Friday, March 28, 2008

Risk Management In Islam

The following are the key disciplines in risk management; with slight modification, these disciplines can be brought in line with Islamic teachings.

1. Recognition of Risks
Recognition or identification of all risks is the first step in risk management. Due to technological development in various aspects of modern human life, new risks also develop or appear. Individuals and organizations are encouraged to develop their knowledge and capability to properly recognize or identify the risks that they are facing.

Questions to be answered during the process of risk recognition and identification are:

  • What could go wrong? (Hazard risk)
  • What needs to be controlled or implemented to prevent error? (Control risk)
  • What must go right? (Opportunity risk)

2. Ranking of Risks
Ranking or evaluation of each identified risk has to be carried out carefully, in order to identify which risks are significant (high risk/exposure), which represent a lower risk, and so on.

Each risk must be ranked in two main areas, i.e.:

  • The magnitude (severity) of the impact if the risk should occur or become a reality
  • The likelihood (frequency) and the potential of the risk

Once the risks are ranked based on the above formula, individuals or organizations can focus on those risks that are significant in terms of both severity and frequency.

3. Risk Control
The purpose of risk control is basically to review whether each identified significant risk is under adequate control. Each risk will have an original value that represents the frequency and severity of its impact without any control. The owner of the risk then needs to have adequate control in place to reduce those values to an acceptable and affordable level.

4. Response to Significant Risk
The above risk recognition, rating and control are also known as a Risk Assessment Process. The individual or organization has to establish a proper response to the results of that assessment.

This response will fall into one of the following five categories:

a. Accept or retain risk – if the current level of the risk is already at an acceptable level, the individual or organization may decide to retain the risk (not transfer it on). Proper resources will then need to be allocated to anticipate and compensate should the risk occur.

b. Avoid or eliminate the risk – if the risk is unacceptable, then the individual or organization can decide whether to continue with the activity or business that presents such a risk. If the decision is made to discontinue it, then the individual or organization will need an alternative activity or business to replace the abandoned one.

c. Neutralize or hedge the risk – this is a form of balancing one risk with another risk, whereby the two have opposite effects if the risk occurs. Islam allows this only if it is free of Maisir or gambling elements.

d. Control or reduce – this is an action required to improve the risk to a standard and acceptable level. A constant review is required to ensure the correct standard is adhered to.

e. Share the risk with others – for those risks that go beyond an individual's or organization's capability to retain or control, individuals or organizations can share them with others who have a similar nature of risk. In Islam this practice is called Takaful or mutual protection. Islam does not allow risks to be exchanged (total transfer of the financial consequences of losses arising from risks), which is the case when using conventional insurance arrangements. This practice is not recognized as being fair to each party as it contains the element of Gharar. The current practice may lead to an over-burden of claims beyond the original intention of the insurer, or otherwise may also result in charges of unacceptable levels of premium to the insured.

5. Reaction Planning
The organization needs to have a proactive contingency plan, or reaction plan, in the event that a risk materializes. This plan should at least include disaster plans and recovery or a business continuity plan. These disaster plans should address all steps that need to be taken in the event an identified risk materializes, how the damage should be limited, and how the overall costs should be contained.

The business continuity plan is to ensure the continuity of the core business process, which may include utilization of the remaining resources or outsourcing the core business process to a third party.

6. Risk Management System
The organization needs to ensure the early establishment of risk management, reporting and monitoring. Paper communications need to be maintained by all parties. A systematic risk management system to monitor risk management performance, based on modern performance management tools, may also be needed.

7. Risk Assurance System
A proper risk management system should be implemented together with a Risk Assurance System. This involves risk reporting, overall monitoring and risk review, and to some extent it could also act as a risk indicator for the organization.