"risk mapping tool final"
PlaNet Finance Risk Management Public Tools Series Microfinance Risk Mapping tool [China] with the support of Developed with financial support of the Credit Suisse Foundation, Switzerland. Credit Suisse Foundation, Credit Suisse Group AG and its affiliates do not make any representation as to the accuracy or completeness of the materials and do not accept liability for any loss arising from the use thereof. PlaNet Finance Group – 44 rue de Prony - 75017 Paris - France Tel. 33 (0)1 49 21 26 26 – Fax. 33 (0)1 49 21 26 27 http://www.planetfinance.org/ For any questions on the risk mapping tool, please contact PlaNet Finance China email@example.com All material contained in the tool are either the copyrighted property of PlaNet Finance. The user may not publish, transmit, sell the content for public or commercial purpose. Unauthorized use of the materials is strictly prohibited and is a violation of the rights of PlaNet Finance. PlaNet Finance assumes no liability or responsibility for any loss arising from the use of the tool. GENERAL INFORMATION Please enable Macros before you start risk mapping. Name of the organization Risk Mapping Conducted Name & Position of Staff Responsible for Risk Map Date : mm/dd/year Date : mm/dd/year Date : mm/dd/year Date : mm/dd/year Organization Type Starting year of the first financial activity [Type] [Year] NET RISK MAPPING (1-5) Governance 5 4 3 External Risk Liquidity & Market Risk 2 mm/dd/year 1 mm/dd/year 0 mm/dd/year mm/dd/year Operational Risk Credit Risk Information Technology Risk Legend 1 An example in this area, well functioning. 2 The risk management controls in this area are sustainably set up and generally function well. 3 The risk management controls in this area are correctly set up, and could reach a good functioning if improvements are made. 4 There are significant issues to be addressed in the set-up and/or functioning of risk management controls in this area. 5 The organization shows deep weaknesses in this area; the risk management controls in this area are unsustainable. GROSS RISK MAPPING ( L / M / H ) Likelihood of Emergence / Severity of Impact Severity Type of Risk L/L L/M M/L L/H M/M M/H H/L H/M H/H Total Governance Risk 0 0 0 0 0 0 0 0 0 0 High 0 0 0 External Risk 0 0 0 0 0 0 0 0 0 0 Operational Risk 0 0 0 0 0 0 0 0 0 0 IT Risk 0 0 0 0 0 0 0 0 0 0 Moderate 0 0 0 Credit Risk 0 0 0 0 0 0 0 0 0 0 Liquidity & Market Risk 0 0 0 0 0 0 0 0 0 0 Total 0 0 0 0 0 0 0 0 0 0 Low 0 0 0 Likelihood Low Moderate High Legend Low gross risk Medium gross risk High gross risk GOVERNANCE RISK Governance risk is the risk of loss due to inadequate governance or a poor governance structure. A MFI should have strong governance in place to ensure the Board and the management are accountable to the organization and shareholders in fulfilling the organization's mission and protecting the organization's assets. The Board and the management are ultimately responsible for analyzing risks and ensuring the MFI has robust controls, as well as strong audit and reporting mechanisms, to minimize vulnerabilities. Thus, the Board and the management should have the proper technical skills and personal attributes to set up a sustainable risk management system. IMPACT NET RISK SUMMARY RISK DESCRIPTION RISK ASSESSMENT ( L/M/H ) (1-5) LIKELIHOOD mm/dd/year mm/dd/year mm/dd/year mm/dd/year ID REF NO. SEVERITY CATEGORY RISK INDICATORS CONTROL GAP enter risk weighting below 1. BOARD STRUCTURE 20% o Are there clear and well written by-laws defining the structure, roles, responsibilities, and procedures of the Board? o Is there a mechanism in place to ensure sufficient scheduling, Risk that the Board activities are preparation, organization, and recording of Board proceedings? Board 1.1 not carried out in a well-defined, o Are there minimum requirements on the frequency and attendance of proceedings clear and organized manner Board meetings? o Are there specialized committees (e.g. asset and liability, audit, risk management, remuneration, etc.) set up in line with evolving needs of the organization? o Are there mechanisms, such as disclosure of financial and non-financial Risk of Board member(s) having interests of Board members and/or a policy for situations requiring recusal conflict of interest that may to minimize potential conflicts of interest of Board members? 1.2 Conflict of interest hinder objectivity and/or o Are there mechanisms to ensure the Board is independent from the independence management, such as separation of the Chairman of the Board and CEO roles? Risk due to lack of proper o Does the Board have a periodic self-assessment mechanism? Evaluation and 1.3 evaluation and training of Board o Is there orientation for new Board directors and education of existing training members Board directors in line with evolving needs of the organization? o Are there mechanisms to change the composition of the Board if Risk due to lack of proper Board 1.4 Succession members are not fulfilling duties or new perspectives or skills are needed? succession mechanisms o Is there a policy of term limits at the organization? Evaluation: Board Structure enter risk weighting below 2. BOARD OVERSIGHT 20% o Does the Board periodically review the management's strategy and Risk due to the Board's lack of Strategic, approve it in light of the organization's goals and mission? proper strategic management, 2.1 management, and o Does the Board periodically evaluate and monitor the operational and and fiduciary oversight over the fiduciary oversight financial performance of the organization under management in light of the organization and management organization's strategy and goals? o Does the Board periodically review the organization's risk management and compliance, and provide appropriate guidance on further implementing appropriate frameworks? Risk management Risk due to the Board's lack of 2.2 o Is there a Risk Committee at the Board level? & compliance attention to risks and compliance o Does the Board periodically review current regulations and laws governing the organization's activities in order to identify non-compliance or grey areas ? o Is relevant and accurate financial information provided to the Board on a Risk due to the Board's lack of Reporting to the regular and timely basis, and in a standardized manner? 2.3 regular, accurate, relevant, and Board o Is relevant and accurate operational information provided to the Board on timely information a regular and timely basis, and in a standardized manner? Social Risk due to the Board's lack of o Does the Board periodically measure organization's social performance in 2.4 performance attention to social performance line with strategy and goals? Management Risk due to the Board's lack of o Does the Board regularly discuss issues related to management identification, involvement in the management identification and development? 2.5 development, and identification, development, and o Is there a Remuneration Committee at the Board level? succession succession o Does the Board have a management succession plan in place? Evaluation: Board Oversight enter risk weighting below 3. MANAGEMENT 20% o Does the current management structure match the scale and complexity Risk of inadequate and/or of the organization? 3.1 Structure unclear management structure in o Are roles and responsibilities of the management clearly defined and the organization documented? o Are the key management positions in the organization currently filled? Risk of key management roles 3.2 Staffing o If the key management positions are vacant, is there an active being vacant recruitment process underway? o Is there a system for evaluation of the management to ensure they have Risk due to the management's the right skills and qualifications for their respective roles? Skills and 3.3 lack of proper skills and o Is there continuous training for the management to ensure they have the qualifications qualifications right skills and qualifications in line with the evolving needs of the organization? o Has the management documented a clear strategy and plans for the Risk of lack of or insufficient 3.4 Strategy and plan business? strategy and plans o Are they reviewed, updated and approved by the management regularly? o Are there clearly documented policies and procedures for the key areas Policy and Risk of lack of or insufficient 3.5 set up by the management and provided to the relevant staff? procedures policies and procedures o Are they reviewed, updated and approved by the management regularly? o Does the management hold periodic risk management meetings? o Has the management set up a comprehensive risk management Risk due to the management's 3.6 Risk management frameworks and related policies? lack of attention to risks o Does the management regularly review and update risk management frameworks? o Has the management set up a comprehensive compliance frameworks and related policies? Risk due to the management's o Does the management regularly review and update compliance 3.7 Compliance lack of attention to compliance frameworks? o Is there a mechanism for the management to follow up and rectify compliance issues that are uncovered during internal and external reviews? o Is the organization overly dependent on key management for the well Risk of overdependency on key 3.8 Key man risk functioning of the organization? management o Is there succession planning in place to mitigate key man risk? o Has the management set up a robust code of conduct to actively promote 3.9 Culture of integrity Risk of weak culture of integrity honesty and open communication of risk issues among staff members and the client community? Evaluation: Management enter risk weighting below 4. AUDIT 20% o Is there an independent internal audit structure set up for key areas of the business with clear and robust procedures? o Is internal audit conducted on a frequent enough basis? Risk due to insufficient internal 4.1 Internal audit o Is there a clear procedure for reporting and follow up of internal audit audit findings to the management and the Board? o Is there sufficient number of qualified internal auditors in line with the business scale and complexity? o Is there an external audit structure in place? o Is external audit conducted on a frequent enough basis? Risk due to insufficient external 4.2 External audit o Is there a clear procedure for reporting and follow up of external audit audit findings to the management and the Board? o Is the external audit conducted by a qualified external auditor? Evaluation: Audit enter risk weighting below 5. REPORTING 20% Risk of inaccurate or unreliable o Is information contained in the financial statements accurate and Financial information on the balance according to commonly accepted financial reporting standards? 5.1 Statements sheet, income statement and o Are financial statements prepared both on an individual entity basis and a cash flow statement consolidated basis if the organization have various entities? o Does reporting cover the key areas of the operations, such as operations, credit, risk management, and treasury? Risk of inaccurate or unreliable Operational o Is there a mechanism in place to ensure the accuracy of business related 5.2 reporting on the key areas of the reporting reports? operations o Are operational reports prepared both on an individual entity basis and a consolidated basis if the organization have various entities? o Are financial statements provided to the relevant users on a regular and Risk that the management and timely basis, and in a standardized manner? 5.3 Usage of reports staff do not utilize reports to o To ensure effective management, are business related reports provided guide business decisions to the relevant users on a regular and timely basis, and in a standardized manner? Evaluation: Reporting enter risk weighting below 6. OTHER RISKS 0% 6.1 6.2 6.3 6.4 6.5 Evaluation: Other EVALUATION: GOVERNANCE RISK Recommendations EXTERNAL RISK External risk is the risk of loss due to developments, changes, or influences from the external environment. A MFI should be sensitive to its operating environment, including, but not limited to, regulatory, legal, political, and macroeconomic factors, and constantly assesses the external environment it operates in, to minimize potential vulnerabilities of the organization to these outside forces. Although a MFI may have less control over some external risks, certain external risks can be actively managed. IMPACT NET RISK SUMMARY RISK DESCRIPTION RISK ASSESSMENT ( L/M/H ) (1-5) LIKELIHOOD mm/dd/year mm/dd/year mm/dd/year mm/dd/year ID REF NO. SEVERITY CATEGORY RISK INDICATORS CONTROL GAP enter risk weighting below 1. EXTERNAL ENVIRONMENT 100% o Does the organization periodically review changes in regulations and laws Risk the organization faces from Regulatory & legal that may materially impact the organization? 1.1 the regulatory and legal environment o If there are changes in the regulatory and legal environment, does the environment organization assess the potential impact and take measures accordingly? o Does the organization have awareness of potential influences from the political environment (e.g. changes in leadership or policies) that may Political Risk the organization faces from 1.2 materially impact on the organization? environment the political environment o If there are developments in the political environment, does the organization assess the potential impact and take measures accordingly? o Does the organization periodically assess the competitive environment (e.g. Risk due to increasing new market entrants, new products, pricing pressure, market saturation, Competitive 1.3 competition from existing and etc.)? environment new players o If the competitive environment changes, does the organization adapt accordingly? o Is the organization aware of social and demographic trends that may Social and Risk the organization faces from materially impact the organization (e.g. social cohesiveness, population 1.4 demographic the social and demographic mobility, urbanization, etc.)? environment environment o If there are changes in the social and demographic environment, does the organization assess the potential impact and take measures accordingly? o Is the local environment at risk for natural calamities that could negatively impact the organization (e.g. floods, cyclones, drought, etc.)? Physical Risk the organization faces from 1.5 o Do these natural calamities pose a risk to income streams of households environment the environment and enterprises and/or microfinance delivery? o Does the organization have a business continuity plan? o Does the organization monitor the developments in the macroeconomic environment that may impact the organization's clients (e.g. stability of local Macroeconomic Risk the organization faces from 1.6 pillar industry)? environment the macroeconomic environment o If there are changes in the macroeconomic environment, does the organization assess the potential impact and take measures accordingly? o Are there any internal business practices and external factors that may negatively impact the organization (e.g. operating environment, microfinance Risk of damage to the external industry)? 1.7 External reputation reputation of the organization o Does the organization have contingency plans for external reputation damage? Evaluation: External Environments enter risk weighting below 2. OTHER RISKS 0% 2.1 2.2 2.3 2.4 2.5 Evaluation: Other EVALUATION: EXTERNAL RISK Recommendations OPERATIONAL RISK Operational risk is the risk of loss due to inadequate or failed internal processes, people, and systems. Fraud is also considered as an operational risk. A MFI should design and imbed control mechanisms throughout the operations to mitigate potential vulnerabilities in the control environment. The organization should proactively conduct ex-post review of transactions and assess the adequacy of control measures and staff resources. Finally, cultivating a culture of integrity and transparency among employees is critical to control operational risk. IMPACT NET RISK SUMMARY RISK DESCRIPTION RISK ASSESSMENT ( L/M/H ) (1-5) LIKELIHOOD mm/dd/year mm/dd/year mm/dd/year mm/dd/year ID REF NO. SEVERITY CATEGORY RISK INDICATORS CONTROL GAP enter risk weighting below 1. LOAN PROCESS - PROMOTION 5% Risk of promotional activities o Are there controls to ensure promotion is conducted in a standardized Promotional 1.1 lacking standardization and and transparent manner so clients are aware of the loan services, and activities transparency understand the loan terms and obligations? Documentation of Risk of lack of documentation of o Are there procedures to ensure information on promotional activities are 1.2 promotional promotional activities collected, recorded, and utilized? activities Evaluation: Promotion enter risk weighting below 2. LOAN PROCESS - APPLICATION 10% o Are there controls to ensure the information on application forms is Risk of application forms being complete and accurate? incomplete, inaccurate, or o When an old borrower applies for a new loan, is updated information 2.1 Application taking submitted in an untimely collected, and the ID and loan purpose revalidated? manner o Are there controls to ensure application forms are submitted and entered into the system in a timely manner? Evaluation: Application enter risk weighting below 3. LOAN PROCESS - ANALYSIS 15% o Are there clear and sufficient standards to guide the credit analysis? o Are staff following procedures in conducting the credit analysis to obtain Risk of the client analysis not an accurate picture of the client's socio-economic situation? 3.1 Client analysis being conducted properly o Are controls in place to protect against external or internal fraud? o Is there independent validation on the information collected by loan officers? o Are there controls to ensure sufficient investigation of the borrower's real Loan purposeRisk of insufficient loan purpose loan purpose? 3.2 analysis analysis o If the borrower has previous loans, are there procedures to check the actual usage of his/her previous loans? o Are staff following procedures in carrying out the analysis and Risk of guarantor and/or Guarantor and verification of the guarantor and/or collateral? 3.3 collateral not being verified and collateral analysis o Are controls in place to ensure that the guarantor and collateral are not analyzed properly used for multiple loans? o Is there a standardized form documenting the information collected Risk of inadequate Documentation of during the credit analysis? 3.4 documentation of the credit analysis o Are there controls to ensure staff are properly documenting the results of analysis the credit analysis? Evaluation: Analysis enter risk weighting below 4. LOAN PROCESS - APPROVAL 10% Risk of lending decisions o Are there controls in place to ensure staff responsible for loan approval charged to staff without 4.1 Approval decision are properly qualified? sufficient risk assessment o Are there multiple people involved in the loan approval decision making? capability o Is there an audit trail of the loan approval process? Documentation of Risk of unclear documentation 4.2 o Can an independent party trace back and re-perform the approval approval process of the approval process process? Evaluation: Approval enter risk weighting below 5. LOAN PROCESS - DISBURSEMENT 15% o Are there controls in place to ensure disbursements are made to the intended borrower? Loan Risk of disbursement not being o Are approved loans disbursed within a fixed period from time of 5.1 disbursement conducted appropriately approval? o If disbursement happens after the allowed time period, is re-approval required and is the loan approval decision revalidated? o Are there multiple hand-offs of cash between the organization and the Cash control at Risk of weak control of cash at borrower? 5.2 disbursement disbursement o If there are both collections and disbursements on the same day, is cash handled separately or netted? Evaluation: Disbursement enter risk weighting below 6. LOAN PROCESS - POST LENDING COLLECTIONS & MONITORING 25% o Are there procedures in place to remind the client of upcoming installment payment dates? Risk that the client or loan Payment o Are there procedures in place to ensure loan officers are aware of 6.1 officer forgets the installment reminder upcoming payment dates of clients? payment date o Is there a system generating daily reports to remind loan officers and their managers of payments falling due? o Are there controls to ensure monitoring is conducted in a standardized Risk of inadequate monitoring 6.2 Client monitoring manner according to the monitoring policy? of clients o Is there an audit trail of the monitoring process? o Are there multiple hand-offs of cash between the organization and the Cash control at Risk of weak control of cash at borrower? 6.3 collection collection o If there are both collections and disbursements on the same day, is cash handled separately or netted? Risk of not detecting or o Is delinquency monitored on a regular basis (daily, monthly, quarterly)? Delinquency 6.4 reporting delinquency in a o Is there a dedicated function for monitoring delinquency? monitoring timely manner o Are late payments occurring within the month included as delinquency? o Do lending officers have the incentive to stay alert of early warning signs and disclose problems early? Early problem Risk of staff not reporting credit 6.5 o Do loan officers flag potential credit concerns (e.g. borrower business recognition problems in a timely manner weaknesses, sickness of family members, borrower left home, gambling, divorce, etc.)? o Is post-disbursement sample checking performed by the organization? Risk of inadequate or lack of 6.6 Sample checking o Is there the right level of skills and training of staff to conduct qualitative sample checking assessment during sample checking? Evaluation: Post Lending Collections & Monitoring enter risk weighting below 7. STAFF 10% o Does the current staff structure match the scale and complexity of the Risk of inadequate and/or organization? 7.1 Structure unclear staff structure in the o Are roles and responsibilities of the staff clearly defined and organization documented? o Are the key staff positions in the organization currently filled? Risk of key staff roles being 7.2 Staffing o If the key staff positions are vacant, is there an active recruitment vacant process underway? o Is there a system for evaluation of staff to ensure they have the right skills and qualifications for their respective roles? Skills and Risk of staff lacking the proper o Is there continuous training for staff to ensure they have the right skills 7.3 qualifications skills and qualifications and qualifications in line with the evolving needs of the organization? o Is there a healthy mix between senior and junior staff, mature and new staff? o Is there ongoing monitoring to ensure appropriate workload for staff Risk of the workload of staff involved in different areas of the operations? 7.4 Workload force being excessive o Is there a mechanism to detect whether the staff force is stretched too thin? o Is the compensation designed to encourage balanced risk taking (e.g. Risk of inappropriate or Compensation ratio between fixed and variable salary components)? 7.5 unintended staff behavior driven structure o For loan officers, does the pay structure discourage risk disclosure due by the compensation system to penalty on delinquency or non performing loans? o Is the competence level and training requirements of each staff Risk of lack of ongoing, mapped out in accordance with the needs of the business? 7.6 Training relevant, and standardized staff o Does the staff force receive sufficient technical training (in addition to training policies and procedures training) to carry out their respective responsibilities? Evaluation: Staff enter risk weighting below 8. PHYSICAL SECURITY 10% o Are sensitive or valuable items and documents stored securely in the Safekeeping of Risk of theft, destruction or loss premises, under authorized access? 8.1 valuable assets of valuable assets and o Are control procedures for safekeeping documented (e.g. dual controls, and documents documents regular stock checks, files access, etc.)? o If cash is stored at the branch or unit office, is the cash stored in a protected safe or vault, under authorized access? Safekeeping of Risk of theft, destruction, or loss 8.2 o Are there documented procedures for cash reconciliation? cash of cash o Are there limits in place on the amount of cash that can be kept in a service location at any given time? o Are there safety measures on the branch premises commensurate with Risk of theft, destruction, or loss the risk in the local area (e.g. locks on doors, windows, security alarms, Security of 8.3 due to unsafe or improperly etc.)? premises secured premises o Is there a proper separation of client and employee-restricted areas to ensure confidentiality and safekeeping of assets? Evaluation: Physical Security enter risk weighting below 9. OTHER RISKS 0% 9.1 9.2 9.3 9.4 9.5 Evaluation: Other EVALUATION: OPERATIONAL RISK Recommendations INFORMATION TECHNOLOGY RISK Information technology risk is the risk of loss due to inadequate IT systems infrastructure. A MFI should have robust, responsive and properly scaled IT systems infrastructure in order to identify and monitor current and future risks, while systematizing business processes and controls. The IT system's ability to generate standardized, timely , and accurate reporting is also a key component in an organization's risk management framework. IMPACT NET RISK SUMMARY RISK DESCRIPTION RISK ASSESSMENT ( L/M/H ) (1-5) LIKELIHOOD mm/dd/year mm/dd/year mm/dd/year mm/dd/year ID REF NO. SEVERITY CATEGORY RISK INDICATORS CONTROL GAP enter risk weighting below 1. SYSTEMS 100% o Does the organization have a robust loan management system in line with the complexity and scale of the operation? System Risk due to lack of or insufficient 1.1 o Does the organization have a robust accounting system in line with the Infrastructure IT systems infrastructure complexity and scale of the operation? o Is the loan management system and accounting system linked? o Are the functionalities of the IT system sufficient to support the requirements of the organization in regards to operations, controls and reporting? Risk due to lack of or inadequate 1.2 System Features o Is there a mechanism in place to identify the gaps in IT system system functionalities functionalities? o Is there a procedure to ensure that IT system gaps are addressed through new requirements? o Does each employee only have access to computers for his/her own Risk of fraud or loss of data due work? 1.3 System integrity to system failures, breaches or o Are there passwords and levels of administration (e.g. data entry, data improper usage viewing rights, etc.) in the IT system? o Does the IT system have backup procedures and audit trails? o Is there a periodic spot-checking of the IT system to ensure data entry is Risk that the IT system does not accurate, complete and timely? 1.4 Data integrity produce accurate, complete, o Is there a dedicated person/function for handling data entry? and/or timely data o Is data periodically backed up? o Is there restricted access to sensitive data? Risk due to staff not being o Is there periodic training to help staff utilize the IT systems correctly? 1.5 System Training properly trained on the use of o Are there manuals, tutorials, and help screens available for staff, in the IT system addition to training? Risk of not having sufficient IT o Is there a qualified in-house or outsourced team for maintaining and 1.6 System Support systems support upgrading the system? Evaluation: Systems enter risk weighting below 2. OTHER RISKS 0% 2.1 2.2 2.3 2.4 2.5 Evaluation: Other EVALUATION: INFORMATION TECHNOLOGY RISK Recommendations CREDIT RISK Credit risk is the risk of loss due to borrowers' late or non-payment of loan principal and/or interest obligations. A MFI should have methodologies to assess credit risk exposures at both the individual borrower and portfolio level. Credit risk should be undertaken in a calculated and controlled manner to achieve the desired business results while keeping credit losses within tolerance limits. Timely identification and prevention of problems, as well as periodic review of credit risk methodologies in light of changes in the internal and external environment, are critical. IMPACT NET RISK SUMMARY RISK DESCRIPTION RISK ASSESSMENT ( L/M/H ) (1-5) LIKELIHOOD mm/dd/year mm/dd/year mm/dd/year mm/dd/year ID REF NO. SEVERITY CATEGORY RISK INDICATORS CONTROL GAP enter risk weighting below 1. PRODUCT STRUCTURE 25% o Are the products and clients screening criteria deigned to ensure they Risk due to a mismatch between attract intended target segment and meet loan purpose? 1.1 Target segment the product design and the o Are the products designed to fit a critical mass of local loan demand? underlying target segment o Are the products designed to ensure the loan size fits the loan demand of the target segment? o Is there periodic review to ensure the loan pricing is in line with overall Risk of distortions due to loan pricing in the market to avoid potential distortions (e.g. sub-market pricing 1.2 Loan pricing pricing could attract mis-appropriation; excessive pricing could conflict with social motives or lead to adverse selection)? Risk of insufficient protections or o Are there safeguards to control loss norms (e.g. frequent test of Protections or risk 1.3 risk mitigations in the loan repayments, loan maturities, collateral, guarantees, credit insurance, mitigations products mandatory risk fund, etc.)? o Are policies in place to cap exposure to clients over multiple loan products? Risk of over-exposure to a single 1.4 Loan exposure o Are client exposure to guarantees also assessed? client or group of related parties o Are policies in place to cap exposure across related parties? Evaluation: Product structure enter risk weighting below 2. PORTFOLIO STRUCTURE 35% o Is there a regular review of portfolio to identify potential over-concentration in the portfolio (by product, geography, industry, borrower type, business unit, Portfolio Risk of over-concentration in the 2.1 loan officer, etc.)? concentration loan portfolio o Does the organization establish concentration limits in place to control risky areas? Risk of credit deterioration due to o Does the review of portfolio take into account the potential hidden risk due 2.2 Portfolio growth fast expansion to rapid loan growth? o Is it possible to review or inspect the quality of each loan in the portfolio in detail (e.g. is it possible to retrieve borrower credit information in addition to Portfolio Risk of inadequate portfolio 2.3 basic client information)? management tools management tools o Does the organization utilize its client database to develop statistical tools to manage the lending process? Evaluation: Portfolio structure enter risk weighting below 3. CREDIT POLICY 40% o Are there effective target market screening criteria or screening tools to assist client selection? Application Risk of inadequate application o If so, are there screening tools which are statistically designed to aid in the 3.1 screening screening criteria screening process? o Where there are multiple products, are screening criteria and tools customized by product? o Are there clear standards and procedures for conducting a comprehensive credit analysis? o Are there policies specifying what information and documents should be 3.2 Credit Analysis Risk of insufficient credit analysis collected? o Is guarantor and collateral assessment required as part of the credit analysis? o Is there a clear policy to specify who has the authority for loan approval Risk that credit decisions are not differentiated by risk level and loan amount? 3.3 Approval authority controlled at the appropriate level o Is there a clear policy to specify who has authorization to grant approval authorities and on what basis? Risk of having unclear approval 3.4 Approval criteria o Are there clear risk acceptance standards to guide credit decision making? criteria o Is credit accountability clearly defined in the policy? Risk of not having clear 3.5 Accountability o Is credit policy clearly defined who has ownership over credit quality, ownership of credit quality including the individual with primary responsibility for loan quality? o Are there clear policies for monitoring clients after loan disbursement? Risk of having unclear monitoring 3.6 Monitoring o Are there requirements of client visits or meetings after disbursement? requirements post disbursement o Are post-lending visits or meetings recorded? o Does the organization set aside general reserves and specific loan loss reserves in a prudent manner? Risk of not making reasonable o Are there provisioning policies to specify the time for provisioning of 3.7 Provisioning provision against potential credit overdue loans? losses o Are the provisioning policies reviewed on a periodic basis in line with the specific situation of the organization? o Are there clearly documented procedures for collection actions, with Risk of having unclear collection escalating measures depending upon the severity? 3.8 Collections requirements o Do collection policies specify the reporting of collection activities within the organization? Risk due to lack of or inadequate o Is there a robust stress testing framework that evaluates the real quality of 3.9 Stress testing stress testing framework the loan portfolio? Evaluation: Credit policy enter risk weighting below 4. OTHER RISKS 0% 4.1 4.2 4.3 4.4 4.5 Evaluation: Other EVALUATION: CREDIT RISK Recommendations LIQUIDITY & MARKET RISK Liquidity risk is the risk of loss due to an organization's inability to meet its payment commitments or finance new loan growth. Market risk is the risk of loss due to re-pricing of assets and liabilities. A MFI should manage liquidity risk to avoid cash shortages and ensure sufficient funding for new loan demand and savings withdrawals (for deposit-taking lenders). A clear overall funding strategy, as well as detailed ongoing forecasts of cash inflows and outflows, are several key components to manage liquidity risk. To protect against market risk requires constant monitoring of the interest rate environment, and an active strategy to ensure assets and liabilities are properly matched within tolerance limits set by the organization. Tools for evaluating the impact of potential liquidity and market shocks are also important for better understanding of these risks. IMPACT NET RISK SUMMARY RISK DESCRIPTION RISK ASSESSMENT ( L/M/H ) (1-5) LIKELIHOOD mm/dd/year mm/dd/year mm/dd/year mm/dd/year ID REF NO. SEVERITY CATEGORY RISK INDICATORS CONTROL GAP enter risk weighting below 1. IDENTIFICATION & MEASUREMENT 40% o Does the organization have a comprehensive well-documented policy to Risk of not having a identify, measure, and manage liquidity and market risks? comprehensive framework for o Is the policy periodically reviewed and updated by the management and 1.1 Framework liquidity and market risk approved by the Board? management o Is there a dedicated person and/or function for managing liquidity and market risks? Assets Risk of not having a clear o Does the organization have a clear definition of which assets are 1.2 classification definition of liquid assets classified as liquid and non-liquid? o Does the organization have a clearly documented methodology and procedure for forecasting cashflows, contractual maturity mismatch and Cashflow Risk of not properly forecasting 1.3 liquidity gap on a periodic basis? forecasting cashflows on a periodic basis o Are all material cash inflows and outflows accounted in the forecasting methodology (e.g. off balance sheet commitments and liabilities)? Risk due to lack of a o Are liquidity and market risks assessed both on an individual entity basis 1.4 consolidated view of risk Consolidation and a consolidated basis, if the organization have multiple entities? exposures Evaluation: Identification & Measurement enter risk weighting below 2. MANAGEMENT 40% o Does the organization monitor interest rates within and across entities and Risk due to lack of or inadequate business lines? 2.1 Monitoring monitoring liquidity and market o Does the organization monitor funding needs within and across entities risks and business lines? o Does the organization have an early warning monitoring system? o Does the organization have a clearly documented methodology for setting Risk due to lack of liquidity risk up liquidity and market risk limits? 2.2 Limits setting and market risk limits, or limits o Are these limits periodically reviewed, updated and approved by the being inadequately set management and/or the Board? Risk due to lack of liquidity o Does the organization have a reserve fund of the appropriate size to meet 2.3 Liquidity cushion cushion for the timely repayment unexpected demands for cash? of liabilities Collateral Risk of lack of or inadequate o Does the organization actively manage and monitor collateral to mitigate 2.4 management management of collateral liquidity risk? o Does the organization have a formally documented contingency plan at Contingency Risk of not having a contingency different levels of the organization? 2.5 funding plan funding plan o Does the organization have backup funding lines that can be utilized in a case of liquidity crisis? Evaluation: Management enter risk weighting below 3. STRESS TESTING 20% o Is there a robust stress testing framework that evaluates impacts from the scenarios on liquidity and market risks? Risk due to lack of or inadequate 3.1 Stress testing o Do stress testing scenarios take into account the risks and lessons stress testing framework learned from the most recent crisis? o Are stress testing scenarios subject to regular reviews and reappraisals? Risk of not testing plausible o Does the organization have the ability to build resverse stress testing (i.e. Reverse stress 3.2 scenarios outside normal stress use potential, negative outcome to model scenarios that could potentially testing testing requirements affect the organization in a significant manner)? Risk due to non compliance with o Are there minimum regulatory requirements for scenario testing? Regulation & 3.3 prevailing regulations regarding o If so, is the organization's stress testing compliant with the regulatory scenario setting stress testing requirements? Evaluation: Stress testing enter risk weighting below 4. OTHER RISKS 0% 4.1 4.2 4.3 4.4 4.5 Evaluation: Other EVALUATION: LIQUIDITY & MARKET RISK Recommendations