Operational risk is the risk of financial losses and negative social performance related to failed people, processes, and systems in an MFI’s daily operations. As MFIs decentralize and offer a wider range of financial products and alternative delivery channels, the operational risks multiply and it becomes increasingly important to manage them effectively. There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.
- People Risk– People risk is the risk of financial losses and negative social performance related to inadequacies in human capital and the management of human resources. This encompasses the inability to attract, manage, motivate, develop, and retain competent resources and often results in human errors, fraud, or other unethical behavior, both internal and external to the institution.
- Process Risk– Process risk is the risk of financial losses and negative social performance related to failed internal business processes within every aspect of the business. This can include product design flaws and internal project failures.
- Systems Risk– Systems risk is the risk of financial losses and negative social performance related to failed internal systems. This encompasses inter-branch connectivity, management information and core banking systems, information technology systems, power backup systems, and other technical systems.
- External Events Risk –External events risk is the risk of financial losses and negative social performance related to the occurrence of external events typically outside of an MFI’s control. This encompasses both natural disasters such as hurricanes, flooding, earthquakes, and fires, as well as man-made events such as civil disruptions, war, robberies, arson, road blockades, and terrorist attacks.
- Legal and Compliance Risk– Legal and compliance risk is the risk of financial losses and negative social performance related to non-compliance with internal and external regulations and laws. This encompasses non-compliance with microfinance regulations, anti-money laundering (AML) requirements, tax laws, human resource laws, mandatory vehicle registration, internal codes of ethical conduct, and other regulations.
Financial and Social Goals
Financial Risk: Deposit-Taking MFIs
People Risk
- Policies
- Limits
- Risk Management Tools
- Risk Monitoring Tools
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: |
• Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Not applicable | Not applicable | Not applicable |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Mapping of people risks (at least every two years) | Mapping of people risks (at least every two years) | Annual mapping of people risks |
Dual controls of relevant processes documented | Dual controls of relevant processes documented | Dual controls of relevant processes documented |
Job descriptions for all staff | Job descriptions for all staff | Job descriptions for all staff |
Periodic training of staff on relevant policies and procedures | Periodic training of staff on relevant policies and procedures | Periodic training of staff on relevant policies and procedures |
Risk awareness training for all new staff | Risk awareness training for all new staff and lessons learned shared in the organization | Risk awareness training for all new staff, periodic risk awareness training for existing staff, and lessons learned shared in the organization |
Structured communication lines | Structured communication lines | Structured communication lines |
Periodic testing on personnel’s knowledge of relevant policy manuals | Periodic testing on personnel’s knowledge of relevant policy manuals | |
Authorization matrices | Role-based authorization matrices |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
Periodic staff satisfaction review | ||
Individual objective-setting in accordance with the strategy and risk framework |
Processes Risk
- Policies
- Limits
- Risk Management Tools
- Risk Monitoring Tools
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: |
• Risk-tracking policy | • Risk-tracking policy | • Risk-tracking policy |
• Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field |
• Use of insurance policy | • Use of insurance policy | • Use of insurance policy |
• Incident reporting policy | ||
• Risk Self-Assessment policy | ||
• Key Risk Indicator policy |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Not applicable | Not applicable | Not applicable |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Mapping of process risks (at least every two years) | Mapping of process risks (at least every two years) | Annual mapping of people risks |
Reconciliation of transactions and accounts | Reconciliation of transactions and accounts | Reconciliation of transactions and accounts |
Business Continuity Plan (BCP), including: | Business Continuity Plan (BCP), including: | Business Continuity Plan (BCP), including: |
• Backup testing | • Backup testing | • Backup testing |
• Building evacuation drills | • Building evacuation drills | • Building evacuation drills |
• Call tree | • Call tree | |
• BCP testing and follow up process | ||
Insurance for key assets | Insurance for key assets | Insurance for key assets |
Security, including: | Security, including: | Security, including: |
• Asset register | • Asset register | • Asset register |
• Fire, theft, access controls monitoring | • Fire, theft, access controls monitoring | |
Product approval and review process for new products and services | Product approval and review process for new products and services | |
Key controls embedded in business for crucial processes | Key controls embedded in business for crucial processes | |
Annual scenario analysis | ||
Tender process for purchases |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Monitoring of dormant accounts | Monitoring of dormant accounts | Monitoring of dormant accounts |
Monitoring of suspense accounts | Monitoring of suspense accounts | Monitoring of suspense accounts |
Risk tracking for all internal and external reporting | Risk tracking for all internal and external reporting | Risk tracking for all internal and external reporting |
Checking compliance with management controls | Checking compliance with management controls | Checking compliance with management controls |
Key Risk Indicator dashboard for some key processes (including early warning signals for fraud) | Key Risk Indicator dashboard for some key processes (including early warning signals for fraud) | |
Incident reporting | Incident reporting (including historical loss database and lessons learned process) |
Systems Risk
- Policies
- Limits
- Risk Management Tools
- Risk Monitoring Tools
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Commitment to manage system risks | Formal set of policies and procedures to manage system risks | Formal set of policies and procedures to manage system risks |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Not applicable | Not applicable | Not applicable |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Integrated information systems (loans/savings and accounting modules) | Integrated information systems (loans/savings and accounting modules) as well as partial integration of other aspects | Integrated information systems (loans/savings and accounting modules) as well as partial integration of other aspects |
Mapping of system risks (at least every two years) | Mapping of system risks (at least every two years) | Annual mapping of system risks |
Quarterly checking authorization matrices | Quarterly checking authorization matrices | Quarterly checking authorization matrices |
Daily backups / mirroring | Daily backups / mirroring | Daily backups / mirroring |
Uninterruptible Power Supply (UPS) | Uninterruptible Power Supply (UPS) | Uninterruptible Power Supply (UPS) |
Generator | Generator | Generator |
User access arranged per person | User access arranged per person | User access arranged per person |
Branches connected online / in real time | Branches connected online / in real time | |
Ethical hacking | ||
Encryption of network | ||
Audit trails | ||
Development, test, training, and production environment separated | ||
Automated controls | ||
IT infrastructure library processes in place and documented |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Virus checking | Virus checking | Virus checking |
Electronic Data Process audit (at least every two years) | Annual Electronic Data Process audit | |
Stress-testing | ||
Exception reporting checking |
External Events Risk
- Policies
- Limits
- Risk Management Tools
- Risk Monitoring Tools
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: |
• Outsourcing policy | • Outsourcing policy | • Outsourcing policy |
• Security | • Security | • Security |
• Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
• Crisis management |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: |
• In the safes and vaults | • In the safes and vaults | • In the safes and vaults |
• At the cash desks | • At the cash desks | • At the cash desks |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Mapping of external event risks (at least every two years) | Mapping of external event risks (at least every two years) | Annual mapping of external event risks |
Security measures at each branch, including: | Security measures at each branch, including: | Security measures at each branch, including: |
• Safes and vaults | • Safes and vaults | • Safes and vaults with time-delayed opening mechanisms |
• Guards | ||
• Cameras | ||
Business continuity plan strategy | ||
Cash transfers in armored vehicle |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Outsourcing monitoring | ||
Backup testing | Backup testing | Backup testing |
BCP testing | ||
Transaction monitoring | ||
Building evacuation drills | Building evacuation drills | Building evacuation drills |
UPS/generator testing | UPS/generator testing | UPS/generator testing |
Legal and Compliance Risk
- Policies
- Limits
- Risk Management Tools
- Risk Monitoring Tools
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Commitment to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: |
• Complaint handling | • Complaint handling | • Complaint handling |
• Anti-money laundering (AML) policy | • Anti-money laundering (AML) policy | |
• Whistleblower policy | ||
• Suspicious transactions | ||
Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) |
Code of ethical conduct | Code of ethical conduct | Code of ethical conduct |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Not applicable | Not applicable | Not applicable |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Not applicable | Not applicable | Not applicable |
| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
Mapping of legal and compliance risks (at least every two years) | Mapping of legal and compliance risks (at least every two years) | Annual mapping of legal and compliance risks |
Financial Action Task Force list-checking | Financial Action Task Force list-checking | |
Quarterly reports of legal and compliance risk | Monthly reports of legal and compliance risk | |
Transaction monitoring |
