2023-09-21

Central Bank of Libya Circular 14/2023: Guiding Principles for the General Risk Management Framework for Islamic Banks

The Central Bank of Libya issued Circular 14/2023 to establish the General Risk Management Framework for Islamic banks, partially transitioning banks, and non-bank financial institutions under its supervision. The directive mandates the implementation of comprehensive risk identification, measurement, monitoring, and reporting procedures aligned with Islamic Financial Services Board (IFSB) standards, requiring clear governance roles for boards of directors, Sharia supervisory boards, and executive management. It further requires banks to maintain independent risk management units, adopt robust internal controls and contingency planning, and ensure timely disclosure of risk exposures to comply with regulatory capital and governance requirements.

Libya

Central Bank of Libya

Central Bank of Libya P.O. Box 1103 | Telex: CBL-LIBYA - Tripoli, Libya

Reference: B.S.R.N. 804
Circular No. (14/2023)
Date: 8 Ramadan 1444
Corresponding to: March 30, 2023

To: Chairmen of the Boards of Directors of Banks
To: General Managers of Banks

Subject: The General Risk Management Framework for Islamic Banks


Based on the provisions of Law No. (1) of 2005 concerning Banks and its amendments, and in accordance with the standards issued by the Islamic Financial Services Board (IFSB) regarding risk management for Islamic banks.

And with reference to Circular B.S.R.N. No. (2022/7) issued on October 6, 2022, regarding the establishment of a unit to monitor the implementation of supervisory directives issued by the Basel Committee on Banking Supervision.

Therefore, we attach to you the General Risk Management Framework for Islamic Banks in accordance with the requirements of the standards issued by the IFSB, after considering all comments regarding it, to commence implementation within the jurisdiction of the unit implementing Basel Committee directives, and to forward us the results achieved. We will also subsequently provide you with detailed and specific directives for each of the risk categories mentioned in this framework.

Peace be upon you,

Naji Mohammed Eissa
Director of Banking and Currency Supervision Department

Copies to:

  • The Governor
  • The Deputy Director of Banking and Currency Supervision Department
  • The Deputy Director of Banking and Currency Supervision Department for Office Supervision and Compliance Monitoring
  • The Deputy Director of Banking and Currency Supervision Department for Inspection Affairs
  • The Deputy Director of Banking and Currency Supervision Department for Islamic Finance Affairs
  • The Banking Supervision, Benghazi
  • The Directors of Compliance Departments in Banks (for follow-up)
  • The Directors of Risk Management Departments in Banks

Basel Directives Phone: +218 3591 333, Fax: +218 444 21 1488, www.cbl.gov.ly, swift code: CBLJLYLX


Central Bank of Libya

Banking Supervision Department

Guiding Principles for the General Risk Management Framework in Islamic Banks

The safety and soundness of banks depend on the effectiveness of risk management supervision. Risk management lies at the core of all financial institutions, including banks, and encompasses all activities affecting the risk structure. The risks to which banks are exposed, along with the technical methods used to identify, measure, monitor, and control them, are important factors considered when evaluating Islamic banks. Accordingly, the Central Bank of Libya attaches great importance to the adequacy of risk management in Islamic banks, including their internal control systems, as stipulated by Banking Law No. 1 of 2005 and its amendments. These guiding principles provide a set of best practices for establishing and implementing an effective risk management framework in banks and financial institutions, and the IFSB-derived risk framework specifies directives for the effective management of risks for:

  a. Islamic banks.
  b. Banks undergoing full transition to Islamic finance.
  c. Banks partially transitioning to Islamic finance.
  d. Non-bank financial institutions subject to the supervision and oversight of the Central Bank of Libya.

This framework must be applied at the bank level or on an individual basis for branches and Islamic finance windows within the bank. Furthermore, Islamic banks must recognize that this risk management framework does not cover all possible risk control and supervisory procedures. Therefore, Islamic banks should refer to other directives issued by the Central Bank of Libya regarding risk management. This framework is comprehensive for risk management but does not aim to cover all details of risk categories, as detailed and specific directives will be issued for each mentioned risk category. In addition to general risk management requirements and related procedures, this framework includes measures that must be applied to the following banking risk categories:

  • Financing risks.
  • Market risks.
  • Liquidity risks.
  • Investment in equity shares (stocks) risks.
  • Interest rate/yield rate risks.
  • Operational risks.

Islamic banks must ensure that their risk management includes all arrangements, procedures, and systems aimed at identifying the type of risks to which the bank is exposed, evaluating them, determining their magnitude, monitoring their development, and establishing necessary controls to manage and control their size while preparing reports on them. They must also consider risks arising from developments in external markets, counterparties, or products, as well as changes in the economic and political environment in which they operate that directly affect their business plans and financial positions. Furthermore, the evaluation of each type of risk must be supported by:

  • Technical, quantitative, and qualitative mechanisms suitable for the bank's size, nature of operations, and degree of activity complexity.
  • High-quality data for risk measurement.
  • Sufficient internal control systems ensuring risk mitigation.

Islamic banks must also adopt a risk matrix covering various types of risks in each Islamic financial instrument or contract, and the risk matrix must clearly indicate the implications of those risks for the bank.

The following presents practical details for identifying, measuring, mitigating, monitoring, reporting on, and tracking risks.

First: General Requirements for the Risk Management Process:

  • Islamic banks must implement comprehensive risk management and reporting procedures, including appropriate supervision by boards of directors and executive management. This aims to identify, measure, monitor, report on, and track risks to maintain sufficient capital to cover them. This process must consider taking appropriate steps to comply with Islamic Sharia principles and disclosure requirements issued by the Central Bank of Libya regarding risks.

This process requires the following executive measures:

  a. Establishing appropriate risk management policies and procedures.
  b. Implementing these policies and procedures appropriately, including setting risk limits and effective management information systems for internal reporting on those risks, assisting in making decisions appropriate to the banks' activities, complexity, and nature.
  c. A sound risk management framework must include at minimum the following basic characteristics:

  1. Supervision by management and senior management.
  2. Establishing necessary policies, procedures, and appropriate risk limits.
  3. Identifying, measuring, mitigating, controlling, monitoring, and reporting on risks comprehensively and in a timely manner.
  4. Adopting a suitable management information system at both individual and consolidated levels.
  5. Establishing comprehensive internal control systems.

Second: Supervision by the Board of Directors, Sharia Supervisory Board, and Executive Management:

The board of directors, Sharia supervisory board, and executive management in Islamic banks are responsible for determining and adopting the risk tolerance levels of Islamic banks. They also bear the responsibility of adopting a risk management framework and applying detailed policies that set prudent risk limits, either individually or on a consolidated basis, aligned with the banks' risk tolerance. A list of acceptable risks must also be established, consistent with the existing risk structure and the banks' capacity to bear various types of risks.

Role of the Board of Directors:

Boards of directors in banks and financial institutions must ensure an effective structure dedicated to risk management for carrying out banking activities, and must ensure the existence of systems adequate for measuring, monitoring, reporting on, and controlling risk exposures. They must:

  • Establish policies and procedures related to risks and supervise their implementation.
  • Approve risk management objectives and strategies.
  • Work to establish an effective organizational structure for risk management.
  • Set financing caps at various levels to limit concentration risks of all types (client, sector, instrument, geographic distribution...) in addition to setting caps for market activities.
  • Establish a system to follow up, monitor, and evaluate executive management.
  • Establish a risk reporting and management information system, reviewing strategies periodically.
  • Form specialized committees under the board of directors to supervise risks, with the board determining their tasks and monitoring their activities (Investment Committee, Asset and Liability Management Committee, Risk Management Committee, etc.).

Role of the Sharia Supervisory Board:

Sharia supervisory boards in Islamic banks must continuously ensure that Islamic banks comply with the approved Sharia standards and controls.

Role of Executive Management:

  1. Executive management in Islamic banks must continuously implement the strategic directions set by boards of directors, clearly defining lines for exercising authorities and responsibilities to manage, monitor, and report on risks.
  2. Executive management must ensure that existing financial and investment activities fall within approved limits, and they must obtain board of directors' approval for these activities.
  3. Executive management in banks and financial institutions must establish risk management procedures that are not limited to (liquidity risks, financing risks, operational risks) but should cover all material risks.

Third: Policies, Procedures, Limits, and Controls:

Islamic banks must clearly document the strategies, policies, and procedures they establish to deal with risks within a risk management framework suitable for the bank's activity size. These policies and procedures should provide specific guiding principles to implement the bank's stated objectives, in addition to implementing the bank's and its group's strategies. They should also set internal limits for various types of risks to which the bank may be exposed. The board of directors bears the responsibility for determining risk tolerance, and must adopt limits regarding all financial and investment exposures to avoid risk concentration. The board of directors should also periodically review the adequacy of risk management activities and make appropriate adjustments as necessary. Limits approved by the board of directors should include the following:

  1. They are determined at an acceptable level within risk tolerance capacity, considering the interests of customers (clients), shareholders, and investment account holders, as well as paying attention to capital requirements and other supervisory directives specified by the Central Bank of Libya.
  2. Business activities and legal entities that can be dealt with, generally expressed as their impact on revenues, capital, liquidity, or other matters, such as growth rate and volatility degree in banking activities.
  3. Material risk concentrations at the bank and financial institution level, consolidated subsidiary units level, business activity level, and legal entity levels according to their relevance (e.g., counterparty, industry, country, region, type of collateral, product).
  4. The limits set should not be overly complex, vague, or subjective.
  5. They are monitored and followed up periodically by the board of directors, Sharia supervisory board, and executive management, each within its jurisdiction.
  6. It is necessary that the established policies, procedures, and limits include:
     a. Identifying risks imposed by financing, investment, commercial, credit activities, off-balance sheet activities, and other important activities at business line and operational levels. These policies and procedures must also stipulate the measurement, monitoring, control, and mitigation of those risks.
     b. Clearly mapping responsibility boundaries and authority levels in various activities, ensuring a clear separation between business activities and the (risk management) responsible unit.
     c. These policies and procedures are reviewed and updated as needed.

Fourth: Risk Identification, Measurement, Monitoring, and Reporting:

Risk identification is a qualitative process important to the bank and financial institution, recorded through a risk register (all material risks and foreseeable events that may affect the bank's financial conditions). After identifying risks, they should be appropriately measured using suitable risk measurement tools, such as (risk rating scale methodologies, Value at Risk determination, and stress testing). It is essential for Islamic bank management to understand the underlying assumptions of each type of risk and the limits set for them.

  1. It must be considered that any risk measurement framework, especially those using (quantitative technical methods / quantitative models), is only as good as the quality of its underlying assumptions and the strength of its analytical methodologies.
  2. It must be ensured that all material risks specific to the bank are included in the risk management framework.
  3. The risk management framework must cover (risk transformation) processes across various stages of investment cycles, as it is one of the key characteristics of Islamic banking.
  4. Each type of risk should not be viewed in isolation from other risks, as the degree of each type may rise or fall due to interactions among these risks. Risk management procedures should reflect risk interactions across all business activities as needed, requiring the adoption of a risk matrix showing the relationship between each type of risk and others.
  5. The board of directors, its committees, the Sharia supervisory board, compliance unit, internal audit department, and Sharia audit management must perform their duties to provide necessary advice and guidance for implementing the risk management framework as needed.
  6. The current status of identified risks must be tracked and monitored using adequate management information systems. These systems must provide the board of directors and executive management with clear and accurate relevant risk information when available, as well as the main assumptions used in aggregating risks. These systems must also be capable of tracking violations of risk limits set by the bank. In this context, it is necessary to take executive measures regarding reporting risk violations to the bank's executive management.
  7. The bank must have comprehensive executive procedures for reporting all risks it faces. Reporting procedures must cover all internal and external risk reporting requirements, including how to track appropriate and reliable risk information at an adequate level of detail for each level of information users, including the bank's executive management, board risk committee, Sharia supervisory board, compliance and Sharia audit departments, as well as any public disclosure requirements or regulatory authority requirements.

Fifth: Internal Controls:

Risk management procedures at the bank or financial institution must be monitored, followed up, and tested periodically by independent bodies, such as external auditors. This follow-up and testing include:

  a. The information underlying decisions is accurate and fully reflects executive measures for policies and operational regulations.
  b. Periodic risk reporting, which includes reporting on limit violations and other exceptional risk reports.

The bank's risk management must be completely independent of other business activities to ensure appropriate segregation of duties and avoid conflicts of interest.

Sixth: Independence of Risk Management:

To apply these directives, each bank must have an independent and effective risk management department operating under the guidance of a Chief Risk Officer, independent of business lines and decisions resulting in banks' risk tolerance, with the ability to report directly to the bank's board of directors through its Risk Management Committee. In this regard, the bank's board of directors must appoint a Chief Risk Officer with sufficient and extensive expertise regarding Islamic financing specifics and inherent risks, in accordance with the Corporate Governance directives issued by the Central Bank of Libya. The Group's Chief Risk Officer may also communicate directly with the boards of directors of banks or financial institutions under the parent bank, reporting on their material risks, concentrations, and limit breaches or risk-bearing capacity limits, as well as the ability to communicate with risk heads at each bank or financial institution under the parent bank.

Seventh: Risk Reporting and Disclosure:

An effective risk management governance framework requires communication between bank units and the adoption of a clear system for reporting risk reports and disclosing them to the board of directors and executive management. Appropriate disclosures related to risk management that the bank must disclose at minimum include:

  1. A description of objectives, strategies, policies, and procedures for risk management by each type of risk, as well as on an aggregated basis.
  2. The existence of a clear structure and organization supporting the risk management framework and its functions.
  3. A description of the scope and nature of the risk measurement and reporting system.
  4. Policies and procedures related to risk mitigation, which include tracking the ongoing effectiveness of risk mitigation factors.

Additionally, the bank must disclose its operations in a timely and appropriate manner, including disclosing information to investment account holders, so that investors can evaluate the risks and potential returns from their investments, and to protect their interests in decision-making.

Regarding disclosures, the bank must comply with standards and directives issued by the Central Bank of Libya in this regard, and follow Islamic Financial Services Board (IFSB) standards concerning disclosure requirements, standards issued by the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI), and international standards such as financial reporting under IFRS, in addition to those used by Islamic banks for risk measurement and reporting, with respect to risk measurement and disclosure requirements.

Eighth: Contingency Planning and Review of the Risk Management Framework:

The Islamic bank must have a working mechanism to identify stressful situations before they occur, and plan to deal with abnormal situations in a timely and effective manner. Stressful situations covered by the risk management framework must include all types of risks. It is necessary to review contingency plans periodically to ensure they include mechanisms for dealing with reasonably possible events that may affect banks or financial institutions, and to test these plans regarding their suitability and response capability, reporting them to higher management levels, and reporting on their effects on the bank's conditions and various units.

The bank must adopt procedures to review and modify the risk management framework periodically, ensuring its safety and quality in light of any changes in risk portfolios, as well as developments and changes in risk management. It is also necessary for the bank's risk management, internal audit, and Sharia audit departments to keep pace with changes in risk portfolios and developments in the banking industry.

Emphasizing the responsibility of boards of directors, Sharia supervisory boards, and executive management in Islamic banks, each within its jurisdiction, to formulate policies and take necessary executive measures to implement this framework, the Central Bank of Libya will conduct periodic reviews of the implementation of the risk management framework as part of supervisory review and a comprehensive evaluation of banks' risk management departments in light of these directives, with continuous updates to keep pace with banking industry developments. Each bank must submit a copy of its risk management policies to the Banking and Currency Supervision Department, and report any amendments made to them.

End,
