Operational Risk
Operational risk is the risk of financial losses and negative social performance related to failed people, processes, and systems in an MFI’s daily operations. As MFIs decentralize and offer a wider range of financial products and alternative delivery channels, the operational risks multiply and it becomes increasingly important to manage them effectively. There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.
- People Risk – People risk is the risk of financial losses and negative social performance related to inadequacies in human capital and the management of human resources. This encompasses the inability to attract, manage, motivate, develop, and retain competent resources and often results in human errors, fraud, or other unethical behavior, both internal and external to the institution.
- Process Risk – Process risk is the risk of financial losses and negative social performance related to failed internal business processes within every aspect of the business. This can include product design flaws and internal project failures.
- Systems Risk – Systems risk is the risk of financial losses and negative social performance related to failed internal systems. This encompasses inter-branch connectivity, management information and core banking systems, information technology systems, power backup systems, and other technical systems.
- External Events Risk – External events risk is the risk of financial losses and negative social performance related to the occurrence of external events typically outside of an MFI’s control. This encompasses both natural disasters such as hurricanes, flooding, earthquakes, and fires, as well as man-made events such as civil disruptions, war, robberies, arson, road blockades, and terrorist attacks.
- Legal and Compliance Risk – Legal and compliance risk is the risk of financial losses and negative social performance related to non-compliance with internal and external regulations and laws. This encompasses non-compliance with microfinance regulations, anti-money laundering (AML) requirements, tax laws, human resource laws, mandatory vehicle registration, internal codes of ethical conduct, and other regulations.
People Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: |
| • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Risk Monitoring Tools
Processes Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage process risks, including: | Formal set of policies and procedures to manage process risks, including: | Formal set of policies and procedures to manage process risks, including: |
| • Risk-tracking policy | • Risk-tracking policy | • Risk-tracking policy |
| • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field |
| • Use of insurance policy | • Use of insurance policy | • Use of insurance policy |
| • Incident reporting policy | ||
| • Risk Self-Assessment policy | ||
| • Key Risk Indicator policy |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Risk Monitoring Tools
Systems Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage system risks | Formal set of policies and procedures to manage system risks | Formal set of policies and procedures to manage system risks |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Virus checking | Virus checking | Virus checking |
| Electronic Data Process audit (at least every two years) | Annual Electronic Data Process audit | |
| Stress-testing | ||
| Exception reporting checking |
External Events Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: |
| • Outsourcing policy | • Outsourcing policy | • Outsourcing policy |
| • Security | • Security | • Security |
| • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations | |
| • Crisis management |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: |
| • In the safes and vaults | • In the safes and vaults | • In the safes and vaults |
| • At the cash desks | • At the cash desks | • At the cash desks |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Mapping of external event risks (at least every two years) | Mapping of external event risks (at least every two years) | Annual mapping of external event risks |
| Security measures at each branch, including: | Security measures at each branch, including: | Security measures at each branch, including: |
| • Safes and vaults | • Safes and vaults | • Safes and vaults with time-delayed opening mechanisms |
| • Guards | ||
| • Cameras | ||
| Business continuity plan strategy | ||
| Cash transfers in armored vehicle |
Risk Monitoring Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Outsourcing monitoring | ||
| Backup testing | Backup testing | Backup testing |
| BCP testing | ||
| Transaction monitoring | ||
| Building evacuation drills | Building evacuation drills | Building evacuation drills |
| UPS/generator testing | UPS/generator testing | UPS/generator testing |
Legal and Compliance Risk
Policies
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Commitment to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: |
| • Complaint handling | • Complaint handling | • Complaint handling |
| • Anti-money laundering (AML) policy | • Anti-money laundering (AML) policy | |
| • Whistleblower policy | ||
| • Suspicious transactions | ||
| Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) |
| Code of ethical conduct | Code of ethical conduct | Code of ethical conduct |
Limits
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Management Tools
Tier 3 Guidelines |
Tier 2 Guidelines |
Tier 1 Guidelines |
| Not applicable | Not applicable | Not applicable |
Risk Monitoring Tools
Evaluate