Operational Risk

Operational risk is the risk of financial losses and negative social performance related to failed people, processes, and systems in an MFI’s daily operations. As MFIs decentralize and offer a wider range of financial products and alternative delivery channels, the operational risks multiply and it becomes increasingly important to manage them effectively. There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.

  • People Risk – People risk is the risk of financial losses and negative social performance related to inadequacies in human capital and the management of human resources. This encompasses the inability to attract, manage, motivate, develop, and retain competent resources and often results in human errors, fraud, or other unethical behavior, both internal and external to the institution.
  • Process Risk – Process risk is the risk of financial losses and negative social performance related to failed internal business processes within every aspect of the business. This can include product design flaws and internal project failures.
  • Systems Risk – Systems risk is the risk of financial losses and negative social performance related to failed internal systems. This encompasses inter-branch connectivity, management information and core banking systems, information technology systems, power backup systems, and other technical systems.
  • External Events Risk – External events risk is the risk of financial losses and negative social performance related to the occurrence of external events typically outside of an MFI’s control. This encompasses both natural disasters such as hurricanes, flooding, earthquakes, and fires, as well as man-made events such as civil disruptions, war, robberies, arson, road blockades, and terrorist attacks.
  • Legal and Compliance Risk – Legal and compliance risk is the risk of financial losses and negative social performance related to non-compliance with internal and external regulations and laws. This encompasses non-compliance with microfinance regulations, anti-money laundering (AML) requirements, tax laws, human resource laws, mandatory vehicle registration, internal codes of ethical conduct, and other regulations.
People Risk: Guidelines by Tier

| | Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|---|
| Policies | Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: | Formal set of policies and procedures to manage people risks, including: |
| | • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members | • Transparent remuneration policies (including incentives and benefits) for staff and board members |
| Limits | Not applicable | Not applicable | Not applicable |
| Risk Management Tools | Mapping of people risks (at least every two years) | Mapping of people risks (at least every two years) | Annual mapping of people risks |
| | Dual controls of relevant processes documented | Dual controls of relevant processes documented | Dual controls of relevant processes documented |
| | Job descriptions for all staff | Job descriptions for all staff | Job descriptions for all staff |
| | Periodic training of staff on relevant policies and procedures | Periodic training of staff on relevant policies and procedures | Periodic training of staff on relevant policies and procedures |
| | Risk awareness training for all new staff | Risk awareness training for all new staff and lessons learned shared in the organization | Risk awareness training for all new staff, periodic risk awareness training for existing staff, and lessons learned shared in the organization |
| | Structured communication lines | Structured communication lines | Structured communication lines |
| | | Periodic testing on personnel’s knowledge of relevant policy manuals | Periodic testing on personnel’s knowledge of relevant policy manuals |
| | | Authorization matrices | Role-based authorization matrices |
| Risk Monitoring Tools | Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses | Quarterly analysis of variations of operating expenses |
| | | | Periodic staff satisfaction review |
| | | | Individual objective-setting in accordance with the strategy and risk framework |
Process Risk: Guidelines by Tier

| | Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|---|
| Policies | Formal set of policies and procedures to manage process risks, including: | Formal set of policies and procedures to manage process risks, including: | Formal set of policies and procedures to manage process risks, including: |
| | • Risk-tracking policy | • Risk-tracking policy | • Risk-tracking policy |
| | • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field | • Policies regarding cash transactions and handling; transport, at branch level, in the field |
| | • Use of insurance policy | • Use of insurance policy | • Use of insurance policy |
| | | | • Incident reporting policy |
| | | | • Risk Self-Assessment policy |
| | | | • Key Risk Indicator policy |
| Limits | Not applicable | Not applicable | Not applicable |
| Risk Management Tools | Mapping of process risks (at least every two years) | Mapping of process risks (at least every two years) | Annual mapping of process risks |
| | Reconciliation of transactions and accounts | Reconciliation of transactions and accounts | Reconciliation of transactions and accounts |
| | Business Continuity Plan (BCP), including: | Business Continuity Plan (BCP), including: | Business Continuity Plan (BCP), including: |
| | • Backup testing | • Backup testing | • Backup testing |
| | • Building evacuation drills | • Building evacuation drills | • Building evacuation drills |
| | | • Call tree | • Call tree |
| | | | • BCP testing and follow-up process |
| | Insurance for key assets | Insurance for key assets | Insurance for key assets |
| | Security, including: | Security, including: | Security, including: |
| | • Asset register | • Asset register | • Asset register |
| | | • Fire, theft, access controls monitoring | • Fire, theft, access controls monitoring |
| | | Product approval and review process for new products and services | Product approval and review process for new products and services, as well as annual review of existing products |
| | | Key controls embedded in business for crucial processes | Key controls embedded in business for crucial processes |
| | | Risk & Control Self-Assessment process | Risk & Control Self-Assessment process |
| | | | Annual scenario analysis |
| | | | Tender process for purchases |
| Risk Monitoring Tools | Monitoring of dormant accounts | Monitoring of dormant accounts | Monitoring of dormant accounts |
| | Monitoring of suspense accounts | Monitoring of suspense accounts | Monitoring of suspense accounts |
| | Risk tracking for all internal and external reporting | Risk tracking for all internal and external reporting | Risk tracking for all internal and external reporting |
| | Checking compliance with management controls | Checking compliance with management controls | Checking compliance with management controls |
| | | Key Risk Indicator dashboard for some key processes (including early warning signals for fraud) | Key Risk Indicator dashboard for some key processes (including early warning signals for fraud) |
| | | Incident reporting | Incident reporting (including historical loss database and lessons learned process) |
Systems Risk: Guidelines by Tier

| | Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|---|
| Policies | Commitment to manage system risks | Formal set of policies and procedures to manage system risks | Formal set of policies and procedures to manage system risks |
| Limits | Not applicable | Not applicable | Not applicable |
| Risk Management Tools | Integrated information systems (loans/savings and accounting modules) | Integrated information systems (loans/savings and accounting modules) as well as partial integration of other aspects | Integrated information systems (loans/savings and accounting modules) as well as partial integration of other aspects |
| | Mapping of system risks (at least every two years) | Mapping of system risks (at least every two years) | Annual mapping of system risks |
| | Quarterly checking of authorization matrices | Quarterly checking of authorization matrices | Quarterly checking of authorization matrices |
| | Daily backups / mirroring | Daily backups / mirroring | Daily backups / mirroring |
| | Uninterruptible Power Supply (UPS) | Uninterruptible Power Supply (UPS) | Uninterruptible Power Supply (UPS) |
| | Generator | Generator | Generator |
| | User access arranged per person | User access arranged per person | User access arranged per person |
| | | Branches connected online / in real time | Branches connected online / in real time |
| | | | Ethical hacking |
| | | | Encryption of network |
| | | | Audit trails |
| | | | Development, test, training, and production environments separated |
| | | | Automated controls |
| | | | IT infrastructure library (ITIL) processes in place and documented |
| Risk Monitoring Tools | Virus checking | Virus checking | Virus checking |
| | | Electronic Data Processing (EDP) audit (at least every two years) | Annual Electronic Data Processing (EDP) audit |
| | | | Stress-testing |
| | | | Exception reporting checking |
External Events Risk: Guidelines by Tier

| | Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|---|
| Policies | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: | Formal set of policies and procedures to manage external events risk, including: |
| | • Outsourcing policy | • Outsourcing policy | • Outsourcing policy |
| | • Security | • Security | • Security |
| | | • Business continuity plan | • Tested business continuity plan, with alternate site containing installations required for main operations |
| | | | • Crisis management |
| Limits | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: | Limits on maximum cash at the branches, including: |
| | • At the cash desks | • At the cash desks | • At the cash desks |
| Risk Management Tools | Mapping of external event risks (at least every two years) | Mapping of external event risks (at least every two years) | Annual mapping of external event risks |
| | Security measures at each branch, including: | Security measures at each branch, including: | Security measures at each branch, including: |
| | • Safes and vaults | • Safes and vaults | • Safes and vaults with time-delayed opening mechanisms |
| | | | • Guards |
| | | | • Cameras |
| | | | Business continuity plan strategy |
| | | | Cash transfers in armored vehicle |
| Risk Monitoring Tools | | | Outsourcing monitoring |
| | Backup testing | Backup testing | Backup testing |
| | | | BCP testing |
| | | | Transaction monitoring |
| | Building evacuation drills | Building evacuation drills | Building evacuation drills |
| | UPS/generator testing | UPS/generator testing | UPS/generator testing |
Legal and Compliance Risk: Guidelines by Tier

| | Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
|---|---|---|---|
| Policies | Commitment to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: | Formal set of policies and procedures to manage legal and compliance risk, including: |
| | • Complaint handling | • Complaint handling | • Complaint handling |
| | | • Anti-money laundering (AML) policy | • Anti-money laundering (AML) policy |
| | | | • Whistleblower policy |
| | | | • Suspicious transactions |
| | Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) | Legal charter: inventory of all applicable legislation (including tax laws) |
| | Code of ethical conduct | Code of ethical conduct | Code of ethical conduct |
| Limits | Not applicable | Not applicable | Not applicable |
| Risk Management Tools | Not applicable | Not applicable | Not applicable |
| Risk Monitoring Tools | Mapping of legal and compliance risks (at least every two years) | Mapping of legal and compliance risks (at least every two years) | Annual mapping of legal and compliance risks |
| | | Financial Action Task Force (FATF) list-checking | Financial Action Task Force (FATF) list-checking |
| | | Quarterly reports of legal and compliance risk | Monthly reports of legal and compliance risk |
| | | | Transaction monitoring |