Operational Risk
Operational Risk Types and Definitions
Operational risk is the risk of financial losses and negative social performance related to failed people, processes, and systems in an MFI’s daily operations. As MFIs decentralize and offer a wider range of financial products and alternative delivery channels, the operational risks multiply and it becomes increasingly important to manage them effectively. There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.
- People Risk – People risk is the risk of financial losses and negative social performance related to inadequacies in human capital and the management of human resources. This encompasses the inability to attract, manage, motivate, develop, and retain competent resources and often results in human errors, fraud, or other unethical behavior, both internal and external to the institution.
- Process Risk – Process risk is the risk of financial losses and negative social performance related to failed internal business processes within every aspect of the business. This can include product design flaws and internal project failures.
- Systems Risk – Systems risk is the risk of financial losses and negative social performance related to failed internal systems. This encompasses inter-branch connectivity, management information and core banking systems, information technology systems, power backup systems, and other technical systems.
- External Events Risk – External events risk is the risk of financial losses and negative social performance related to the occurrence of external events typically outside of an MFI’s control. This encompasses both natural disasters such as hurricanes, flooding, earthquakes, and fires, as well as man-made events such as civil disruptions, war, robberies, arson, road blockades, and terrorist attacks.
- Legal and Compliance Risk – Legal and compliance risk is the risk of financial losses and negative social performance related to non-compliance with internal and external regulations and laws. This encompasses non-compliance with microfinance regulations, anti-money laundering (AML) requirements, tax laws, human resource laws, mandatory vehicle registration, internal codes of ethical conduct, and other regulations.
People Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: |
| • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Mapping of people risks (at least every two years) | Mapping of people risks (at least every two years) | Annual mapping of people risks |
| Dual controls of relevant processes documented | Dual controls of relevant processes documented | Dual controls of relevant processes documented |
| Job descriptions for all staff | Job descriptions for all staff | Job descriptions for all staff |
| Periodic training of staff on relevant policies and procedures | Periodic training of staff on relevant policies and procedures | Systematic training of staff on relevant policies and procedures |
| Risk awareness training for all new staff | Risk awareness training for all new staff and lessons learned shared in the organization | Risk awareness training for all new staff, periodic risk awareness training for existing staff, and lessons learned shared in the organization |
| Structured communication lines | Structured communication lines | Structured communication lines |
| Periodic testing on personnel’s knowledge of relevant policy manuals | Periodic evaluation of personnel’s knowledge of relevant policy manuals | |
| Authorization matrices | Role-based authorization matrices |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Periodic staff satisfaction review | ||
| Individual objective-setting in accordance with the strategy and risk framework |
Processes Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage process risks, including: | Formal set of policies and procedures to manage process risks, including: | Formal set of policies and procedures to manage process risks, including: |
| • Risk-tracking policy | • Risk-tracking policy | • Risk-tracking policy |
| • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field |
| • Use of insurance policy | • Use of insurance policy | • Use of insurance policy |
| • Incident reporting policy | ||
| • Risk Self-Assessment policy | ||
| • Key Risk Indicator policy |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Mapping of process risks (at least every two years) | Mapping of process risks (at least every two years) | Annual mapping of process risks |
| Reconciliation of transactions and accounts | Reconciliation of transactions and accounts | Reconciliation of transactions and accounts |
| Business Continuity Plan (BCP), including: | Business Continuity Plan (BCP), including: | Business Continuity Plan (BCP), including: |
| • Backup testing | • Backup testing | • Backup testing |
| • Building evacuation drills | • Building evacuation drills | • Building evacuation drills |
| • Call tree | • Call tree | |
| • BCP testing and follow up process | ||
| Insurance for key assets | Insurance for key assets | Insurance for key assets |
| Security, including: | Security, including: | Security, including: |
| • Asset register | • Asset register | • Asset register |
| • Fire, theft, access controls monitoring | • Fire, theft, access controls monitoring | |
| Product approval and review process for new products and services | Product approval and review process for new products and services, as well as annual review of existing products | |
| Key controls embedded in business for crucial processes | Key controls embedded in business for crucial processes | |
| Risk & Control Self-Assessment process | Risk & Control Self-Assessment process | |
| Annual scenario analysis | ||
| Tender process for purchases |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Monitoring of dormant accounts | Monitoring of dormant accounts | Monitoring of dormant accounts |
| Monitoring of suspense accounts | Monitoring of suspense accounts | Monitoring of suspense accounts |
| Risk tracking for all internal and external reporting | Risk tracking for all internal and external reporting | Risk tracking for all internal and external reporting |
| Checking compliance with management controls | Checking compliance with management controls | Checking compliance with management controls |
| Key Risk Indicator dashboard for some key processes (including early warning signals for fraud) | Key Risk Indicator dashboard for all key processes (including early warning signals for fraud) | |
| Incident reporting | Incident reporting (including historical loss database and lessons learned process) |
Systems Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage system risks | Formal set of policies and procedures to manage system risks | Formal set of policies and procedures to manage system risks |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Integrated information systems (loans/savings and accounting modules) | Integrated information systems (loans/savings and accounting modules) as well as partial integration of other aspects | Integrated information systems (loans/savings and accounting modules) as well as full integration of other aspects |
| Mapping of system risks (at least every two years) | Mapping of system risks (at least every two years) | Annual mapping of system risks |
| Quarterly checking authorization matrices | Quarterly checking authorization matrices | Quarterly checking authorization matrices |
| Daily backups / mirroring | Daily backups / mirroring | Daily backups / mirroring |
| Uninterruptible Power Supply (UPS) | Uninterruptible Power Supply (UPS) | Uninterruptible Power Supply (UPS) |
| Generator | Generator | Generator |
| User access arranged per person | User access arranged per person | User access arranged per person |
| Branches connected online / in real time | Branches connected online / in real time | |
| Ethical hacking | ||
| Encryption of network | ||
| Audit trails | ||
| Development, test, training, and production environment separated | ||
| Automated controls | ||
| IT infrastructure library processes in place and documented |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Virus checking | Virus checking | Virus checking |
| Electronic Data Process audit (at least every two years) | Annual Electronic Data Process audit | |
| Stress-testing | ||
| Exception reporting checking |
External Events Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: |
| • Outsourcing policy | • Outsourcing policy | • Outsourcing policy |
| • Security | • Security | • Security |
| • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
| • Crisis management |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: |
| • In the safes and vaults | • In the safes and vaults | • In the safes and vaults |
| • At the cash desks | • At the cash desks | • At the cash desks |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Mapping of external event risks (at least every two years) | Mapping of external event risks (at least every two years) | Annual mapping of external event risks |
| Security measures at each branch, including: | Security measures at each branch, including: | Security measures at each branch, including: |
| • Safes and vaults | • Safes and vaults | • Safes and vaults with time-delayed opening mechanisms |
| • Guards | ||
| • Cameras | ||
| Business continuity plan strategy | ||
| Cash transfers in armored vehicle |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Outsourcing monitoring | ||
| Backup testing | Backup testing | Backup testing |
| BCP testing | ||
| Transaction monitoring | ||
| Building evacuation drills | Building evacuation drills | Building evacuation drills |
| UPS/generator testing | UPS/generator testing | UPS/generator testing |
Legal and Compliance Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: |
| • Complaint handling | • Complaint handling | • Complaint handling |
| • Anti-money laundering (AML) policy | • Anti-money laundering (AML) policy | |
| • Whistleblower policy | ||
| • Suspicious transactions | ||
| Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) |
| Code of ethical conduct | Code of ethical conduct | Code of ethical conduct |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Mapping of legal and compliance risks (at least every two years) | Mapping of legal and compliance risks (at least every two years) | Annual mapping of legal and compliance risks |
| Financial Action Task Force list-checking | Financial Action Task Force list-checking | |
| Quarterly reports of legal and compliance risk | Monthly reports of legal and compliance risk | |
| Transaction monitoring |
Evaluate