Operational Risk
Operational Risk Types & Definitions
Operational risk is the risk of inefficiencies related to failed systems in an MFI’s daily operations. As MFIs decentralize and offer a wider range of financial products, the operational risks multiply and it becomes increasingly important to manage them effectively. Two subcategories have been identified within operational risk: transaction risk, and legal and compliance risk.
• Legal and Compliance Risk – Legal and compliance risk refers to the risk of inefficiencies caused by non-compliance with regulations and laws.
• Transaction Risk – Transaction risk refers to the risk of inefficiencies related to by fraud, human or technology errors and external events in an MFI’s daily operations.
• Fraud Risk – Fraud risk refers to the risk of inefficiencies caused by dishonesty, theft, manipulation of data or abuse of office.
• Human Error Risk – Human error risk refers to the risk of inefficiencies caused by inadequate staff capacity and discipline.
• External Events Risk – External events risk refers to the risk of inefficiencies caused by an external event whose occurrence is difficult for an MFI to control (for example earthquakes, fires, robberies).
• Information Technology Risk – Information technology risk refers to the risk of inefficiencies caused by technology systems that result in errors or delays in data processing.
–
–
Legal and Compliance Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: |
| • Policies and procedures in line with legal and regulatory requirements | • Policies and procedures in line with legal and regulatory requirements | • Policies and procedures in line with legal and regulatory requirements |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| No specific guidelines | No specific guidelines | No specific guidelines |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| External support to manage legal and compliance risk | External support to manage legal and compliance risk | Dedicated area to manage legal and compliance risk |
| Quantitative operational risk methodology with implementation of action plans |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Legal and compliance risk matrix | Up-to-date legal and compliance risk matrix | |
| Annual mapping of external events risks | ||
| Periodic reports of legal and compliance risk | Monthly reports of legal and compliance risk | |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | ||
| • Inherent loss analysis | ||
| • Residual loss analysis |
Fraud Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage fraud risk, including: | Formal set of policies and procedures to manage fraud risk, including: | Formal set of policies and procedures to manage fraud risk, including: |
| • Policies concerning cash transactions and handling inside the branch and on the field. | • Policies concerning cash transactions and handling inside the branch and on the field. | • Policies concerning cash transactions and handling inside the branch and on the field. |
| • Dual signature policy | • Dual signature policy | • Dual signature policy |
| • Human resources policies that discourage fraud (for example selection, remuneration) | • Human resources policies that discourage fraud (for example selection, remuneration) | • Human resources policies that discourage fraud (for example selection, remuneration) |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| No specific guidelines | No specific guidelines | No specific guidelines |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Separation of functions: | Separation of functions: | Separation of functions: |
| • Existence of at least a CEO, a person in charge of finance, a person in charge of credit/business, and a part-time internal audit function./td> | • Existence of at least a CEO, finance department, credit/business department and internal audit. | • Existence of at least a CEO, finance department, credit/business department, internal audit department and risk management department (as well as other departments depending on structure, for example human resources, technology, social responsibility). |
| • Clear definition of functions and responsibilities./td> | • Clear definition of functions and responsibilities. | |
| Formalization and dissemination of policies: | Formalization and dissemination of policies: | Formalization and dissemination of policies: |
| • Existence of up-to-date credit manuals, financial management manuals and functions manual. | • Existence of up-to-date credit manuals, financial management manuals, functions manual as well as manuals covering other main processes. | • Existence of up-to-date credit manuals, financial management manuals, functions manual, internal control manuals as well as manuals covering all other processes. |
| • Availability of all relevant manuals to personnel. | • Availability of all relevant manuals to personnel. | • Availability of all relevant manuals to personnel. |
| • Periodic training of staff on relevant policies and procedures. | • Periodic training of staff on relevant policies and procedures. | • Systematic training of staff on relevant policies and procedures. |
| • Periodic evaluation of personnel’s knowledge of relevant manuals. | • Periodic evaluation of personnel’s knowledge of relevant manuals. | |
| Strict supervision structure, including: | Strict supervision structure, including: | Strict supervision structure, including: |
| • Branch manager and credit/business manager. | • Branch manager, regional manager and credit/business manager. | |
| • Cross-checking controls. | • Cross-checking controls. | • Cross-checking controls. |
| • Operational Plan. | • Operational Plan. | • Business Plan and Operational Plan (consolidated and by department). |
| • Individual goals and objectives for field personnel. | • Individual goals and objectives for field personnel. | • Individual goals and objectives for all personnel. |
| • Periodic monitoring of fulfillment of institutional and individual goals and objectives. | • Systematic monitoring of fulfillment of institutional and individual goals and objectives. | • Systematic monitoring of fulfillment of institutional and individual goals and objectives. |
| Ex-post controls | Ex-post controls | Ex-post controls |
| • Internal audit controls based on annual work plan | • Internal audit controls based on annual work plan | • Internal audit controls based on annual work plan |
| • Surprise visits to branches | • Surprise visits to branches | • Surprise visits to branches |
| • Visits to clients | • Visits to clients | • Visits to clients |
| Dedicated area for operational risk management | ||
| Internal control unit for ex-ante controls | ||
| Adequate information technology platform that reduces the risk of fraud | Optimal information technology platform that minimizes the risk of fraud | |
| Quantitative operational risk methodology with implementation of action plans | ||
| Implementation of internal audit recommendations and action plans | Implementation of internal audit recommendations and action plans | Implementation of internal audit recommendations and action plans |
| Education campaigns to clients that creates consciousness on the risk of fraud |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Annual mapping of fraud risks | ||
| Fraud risk matrix | Up-to-date fraud risk matrix | |
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | ||
| • Inherent loss analysis | ||
| • Residual loss analysis |
Human Error Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage human resources risk | Formal set of policies and procedures to manage human resources risk, including: | Formal set of policies and procedures to manage human resources risk, including: |
| • Staff training | • Staff training | |
| • Policies to avoid work overload | • Policies to avoid work overload |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| No specific guidelines | No specific guidelines | No specific guidelines |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Adequate information technology platform that reduces human error risk. | Optimal information technology platform that minimizes human resources risk. | |
| Quantitative operational risk methodology with implementation of action plans. | ||
| Dedicated area for operational risk management. | ||
| Periodic training of staff on relevant policies and procedures. | Periodic training of staff on relevant policies and procedures. | Systematic training of staff on relevant policies and procedures. |
| Periodic testing on personnel’s knowledge of relevant manuals. | Periodic evaluation of personnel’s knowledge of relevant manuals. |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Annual mapping of human resources risks | ||
| Human resources risk matrix | Up-to-date human resources risk matrix | |
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | ||
| • Inherent loss analysis | ||
| • Residual loss analysis |
External Events Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: |
| • Policies concerning cash transactions inside the branch and on the field, including cash transfers | • Policies concerning cash transactions inside the branch and on the field, including cash transfers | • Policies concerning cash transactions inside the branch and on the field, including cash transfers |
| • Branch security | • Branch security policies | • Branch security policies/td> |
| • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
| • Risk mitigation policies (for example insurances, outsourcing) | • Risk mitigation policies (for example insurances, outsourcing) | • Risk mitigation policies (for example insurances, outsourcing) |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: |
| • In the safes and vaults | • In the safes and vaults | • In the safes and vaults |
| • At the cash desks | • At the cash desks | • At the cash desks |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Cash transfers in armoured vehicle | ||
| Security measures at each branch, including: | Security measures at each branch, including: | Security measures at each branch, including: |
| • Safes and vaults | • Safes and vaults | • Safes and vaults with time-delayed opening mechanisms |
| • Cameras | ||
| Quantitative operational risk methodology with implementation of action plans | ||
| Dedicated area for operational risk management |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Dedicated area for operational risk management | ||
| External events risk matrix | Up-to-date external events risk matrix | |
| Annual mapping of external events risks | ||
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | ||
| • Inherent loss analysis | ||
| • Residual loss analysis |
Information Technology Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage information technology risk | Formal set of policies and procedures to manage information technology risk, including: | Formal set of policies and procedures to manage information technology risk, including: |
| • Data back-ups | • Data back-ups | • Data back-ups |
| • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
| • Security policies (for example access to network and software) | • Security policies (for example access to network and software) |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| No specific guidelines | No specific guidelines | No specific guidelines |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Dedicated area to manage information technology risk | Dedicated area to manage information technology risk | |
| Basic information technology platform, including: | Adequate information technology platform, including: | Optimal information technology platform, including: |
| • Accounting and portfolio modules with periodic conciliation of data | • Integrated accounting and portfolio modules | • Integrated accounting and portfolio modules |
| • Other main modules also integrated (for example human resources, operations, banks, investments, loans, risk) | ||
| • Headquarters and all branches online for real-time data transfer | • Headquarters and all branches online for real-time data transfer | |
| • Flexible system for user-friendliness and personalization of reports | • Flexible system for user-friendliness and personalization of reports | |
| • Weekly manual back-ups | • Daily manual back-ups | • Daily automatic back-ups |
| • UPS | • Generators and UPS | |
| Quantitative operational risk methodology with implementation of action plans | ||
| Dedicated area for operational risk management | ||
| Annual systems audit |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Information technology risk matrix | Up-to-date information technology risk matrix | |
| Annual mapping of information technology risks | ||
| Quarterly internal audit reports to Audit Committee | Monthly internal audit reports to Audit Committee | |
| Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors | Annual internal audit reports to Board of Directors |
| Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Monthly analysis of variations of operating expenses |
| Quarterly reports of quantitative operational risk methodology, including: | ||
| • Inherent loss analysis | ||
| • Residual loss analysis |
Evaluate
–
–