Risk Appetite Policy2025

The risk appetite varies from one institution to another due to the direct relationship between the expected/desired returns and the associated risks, and the degree to which these risks are accepted by the institution. Given the importance of determining acceptable risks, the bank has developed this policy and obtained approval from the Board of Directors to serve as a guide in understanding the limits of risks and whether they should be accepted or rejected based on these limits. (The accepted risk should not exceed the level deemed acceptable by the Board of Directors, and its acceptance should not threaten the bank or its reputation

Definitions

Definition	Term
Asia Iraq Islamic Bank for Investment and Finance	The bank
The Bank’s Board of Directors	The Board
The likelihood of a specific event occurring that could have a negative impact on achieving objectives, and risks are measured by their impact and the likelihood of their occurrence. (or) The likelihood of a specific threat occurring, leading to a negative impact on the institution.	The risk
It is an independent administrative activity directly reporting to the Board of Directors / Risk Management Committee. Its goal is to identify, measure, reduce, and understand the types of risks that the bank may face or has faced, assess those risks, and determine the level of risk that the bank’s management is willing to bear. Additionally, it verifies that the bank has taken the necessary measures and controls to reduce them to acceptable levels, providing reasonable assurance of achieving the bank’s objectives. This department is responsible for the ongoing and continuous monitoring of activities and operations, ensuring compliance with the set limits and levels as per both internal and external guidelines, controlling violations, and following up immediately with senior management. The Risk Department is considered one of the most important supervisory departments in the bank. Its various units aim to ensure that actual banking risks do not exceed the previously established framework, thus achieving the best possible revenue for the bank. This is done by addressing the risk elements in credit, market, and operational areas for the different operations and products offered by the bank. It establishes boundaries in coordination with the relevant parties to reduce the risk factor, increase revenues, and prevent losses in banking operations	Risk Management
The actual risks that the bank is exposed to on a specific date, which are compared to the accepted risk level, with the aim of making an appropriate decision to reassess the adequacy of the accepted risk level.	Risk Profile
is the system that the bank relies on for its management. It aims to define and achieve the bank’s institutional objectives, manage its operations securely, protect the interests of depositors, fulfill its duties towards shareholders and other stakeholders, and ensure the bank’s compliance with the regulations, systems, and instructions issued by the Central Bank of Iraq, including the governance guide, the bank’s internal policies, and the procedures for all of the bank’s operations. Corporate governance involves the comprehensive system that defines the relationships between the board of directors, the bank’s executive management, its shareholders, and other stakeholders. It covers the system through which the board directs and monitors activities, as follows: – Defining the bank’s strategy. – Managing the bank’s risk – management system. – The bank’s operations and activities. – Balancing the responsibility towards – – shareholders, protecting the interests of depositors, and considering the interests of other stakeholders. – Ensuring the bank’s compliance with – applicable laws, regulations, and standards. -Disclosure and transparency- practices.	Corporate Governance for Banks
is established by the Board of Directors and is directly responsible for overseeing the bank’s risk management functions. The committee’s primary authorities include: The committee is authorized by the Board to oversee any activity within its scope and obtain any information it requests from various units of the bank. Engage external consultants to seek advice and assistance. The committee does not perform daily supervisory tasks and does not hold executive powers; its role is strictly supervisory. The committee has the authority to hold executive management accountable for any breaches of approved risk limits. The committee’s responsibilities include, but are not limited to: Developing a comprehensive current and future strategy regarding the type and level of risks acceptable for all bank activities, obtaining Board approval, and periodically reviewing and updating it in light of local, regional, and international influences. Reviewing and approving policies and guiding principles related to identifying and measuring all major risk categories. Monitoring proposals and recommendations submitted by the Risk Management Department and ensuring compliance with risk limits for both current and new activities. Ensuring that the resources allocated to risk management are sufficient, considering the workload and its nature. Ensuring the independence of the Risk Management Department within the bank, including granting it adequate authority, resources in terms of quantity and quality, appropriate incentives, and direct access to the Board of Directors, its committees, and other departments within the bank. Approving or dismissing the Head of Risk Management and granting them specific authorities and responsibilities within the bank. Approving the roles and authorities of the Head of Risk Management and conducting annual performance evaluations. Reviewing the outcomes of risk management reports. The Risk Management Committee consists of the Chairperson and a number of members elected by the Board of Directors from among the non-executive members (those not engaged in executive activities within the bank). The majority of the committee members, including the Chairperson, must be fully independent members. The minimum number of committee members is three, and the Board reviews committee membership annually.	Risk Management Committee
Residual risks are the risks that remain after implementing measures to reduce the impact and likelihood of the risk or additional risks that arise as a result of those measures. This focuses on the necessary control activities to address such risks.	Residual Risk
It is the level of risk that the bank can bear after accounting for the residual risks.	Risk Appetite
The limits and types of risks the bank is willing to accept through its activities and transactions, taking into account the objectives of its banking operations and its commitments to stakeholders. The acceptable risk level can be expressed through quantitative and/or qualitative means, considering the various circumstances and events the bank may face. Additionally, the acceptable risk level should reflect the potential impact on revenues, capital, funding, investments, and liquid it	Acceptable Risk Level
The methods established by the bank to ensure the security of financial and accounting information, meet operational and profitability objectives, and communicate and raise awareness among all departments and business units within the bank.(or) Any action taken by management or recommended to the Board or any other entity with the purpose of managing risks and increasing the likelihood of achieving objectives and goals.	Control Measures
These are the actual risks that the bank is exposed to over a specific period, which are compared with the defined acceptable risk level, in order to make appropriate decisions to reassess the adequacy of the acceptable risk level	Risk Framework
It is the maximum level of risk that the bank can bear without affecting its financial solvency or reputation.	Risk Tolerance
It is the expression of the relationship between the components of capital, as defined by regulatory authorities and/or international standards, and the bank’s risk-weighted assets. It is considered one of the important tools for measuring the bank’s solvency and its ability to absorb losses.	Capital Adequacy CAR))
It is an examination and analysis tool used by banks as part of their risk management process. It provides senior management and the Board of Directors with insights into the impact of unexpected negative events associated with various risks and gives them indicators of the required capital size to cover losses that may result from potential financial shocks.	Stress Testing

Key Determinants When Accepting Risks

The following determinants are considered when accepting any type of risk:

Compliance with Islamic Sharia principles, legal, legislative, and regulatory requirements.
Adherence to ethical standards.
Maintaining an effective supervisory environment.
Preserving the bank’s reputation.
Ensuring the delivery of banking services with the highest quality, lowest costs, and minimal operational risks.
Comparing the costs of mitigating risks with the returns when establishing control measures and taking actions that reduce risks.
Ensuring the efficiency of the risk management process and the measures taken to reduce risk levels.
Determining the acceptable risk level that the bank can bear within its activities.
Assessing the credit risk of customers based on specific evaluation criteria for each type of customer, to calculate the necessary provisions as per Standard No. 9.
For corporate customers, risk assessment is determined based on the ten characteristics principle.

Accepted Risk Metrics

Product Volatility:
The goal is to minimize the potential negative fluctuations in the expected outcomes of the strategic plan and business plan.
Financial Solvency:
Ensuring that the willingness to take on risks is adequate and aligned with equity capital and reserves, exceeding the requirements set by regulatory authorities.
Liquidity:
Diversifying funding sources and aligning the types and maturities of funding, business types, investments, liabilities, and unrestricted investment accounts.
Concentration:
Avoiding concentration in investments and/or funding sources in a single sector or several small sectors.

Customer classification is based on the type of customer (individuals/corporates), and the process is updated periodically or as needed to ensure that the customer’s status remains stable and to take any appropriate action in case of any changes in the customer’s credit status. Additionally, the debt burden for each borrower is calculated to ensure their ability to repay, in order to avoid the risk of non-repayment.

Principles of Risk Acceptance

The following outlines the general principles for accepting risks:

Full compliance with the principles and provisions of Islamic Sharia, as well as the laws and regulations issued by supervisory and regulatory authorities.
Avoiding concentration of investments in specific sectors and adopting the principle of diversification in investment areas.
Accepting risks that align with the revenues of the bank’s investment portfolio.
Real investment in businesses and projects, relying on the cash flow results from these projects to meet obligations.
Prior knowledge of the risks and returns of new products.
Maintaining the credit quality of both current and future products.
The ability to measure acceptable risks.
Strict adherence to liquidity ratios and capital adequacy standards.

Types of Control Measures

The table below illustrates the types of control measures:

	regulatory officer
These are the actions and steps taken before performing the operation, aimed at preventing and avoiding the risk.	Preventive Control Measures
These are the measures that detect the occurrence of a risk, identify it, and determine the causes behind it.	Detective Control Measures
These are the measures taken to ensure that deviations, errors, and violations are corrected	Corrective Control Measures
These are the measures designed to deter employees from carrying out any future actions, violations, or infractions.	Deterrent Control Measures

Responsibility of the Bank’s Board of Directors

Adoption of the Acceptable Risk Level

The Board of Directors is the responsible entity for adopting the statement of the acceptable risk level within the bank, and for approving the bank’s overall strategy, which includes its operations and activities. The statement of the acceptable risk level is part of the bank’s strategy and is one of the important tools for achieving corporate governance within the bank.

Criteria for Adopting the Acceptable Risk Level by the Board of Directors

The Board of Directors takes into consideration the following factors when adopting the acceptable risk level and the risk tolerance level:

The bank’s current financial condition.
The bank’s strategic direction.
All elements of potential risks within the bank.
The level of undesirable risks.

The acceptable risk level should encompass all risk elements, ensuring consistency across all (i.e., regarding the limits of various risks that the bank may face in its daily operations). It is the responsibility of the Board of Directors to define the level of different risk elements, which form the general framework for the acceptable risk level.
Based on the bank’s general strategy, the Board of Directors reviews the statement of the acceptable risk level periodically.

Criteria for the Acceptable Risk Level

The following represents some of the general criteria that the Board of Directors can rely on when formulating its views on the acceptable risk level:

Key risk elements that the board is willing to accept and those it rejects.
Defining the strategic objectives of the bank and ensuring their clarity, including identifying explicit and implicit risk elements.
Clear vision regarding the nature of the key risk elements approved by the Board to achieve its objectives.
The Board’s clarity regarding corporate governance, particularly concerning the acceptable risk level and the risk tolerance level.
The steps the Board will take to monitor how risks are being managed.

Periodic Review by the Board of the Different Limits of Acceptable Risk Elements

The Board is committed to conducting a periodic review of the adequacy of the various limits of risk elements that make up the acceptable risk level and the risk tolerance level. When reviewing, the Board must consider the following:

Changes in the external environment of the bank.
Increase in the volume of activities and operations carried out by the bank.
The level and efficiency of the bank’s control environment.
Previous losses.
The extent and size of the established limits.

The Board should monitor the compliance of the executive management with the acceptable risk level and the risk tolerance level. It should direct management in a timely manner on how to address any breaches of the acceptable risk levels.

Responsibilities of the Risk Management Department

The following outlines the responsibilities of the Risk Management Department in the bank:

Ensuring that employees within the department possess the expertise and competence related to control measures.
Ensuring the availability of appropriate tools to identify risk areas within the bank.

· Using appropriate metrics to measure risk quantitatively.

· Identifying acceptable and unacceptable risks.

· Conducting stress tests and analyzing them, as follows:

Ensure that stress tests are comprehensive, covering all potential risks the bank might face.
Include scenarios that assess the bank’s financial solvency and its ability to continue operations, in order to identify any uncovered underlying risks.
Utilize the results of stress tests to develop contingency plans to mitigate various risks.
The Risk Management Department reviews the policy annually or whenever needed.
Amendments must be approved by the Risk Committee derived from the Board of Directors.
The policy is validated and approved by the Board of Directors after any modifications.
Employees in the department are informed about the updated policy.

Shariah Compliance and Audit Department:

The following outlines the role of the Shariah Compliance and Audit Department in general:

Assessing risks and ensuring that they fall within the accepted risk limits.
Discussing with the executive management if the risk level exceeds the accepted limits and informing the Audit Committee if there is no response.

Framework for the Accepted Risk Level – General Rules

Comprehensiveness of the Accepted Risk Level:

The general framework for the accepted risk level is characterized by its comprehensiveness. Failing to give the necessary attention to determining this risk level may lead to consequences. Therefore, it is better to identify and deal with the complexities of the overall risk level rather than ignoring it.
One of the key characteristics of the accepted risk level is that it should be measurable.

Rules Governing the Framework of the Accepted Risk Level:

The accepted risk level is determined within the overall risk management framework and should be one of the fundamental components of the bank’s control environment, governed by the following rules:

Executive managers should understand the overall risk level and the interconnection between the various risk elements the bank faces, enabling them to decide whether to accept or reject them.
Managers should understand the degree of risks the bank may face as a result of decisions made in their roles, in addition to the acceptable risk levels. It is essential that the statement of the accepted risk level is realistic, guiding and assisting managers in making informed decisions about the risks.
The board of directors and senior executive management should understand the overall risk level and the interconnection of the different risk elements on the bank’s overall level.
Executive managers should understand that the accepted risk level is not fixed but varies depending on the changes in the operational environment and daily circumstances. It is crucial to always provide some degree of flexibility in the risk levels adopted by the board of directors.

Accepted Risk Level in Corporate Governance

The following outlines the role of the accepted risk level in corporate governance:

The use of the accepted risk level by the Board of Directors as a tool to control the performance of the bank’s various departments.
The accepted risk level represents an agreement between the Board of Directors and senior executive management, where the achievement of objectives is measured based on the executive management’s adherence to the accepted risk level approved by the Board of Directors.
Converting risk measurement methods and risk management approaches into operational procedures that facilitate decision-making and the preparation of necessary reports.
Providing an overall framework through which performance, proposals, and strategic changes in the bank are evaluated.

Accepted Risk Level and How to Address It

Type of Risk Approach to Address It Not determining the acceptable risk level for new products or services Establish policies and procedures for reviewing and approving new products, services, and activities. Ensure that the acceptable risk level for these products and activities is defined. Failure to dedicate sufficient care in determining the overall framework for acceptable risk, leading to severe consequences and unexpected losses Conduct thorough studies and analysis to address the complexities before determining the framework for the acceptable risk level. Ensure it is comprehensive, detailed, and inclusive of all potential risks. Inability to measure the acceptable risk level, rendering its implications ineffective Ensure that the acceptable risk level is measurable by the risk management team to ensure it provides valuable insights and is effective in decision-making and monitoring.

Components of the Accepted Risk Level

The table below outlines the quantitative and qualitative elements of the acceptable risk level:

Quantitative Elements	Qualitative Elements
Capital adequacy	Reputation risk
Fluctuations in bank revenues	Compliance with regulatory authorities’ instructions
Exposure concentration limits	Sufficiency and efficiency of available resources
Non-performing loan ratios	Credit rating
Minimum liquidity assets to be held at all times	Maintaining a minimum credit rating

Key Components of the Accepted Risk Level
Elements of Setting the Accepted Risk Level:

The current situation of the bank’s capital.
The bank’s revenues.
The bank’s ability to manage outcomes under economic conditions.

Accepted Credit Limits
The accepted risk level for credit risk is determined based on the maximum permissible risk limits according to the bank’s credit policy

Accepted Risk Level for Credit Facilities

The accepted risk level for granting direct and indirect credit facilities to a customer (individual or corporate) should not exceed 20% of the bank’s capital (with reference to the Central Bank of Iraq’s instructions on the maximum concentration limits).

Credit Concentration Cases
The following outlines cases of credit concentration:

A customer granted credit facilities exceeding 10%.
A group of customers granted credit facilities exceeding 10%, but the total does not exceed eight (8) times the bank’s regulatory capital.
The credit facilities for a single customer, where the credit facilities granted to that customer should not exceed 25% of the bank’s regulatory capital.
The accepted risk level for credit facilities granted to the top 10 customers, where this risk level should account for 35% of the total credit granted by the bank.

Accepted Risk Level in Real Estate
The accepted risk level for the total direct working credit granted for real estate development (for purposes like expansion, purchase, etc.) is set at 20% of the total customer deposits. If this percentage is exceeded, part of the capital should be allocated to cover it.

Accepted Risk Level in Stocks

The accepted risk level for investment in shares of all companies funded from the investment account (whether direct or indirect funding) should not exceed 70% of the bank’s regulatory capital.
The accepted risk level for investment in shares of a single company funded from the investment account (whether direct or indirect funding) should not exceed 5% of the bank’s regulatory capital.
The accepted risk level for investment in industrial sector shares should not exceed 50% of the portfolio’s value.
The accepted risk level for investment in services sector shares should not exceed 40% of the portfolio’s value.
The accepted risk level for investment in commercial sector shares should not exceed 15% of the portfolio’s value.
The accepted risk level for investment in financial sector shares should not exceed 40% of the portfolio’s value.
The accepted risk level for investment in real estate sector shares should not exceed 15% of the portfolio’s value.

Accepted Risk Level for Standard Ratios

The accepted risk level for the capital adequacy ratio should not be less than 15% of the risk-weighted assets.
The liquidity coverage ratio should not be less than 100%.
The stable funding ratio should not be less than 100%.
The leverage ratio should not be less than 3%.
Accepted Risk Level for Company Capital and Facilities Granted
The accepted risk level for investment in the capital of a specific company, as well as the facilities granted to it, should not exceed 20% of the bank’s

Accepted Risk Level for Investment in Foreign Currencies

The percentage of investment in foreign currencies in the issuance of investment bonds should not exceed 10% of the total issuance size.
The percentage of funds invested in foreign currencies in stocks and equity funds should not exceed 10% of the available investment funds.
The maximum limit for foreign currency positions should not exceed 15% of total shareholders’ equity or 50% of total foreign currency liabilities, whichever is greater.
The maximum limit for funds invested in foreign currencies in industries and mining is 60%, in commercial sectors is 30%, and in real estate is 10%. Any increase in these percentages must be approved by the Risk Committee (if applicable).

Liquidity Ratios
The Central Bank of Iraq’s instructions set the legal liquidity ratio for the Iraqi dinar at 70%, and for the Iraqi dinar and other currencies at 100%. Therefore, the accepted risk level for liquidity in the Iraqi dinar is set at 80%, and for the Iraqi dinar and other currencies at 105%.

Accepted Risk Level for Operational Risks
The accepted risk level for operational risks is calculated at 1% of net income.

Accepted Risk Level for Other Risks
The accepted risk level for other unmentioned risks is calculated at 0.5% of annual net income.

Miscellaneous

The basic rule in monitoring the accepted risk level is that the Risk Department should obtain complete data related to the accepted risk levels that have been prepared and calculated and create a database for it.
The bank’s regulatory capital should be calculated on a monthly basis.
A list of companies in which the bank has invested capital and granted banking facilities should be prepared to ensure that the investment in their capital and the facilities granted to them remain within the accepted risk levels.

Monthly Data Required – Credit Facilities

Credit facilities (direct and indirect) granted to a specific customer (individual or corporate).
Credit facilities (direct and indirect) granted to the top 10 customers.
Credit facilities (direct and indirect) that are non-performing or about to be classified as non-performing.

Monthly Data Required – Investments

The amount of funds available for investment.
Investment activities in the shares of all companies funded from investment accounts.
Investment activities distributed by sector (industrial, services, financial, commercial, real estate).

Monthly Data Required – Foreign Currency Investments

Investments in foreign currencies.
Funds invested in foreign currencies in stocks and equity funds.
Foreign currency positions.
Total foreign currency liabilities of the bank.

Monthly Data Required – Shareholders’ Equity and Net Income

Total shareholders’ equity.
Net income.

Once the monthly data is obtained, the Risk Management Department calculates the risk level and compares it with the approved ratios for the accepted risk level, identifying deviations.

Regarding the calculation of credit concentration cases, the department compares the actual figures with the approved ratios for the accepted risk level and determines different concentration cases, then takes appropriate decisions regarding capital allocation to cover these cases.
For legal liquidity ratios, the department calculates the legal liquidity ratios for the Iraqi dinar and other currencies, as well as other standard ratios, and compares them with the accepted risk level.
The Risk Management Department reports to senior management on the deviations and proposed solutions to address them.

Other Responsibilities of the Risk Management Department

The department continuously studies the bank’s operational conditions and studies the possibility of suggesting adjustments to the accepted risk levels based on the study.
If the department receives directives from senior management regarding the Board of Directors’ reviews of the accepted risk levels, it prepares the calculations for the accepted risk level ratios accordingly.
The department continues to receive instructions from the Central Bank of Iraq regarding risk management and reflects this on the accepted risk levels, recalculating the risk acceptance ratios accordingly.
The department proposes the accepted risk level for new products and services.

attachments

Report No. (1) Monthly Report on Acceptable Risk Levels

	Actual Level	Approved Level
	20% of the bank’s regulatory capital	Direct and Indirect Credit Facilities
	should not exceed 25% of the bank’s regulatory capital	credit facilities granted to a single customer.
	A customer granted credit facilities exceeding 10% of the bank’s regulatory capital	Credit Concentration Cases
	A group of customers granted credit facilities exceeding 10%, with the total not exceeding eight times the bank’s regulatory capita
	8% of the bank’s regulatory capital (in the case where the credit facilities granted to a single customer exceed this threshold
	20% of the total customer deposits in Iraqi dinar	The total direct credit in the real estate sector
	Not less than 15% of risk weighted assets	the acceptable risk level for the capital adequacy ratio
	· The liquidity coverage ratio should not be less than 100%.”	Accepted Risk Level for Standard Ratios
	· The stable funding ratio should not be less than 100%.”
	· The leverage ratio should not be less than 3%.
	60٪	· The maximum amount invested in foreign currencies (industry and mining)
	30٪	· The maximum amount invested in foreign currencies (trade)
	10٪	· The maximum amount invested in foreign currencies (real estate)
	70٪	· Legal liquidity for the Iraqi dinar

Report Number (2) – Monthly Concentrations

Comments	Actual Level		Approved Level
	10% of the bank’s regulatory capital	Customers granted facilities exceeding 10% of the regulatory capital
			Customer names will be added
	10% of the bank’s regulatory capital for each customer, with the total not exceeding 8 times the bank’s regulatory capital	customers granted facilities exceeding 10%, but not exceeding 8 times the regulatory capital
			Customer names will be added
		Customers exceeding the maximum limit for total credit facilities granted to customers classified under credit concentrations (8) times the bank’s regulatory capital
		Customer names will be added