Skip to main content
Back Custom print Text Only Rich Text Print

  • Risk Management Standards

    C 153-2018 STA Effective from 27/6/2018

    • Introduction

      1. 1. These Standards form part of the Risk Management Regulation. All banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
      2. 2. A bank's board of directors is in ultimate control of the bank and accordingly, ultimately responsible for the bank’s comprehensive approach to risk management. There is no one-size-fits-all or single best solution. Accordingly, each bank could meet the minimum requirements of the Regulation and Standards in a different way and thus may adopt an organisational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented a comprehensive approach to risk management. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards1.
      3. 3. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

      1 The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

    • Article 1: Definitions

      1. 1. Affiliate: An entity that, directly or indirectly, controls, is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity or of the power to direct or cause the direction of the management of another entity.
      2. 2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
      3. 3. Board: The Bank’s board of directors.
      4. 4. Central Bank: The Central Bank of the United Arab Emirates.
      5. 5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
      6. 6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
      7. 7. Group: A group of entities that includes an entity (the 'first entity') and:
        1. a. any Parent of the first entity;
        2. b. any Subsidiary of the first entity or of any Parent of the first entity; and
        3. c. any Affiliate.
      8. 8. Parent: An entity (the 'first entity') which:
        1. a. holds a majority of the voting rights in another entity (the 'second entity');
        2. b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
        3. c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;

          Or;

        4. d.  if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
      9. 9. Risk appetite: The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
      10. 10. Risk capacity: The maximum amount of risk a bank is able to assume given its capital base, risk management and control measures, as well as its regulatory constraints.
      11. 11. Risk culture: A bank’s norms, attitudes and behaviors related to risk awareness, risk taking and risk management and controls that shape decisions on risks, influence the decisions of management and employees during day-to-day activities and is reflected in the risks they assume.
      12. 12. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the board and management establish and make decisions about the bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
      13. 13. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
      14. 14. Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank and, if applicable, group-wide basis.
      15. 15. Risk profile: Point in time assessment of the bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
      16. 16. Senior management: The executive management of the bank responsible and accountable to the board for the sound and prudent day-to-day management of the bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
      17. 17. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
        1. a. holds a majority of the voting rights in the first entity;
        2. b. is a shareholder of the first entity and has the right to appoint or remove a majority of the board or managers of the first entity; or
        3. c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;

          Or;

        4. d. if the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.

    • Article 2: Risk Governance Framework

      1. 1. A bank must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risk. The risk governance framework consists of policies, processes, procedures, systems and controls.
      2. 2. The risk governance framework must be documented and approved by the Board and must provide for a sound and well-defined framework to address the bank's risks.
      3. 3. The risk governance framework will vary with the specific circumstances of the bank, particularly the risk profile, nature, size and complexity of its business and structure. A bank must incorporate the following minimum elements into its risk governance framework or demonstrate to the Central Bank that its framework meets the requirements for a comprehensive approach to risk management without the presence of all of the elements set out below:
        1. a. Board: the board must approve, maintain and oversee the bank’s risk governance framework, including the risk appetite statement, risk limits by legal entity, business line or management units consistent with the risk appetite statement and policies and procedures to implement a comprehensive approach to risk management.
        2. b. Board risk committee: pursuant to a charter or terms of reference approved by the board, the board risk committee must (a) review and recommend the establishment of and revisions to the bank’s risk governance framework and (b) oversee its implementation by senior management.
        3. c. Board audit committee: pursuant to a charter or terms of reference approved by the Board, the board audit committee must oversee the independent assessment of the risk governance framework by the internal audit function and the internal audit function’s independent assessment of implementation of the bank’s comprehensive approach to risk management.
        4. d. Management risk committee: the management risk committee must develop and recommend the overall risk strategy, the risk governance framework and the risk appetite statement to the board or to the board risk committee and must be accountable for an effective bank-wide approach to risk management and for the communication of the comprehensive approach to risk management across the bank.
        5. e. Risk management function: headed by the chief risk officer (CRO) or equivalent, the risk management function must develop metrics relevant to the risk appetite statement, monitor and report on the risk metrics, escalate breaches and conduct stress tests.
        6. f. Compliance function: the compliance function must verify that compliance policies are observed and must report to senior management or the board, as appropriate, on how the bank is managing its compliance risk.
        7. g. Internal audit function: the internal audit function must provide independent assurance to the board and senior management on the quality and effectiveness of a bank’s internal control and risk management policies, procedures and systems, including measurement methodologies and assumptions. It reports directly to the board audit committee.
        8. h. Business line management: must receive and operationalize risk limits, establish procedures to identify and control risks including monitoring and escalation of breaches and report on risk metrics.
      4. 4. In defining and assessing risks, a bank must consider both the probability of the risk materializing and its potential impact on the bank. In assessing the potential impact of a risk, a bank must assess factors including but not limited to: (a) potential disruption of the bank’s business operations; (b) effect on profitability, liquidity, capital adequacy and regulatory compliance; and (c) ability of the bank to meet its obligations to its customers or other counterparties.
      5. 5. A Bank’s risk governance framework must address all material risks, which, at a minimum, must include the following items:
        1. a. Credit risk;
        2. b. Market risk;
        3. c. Liquidity risk
        4. d. Operational risk;
        5. e. Risks arising from its strategic objectives and business plans; and
        6. f. Other risks that singly, or in combination with different risks, may have a material impact on the bank.
      6. 6. A Board is responsible for the implementation of an effective risk culture and internal controls across the bank and its subsidiaries, affiliates and international branches. The board approved risk governance framework must incorporate a “three lines of defense” approach including senior management of the business lines, the control functions of risk management and compliance and an independent and effective internal audit function:
        1. a. Business line management - identification and control of risks
          1. i. Manage and identify risks in the activities of the business line;
          2. ii. Ensure activities are within the bank’s risk appetite, risk management policies and limits;
          3. iii. Design, implement and maintain effective internal controls; and
          4. iv. Monitor and report on business line risks.
        2. b. Risk management function - sets standards and challenges business lines
          1. i. Headed by the CRO or equivalent;
          2. ii. Establish bank-wide or, if applicable, group-wide risk and control strategies and policies;
          3. iii. Provide oversight and independent challenge of business line accountabilities;
          4. iv. Develop and communicate risk and control procedures; and
          5. v. Monitor and report on compliance with risk appetite, policies and limits.
        3. c. Compliance function - assess bank-wide adherence to requirements
          1. i. Develop and communicate compliance policies and procedures; and
          2. ii. Monitor and report on compliance with laws, corporate governance rules, regulations, regulatory codes and policies to which the bank is subject.
        4. d. Internal audit function - independent assurance
          1. i. Independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; and
          2. ii. Independently assess the effectiveness of business line management in fulfilling their mandates and managing risk.
      7. 7. The Board must ensure that the risk management, compliance and internal audit functions are properly staffed and resourced and carry out their responsibilities independently and effectively. This includes unrestrained access to all kinds of information needed for the risk management, compliance and internal audit functions to fulfil their tasks.
      8. 8. The Board must review policies annually and controls on a regular basis with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues, as well as determine areas that need improvement.
      9. 9. The Board must provide oversight of senior management. It must hold members of senior management accountable for their actions and enumerate the consequences if those actions are not aligned with the board’s expectations. This includes adhering to the bank’s values, risk appetite and risk culture, regardless of financial gain or loss to the bank.
      10. 10. Senior management must implement, consistent with the direction given by the board, policies, procedures, systems and controls for managing the risks to which the bank is exposed and for complying with laws, Central Bank regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions, as well as an effective overall system of internal controls.
      11. 11. Senior management must provide the board with the information it needs to carry out its responsibilities, including the supervision of senior management and assessment of the quality of senior management’s performance.

      • Risk Appetite Statement

        1. 12. The risk appetite statement is a written articulation of the aggregate level and types of risk that a bank will accept or avoid in order to achieve its business objectives. At a minimum, it must include the following items:
          1. a. For each material risk, the maximum level of risk that the bank is willing to operate within, expressed as a limit in terms of:
            1. i. Quantitative measures expressed relative to earnings, capital, liquidity or other relevant measures as appropriate; and
            2. ii. Qualitative statements or limits as appropriate, particularly for reputation, compliance and legal risks.
          2. b. Delineation of any categories of risk the bank is not prepared to assume;
          3. c. The process for ensuring that risk limits are set at an appropriate level for each risk, considering both the probability of loss and the magnitude of loss in the event that each material risk is realized;
          4. d. The process for monitoring compliance with each risk limit and for taking appropriate action in the event that it is breached; and
          5. e. The timing and process for review of the risk appetite and risk limits.
        2. 13. Quantitative risk limits and metrics may include, but are not limited to:
          1. a. Capital targets beyond regulatory requirements, such as economic capital or capital-at-risk;
          2. b. Various liquidity ratios and survival horizons;
          3. c. Net interest income volatility;
          4. d. Earnings-at-risk;
          5. e. Value at risk (VaR);
          6. f. Risk concentrations by internal or external rating;
          7. g. Expected loss ratios;
          8. h. Growth ceilings by asset type, business line or type of exposure;
          9. i. Economic value added; and
          10. j. Stressed targets for capital, liquidity and earnings.

      • Policies and Procedures

        1. 14. A bank must have a board approved risk management policy, which includes identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating all internal and external sources of material risk. The overarching risk management policy document must reflect an understanding of the risks arising from the bank’s business activities and the relationships among those risks.
        2. 15. A bank’s documented policies and procedures for risk management must, at a minimum, address the following:
          1. a. Details of board oversight of risk management, including regular review of risk management policies, review and approval of the risk appetite statement and regular and ad hoc reporting on risk management by senior management, the risk management function, compliance function and internal audit to the Board or committee of the board;
          2. b. The role and responsibilities of the board risk committee, documented through an appropriate charter or terms of reference;
          3. c. A process for the identification of material risks, which is likely to be undertaken by a senior management committee overseen by the Board or board risk committee;
          4. d. A process for ensuring there is a bank-wide or, if applicable, group-wide view that includes identifying, measuring, evaluating, monitoring and controlling risks and that the risk culture is disseminated throughout the bank or, if applicable group, which will involve senior executives, often through a management risk committee or other senior executive committee, as well as the risk management function;
          5. e. Establishment of an effective control environment including measures embedded in the business lines such as delegated levels of authority, segregation of duties and physical controls such as dual custody, as well as the role of the risk management function in setting standards and challenging the business lines, an independent compliance function to monitor adherence to legal and regulatory requirements as well as internal compliance policies and internal audit to provide independent assurance; and
          6. f. Ensuring that the bank’s data architecture and information technology systems adequately support the bank’s comprehensive approach to risk management with timely and accurate reporting in readily usable formats.
        3. 16. A bank must have an appropriate level of granularity in its policies and procedures. Smaller banks with minimal trading activities may address market risks in a single set of policies and procedures, while larger and more complex banks must address market risks in detailed policies and procedures for individual types of market risk. A bank that outsources functions must have specific risk management policies and procedures related to the outsourcing.

      • Internal Capital Adequacy Assessment Process (ICAAP)

        1. 17. A bank must have a formal documented process for assessing its overall capital adequacy in relation to its risk profile and a strategy for maintaining its capital levels above regulatory minimum requirements. The assessment must be documented and submitted annually to the Central Bank for review (ICAAP Report).
        2. 18. A bank must demonstrate the following in its documented ICAAP:
          1. a. Board and senior management oversight;
          2. b. Elements of a sound capital assessment process. This includes policies and procedures designed to ensure that the bank identifies, measures and reports all material risks, policies and procedures relating to capital and capital adequacy goals to the level of risk and policies and procedures for internal control to ensure the integrity of the overall management process;
          3. c. Comprehensive assessment of risks; notably credit, market, operational, interest rate, concentration, liquidity and other;
          4. d. Monitoring and reporting of risk exposure and related capital needs; and
          5. e. Internal control review, including the role of internal and external audit where appropriate.

    • Article 3: Risk Management Function

      1. 1. The head of the risk management function, the CRO or equivalent, must be of sufficient seniority and stature within the bank, to credibly challenge the heads of business lines and functions. The risk management function is responsible for assisting the Board, board committees, executive committee (including the credit committee) and senior management to develop and maintain the risk governance framework.
      2. 2. Appointment or dismissal of the CRO must be approved by the Board or board risk committee. If the CRO is removed, the bank must immediately advise the Central Bank of the reasons for such a removal.
      3. 3. The CRO, or equivalent, must:
        1. a. Not have a decision-making role in the bank’s risk-taking functions, including credit underwriting, or the finance function;
        2. b. Have no revenue-generating responsibilities;
        3. c. Not have remuneration based on the performance of any of the bank’s risk-taking functions;
        4. d. Not be the chief executive of the bank, or head of the finance, compliance or internal audit function;
        5. e. Have a direct reporting line to the Board or board risk committee and appropriate reporting lines to senior management; and
        6. f. Have unfettered access directly to the board risk committee, including the ability to meet without other senior executives present.
      4. 4. Key activities of the risk management function must include, but are not limited to:
        1. a. Identifying material individual, aggregate and emerging risks;
        2. b. Assessing these risks and measuring the bank’s exposure to them;
        3. c. Supporting the Board in its implementation, review and approval of the bank-wide or if applicable, group-wide risk governance framework;
        4. d. Ongoing monitoring to ensure risk-taking activities and risk exposures are in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs;
        5. e. Establishing an early warning or trigger system as part of ongoing monitoring to ensure that breaches of the board-approved risk appetite and risk limits are reported on a timely basis to senior management, the Board or board risk-committee as required by board-approved policies;
        6. f. Influencing and, when necessary, challenging material risk decisions; and
        7. g. Reporting to senior management and the Board or board risk committee in accordance with the risk governance framework.

    • Article 4: Risk Measurement and Use of Models

      1. 1. A bank must use risk measurement methodologies commensurate with the risk profile, nature, size and complexity of the business and the structure of the bank. These could include VaR analysis, scenario analysis and stress testing and single counterparty and concentration limits. Common metrics must be employed on a bank (or group)-wide basis to foster a bank (or group)-wide approach and effective identification and monitoring of risks across the Bank (or Group).
      2. 2. Risk measurement and modeling techniques must be used in addition to qualitative risk analysis and monitoring. The comprehensive approach to risk management must include policies and procedures for the development and internal approval for use of models or other risk measurement methodologies. Where the models, or data for the models, are supplied by a third party, there must be a process for validation of the model and data relative to the specific circumstances of the bank.
      3. 3. A bank must perform regular validation and testing of models. This must include evaluation of conceptual soundness, ongoing monitoring including process verification and benchmarking and outcomes analysis, including back-testing. Stress-testing and scenario analysis must be used to take into account the risk of model error and the uncertainties associated with valuations and concentration risks. Widely recognized weaknesses in VaR such as dependence on historical data and inadequate volatility estimates must be explicitly addressed by banks in developing and implementing VaR methodologies. Banks employing VaR or other model methodologies must regularly back-test actual performance against model predictions and adjust their methodologies in light of experience.
      4. 4. Model-based approaches must be supplemented by other measures. These include qualitative assessment of the logic, judgment and types of information used in models as well as assessments of policies, procedures, risk limits and exposures, especially with respect to difficult to quantify risks such as operational, compliance and reputational.

    • Article 5: Stress-Testing of Material Risks

      1. 1. A bank must have a forward looking stress testing program that addresses credit, market and operational risk with the bank taking into account that its risk profile is likely to require capital in excess of the minimum capital requirements. The stress testing program must also include any risk that is material for the bank given the nature of its business. These may include but are not limited to: concentration risk; interest rate risk in the banking book; liquidity risk; currency risk; reputation and compliance risks; contagion risk; country and transfer risks; legal risk; and strategic risk.
      2. 2. The requirement for a bank to use stress tests and scenario analysis to better understand potential risk exposures under a variety of adverse circumstances is common to both the risk governance framework and ICAAP. A bank must have a comprehensive approach to stress-testing that meets its ICAAP and other risk management requirements. Stress-testing within business lines can be a useful part of the program, however, there must be a means to capture correlations across business lines and obtain a bank-wide or, if applicable, a group-wide overview of performance in stress scenarios.
      3. 3. A bank’s stress-testing program must be undertaken on a regular basis to facilitate the tracking of trends over time and developments in key risk factors and exposure amounts, in addition to ad hoc stress tests as required. The program must cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management and, as applicable, the Board or board risk committee must review and approve the scenarios. The specifics of the program must be tailored to the risk exposures of the bank and, at a minimum, must take into account the following factors:
        1. a. Bank and Group-specific and system-wide events;
        2. b. Extreme but plausible shocks as well more gradual changes in key risk parameters such as interest and exchange rates;
        3. c. Potential reputational risk implications of the bank’s actions in a stress scenario;
        4. d. Potential for loss of key sources of funding; and
        5. e. Potential outflows related to customer activity.
      4. 4. Stress test program results must be periodically reviewed by the Board or the board risk committee. Results must be incorporated into reviews of the risk appetite, the bank’s ICAAP and capital and liquidity planning processes. The risk management function is responsible for recommending any action required, for example adjustments to risk limits or contingency arrangements, based on stress test results. The results of stress tests and scenario analysis must be communicated to the relevant business line management and functional heads within the bank to assist them in understanding and mitigating the risks inherent in their activities. Stress test program results must factor in the bank’s contingency planning, particularly liquidity risk management and contingency funding.
      5. 5. The identification and management of all material risks must be consistent on a bank-wide and if applicable, group-wide basis. This is of particular importance with respect to a bank’s and, if applicable, a group’s ICAAP, given the significant intersection and mutual reinforcement of risk management and capital adequacy. For example, capital and liquidity implications need to be considered in the determination of risks the bank is prepared to assume and the limits for those risks established in the risk appetite statement. Similarly, the impact on capital and liquidity is an important element of a bank’s procedures for review of new products or business lines or acquisitions.
      6. 6. From the perspective of capital planning, the ICAAP must explicitly incorporate all material risks, which a bank identifies through its comprehensive approach to risk management. Stress test results must be considered in developing liquidity plans, particularly contingency funding arrangements.

    • Article 6: Information Systems and Internal Reporting

      1. 1.  A bank’s comprehensive approach to risk management must include policies and procedures designed to provide risk data aggregation and reporting capabilities appropriate for the risk profile, nature, size and complexity of the bank's business and structure. The policies and procedures for risk data aggregation and reporting must provide for the design, implementation and maintenance of a data architecture and information technology infrastructure that supports the bank’s monitoring and reporting needs in normal times and periods of stress.
      2. 2. A bank’s systems must support supervisory reporting requirements and provision of risk reports to all relevant parties within the bank on a timely basis and in a format commensurate with their needs. The scope of reporting must be proportionate to the business activities and complexity of the bank. Ideally, banks will have a highly automated process, however, certain circumstances may mean that manual intervention is required to aggregate risk data and produce supervisory and internal risk management reports.
      3. 3. The processes for aggregating the necessary data and producing supervisory and internal risk management reports must be fully documented and establish standards, cutoff times and schedules for report production. The aggregation and reporting process must be subject to high standards of validation through periodic review by the internal audit function using staff with specific systems, data and reporting expertise, particularly where the process requires substantial manual intervention.
      4. 4. Banks are encouraged to adopt centralized databases with single identifiers and/or uniform naming conventions for legal entities, counterparties, customers and accounts to facilitate accessing multiple records of risk data across the bank or group in a timely manner. Bank systems must be adequate to compile gross and net exposures to institutional counterparties (i.e. interbank, central counterparties) and to capture credit risk concentrations on a bank-wide or, if applicable, group-wide basis, including on and off-balance sheet exposures, for individual counterparties, groups of related counterparties and other concentrations relevant to the bank’s business such as by currency, industry sector or geographic region. Banks are encouraged to have this information available on a daily basis.

    • Article 7: Strategic and Operational Decisions

      1. l. A bank must have approval procedures for new products, material modification to existing products and strategic or major operational initiatives such as changes in systems, business models or acquisitions. The procedures must ensure that strategic and major operational decisions require approval by the board or a committee of the board. Approval authority for new products or material changes to existing projects may be delegated by the Board to the appropriate level of management, although the Board remains ultimately responsible.
      2. 2. In addition to providing for reporting that enables the Board and senior management to monitor the associated risks on an ongoing basis, the procedures must include at a minimum:
        1. a. An assessment of risks under a variety of scenarios, particularly with more pessimistic assumptions than the base-line case;
        2. b. An assessment of the extent to which the bank’s risk management, legal and regulatory compliance, information technology, business line and internal control functions have the necessary expertise, systems and other tools to measure and manage the associated risks, if necessary withholding approval if the required measures are not in place; and
        3. c. An ongoing assessment of risk and performance relative to initial projections and if necessary adapting the risk management treatment in light of experience.
      3. 3. Mergers and acquisitions, disposals and other changes to bank or group structure can pose special risk management challenges. Risks can arise from conducting insufficient due diligence that fails to identity post-transaction risks or activities conflicting with the bank’s strategic objectives or Risk Appetite. The risk management function must be actively involved in assessing the risks of such transactions and must report its findings directly to the Board or a committee of the board.

    • Article 8: Group Risk Management

      1. 1. A bank for which the Central Bank is the primary regulator is required to meet the objectives of the Regulation and Standards on a solo and group-wide basis. Subsidiaries and affiliates, including non-bank entities, must be captured by the bank’s comprehensive approach to risk management and must be part of the overall risk governance framework to ensure that the policies, business strategies, procedures and controls of the subsidiaries and affiliates are aligned with those of the group.
      2. 2. The boards and senior management of subsidiaries and affiliates remain responsible for their entities’ risk management. The methods and procedures applied by subsidiaries and affiliates must support risk management on a group-wide basis. Parent banks must conduct group-wide risk management and prescribe group policies and procedures, while the boards and senior management of subsidiaries and affiliates must have input with respect to the local or regional application of these policies and procedures and the assessment of local or regional risks.
      3. 3. Parent banks are responsible for ensuring that the risk management function in subsidiaries and affiliates is adequately resourced and that group reporting lines support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines throughout the group. Parent banks are responsible for ensuring that reporting to the group by subsidiaries and affiliates is sufficiently detailed and timely to support effective group-wide risk management.
      4. 4. Where the Central Bank is not the primary regulator of a bank that operates a branch in the U.A.E., the branch must have a risk governance framework and risk management function that meets the requirements of the Regulation and Standards. The “three lines of defense” approach must be incorporated within the branch. This will require a senior risk officer, compliance officer and senior internal audit officer with stature within the branch comparable to the business line managers2.
      5. 5. Reporting relationships between officers of the branch and group business lines and functions must support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines. These branches must provide the Central Bank with unfettered access to any staff of the group involved in the risk management of the branch and any group reports or data that the Central Bank may request.

      2 Considering the principle of proportionality and the role of group functions in overseeing the branch, a bank may demonstrate to the Central Bank that it meets the requirements of the Regulation and Standards in some other way.

    • Article 9: Disclosures

      1. 1. A Bank must comply with the disclosure requirements. A bank must have a board-approved disclosure policy. A bank must describe in its disclosures its risk management objectives and policies including the following items:
        1. a. Strategies and processes (for each material risk);
        2. b. Structure and organization of its risk governance;
        3. c. Scope and nature of risk reporting and/or measurement systems;
        4. d. Policies for hedging and/or mitigating risk; and
        5. e. Strategies and processes for monitoring the continuing effectiveness of hedges/mitigants.

    • Article 10: Islamic Banking

      1. 1. The Board offering Islamic financial services must ensure that the comprehensive approach to risk management ensures compliance with Sharī’ah provisions in addition to meeting the other requirements of the Regulation and Standards. The risk governance framework must specifically identify and address for each relevant risk any elements arising from the use of Islamic financial instruments, as well as risks specific to Islamic instruments and agreements. At a minimum, the risk governance framework of a bank offering Islamic financial services must address:
        1. a. Identifying, monitoring and mitigating potential credit risk exposures that may arise at different stages of the various financing agreements;
        2. b. Requiring a due diligence review in respect of counterparties prior to deciding on the choice of an appropriate Islamic financing instrument;
        3. c. Considering separately and on an overall basis liquidity exposures with respect to each category of current account, unrestricted and restricted investment accounts;
        4. d. Ensuring adequate recourse to Sharī’ah-compliant funds to mitigate liquidity risk;
        5. e. Identifying and managing equity investment risk including appropriate and consistent valuation methodologies agreed between the bank and its equity investment partners and exit strategies with respect to equity investment activities;
        6. f. Ensuring compliance with Sharī’ah provisions to mitigate the risk of income having to be donated to charity rather than recognized;
        7. g. Implementing a comprehensive approach to assessing and reporting on the potential impacts of market factors affecting rates of returns on assets relative to the expected rates of return to investment account holders (rate of return risk);
        8. h. Using appropriate measures to safeguard the interests of all fund providers which will include but is not limited to ensuring that when investor funds are comingled with the bank’s funds, the basis for asset, revenue, expense and profit allocations are established, applied and reported in a manner consistent with the bank’s fiduciary responsibilities; and
        9. i. Ensuring that risks arising from the provision of Islamic financial services are appropriately captured in the bank's forward-looking stress-testing program.