Risk management is one of the significant tools in the operation of banks. Banks need a comprehensive and efficient approach to mitigate risks and develop effective governance strategies and techniques for risk management for their financial stability. In the UAE, the UAE Central Bank regulates all financial and banking sectors. It provides guidelines and strategies to improve the banking industry and economy. In 2018, the Central Bank of UAE (the CBUAE) introduced the Risk Management Regulations (Regulations) for the UAE Banks. As per CBUAE, risk management along with internal audit and compliance comprises an essential control function in banks.
The motive of CBUAE behind the introduction of the Regulations is to ensure the banks’ approaches to risk management are in line with the leading international standard practices. The Regulations are intended to establish an overarching prudent framework for risk management in banks. The Regulations are applicable to all banks established in the UAE. The Regulations require banks to implement a practical framework for risk management. That would provide a bank-wide view of all material risks, including procedures, policies, processes, systems, and control to identify, measure, control, monitor, and mitigate material sources of risk timely.
The Board of Directors (the Board) is fully authorized and responsible for ensuring the comprehensive risk governance framework’s suitability according to the risk profile, nature, size, and complexity of the bank’s structure and business. The risk governance framework shall provide a risk appetite statement approved by the Board, documents defining roles and responsibilities of different parts of the banks involved in risk management, policies and procedures to identify all the material risks are identified, measured, managed, and reported in proper time, business continuity plans and contingency funding plans for coping risks situations.
The Regulations insist on the inclusion of sufficiently resourced compliance and internal audit functions to assess the bank’s observance of the relevant legislation and policies and assurance regarding the implementation and effectiveness of the risk management policies, procedures, systems, and controls. The senior management and the Board are absolutely responsible and accountable for implementing and complying with the relevant legislation and policies. And to do so the Board can take the assistance of a group of legal experts who are prepared to carry out auditing.
The banks need to have an independent, adequately resourced Risk Management Function headed by a chief risk officer or equivalent, who will directly report to the Board or a board’s risk committee. The risk exposures should align with the bank’s strategy and business plans. If banks notice any major change or deviation from their board-approved risk appetite or other relevant factors, they need to inform the Central Bank immediately.
The Regulations emphasize over usage of different models for risk management and measurement of component risks. The Board should have enough expertise regarding risk management systems, including models, and can understand and monitor it. According to the size of exposure to the bank’s risk, banks should have a stress-testing program as part of their comprehensive risk management approach. It should include adverse scenarios for a range of material risks. Banks must have an information system and internal reporting system to expose and assess the size and composition of material risks and report it to the Board or senior management to manage and mitigate risks timely.
Banks need to have policies and procedures to ensure the risk of strategic and operational initiatives. Banks having groups such as subsidiaries, affiliates, or international branches should develop a mechanism for control, measurement, evaluation, control, and mitigating internal and external sources of material risks across the group. In group risk management, the CBUAE is not the primary regulator of a bank, which is a part of a group. The banks should conduct group-wide risk management and prescribe group-wide basis policies and procedures for group-wide risk management. Banks offering Islamic financial services should comply with the sharia provisions while implementing risk management measures. Its risk governance framework should address the possibilities of risks arising out of the Islamic finance instruments and risk to reputation and operation due to failure to comply with the Sharia provisions. The Regulations require banks to publish information on their risk management framework and the nature and extent of their risk exposure on their websites or annual report for public information. If any bank violates any provision of the Risk Management Regulations, it shall be subject to the supervisory action as deemed appropriate by the Central Bank of the UAE.