Operational Risk
Operational Risk Types & Definitions
Operational risk is the risk of inefficiencies related to failed systems in an MFI’s daily operations. As MFIs decentralize and offer a wider range of financial products, the operational risks multiply and it becomes increasingly important to manage them effectively. Two subcategories have been identified within operational risk: transaction risk, and legal and compliance risk.
• Legal and Compliance Risk – Legal and compliance risk refers to the risk of inefficiencies caused by non-compliance with regulations and laws.
• Transaction Risk – Transaction risk refers to the risk of inefficiencies caused by fraud, human or technology errors and external events in an MFI’s daily operations.
• Fraud Risk – Fraud risk refers to the risk of inefficiencies caused by dishonesty, theft, manipulation of data or abuse of office.
• Human Error Risk – Human error risk refers to the risk of inefficiencies caused by inadequate staff capacity and discipline.
• External Events Risk – External events risk refers to the risk of inefficiencies caused by an external event whose occurrence is difficult for an MFI to control (for example earthquakes, fires, robberies).
• Information Technology Risk – Information technology risk refers to the risk of inefficiencies caused by technology systems that result in errors or delays in data processing.
Legal and Compliance Risk

Policies

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Commitment to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: |
| • Policies and procedures in line with legal and regulatory requirements | • Policies and procedures in line with legal and regulatory requirements | • Policies and procedures in line with legal and regulatory requirements |

Limits

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| No specific guidelines | No specific guidelines | No specific guidelines |

Risk Management Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| External support to manage legal and compliance risk | External support to manage legal and compliance risk | Dedicated area to manage legal and compliance risk |
| Quantitative operational risk methodology with implementation of action plans | | |

Risk Monitoring Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Legal and compliance risk matrix | Up-to-date legal and compliance risk matrix | |
| Annual mapping of external events risks | | |
| Periodic reports of legal and compliance risk | Monthly reports of legal and compliance risk | |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | | |
| • Inherent loss analysis | | |
| • Residual loss analysis | | |
Fraud Risk

Policies

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Formal set of policies and procedures to manage fraud risk, including: | Formal set of policies and procedures to manage fraud risk, including: | Formal set of policies and procedures to manage fraud risk, including: |
| • Policies concerning cash transactions and handling inside the branch and in the field. | • Policies concerning cash transactions and handling inside the branch and in the field. | • Policies concerning cash transactions and handling inside the branch and in the field. |
| • Dual signature policy | • Dual signature policy | • Dual signature policy |
| • Human resources policies that discourage fraud (for example selection, remuneration) | • Human resources policies that discourage fraud (for example selection, remuneration) | • Human resources policies that discourage fraud (for example selection, remuneration) |

Limits

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| No specific guidelines | No specific guidelines | No specific guidelines |

Risk Management Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Separation of functions: | Separation of functions: | Separation of functions: |
| • Existence of at least a CEO, a person in charge of finance, a person in charge of credit/business, and a part-time internal audit function. | • Existence of at least a CEO, finance department, credit/business department and internal audit. | • Existence of at least a CEO, finance department, credit/business department, internal audit department and risk management department (as well as other departments depending on structure, for example human resources, technology, social responsibility). |
| • Clear definition of functions and responsibilities. | • Clear definition of functions and responsibilities. | |
| Formalization and dissemination of policies: | Formalization and dissemination of policies: | Formalization and dissemination of policies: |
| • Existence of up-to-date credit manuals, financial management manuals and functions manual. | • Existence of up-to-date credit manuals, financial management manuals, functions manual as well as manuals covering other main processes. | • Existence of up-to-date credit manuals, financial management manuals, functions manual, internal control manuals as well as manuals covering all other processes. |
| • Availability of all relevant manuals to personnel. | • Availability of all relevant manuals to personnel. | • Availability of all relevant manuals to personnel. |
| • Periodic training of staff on relevant policies and procedures. | • Periodic training of staff on relevant policies and procedures. | • Systematic training of staff on relevant policies and procedures. |
| • Periodic evaluation of personnel’s knowledge of relevant manuals. | • Periodic evaluation of personnel’s knowledge of relevant manuals. | |
| Strict supervision structure, including: | Strict supervision structure, including: | Strict supervision structure, including: |
| • Branch manager and credit/business manager. | • Branch manager, regional manager and credit/business manager. | |
| • Cross-checking controls. | • Cross-checking controls. | • Cross-checking controls. |
| • Operational Plan. | • Operational Plan. | • Business Plan and Operational Plan (consolidated and by department). |
| • Individual goals and objectives for field personnel. | • Individual goals and objectives for field personnel. | • Individual goals and objectives for all personnel. |
| • Periodic monitoring of fulfillment of institutional and individual goals and objectives. | • Systematic monitoring of fulfillment of institutional and individual goals and objectives. | • Systematic monitoring of fulfillment of institutional and individual goals and objectives. |
| Ex-post controls | Ex-post controls | Ex-post controls |
| • Internal audit controls based on annual work plan | • Internal audit controls based on annual work plan | • Internal audit controls based on annual work plan |
| • Surprise visits to branches | • Surprise visits to branches | • Surprise visits to branches |
| • Visits to clients | • Visits to clients | • Visits to clients |
| Dedicated area for operational risk management | | |
| Internal control unit for ex-ante controls | | |
| Adequate information technology platform that reduces the risk of fraud | Optimal information technology platform that minimizes the risk of fraud | |
| Quantitative operational risk methodology with implementation of action plans | | |
| Implementation of internal audit recommendations and action plans | Implementation of internal audit recommendations and action plans | Implementation of internal audit recommendations and action plans |
| Client education campaigns that raise awareness of the risk of fraud | | |

Risk Monitoring Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Annual mapping of fraud risks | | |
| Fraud risk matrix | Up-to-date fraud risk matrix | |
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | | |
| • Inherent loss analysis | | |
| • Residual loss analysis | | |
Human Error Risk

Policies

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Commitment to manage human resources risk | Formal set of policies and procedures to manage human resources risk, including: | Formal set of policies and procedures to manage human resources risk, including: |
| • Staff training | • Staff training | |
| • Policies to avoid work overload | • Policies to avoid work overload | |

Limits

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| No specific guidelines | No specific guidelines | No specific guidelines |

Risk Management Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Adequate information technology platform that reduces human error risk. | Optimal information technology platform that minimizes human resources risk. | |
| Quantitative operational risk methodology with implementation of action plans. | | |
| Dedicated area for operational risk management. | | |
| Periodic training of staff on relevant policies and procedures. | Periodic training of staff on relevant policies and procedures. | Systematic training of staff on relevant policies and procedures. |
| Periodic testing of personnel’s knowledge of relevant manuals. | Periodic evaluation of personnel’s knowledge of relevant manuals. | |

Risk Monitoring Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Annual mapping of human resources risks | | |
| Human resources risk matrix | Up-to-date human resources risk matrix | |
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | | |
| • Inherent loss analysis | | |
| • Residual loss analysis | | |
External Events Risk

Policies

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Commitment to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: |
| • Policies concerning cash transactions inside the branch and in the field, including cash transfers | • Policies concerning cash transactions inside the branch and in the field, including cash transfers | • Policies concerning cash transactions inside the branch and in the field, including cash transfers |
| • Branch security | • Branch security policies | • Branch security policies |
| • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
| • Risk mitigation policies (for example insurance, outsourcing) | • Risk mitigation policies (for example insurance, outsourcing) | • Risk mitigation policies (for example insurance, outsourcing) |

Limits

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: |
| • In the safes and vaults | • In the safes and vaults | • In the safes and vaults |
| • At the cash desks | • At the cash desks | • At the cash desks |

Risk Management Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Cash transfers in armoured vehicle | | |
| Security measures at each branch, including: | Security measures at each branch, including: | Security measures at each branch, including: |
| • Safes and vaults | • Safes and vaults | • Safes and vaults with time-delayed opening mechanisms |
| • Cameras | | |
| Quantitative operational risk methodology with implementation of action plans | | |
| Dedicated area for operational risk management | | |

Risk Monitoring Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Dedicated area for operational risk management | | |
| External events risk matrix | Up-to-date external events risk matrix | |
| Annual mapping of external events risks | | |
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | | |
| • Inherent loss analysis | | |
| • Residual loss analysis | | |
Information Technology Risk

Policies

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Commitment to manage information technology risk | Formal set of policies and procedures to manage information technology risk, including: | Formal set of policies and procedures to manage information technology risk, including: |
| • Data back-ups | • Data back-ups | • Data back-ups |
| • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
| • Security policies (for example access to network and software) | • Security policies (for example access to network and software) | |

Limits

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| No specific guidelines | No specific guidelines | No specific guidelines |

Risk Management Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Dedicated area to manage information technology risk | Dedicated area to manage information technology risk | |
| Basic information technology platform, including: | Adequate information technology platform, including: | Optimal information technology platform, including: |
| • Accounting and portfolio modules with periodic reconciliation of data | • Integrated accounting and portfolio modules | • Integrated accounting and portfolio modules |
| • Other main modules also integrated (for example human resources, operations, banks, investments, loans, risk) | | |
| • Headquarters and all branches online for real-time data transfer | • Headquarters and all branches online for real-time data transfer | |
| • Flexible system for user-friendliness and personalization of reports | • Flexible system for user-friendliness and personalization of reports | |
| • Weekly manual back-ups | • Daily manual back-ups | • Daily automatic back-ups |
| • UPS | • Generators and UPS | |
| Quantitative operational risk methodology with implementation of action plans | | |
| Dedicated area for operational risk management | | |
| Annual systems audit | | |

Risk Monitoring Tools

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|
| Information technology risk matrix | Up-to-date information technology risk matrix | |
| Annual mapping of information technology risks | | |
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | | |
| • Inherent loss analysis | | |
| • Residual loss analysis | | |