defined as the risk of loss in on and off-balance sheet positions arising from movements in market prices.
Model Risk	This arises due to limitations of data inputs or weaknesses in model structures under advanced approaches.
Murabahah	(Cost
Plus	Mark-Up
Sale)	A sale contract whereby the institution offering Islamic financial services sells to a customer a specified kind of asset that is already in its possession, whereby the selling price is the sum of the original price and an agreed profit margin.
Musharakah	(	A contract between the NIFI	and a customer whereby both would
Partnership)	contribute capital to an enterprise, whether existing or new, or to ownership of a real estate or movable asset, either on a temporary or permanent basis. Profits generated by that enterprise or real estate/asset are shared in accordance with the terms of the Musharakah agreement, while losses are shared in proportion to each partner's share of capital.3

Operational Risk	This is the risk of loss resulting from inadequate or failed internal processes, people, and technology or from external events.
Rate of Return	Rate-of-return risk is the risk of facing a lower rate of return on assets
Risk	than that currently expected by UIAHs
Related Party	This is a transfer of resources, services or obligations between a NIFI
Transaction	(s) and a related party, regardless of whether a price is charged. It include on- and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease (Ijarah) contracts, financings, borrowings (through Qard) and write-offs. They also include transactions that are entered into in situations in which an unrelated party with whom the NIFIs have an existing exposure subsequently becomes a related party.
Reputational Risk	The current or prospective risk of a decline in profits or capital should customers, counterparties, shareholders, investors or supervisors take a negative view of the NIFI.
Shari'ah NonCompliance Risk	The risk that arises from the bank's failure to comply with the Shari'ah rules and principles.
Sukuk (Islamic Investment Certificates)	Certificates that represent a proportional undivided ownership right in tangible assets, or a pool of assets that are Shari`ah- compliant. Sakk is the singular of Sukuk

1.0 Background 1. 1 Introduction

. This Guidance Notes on Supervisory Review Process adopts a risk-based approach to supervisory review process in line with Basel 2 Pillar 2 and Islamic Financial Services Board's (IFSB) Standard Number 16 issued for Islamic Financial Institutions. The Guidance Notes covers capital adequacy, risk management, capital management, corporate governance and internal controls.

1.2 Objectives Of The Guidance Notes

2. The objectives of this Guidance Notes are as follows: To specify the role of Non-Interest Financial Institutions (NIFIs) on the computation of internal capital and capital management; and To specify the role of the CBN in ensuring the maintenance of adequate capital for the level of risks the NIFIs are exposed to.

1.3 Scope Of The Guidance Notes

3. This Guidance Notes is applicable to Non-Interest Banks and Other Financial Institutions under the supervisory purview of the CBN.

2.0 Supervisory Review Process

4. Supervisory Review Process is a formalised and structured strategy which staff of regulatory authorities shall follow when conducting off-site surveillance and on-site examinations of financial institutions.

5. The Supervisory Review Process (SRP) is structured along the following two separate but complementary stages: i) The Internal Capital Adequacy Assessment Process (ICAAP). This requires NIFIs to perform an independent and complete assessment of the risks to which they are exposed and calculate an internal capital requirement, and ii) The Supervisory Review and Evaluation Process (SREP). This is a process by which the CBN reviews and assesses the ICAAP. It also analyses the NIFIs' own assessment of risk profile, risk management practices, corporate governance system as they relate to the ICAAP and the internal control system. It further verifies the overall compliance with prudential rules in calculating internal capital.

3.0 Internal Capital Adequacy Assessment Process

6. The ICAAP is based on appropriate risk management systems that require adequate corporate and Shari'ah governance mechanisms, an organisational framework with clear lines of responsibility, and effective internal control systems. It should be noted that capital cannot be regarded as a substitute for sound risk management processes.

7. The ICAAP shall be documented, understood and shared by all NIFI's structures and shall be subject to independent internal review.

8. The Board of Directors (BOD) is ultimately responsible for the ICAAP. It is expected to independently establish the design and organisation in accordance with the risk appetite of the NIFI. BOD is also responsible to ensure the implementation and the annual update of the ICAAP and the resulting calculation of internal capital in order to ensure its conformity with the NIFIs operations and environment.

9. On an annual basis, NIFIs shall render returns to the CBN on the key features of the ICAAP, their risk exposures and the level of capital deemed adequate to support those risks. The report shall also contain a self-assessment of the ICAAP, areas for improvement, any deficiencies in the process and the corrective measures to be taken.

10. On regular basis, NIFIs are required to hold capital in excess of the minimum regulatory requirement that is commensurate to the level of their risk exposures.

3.1 General Rules For The Icaap

11. NIFIs shall have a process for determining the total capital, currently and prospectively necessary to support all material risks. This process shall be: Formalized and documented; Subject to internal review and approval by board and management; and Proportionate to the nature, scale and complexity of business operations.

12. The calculation of total capital requires an assessment of all the risks to which a NIFI is or may be exposed, including those not considered in calculating the capital requirement under Pillar 1.

13. NIFIs shall determine the risks, other than credit, market and operational risks, for which the adoption of quantitative methodologies that can be used in determining internal capital would be appropriate, and those for which control and mitigation measures, in combination or alternatively, would be more suitable.

3.2 Proportionality In The Icaap

14. Proportionality is the principle under which systems, processes, mechanisms and determination of capital shall be proportionate to the nature, scale and complexity of the business conducted by the NIFI.

15. The principle of proportionality shall apply to the following aspects: The methodologies used in measuring/assessing risks and in the determination of the related internal capital; The type and nature of the stress tests adopted; The treatment of correlation among risks and the determination of total internal capital; The organisational structure of the risk control systems; and The scope and detail of ICAAP reporting to the CBN.

3.3 Features Of The Icaap

16. In developing the ICAAP, NIFIs shall be able to demonstrate that chosen internal capital targets are well founded and are consistent with its overall risk profile and current operating environment (i.e. the current business cycle in which the NIFI is operating).

17. The main features of the ICAAP are summarized below: Comprehensive Identification of Risks Sound Capital Assessment Stress testing Corporate and Shari'ah Governance Internal Control Review Monitoring and Reporting

3.3.1 Comprehensive Identification Of Risks:

18. All material risks faced by NIFIs shall be addressed in the capital assessments process.

a) NIFIs shall independently identify the range of relevant material risks to which they are exposed, taking into consideration their operations and the markets in which they operate.

b) This analysis shall consider at a minimum, the risks listed in Annex A (which is not exhaustive). The identification of any further risk factors connected with its specific operations is left to the prudent assessment of each NIFI.

c) NIFIs shall clearly identify the sources of the various forms of risk and where these are to be found at the level of operating units, enterprise-wide or from external counterparties. This makes it possible to ascertain whether the regulatory capital requirements calculated at the individual level for the most significant legal entities adequately cover the risks effectively faced by these entities.

19. All NIFIs are required to design a robust risk management process taking note of the specificities of their operations and risk categories such as credit risk, equity investment risk, market risk, liquidity risk, rate of return risk, displaced commercial risk, operational risk, Shari'ah non-compliance risk and fiduciary risk.

20. For each risk identified, NIFI shall ensure that appropriate risk assessments are supported by; a) Consistent and robust risk assessment approaches (i.e. quantitative and qualitative techniques) commensurate with the NIFI size, nature of business and complexities of activities; and b) Quality data used for the risk measurement in ICAAP. The assessment should also cover the adequacy and robustness of the NIFI's internal controls for mitigating risk.

3.3.2 Sound Capital Assessment:

21. Based on the risk identified, a NIFI is required to assess its overall capital adequacy, and develop a strategy for maintaining adequate capital levels consistent with its risk profile and taking into account current and anticipated changes in the risk profile. This shall be reflected in the NIFI's capital planning process and the setting of internal capital targets.

22. In order to calculate internal capital, NIFIs shall have: i. Designed policies and procedures that clearly identify, measure and report all material risks; ii. A process that relates capital adequacy to the level of risks assumed; iii. A process that relates capital adequacy goals (with respect to risk) with the NIFIs strategic focus and business plan; iv. A process of internal controls that reviews and audits continuously the activities of the NIFIs to ensure robustness and integrity of the overall risk management process; v. For credit, market and operational risks, a methodological starting point is provided by the regulatory systems for calculating capital requirements for such forms of risk; vi. To calculate the exposure and any internal capital related to concentration risk (for individual borrowers or groups of connected customers) and to the rate of return risk in the banking book, NIFIs may refer to the simplified methodologies set out in Annexes B; vii. With regard to rate of return risk, all NIFIs shall assess the impact of hypothetical shocks on the rate of return exposure of the banking book. Where this should cause a significant reduction of a NIFI's regulatory capital, the CBN shall examine the results with the NIFI and may adopt appropriate actions; and viii. The ICAAP of a NIFI shall show how total capital reconciles with the definition of regulatory capital. Specifically, they shall explain the use of capital instruments that may not be included in regulatory capital but are included in the calculation of internal capital.

23. The capital planning process shall be dynamic and forward-looking in relation to the NIFIs' risk profile. Also, in assessing capital adequacy, NIFIs are required to evaluate the quality and capacity of its capital to absorb losses.

3.3.3 Stress Testing

24. Stress tests are quantitative and qualitative techniques used by NIFIs to assess their vulnerability to exceptional but plausible events. They involve assessing the impact on NIFIs' exposures to specific events ranging from mild to very severe shocks or joint movements of a set of economic and financial variables under adverse scenarios.

25. NIFIs shall conduct stress test of their risk mitigation and control systems and, where necessary, the adequacy of their internal capital, in order to enhance the assessment of their exposure to risks.

3.3.4 Corporate Governance In The Icaap

26. The Board and management of NIFIs shall be responsible for the ICAAP. 27. The board and management shall establish a framework for assessing the various risks, develop a system to relate risk to the NIFIs' capital level, and establish a method for monitoring compliance with internal policies. It is equally important that the Board of Directors adopts and supports strong internal controls, written policies and procedures and ensuring that management effectively communicates these throughout the organization.

27. The Board shall ensure that senior management discharges its responsibilities for the development and effective implementation of the ICAAP. Senior management is responsible for understanding the nature and level of risk being taken by the NIFIs and responsible for ensuring that the sophistication of the risk management processes is appropriate in the light of the risk profile and business plan.

3.3.5 Monitoring And Reporting

29. NIFIs are required to have an adequate system for continuous monitoring and reporting risk exposures and assessing how their changing business risk profiles affect their capital needs. Such a system shall incorporate internal triggers to serve as early warning signals of deviation from internal capital targets and breaches of regulatory capital requirements.

30. Senior management shall, on regular basis, provide to the Board reports on the NIFI's risk profile and capital needs in a manner appropriate to facilitate informed conduct of responsibilities. They are therefore required to: i. Evaluate the level and trend of material risks and their effects on capital levels; ii. Evaluate the sensitivity and reasonableness of the key assumptions used in capital assessment; iii. Determine that they hold sufficient capital against the various risks and ensure compliance with established capital adequacy goals; and iv. Assess future capital requirements based on reported risk profiles and indicate any necessary adjustments to be made to the NIFI's strategic plan.

3.3.6 Internal Control Review

31. An effective ICAAP requires that the relationship between risks and capital levels is monitored.

32. The Board shall ensure that NIFI's system of internal control is adequate to monitor its operations.

33. NIFI shall ensure conduct of periodic reviews of its risk management and capital management process relating to ICAAP to ensure its integrity, accuracy, consistent applications and reasonableness of its risk management process. Such reviews shall cover: Appropriateness of the ICAAP, given the nature, scope & complexities of its activities; Identification of large exposures and risk concentrations; Accuracy, quality and completeness of data inputs to the ICAAP; Reasonableness and validity of scenarios used in the assessment; Stress testing and analysis of assumptions / inputs; Robustness of risk monitoring and reporting systems; Performance and appropriateness of the use of third-party vendors, products, services and information; and The review shall be performed by units not directly involved in the preparation of ICAAP.

3.4 Regulatory Reporting Of The Icaap 3.4.1 Content And Structure

i) The ICAAP report will enable the CBN to conduct a complete, documented assessment of the key qualitative features of the capital planning process, the overall exposure to risks and the consequent calculation of total internal capital.

ii) The report shall be transmitted to the CBN along with the relevant Board resolutions and senior management reports containing their comments on the ICAAP, in accordance with their respective responsibilities and functions.

iii) The report shall be organised, at a minimum, into the areas specified in Annex B.

3.4.2 Frequency Of Icaap Reporting

34. On an annual basis, NIFIs shall, not later than the end of April, submit to the CBN the ICAAP report as at 31 December of the previous year.

35. Based on the capital reported at the close of the previous year, the ICAAP document shall provide the NIFI's strategies for taking on risk and ensuring that the related capital needs through the end of the current year are met.

4.0 Supervisory Review And Evaluation Process

36. The Supervisory Review and Evaluation Process (SREP) is informed by the principle of proportionality, under which: Corporate and Shari'ah governance systems, risk management processes, internal control mechanisms and the determination of capital deemed adequate to cover risks shall be proportionate to the nature, scale and complexity of the business conducted by the NIFIs; and The frequency and the comprehensiveness of the SREP shall have regard to the systemic importance, nature, size and complexity of NIFIs.

4.1 General Rules For The Srep

37. The SREP shall be conducted on NIFIs on an annual basis in order to verify that they have established capital and organisational arrangements that are appropriate for the risks they face and ensures overall operational equilibrium.

4.2 Stages Of The Srep

38. The SREP is organised into the following five main stages: a) Analysis of exposure to all material risks and the relative control systems; b) Verification of compliance with capital requirements and other supervisory rules; c) Assessment of the procedure for calculating total internal capital and of the adequacy of total capital in relation to the NIFI's risk profile; d) Issuance of specific opinions for each form of risk and of an overall opinion on the situation of the NIFI; and e) Determination of any supervisory response.

5.0 The Srep Process

39. The CBN, as part of its Risk-Based Supervisory process, will review and evaluate the soundness of NIFIs' ICAAP against the expectations set out under the features of ICAAP in this Guidance Notes. This review will also consider the comprehensiveness of the ICAAP and the quality of risk management to form a view on the appropriateness of the NIFIs' internal capital targets and their capacity for meeting the targets. Based on these reviews, the CBN may require all NIFIs to, among other things, take action to improve their capital and risk management processes if it is not satisfied with the NIFIs' ICAAP.

40. While the Board and senior management of NIFIs maintain primary responsibility for their institutions' capital adequacy, the CBN reserves the power to intervene at an early stage to prevent a NIFI's capital from falling below the level that it deems adequate to support its risks. The CBN may require rapid remedial action if adequate capital is not restored. This may include the following: i) Altering the risk profile of the NIFI through business or operational restrictions; ii) Directing NIFIs to raise additional capital; iii) Strengthening of the systems, procedures and processes concerning risk management, control mechanisms and internal assessment of capital adequacy; iv) Prohibition of distribution of profits or other elements of capital; v) Holding of an amount of regulatory capital greater than the legal minimum for credit, market and operational risks; and vi) Other measures as contained in the CBN Supervisory Intervention Framework (SIF) and BOFIA.

41. As part of the risk based supervisory approach, the CBN in assessing the NIFI's ICAAP shall consider among others the following elements: i. The NIFI's regulatory capital requirements (components and quality); ii. Internal Capital Adequacy Assessment Process (ICAAP); iii. Corporate and Shari'ah Governance, risk management and other controls; iv. Related party transactions; v. Shari'ah-Compliant Securitization Risk and Related Off-balance sheet Exposures; vi. Transparency and market discipline; vii. Non-interest Window operations; viii. Concentration Risk; and ix. Supervisory Transparency and Accountability.

5.1 Regulatory Capital Requirements

42. CBN will ensure that NIFIs meet the applicable minimum capital adequacy requirements. An assessment of the appropriate level of the capital adequacy requirements for NIFIs shall be based on an analysis of the risk exposures arising from the underlying asset portfolio, as well as off-balance sheet exposures and the results of the supervisory review process, taking into account rate of return risk and other risks that may give rise to displaced commercial risk.

43. NIFI may be required to set aside additional capital over and above the normal minimum requirements; CBN will set out the factors that are the basis for such additional capital requirements. Such factors may include, inter alia: i. any precedents of material Shari'ah non-compliance; ii. the robustness of the NIFI's existing internal Shari'ah governance systems to check (ex-ante) and monitor (ex-post) potential Shari'ah non-compliance; iii. the presence of internal Shari'ah audit and the enforcement of relevant Shari'ah audit standards; iv. the availability of a Shari'ah review function, including the Shari'ah reviewers responsible for assessment of the Shari'ah compliance of transactions, as determined by the NIFI's ACE or FRACE; v. income smoothing and usage of reserves; and vi. value of alpha.

5.2 Risk Exposure Cover

44. CBN will require each NIFI to demonstrate that its capital is commensurate with the level of its overall risk exposures, including exposures to assets such as real estate or commodities not used as part of financial intermediation, whether these activities are carried out by the NIFI itself or through a subsidiary.

45. CBN will require all NIFIs to have in place an appropriate risk management control techniques in mitigating risk exposures to various contracts and the sharing of risks between the NIFI and the IAHs (with particular reference to displaced commercial risk).

5.3 Components Of Capital

46. CBN will ensure that NIFIs demonstrate and take into account the applicable criteria for various components of capital (particularly, those components other than common equity), as well as regulatory adjustments and deductions attached to these components. The definition of (regulatory) eligible capital (i.e. the sum of Tier 1 and Tier 2 capital) for NIFIs as provided in CBN Guidance Notes on Regulatory Capital, and should be referred to by NIFIs in determining the numerator to be used in calculating the Capital Adequacy Ratio (CAR) formula.

5.4 Slotting Method On The Risk Weights Applicable To Musharakah And Mudarabah Financing

47. CBN will take into consideration in the review of the NIFIs slotting method applicable to Musharakah or Mudarabah (financing) contracts. The review should take into account, among other matters, restrictions (e.g. legal, tax, rights of shareholders and IAHs interest, foreign exchange), significant exposure to risks, or influence by virtue of their participation as a Musharakah and/or Mudarabah partner.

5.5 Additional Capital Charge For Operational Risk

48. Additional capital charge for operational risk may be required by the CBN in order to cater for Shari'ah non-compliance risk from time to time.

49. In determining regulatory capital requirements, reference should be made to the CBN Guidance Notes on Regulatory Capital, the treatment of IAHs and Income Smoothing.

6.0 Governance And Risk Management 6.1 Corporate Governance

50. Sound Corporate Governance is a vital element in ensuring the soundness and prudent management of an organisation. Board of Directors are required to set up a robust Corporate Governance policies and processes that are commensurate with the NIFI's risk profile and systemic importance. There shall also be an independent, permanent and effective Internal Audit/Compliance Functions charged with the following, among others: Assessing whether the existing policies, processes and internal controls (including risk management, compliance, and corporate governance processes) are effective, appropriate and remain sufficient for the NIFIs business; Ensuring that policies and procedures are fully complied with.

51. To effectively discharge the above functions by the Auditor/Compliance Officer, reference should be made to the CBN, NIFI, ACE and code of Corporate Governance guideline which specify, among others, the following; i. Compliance with Shari'ah rules and principles; ii. Roles of the Advisory Committee of Experts in the Governance, the roles of auditors in terms of independence and accountability; iii. Roles of Governance Committees and process of controls for protecting the right of IAHs; iv. Transparency of financial reporting in respect of investment accounts.

52. While Board are expected to approve and oversee the implementation of the NIFI's strategic direction, risk appetite and strategy, the CBN shall be required to review the controls and the quality of internal governance that have been put in place to ensure that the NIFI's control environment is: i. Consistent with the general framework; and ii. Commensurate with the size, complexity and nature of the business operations.

6.2 Shari'Ah Governance

53. There shall be a proper and functional Shari'ah governance system, which demonstrates clear terms of reference of the ACE, reporting line and responsibilities. CBN will ensure that NIFI's Shari'ah governance system covers the relevant ex-ante (including issuance and dissemination of Shari'ah pronouncements/resolution and compliance checks before products are offered to customers) and ex-post process (internal Shari'ah review and Shari'ah governance reporting).

6.3 Audit And Compliance

54. CBN will ensure that NIFIs have an independent, permanent and effective internal audit function, including internal Shari'ah audit charged with: i. Assessing whether existing policies, processes and internal controls (including risk management, compliance, and corporate & Shari'ah governance processes) are effective, appropriate and remain sufficient for the NIFI's business; and ii. Ensuring that policies and processes are complied with.

iii. Ensuring that product, policies and processes of the NIFI are and remain Shari'ah compliant.

55. The internal audit function shall have a reporting line to the BOD through board audit committee, and the head shall have appropriate status within the NIFI to ensure that Senior Management (SM) acts upon its recommendations. The NIFI's BOD has the ultimate responsibility for ensuring that SM establishes and maintains an adequate, effective, efficient internal control framework and internal Shari'ah audit.

6.4 Risk Management Process

56. As part of the risk based approach, CBN shall ensure that NIFIs put in place a robust and sound Enterprise-wide Risk Management (ERM) Framework which defines risk appetite of the NIFI and recognises all material risks, including the risks posed by concentrations, securitisation, off-balance sheet exposures, valuation practices and other risks exposures that are peculiar to Islamic banking operations.

57. The ERM framework shall consist of the following key features:

6.4.1 Board And Senior Management Oversight

58. It is the responsibilities of the Directors and Senior Management to define and approve the NIFIs risk appetite. There should also be risk management process put in place to monitor and control/mitigate various types of risks, taken into consideration the specificities of the NIFIs operations. These shall not be limited to only credit, market, liquidity, and operational risks, but shall incorporate all material risks such as reputational, strategic, equity investment, rate of return , displaced commercial, Shari'ah non-compliant, fiduciary and other risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses.

59. As part of the implementation of the ERM, NIFIs are required to have an internal risk function and a Chief Risk Officer (CRO), or equivalent position with a good understanding of the specificities of Islamic Finance. The Risk function and CRO shall be independent of the individual business lines and direct reporting to the Board through Risk committee with an administrative reporting relationship to the Chief Executive Officer (CEO).

6.4.2 Policies, Procedures And Limit Of Controls

60. NIFIs are required to document risk policies and strategies that are appropriate to the nature and scale of its activities.

6.4.3 Identifying, Measuring, Monitoring And Reporting Of Risks

61. There shall be an appropriate system in place that is adequate (both under normal circumstances and in period of stress) for identifying, measuring, assessing and reporting on the size, composition and quality of exposures on a NIFI-wide basis across all risks types, products and counter-parties taken into consideration the risk profile, capital and liquidity needs.

6.4.4 Internal Controls 62. Risk management process of a NIFI shall be frequently monitored and tested by an independent control unit, and by both internal and external auditors. This is to ensure: i. that the information on which decision are based is accurate so that processes fully reflect management policies; and ii. the regular reporting, including limit breaches and other exception based reporting, is undertaken effectively.

63. To ensure the effectiveness of a NIFIs ERM framework, CBN shall: (a) Ensure that the framework is adequate and provides a comprehensive "business-wide" view of risk across all material risk types taking account of the risk profile and systemic importance of the NIFIs; and (b) Assess risks arising from the macroeconomic environment affecting the markets in which the NIFI operates and incorporate such assessments into their evaluation of the NIFI's risk management process.

64. Where appropriate, CBN will seek verification or demonstration of the BOD's role in approving the firm's risk appetite statement - for instance, by reviewing BOD minutes or through discussions with directors and management - to ensure that the BOD did not merely "rubber stamp" management's recommendation. CBN will also look for evidence in BOD papers and minutes, the risk appetite statement documents, metrics, reporting and other activities, that the BOD understands how management interprets and applies the risk appetite and risk limits. Other materials may also be reviewed, such as strategy and planning documents and board reports, to ensure that risk-taking is aligned in practice with the board-approved risk appetite statement.

6.5 Related Party Transactions

65. A related party transaction is a transfer of resources, services or obligations between a NIFI and a related party, regardless of whether a price is charged. Related party transactions include on- and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease (Ijarah) contracts, financings, borrowings (through Qard) and write-offs. They also include transactions that are entered into in situations in which an unrelated party with whom the IIFS has an existing exposure subsequently becomes a related party.

66. The CBN will ensure that NIFIs have policies and processes to identify individual exposures to transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent review or audit process.

67. The CBN will also need to satisfy itself that the NIFI's related party transactions are conducted on an arm's-length basis and that the NIFI takes appropriate steps to control or mitigate the related risks. In this context, as part of its review process, the CBN needs to satisfy itself, through on-site inspection or external auditors, as to appropriate evidence of the accounting and disclosure of any material transactions with related parties.

6.6 Shari'Ah-Compliant Securitisation Exposures

68. NIFIs engaging in Shari'ah-Compliant Securitisation shall design an assessment of risk exposure, based on the understanding of structure of the transaction. The Board shall oversee and set up the scope and purpose of its involvement in the activities. There shall be an appropriate assessment for identifying various types of triggers, credit events and other legal provisions that may affect the performance of the whole exposure (both on and off-balance sheet).

69. Risk to be identified and managed shall include but not limited to: a) Credit, market, liquidity and reputational risk of each exposure; b) Potential delinquencies and losses on the underlying securitised exposures; c) Exposures from credit lines or liquidity facilities to SPEs; and d) Exposures from Kafalah (guarantees) provided by mono-line and other third parties.

70. CBN will ensure that all activities undertaken by NIFIs in securitisation are compliant with applicable regulatory and prudential requirements as well as appropriate Shari'ah governance.

6.7 Risk Concentration

71. NIFIs are required to put in place effective internal policies, systems and controls to identify, measure, monitor and control their risk concentration in a timely manner. In order to mitigate the concentration risk, NIFIs are required to set a limit of exposures in relation to their capital, total assets or, where adequate measure exist, its overall risk level. The risk concentration limit of exposures shall take into account Real Estate Investment for NIFIs engaging in real estate business.

72. CBN, with respect to SREP, shall review the risk concentration of NIFIs in the following areas: (a) risk concentration analysed at the level of NIFI and/or on a consolidated basis; (b) risk concentration viewed in the context of a single or a set of closely related risk-drivers that may have different impacts on the NIFI; (c) the NIFI's compliance with defined limits for large individual exposures and for exposures in total; (d) a framework for managing credit risk concentrations that clearly documents and includes a definition of the credit risk concentration relevant to a NIFI; and (e) Different forms of credit risk concentration to which a NIFI may be exposed.

7.0 Islamic Window Operations

73. An Islamic window is part of a conventional financial institution that mobilises deposits and provides fund management (investment accounts), financing and investment, and other banking services that are Shariah compliant, with proper segregation of funds from the parent unit.

74. Conventional banks with Window operations shall have a transparent system that separate Islamic assets and funds from non-Shari'ah compliant assets. It is required for Window operations to have an internal systems, procedures and controls to provide reasonable assurance that: i. the transactions and dealings of the Windows are in compliance with Shari'ah rules and principles; ii. the Window shall avoid commingling investors' funds with the funds of the conventional parent entity; and iii. Appropriate risk management policies and practices are followed.

75. In-line with the requirement of Guidance Notes on Regulatory Capital for NIFIs in Nigeria, Windows are required to maintain a notional capital fund. The operations may be required to hold additional notional capital fund that is commensurate with their level of risk exposures.

76. The parent bank is required to disclose publicly, among other things: a) Sources of funds to cover a liquidity deficit of the Window, if any. b) Capital adequacy related disclosures; c) Risk management and governance; d) Appointment of Advisory Committee of Experts; and e) Shari'ah compliance reporting covering the mechanisms established to provide Shari'ah oversight of the Window operations.

77. CBN shall ensure that Banks with Window operations have internal systems and controls to provide reasonable assurance that; (a) The transactions and dealings of the windows are in compliance with Shari'ah rules and principles (b) the Window shall avoid commingling investors' funds with the funds of the conventional parent entity; and (c) Appropriate risk management policies and practices are followed.

78. The Supervisory Review Process is to examine the Window first as a unit of the entity, then on a consolidated basis in terms of capital adequacy, corporate governance, risk management, disclosure and accounting treatment.

ANNEX A RISKS SUBJECT TO ICAAAP

A) Types Of Risks Under Pillar 1:

Credit risk; Market risks; Operational risk.

B) Types Of Risk Not Fully Captured Under Pillar 1:

Shari'ah-Compliant Securitization exposure risk: the risk that the economic substance of a securitization is not fully reflected in risk assessment and management decisions; Model risk which arises due to limitations of data inputs or weaknesses in model structures under advanced approaches.

c) Other Types of Risks not covered by Pillar 1: Displaced Commercial Risk: Liquidity risk Credit Concentration risk Rate of Return risk Residual risk Business and Strategic risk Reputational risk : the current or prospective risk of a decline in profits or capital should customers, counterparties, shareholders, investors or supervisors take a negative view of the NIFI; Counter Party Credit Risk (CCR):- This is a risk that arises where the counter party to a transaction could default before the final settlement of the transactions cash flows.

Compliance with minimum standards and disclosure requirements; Factors external to the NIFI, e.g., business cycle effects Legislative Risk Legal Risk Shariah Non-Compliance Risk Equity Investment Risk Fiduciary Risk.

d) Changes in External Factors: such as regulatory, economic or business enviroment that may affect an NIFIs risk profile over time.

ANNEX B GUIDE FOR ICAAP REPORTING

1) Strategies And Forecasting Horizon Adopted

a) Business plan and annual budgets; schedule of reviews of business plan and its components; extraordinary events necessitating review; b) Reconciliation between time horizon of business plan and capital plan; c) Ordinary and extraordinary sources of capital. 2) Corporate governance, organizational arrangements and internal control systems connected with the ICAAP b. Description of the process for the preparation and updating of the ICAAP; c. Description of the process for reviewing the ICAAP; d. Definition of the role and functions assigned to the board and senior management bodies for the purposes of the ICAAP; e. Definition of the role and functions assigned to various corporate functions for the purposes of the ICAAP (for example, internal auditing, compliance, planning, risk management, and other units such as head office and branch network commercial units, accounting and audit); f. Description of organizational and contractual safeguards relating to any elements of the ICAAP that are outsourced; g. Indication of internal regulations relevant to the ICAAP.

3) Risk Exposures, Risk Measurement And Aggregation Methodologies, Stress Testing

a) Risk mapping: illustration of the position of the NIFI in respect of Pillar 1 and Pillar 2 risks; b) Risk mapping in relation to NIFIs operating units and/or legal entities of the group; c) Techniques for risk measurement, internal capital determination and stress testing; d) Description, for every category of measurable risk, of the main characteristics of the main risk control and mitigation instruments; e) General description of systems for control and mitigation of non-measurable risks.

4) Components, Estimation And Allocation Of Internal Capital

a) Quantification of internal capital for each risk and total internal capital; b) Any methods for allocating internal capital (by operating unit and/or legal entity). 5) Reconciliation of internal capital, regulatory requirements and regulatory capital a) Reconciliation of total internal capital and regulatory requirements; b) Listing and definition of capital components covering internal capital; c) Eligibility of components covering internal capital to be calculated for supervisory purposes; explanation of inclusion of ineligible components; d) Estimate of cost of using other capital sources in addition to those used.

6) Self -Assessment Of Icaap

a) Identification of the areas of the process amenable to improvement; b) Planning of capital or organizational actions.

7) Organization Of The Icaap Report

1.	Executive Summary
2.	Structure and Operations
3.	Governance Structure
4.	Risk Assessment and Capital Adequacy
5.	Stress Testing
6.	Capital Planning
7.	Design, Approval, Review, and Use of ICAAP
8.	Challenges and Further Steps
9.	Summary of Internal Capital Adequacy Assessment Process
10.	Risk Appetite Statement
11.	Use of Internal Models for Capital Assessment
12.	Review of ICAAP