Organizational Foundation

The organizational foundation represents the basic organizational structure that MFIs should have in place in order to engage effectively in formal risk management. Three components—governance and strategy, risk culture, and internal control and management information system (MIS)—make up the foundation. Each component plays a critical role in an MFI’s ability to adequately implement formal risk management in a particular risk area. Being structurally weak in one or more of those foundation components does not mean that an MFI cannot engage in general risk management. However, its risk management function will be hindered to the degree that those weaknesses exist.

The components of the organizational foundation are defined as follows:

  • Governance and Strategy – Governance and strategy is defined by the group of owners and the objectives they want to achieve and sets the tone for the way the institution is run, from its social mission to its financial objectives.
  • Risk Culture – Risk culture is an MFI’s commitment to analyze information in a self-critical manner and “face the facts” to manage and prevent risks.
  • Internal Control and MIS – Internal control and MIS is the basis of formal risk management and is characterized by separation of functions, formalization and dissemination of policies, ex post controls, and a capable MIS.

Governance and Strategy

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
| --- | --- | --- |
| Institutional bylaws | Up-to-date institutional bylaws | Up-to-date institutional bylaws |
| Mission | Mission | Mission |
| Separation of functions: Existence of at least a full-time CEO and CFO, a person in charge of credit/business, and a part-time internal audit function. | Separation of functions: Existence of at least a full-time CEO and CFO, credit/business department, and internal audit. Clear definition of functions and responsibilities. | Separation of functions: Existence of at least a full-time CEO and CFO, credit/business department, internal audit department, and risk management department. Clear definition of functions and responsibilities. |
| Goals and objectives: Business Plan and Operational Plan. Individual goals and objectives for field personnel. Periodic monitoring of fulfillment of institutional and individual goals and objectives. | Goals and objectives: Business Plan and Operational Plan. Individual goals and objectives for field personnel. Systematic monitoring of fulfillment of institutional and individual goals and objectives. | Goals and objectives: Business Plan and Operational Plan—consolidated and by department. Individual goals and objectives for all personnel. Systematic monitoring of fulfillment of institutional and individual goals and objectives. |

At least one person in charge (including part-time personnel) of risk management
At least one full-time person in charge of risk management
Quarterly meetings of risk management committee with participation of members of the Board of Directors
Monthly meetings of risk management committee with participation of members of the Board of Directors

Risk Culture

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
| --- | --- | --- |
| Internal transparency: Commitment to analyze information in a self-critical manner and “face the facts” | Internal transparency: Commitment to analyze information in a self-critical manner and “face the facts” | Internal transparency: Commitment to analyze information in a self-critical manner and “face the facts” |
| External transparency: Commitment not to hide information | External transparency: Commitment not to hide information | External transparency: Commitment not to hide information and to publish it freely |

Internal Control and MIS

| Tier 3 Guidelines | Tier 2 Guidelines | Tier 1 Guidelines |
| --- | --- | --- |
| Formalization and dissemination of policies: Existence of up-to-date credit manuals and financial management manuals. | Formalization and dissemination of policies: Existence of up-to-date credit manuals and financial management manuals as well as manuals covering other main processes. Manuals disseminated at all levels. | Formalization and dissemination of policies: Existence of up-to-date credit manuals, financial management manuals, and internal control manuals as well as manuals covering all other processes. Manuals disseminated at all levels. |
| Ex-post controls: Internal audit controls based on annual work plan. Surprise visits to branches and clients. | Ex-post controls: Internal audit controls based on annual work plan. Surprise visits to branches and clients. | Ex-post controls: Internal audit controls based on annual work plan. Surprise visits to branches and clients. |
| Management information system: capable of generating the information and reports mentioned in the risk categories in an accurate and timely manner. | Management information system: capable of generating the information and reports mentioned in the risk categories in an accurate and timely manner. | Management information system: capable of generating the information and reports mentioned in the risk categories in an accurate and timely manner. |