Without Serious Risk Management, BJR in Islamic Banks is an Illusion

In recent times, the business judgment rule (BJR) has frequently been discussed in relation to the criminalisation of bankers. The Financial Services Authority (OJK) has stressed the importance of legal certainty for banking industry players, urging that non-performing loans should not automatically be treated as criminal acts provided business decisions were made in good faith, following procedures, without conflicts of interest, and with adequate risk mitigation efforts.

This message deserves serious attention, as without such boundaries, loan disbursements could easily be hindered and risk-taking could turn into excessive caution.

However, for Islamic banking, BJR holds little meaning if merely used as a legal protection jargon. It truly comes alive only when built on serious risk management, effective internal controls, and governance that leaves clear accountability trails when needed.

My previous two articles on CNBC Indonesia focused on external safeguards: preventing non-performing loans from being criminalised and how the OJK uses BJR to distinguish between business risks and fraudulent acts.

This piece shifts the camera to the engine room. The focus is no longer on how willing regulators are to protect bankers, but whether the Islamic banking industry has prepared sufficient risk management to justify such protections.

This question is crucial because Islamic banking never operates on guaranteed returns. It functions on business risk management that is recognised, measured, and controlled from the outset. In many contracts, particularly those involving profit-sharing and risk-sharing dimensions, the possibility of loss is not an external disruption but a legitimate part of the legal structure.

At this point, a legal approach that swiftly criminalises every problematic loan risks misreading the inherent risks of the business. Conversely, calls to not automatically treat non-performing loans as crimes must not be used as a shield for weak internal governance.

This is where risk management becomes the mainstay of BJR. Through POJK No. 65/POJK.03/2016 and SEOJK No. 25/SEOJK.03/2023, the OJK mandates that Islamic commercial banks and their units must implement risk management for ten types of risks: credit, market, liquidity, operational, legal, reputational, strategic, compliance, return, and investment.

The regulations also require active supervision by the Board of Directors, Board of Commissioners, and Sharia Supervisory Board; adequate risk policies and limits; sufficient processes for identification, measurement, monitoring, and control; and comprehensive internal control systems.

In other words, regulators are sending a fundamental message: Islamic banks must not be managed merely with good intentions but with a robust and testable risk management architecture.

The issue is that in daily practice, risk management often stops at being a checklist rather than a disciplined mindset. It appears in training modules, neatly documented in policies, and fluently discussed in evaluation forums.

But when strategic decisions truly need to be made, this function isn’t always a living consideration. Often, it becomes an administrative appendix opened only after a decision is nearly finalised, as if its role is merely to stamp formal approval on choices predetermined from the start.

Recent data shows this problem cannot be overlooked. By end-2025, the OJK recorded total assets of Islamic banking at around Rp1.067 trillion, with financing at Rp705 trillion and third-party funds exceeding Rp829 trillion.

At the same time, total Islamic financial assets in Indonesia, excluding Sharia-compliant stocks, reached approximately Rp3.131 trillion. While gross NPF ratios remain around 2.1-2.2% with net NPF under 1%, figures that appear healthy at first glance.

It is precisely during such growth phases that risk discipline is most rigorously tested. As portfolios expand, small-ratio non-performing loans can still represent significant nominal amounts, and if not managed properly, quickly escalate into disputes, reputational pressure, or legal issues.

In daily industry experiences, weaknesses often go unnoticed as they seem mundane: well-formatted loan analysis memos with thin reasoning, site visits that are more ceremonial than business verification, risk function records that don’t genuinely influence final decisions, or restructuring that merely buys time without addressing root causes.

On paper, all procedures seem to function. In practice, many processes merely move to meet format requirements. Hence, for risk management to truly support BJR, Islamic banks must no longer settle for neatly structured policies and quarterly risk profile reports.

What must come first is the courage of the Board of Directors, Board of Commissioners, and Sharia Supervisory Board to make risk the primary language in every decision, not just marginal notes read after problems arise. After that, risk management policies and procedures must be practically translated into limits, authorisations, lending discipline, and information systems capable of providing early warnings.