risk mapping tool final by Yu75LG

VIEWS: 15 PAGES: 23

									PlaNet Finance Risk Management Public Tools Series




                                          Microfinance
                                       Risk Mapping tool
                                                                   [China]




with the support of




Developed with financial support of the Credit Suisse Foundation, Switzerland.
Credit Suisse Foundation, Credit Suisse Group AG and its affiliates do not make any representation as to the accuracy or completeness of the
materials and do not accept liability for any loss arising from the use thereof.




                                     PlaNet Finance Group – 44 rue de Prony - 75017 Paris - France
                                          Tel. 33 (0)1 49 21 26 26 – Fax. 33 (0)1 49 21 26 27
                                                      http://www.planetfinance.org/

                           For any questions on the risk mapping tool, please contact PlaNet Finance China
                                                              info@mfchina.cn
All material contained in the tool are either the copyrighted property of PlaNet Finance. The user may not publish, transmit, sell the content for public or
commercial purpose. Unauthorized use of the materials is strictly prohibited and is a violation of the rights of PlaNet Finance. PlaNet Finance assumes no
liability or responsibility for any loss arising from the use of the tool.
   GENERAL INFORMATION                                                                        Please enable Macros before you
                                                                                              start risk mapping.
 Name of the organization




Risk Mapping Conducted                    Name & Position of Staff Responsible for Risk Map

  Date :                    mm/dd/year

  Date :                    mm/dd/year

  Date :                    mm/dd/year

  Date :                    mm/dd/year




 Organization Type                       Starting year of the first financial activity


    [Type]                                 [Year]
                                            NET RISK MAPPING (1-5)
                                                        Governance
                                                           5
                                                            4
                                                            3                      External Risk
                                Liquidity &
                                Market Risk                 2
                                                                                                                    mm/dd/year
                                                            1
                                                                                                                    mm/dd/year
                                                            0
                                                                                                                    mm/dd/year

                                                                                                                    mm/dd/year


                                                                                    Operational Risk
                                     Credit Risk



                                                         Information
                                                         Technology Risk



Legend
 1   An example in this area, well functioning.

 2   The risk management controls in this area are sustainably set up and generally function well.

 3   The risk management controls in this area are correctly set up, and could reach a good functioning if improvements are made.

 4   There are significant issues to be addressed in the set-up and/or functioning of risk management controls in this area.

 5   The organization shows deep weaknesses in this area; the risk management controls in this area are unsustainable.
                                              GROSS RISK MAPPING ( L / M / H )

                                 Likelihood of Emergence / Severity of Impact                             Severity
          Type of Risk     L/L    L/M    M/L    L/H   M/M M/H        H/L   H/M   H/H   Total
      Governance Risk       0       0     0      0     0      0       0      0    0     0        High         0         0        0
           External Risk    0       0     0      0     0      0       0      0    0     0
      Operational Risk      0       0     0      0     0      0       0      0    0     0
                 IT Risk    0       0     0      0     0      0       0      0    0     0      Moderate       0         0        0
             Credit Risk    0       0     0      0     0      0       0      0    0     0
Liquidity & Market Risk     0       0     0      0     0      0       0      0    0     0
                   Total    0       0     0      0     0      0       0      0    0     0        Low          0         0        0
                                                                                                                                       Likelihood
                                                                                                            Low      Moderate   High



Legend
    Low gross risk
    Medium gross risk
    High gross risk
                                                                                             GOVERNANCE RISK

Governance risk is the risk of loss due to inadequate governance or a poor governance structure.

A MFI should have strong governance in place to ensure the Board and the management are accountable to the organization and shareholders in fulfilling the organization's mission and protecting the
organization's assets. The Board and the management are ultimately responsible for analyzing risks and ensuring the MFI has robust controls, as well as strong audit and reporting mechanisms, to minimize
vulnerabilities. Thus, the Board and the management should have the proper technical skills and personal attributes to set up a sustainable risk management system.



                                                                                                                                                     IMPACT                                                                            NET RISK
               SUMMARY                                                          RISK DESCRIPTION                                                                                                  RISK ASSESSMENT
                                                                                                                                                     ( L/M/H )                                                                          (1-5)




                                                                                                                                                                LIKELIHOOD




                                                                                                                                                                                                                          mm/dd/year

                                                                                                                                                                                                                                       mm/dd/year

                                                                                                                                                                                                                                                    mm/dd/year

                                                                                                                                                                                                                                                                 mm/dd/year
  ID REF NO.




                                                                                                                                                     SEVERITY
                 CATEGORY                       RISK                                                 INDICATORS                                                              CONTROL                                GAP




                                                                                                                      enter risk weighting below
1. BOARD STRUCTURE                                                                                                                             20%
                                                                     o Are there clear and well written by-laws defining the structure, roles,
                                                                     responsibilities, and procedures of the Board?
                                                                     o Is there a mechanism in place to ensure sufficient scheduling,
                                  Risk that the Board activities are preparation, organization, and recording of Board proceedings?
               Board
 1.1                              not carried out in a well-defined, o Are there minimum requirements on the frequency and attendance of
               proceedings
                                  clear and organized manner         Board meetings?
                                                                     o Are there specialized committees (e.g. asset and liability, audit, risk
                                                                     management, remuneration, etc.) set up in line with evolving needs of the
                                                                     organization?

                                                                      o Are there mechanisms, such as disclosure of financial and non-financial
                                    Risk of Board member(s) having    interests of Board members and/or a policy for situations requiring recusal
                                    conflict of interest that may     to minimize potential conflicts of interest of Board members?
 1.2           Conflict of interest
                                    hinder objectivity and/or         o Are there mechanisms to ensure the Board is independent from the
                                    independence                      management, such as separation of the Chairman of the Board and CEO
                                                                      roles?

                                  Risk due to lack of proper       o Does the Board have a periodic self-assessment mechanism?
               Evaluation and
 1.3                              evaluation and training of Board o Is there orientation for new Board directors and education of existing
               training
                                  members                          Board directors in line with evolving needs of the organization?

                                                                   o Are there mechanisms to change the composition of the Board if
                                  Risk due to lack of proper Board
 1.4           Succession                                          members are not fulfilling duties or new perspectives or skills are needed?
                                  succession mechanisms
                                                                   o Is there a policy of term limits at the organization?
Evaluation: Board Structure
                                                                                                                      enter risk weighting below
2. BOARD OVERSIGHT                                                                                                                           20%
                                                                      o Does the Board periodically review the management's strategy and
                                   Risk due to the Board's lack of
               Strategic,                                             approve it in light of the organization's goals and mission?
                                   proper strategic management,
 2.1           management, and                                        o Does the Board periodically evaluate and monitor the operational and
                                   and fiduciary oversight over the
               fiduciary oversight                                    financial performance of the organization under management in light of the
                                   organization and management
                                                                      organization's strategy and goals?
                                                          o Does the Board periodically review the organization's risk management
                                                          and compliance, and provide appropriate guidance on further implementing
                                                          appropriate frameworks?
       Risk management Risk due to the Board's lack of
 2.2                                                      o Is there a Risk Committee at the Board level?
       & compliance     attention to risks and compliance
                                                          o Does the Board periodically review current regulations and laws
                                                          governing the organization's activities in order to identify non-compliance or
                                                          grey areas ?
                                                          o Is relevant and accurate financial information provided to the Board on a
                        Risk due to the Board's lack of
       Reporting to the                                   regular and timely basis, and in a standardized manner?
 2.3                    regular, accurate, relevant, and
       Board                                              o Is relevant and accurate operational information provided to the Board on
                        timely information
                                                          a regular and timely basis, and in a standardized manner?

       Social              Risk due to the Board's lack of      o Does the Board periodically measure organization's social performance in
 2.4
       performance         attention to social performance      line with strategy and goals?

       Management       Risk due to the Board's lack of         o Does the Board regularly discuss issues related to management
       identification,  involvement in the management           identification and development?
 2.5
       development, and identification, development, and        o Is there a Remuneration Committee at the Board level?
       succession       succession                              o Does the Board have a management succession plan in place?
Evaluation: Board Oversight
                                                                                                          enter risk weighting below
3. MANAGEMENT                                                                                                                     20%
                                                           o Does the current management structure match the scale and complexity
                           Risk of inadequate and/or
                                                           of the organization?
 3.1   Structure           unclear management structure in
                                                           o Are roles and responsibilities of the management clearly defined and
                           the organization
                                                           documented?

                                                                o Are the key management positions in the organization currently filled?
                           Risk of key management roles
 3.2   Staffing                                                 o If the key management positions are vacant, is there an active
                           being vacant
                                                                recruitment process underway?

                                                                o Is there a system for evaluation of the management to ensure they have
                           Risk due to the management's         the right skills and qualifications for their respective roles?
       Skills and
 3.3                       lack of proper skills and            o Is there continuous training for the management to ensure they have the
       qualifications
                           qualifications                       right skills and qualifications in line with the evolving needs of the
                                                                organization?
                                                                o Has the management documented a clear strategy and plans for the
                           Risk of lack of or insufficient
 3.4   Strategy and plan                                        business?
                           strategy and plans
                                                                o Are they reviewed, updated and approved by the management regularly?

                                                                o Are there clearly documented policies and procedures for the key areas
       Policy and          Risk of lack of or insufficient
 3.5                                                            set up by the management and provided to the relevant staff?
       procedures          policies and procedures
                                                                o Are they reviewed, updated and approved by the management regularly?
                                                                o Does the management hold periodic risk management meetings?
                                                                o Has the management set up a comprehensive risk management
                           Risk due to the management's
 3.6   Risk management                                          frameworks and related policies?
                           lack of attention to risks
                                                                o Does the management regularly review and update risk management
                                                                frameworks?

                                                                o Has the management set up a comprehensive compliance frameworks
                                                                and related policies?
                           Risk due to the management's         o Does the management regularly review and update compliance
 3.7   Compliance
                           lack of attention to compliance      frameworks?
                                                                o Is there a mechanism for the management to follow up and rectify
                                                                compliance issues that are uncovered during internal and external reviews?
                                                                o Is the organization overly dependent on key management for the well
                           Risk of overdependency on key
 3.8   Key man risk                                             functioning of the organization?
                           management
                                                                o Is there succession planning in place to mitigate key man risk?
                                                                o Has the management set up a robust code of conduct to actively promote
 3.9   Culture of integrity Risk of weak culture of integrity   honesty and open communication of risk issues among staff members and
                                                                the client community?
Evaluation: Management
                                                                                                                enter risk weighting below
4. AUDIT                                                                                                                                   20%
                                                              o Is there an independent internal audit structure set up for key areas of the
                                                              business with clear and robust procedures?
                                                              o Is internal audit conducted on a frequent enough basis?
                          Risk due to insufficient internal
 4.1   Internal audit                                         o Is there a clear procedure for reporting and follow up of internal audit
                          audit
                                                              findings to the management and the Board?
                                                              o Is there sufficient number of qualified internal auditors in line with the
                                                              business scale and complexity?
                                                              o Is there an external audit structure in place?
                                                              o Is external audit conducted on a frequent enough basis?
                          Risk due to insufficient external
 4.2   External audit                                         o Is there a clear procedure for reporting and follow up of external audit
                          audit
                                                              findings to the management and the Board?
                                                              o Is the external audit conducted by a qualified external auditor?
Evaluation: Audit
                                                                                                               enter risk weighting below
5. REPORTING                                                                                                                          20%
                          Risk of inaccurate or unreliable    o Is information contained in the financial statements accurate and
       Financial          information on the balance          according to commonly accepted financial reporting standards?
 5.1
       Statements         sheet, income statement and         o Are financial statements prepared both on an individual entity basis and a
                          cash flow statement                 consolidated basis if the organization have various entities?
                                                            o Does reporting cover the key areas of the operations, such as operations,
                                                            credit, risk management, and treasury?
                          Risk of inaccurate or unreliable
       Operational                                          o Is there a mechanism in place to ensure the accuracy of business related
 5.2                      reporting on the key areas of the
       reporting                                            reports?
                          operations
                                                            o Are operational reports prepared both on an individual entity basis and a
                                                            consolidated basis if the organization have various entities?
                                                            o Are financial statements provided to the relevant users on a regular and
                          Risk that the management and timely basis, and in a standardized manner?
 5.3   Usage of reports   staff do not utilize reports to   o To ensure effective management, are business related reports provided
                          guide business decisions          to the relevant users on a regular and timely basis, and in a standardized
                                                            manner?
Evaluation: Reporting
                                                                                                               enter risk weighting below
6. OTHER RISKS                                                                                                                         0%
  6.1
  6.2
  6.3
  6.4
  6.5
Evaluation: Other

EVALUATION: GOVERNANCE RISK

Recommendations
                                                                                                 EXTERNAL RISK

External risk is the risk of loss due to developments, changes, or influences from the external environment.

A MFI should be sensitive to its operating environment, including, but not limited to, regulatory, legal, political, and macroeconomic factors, and constantly assesses the external environment it operates in, to
minimize potential vulnerabilities of the organization to these outside forces. Although a MFI may have less control over some external risks, certain external risks can be actively managed.



                                                                                                                                                       IMPACT                                                                                         NET RISK
               SUMMARY                                                          RISK DESCRIPTION                                                                                                                 RISK ASSESSMENT
                                                                                                                                                       ( L/M/H )                                                                                        (1-5)




                                                                                                                                                                  LIKELIHOOD




                                                                                                                                                                                                                                         mm/dd/year

                                                                                                                                                                                                                                                      mm/dd/year

                                                                                                                                                                                                                                                                   mm/dd/year

                                                                                                                                                                                                                                                                                mm/dd/year
  ID REF NO.




                                                                                                                                                       SEVERITY
                 CATEGORY                       RISK                                                  INDICATORS                                                                        CONTROL                                    GAP




                                                                                                                        enter risk weighting below
1. EXTERNAL ENVIRONMENT                                                                                                                       100%
                                                                     o Does the organization periodically review changes in regulations and laws
                                  Risk the organization faces from
               Regulatory & legal                                    that may materially impact the organization?
  1.1                             the regulatory and legal
               environment                                           o If there are changes in the regulatory and legal environment, does the
                                  environment
                                                                     organization assess the potential impact and take measures accordingly?

                                                                     o Does the organization have awareness of potential influences from the
                                                                     political environment (e.g. changes in leadership or policies) that may
               Political          Risk the organization faces from
  1.2                                                                materially impact on the organization?
               environment        the political environment
                                                                     o If there are developments in the political environment, does the organization
                                                                     assess the potential impact and take measures accordingly?
                                                                     o Does the organization periodically assess the competitive environment (e.g.
                                  Risk due to increasing             new market entrants, new products, pricing pressure, market saturation,
               Competitive
  1.3                             competition from existing and      etc.)?
               environment
                                  new players                        o If the competitive environment changes, does the organization adapt
                                                                     accordingly?
                                                                     o Is the organization aware of social and demographic trends that may
               Social and         Risk the organization faces from   materially impact the organization (e.g. social cohesiveness, population
  1.4          demographic        the social and demographic         mobility, urbanization, etc.)?
               environment        environment                        o If there are changes in the social and demographic environment, does the
                                                                     organization assess the potential impact and take measures accordingly?

                                                                     o Is the local environment at risk for natural calamities that could negatively
                                                                     impact the organization (e.g. floods, cyclones, drought, etc.)?
               Physical           Risk the organization faces from
  1.5                                                                o Do these natural calamities pose a risk to income streams of households
               environment        the environment
                                                                     and enterprises and/or microfinance delivery?
                                                                     o Does the organization have a business continuity plan?

                                                                   o Does the organization monitor the developments in the macroeconomic
                                                                   environment that may impact the organization's clients (e.g. stability of local
               Macroeconomic      Risk the organization faces from
  1.6                                                              pillar industry)?
               environment        the macroeconomic environment
                                                                   o If there are changes in the macroeconomic environment, does the
                                                                   organization assess the potential impact and take measures accordingly?
                                                                     o Are there any internal business practices and external factors that may
                                                                     negatively impact the organization (e.g. operating environment, microfinance
                                   Risk of damage to the external    industry)?
  1.7          External reputation
                                   reputation of the organization    o Does the organization have contingency plans for external reputation
                                                                     damage?

Evaluation: External Environments
                            enter risk weighting below
2. OTHER RISKS                                      0%
  2.1
  2.2
  2.3
  2.4
  2.5
Evaluation: Other

EVALUATION: EXTERNAL RISK

Recommendations
                                                                                              OPERATIONAL RISK

Operational risk is the risk of loss due to inadequate or failed internal processes, people, and systems. Fraud is also considered as an operational risk.

A MFI should design and imbed control mechanisms throughout the operations to mitigate potential vulnerabilities in the control environment. The organization should proactively conduct ex-post review of
transactions and assess the adequacy of control measures and staff resources. Finally, cultivating a culture of integrity and transparency among employees is critical to control operational risk.



                                                                                                                                                     IMPACT                                                                            NET RISK
               SUMMARY                                                          RISK DESCRIPTION                                                                                                  RISK ASSESSMENT
                                                                                                                                                     ( L/M/H )                                                                          (1-5)




                                                                                                                                                                LIKELIHOOD




                                                                                                                                                                                                                          mm/dd/year

                                                                                                                                                                                                                                       mm/dd/year

                                                                                                                                                                                                                                                    mm/dd/year

                                                                                                                                                                                                                                                                 mm/dd/year
  ID REF NO.




                                                                                                                                                     SEVERITY
                 CATEGORY                         RISK                                               INDICATORS                                                              CONTROL                                GAP



                                                                                                                    enter risk weighting below
1. LOAN PROCESS - PROMOTION                                                                                                                  5%
                       Risk of promotional activities                 o Are there controls to ensure promotion is conducted in a standardized
      Promotional
  1.1                  lacking standardization and                    and transparent manner so clients are aware of the loan services, and
      activities
                       transparency                                   understand the loan terms and obligations?
      Documentation of
                       Risk of lack of documentation of               o Are there procedures to ensure information on promotional activities are
  1.2 promotional
                       promotional activities                         collected, recorded, and utilized?
      activities
Evaluation: Promotion
                                                                                                                     enter risk weighting below
2. LOAN PROCESS - APPLICATION                                                                                                                10%
                                                                      o Are there controls to ensure the information on application forms is
                                    Risk of application forms being   complete and accurate?
                                    incomplete, inaccurate, or        o When an old borrower applies for a new loan, is updated information
 2.1           Application taking
                                    submitted in an untimely          collected, and the ID and loan purpose revalidated?
                                    manner                            o Are there controls to ensure application forms are submitted and entered
                                                                      into the system in a timely manner?
Evaluation: Application
                                                                                                                     enter risk weighting below
3. LOAN PROCESS - ANALYSIS                                                                                                                 15%

                                                                      o Are there clear and sufficient standards to guide the credit analysis?
                                                                      o Are staff following procedures in conducting the credit analysis to obtain
                                    Risk of the client analysis not   an accurate picture of the client's socio-economic situation?
 3.1           Client analysis
                                    being conducted properly          o Are controls in place to protect against external or internal fraud?
                                                                      o Is there independent validation on the information collected by loan
                                                                      officers?

                                                             o Are there controls to ensure sufficient investigation of the borrower's real
               Loan purposeRisk of insufficient loan purpose loan purpose?
 3.2
               analysis    analysis                          o If the borrower has previous loans, are there procedures to check the
                                                             actual usage of his/her previous loans?
                                                             o Are staff following procedures in carrying out the analysis and
                           Risk of guarantor and/or
       Guarantor and                                         verification of the guarantor and/or collateral?
 3.3                       collateral not being verified and
       collateral analysis                                   o Are controls in place to ensure that the guarantor and collateral are not
                           analyzed properly
                                                             used for multiple loans?
                                                             o Is there a standardized form documenting the information collected
                           Risk of inadequate
       Documentation of                                      during the credit analysis?
 3.4                       documentation of the credit
       analysis                                              o Are there controls to ensure staff are properly documenting the results of
                           analysis
                                                             the credit analysis?
Evaluation: Analysis
                                                                                                              enter risk weighting below
4. LOAN PROCESS - APPROVAL                                                                                                          10%
                        Risk of lending decisions
                                                            o Are there controls in place to ensure staff responsible for loan approval
                        charged to staff without
  4.1 Approval decision                                     are properly qualified?
                        sufficient risk assessment
                                                            o Are there multiple people involved in the loan approval decision making?
                        capability
                                                            o Is there an audit trail of the loan approval process?
       Documentation of Risk of unclear documentation
 4.2                                                        o Can an independent party trace back and re-perform the approval
       approval process of the approval process
                                                            process?
Evaluation: Approval
                                                                                                           enter risk weighting below
5. LOAN PROCESS - DISBURSEMENT                                                                                                    15%
                                                            o Are there controls in place to ensure disbursements are made to the
                                                            intended borrower?
       Loan               Risk of disbursement not being    o Are approved loans disbursed within a fixed period from time of
 5.1
       disbursement       conducted appropriately           approval?
                                                            o If disbursement happens after the allowed time period, is re-approval
                                                            required and is the loan approval decision revalidated?
                                                            o Are there multiple hand-offs of cash between the organization and the
       Cash control at    Risk of weak control of cash at   borrower?
 5.2
       disbursement       disbursement                      o If there are both collections and disbursements on the same day, is cash
                                                            handled separately or netted?
Evaluation: Disbursement
                                                                                                         enter risk weighting below
6. LOAN PROCESS - POST LENDING COLLECTIONS & MONITORING                                                                        25%
                                                        o Are there procedures in place to remind the client of upcoming
                                                        installment payment dates?
                        Risk that the client or loan
      Payment                                           o Are there procedures in place to ensure loan officers are aware of
  6.1                   officer forgets the installment
      reminder                                          upcoming payment dates of clients?
                        payment date
                                                        o Is there a system generating daily reports to remind loan officers and
                                                        their managers of payments falling due?
                                                        o Are there controls to ensure monitoring is conducted in a standardized
                        Risk of inadequate monitoring
  6.2 Client monitoring                                 manner according to the monitoring policy?
                        of clients
                                                        o Is there an audit trail of the monitoring process?
                                                        o Are there multiple hand-offs of cash between the organization and the
      Cash control at   Risk of weak control of cash at borrower?
  6.3
      collection        collection                      o If there are both collections and disbursements on the same day, is cash
                                                        handled separately or netted?

                          Risk of not detecting or          o Is delinquency monitored on a regular basis (daily, monthly, quarterly)?
       Delinquency
 6.4                      reporting delinquency in a        o Is there a dedicated function for monitoring delinquency?
       monitoring
                          timely manner                     o Are late payments occurring within the month included as delinquency?

                                                             o Do lending officers have the incentive to stay alert of early warning signs
                                                             and disclose problems early?
       Early problem      Risk of staff not reporting credit
 6.5                                                         o Do loan officers flag potential credit concerns (e.g. borrower business
       recognition        problems in a timely manner
                                                             weaknesses, sickness of family members, borrower left home, gambling,
                                                             divorce, etc.)?
                                                            o Is post-disbursement sample checking performed by the organization?
                          Risk of inadequate or lack of
 6.6   Sample checking                                      o Is there the right level of skills and training of staff to conduct qualitative
                          sample checking
                                                            assessment during sample checking?
Evaluation: Post Lending Collections & Monitoring
                                                                                                                enter risk weighting below
7. STAFF                                                                                                                              10%
                                                              o Does the current staff structure match the scale and complexity of the
                           Risk of inadequate and/or
                                                              organization?
 7.1   Structure           unclear staff structure in the
                                                              o Are roles and responsibilities of the staff clearly defined and
                           organization
                                                              documented?
                                                              o Are the key staff positions in the organization currently filled?
                           Risk of key staff roles being
 7.2   Staffing                                               o If the key staff positions are vacant, is there an active recruitment
                           vacant
                                                              process underway?

                                                              o Is there a system for evaluation of staff to ensure they have the right
                                                              skills and qualifications for their respective roles?
       Skills and          Risk of staff lacking the proper   o Is there continuous training for staff to ensure they have the right skills
 7.3
       qualifications      skills and qualifications          and qualifications in line with the evolving needs of the organization?
                                                              o Is there a healthy mix between senior and junior staff, mature and new
                                                              staff?

                                                            o Is there ongoing monitoring to ensure appropriate workload for staff
                           Risk of the workload of staff    involved in different areas of the operations?
 7.4   Workload
                           force being excessive            o Is there a mechanism to detect whether the staff force is stretched too
                                                            thin?
                                                            o Is the compensation designed to encourage balanced risk taking (e.g.
                           Risk of inappropriate or
       Compensation                                         ratio between fixed and variable salary components)?
 7.5                       unintended staff behavior driven
       structure                                            o For loan officers, does the pay structure discourage risk disclosure due
                           by the compensation system
                                                            to penalty on delinquency or non performing loans?
                                                            o Is the competence level and training requirements of each staff
                           Risk of lack of ongoing,         mapped out in accordance with the needs of the business?
 7.6   Training            relevant, and standardized staff o Does the staff force receive sufficient technical training (in addition to
                           training                         policies and procedures training) to carry out their respective
                                                            responsibilities?
Evaluation: Staff
                                                                                                              enter risk weighting below
8. PHYSICAL SECURITY                                                                                                                  10%
                                                            o Are sensitive or valuable items and documents stored securely in the
       Safekeeping of   Risk of theft, destruction or loss
                                                            premises, under authorized access?
  8.1  valuable assets  of valuable assets and
                                                            o Are control procedures for safekeeping documented (e.g. dual controls,
       and documents    documents
                                                            regular stock checks, files access, etc.)?
                                                            o If cash is stored at the branch or unit office, is the cash stored in a
                                                            protected safe or vault, under authorized access?
       Safekeeping of   Risk of theft, destruction, or loss
  8.2                                                       o Are there documented procedures for cash reconciliation?
       cash             of cash
                                                            o Are there limits in place on the amount of cash that can be kept in a
                                                            service location at any given time?
                                                            o Are there safety measures on the branch premises commensurate with
                        Risk of theft, destruction, or loss the risk in the local area (e.g. locks on doors, windows, security alarms,
       Security of
  8.3                   due to unsafe or improperly         etc.)?
       premises
                        secured premises                    o Is there a proper separation of client and employee-restricted areas to
                                                            ensure confidentiality and safekeeping of assets?
Evaluation: Physical Security
                                                                                                              enter risk weighting below
9. OTHER RISKS                                                                                                                         0%
  9.1
  9.2
  9.3
  9.4
  9.5
Evaluation: Other

EVALUATION: OPERATIONAL RISK

Recommendations
                                                                                      INFORMATION TECHNOLOGY RISK

Information technology risk is the risk of loss due to inadequate IT systems infrastructure.

A MFI should have robust, responsive and properly scaled IT systems infrastructure in order to identify and monitor current and future risks, while systematizing business processes and controls. The IT
system's ability to generate standardized, timely , and accurate reporting is also a key component in an organization's risk management framework.




                                                                                                                                                       IMPACT                                                                               NET RISK
               SUMMARY                                                            RISK DESCRIPTION                                                                                                     RISK ASSESSMENT
                                                                                                                                                       ( L/M/H )                                                                             (1-5)




                                                                                                                                                                  LIKELIHOOD




                                                                                                                                                                                                                               mm/dd/year

                                                                                                                                                                                                                                            mm/dd/year

                                                                                                                                                                                                                                                         mm/dd/year

                                                                                                                                                                                                                                                                      mm/dd/year
  ID REF NO.




                                                                                                                                                       SEVERITY
                  CATEGORY                      RISK                                                     INDICATORS                                                            CONTROL                                   GAP




                                                                                                                          enter risk weighting below
1. SYSTEMS                                                                                                                                      100%
                                                                        o Does the organization have a robust loan management system in line with
                                                                        the complexity and scale of the operation?
               System             Risk due to lack of or insufficient
  1.1                                                                   o Does the organization have a robust accounting system in line with the
               Infrastructure     IT systems infrastructure
                                                                        complexity and scale of the operation?
                                                                        o Is the loan management system and accounting system linked?
                                                                        o Are the functionalities of the IT system sufficient to support the
                                                                        requirements of the organization in regards to operations, controls and
                                                                        reporting?
                                  Risk due to lack of or inadequate
  1.2          System Features                                          o Is there a mechanism in place to identify the gaps in IT system
                                  system functionalities
                                                                        functionalities?
                                                                        o Is there a procedure to ensure that IT system gaps are addressed through
                                                                        new requirements?
                                                                        o Does each employee only have access to computers for his/her own
                                  Risk of fraud or loss of data due     work?
  1.3          System integrity   to system failures, breaches or       o Are there passwords and levels of administration (e.g. data entry, data
                                  improper usage                        viewing rights, etc.) in the IT system?
                                                                        o Does the IT system have backup procedures and audit trails?
                                                                        o Is there a periodic spot-checking of the IT system to ensure data entry is
                                  Risk that the IT system does not      accurate, complete and timely?
  1.4          Data integrity     produce accurate, complete,           o Is there a dedicated person/function for handling data entry?
                                  and/or timely data                    o Is data periodically backed up?
                                                                        o Is there restricted access to sensitive data?

                                  Risk due to staff not being           o Is there periodic training to help staff utilize the IT systems correctly?
  1.5          System Training    properly trained on the use of        o Are there manuals, tutorials, and help screens available for staff, in
                                  the IT system                         addition to training?

                                  Risk of not having sufficient IT      o Is there a qualified in-house or outsourced team for maintaining and
  1.6          System Support
                                  systems support                       upgrading the system?
Evaluation: Systems
                                          enter risk weighting below
2. OTHER RISKS                                                    0%
  2.1
  2.2
  2.3
  2.4
  2.5
Evaluation: Other

EVALUATION: INFORMATION TECHNOLOGY RISK

Recommendations
                                                                                                        CREDIT RISK

Credit risk is the risk of loss due to borrowers' late or non-payment of loan principal and/or interest obligations.

A MFI should have methodologies to assess credit risk exposures at both the individual borrower and portfolio level. Credit risk should be undertaken in a calculated and controlled manner to achieve the desired
business results while keeping credit losses within tolerance limits. Timely identification and prevention of problems, as well as periodic review of credit risk methodologies in light of changes in the internal and
external environment, are critical.




                                                                                                                                                         IMPACT                                                                                      NET RISK
               SUMMARY                                                              RISK DESCRIPTION                                                                                                            RISK ASSESSMENT
                                                                                                                                                         ( L/M/H )                                                                                     (1-5)




                                                                                                                                                                    LIKELIHOOD




                                                                                                                                                                                                                                        mm/dd/year

                                                                                                                                                                                                                                                     mm/dd/year

                                                                                                                                                                                                                                                                  mm/dd/year

                                                                                                                                                                                                                                                                               mm/dd/year
  ID REF NO.




                                                                                                                                                         SEVERITY
                  CATEGORY                        RISK                                                    INDICATORS                                                                   CONTROL                                    GAP




                                                                                                                            enter risk weighting below
1. PRODUCT STRUCTURE                                                                                                                              25%

                                                                  o Are the products and clients screening criteria deigned to ensure they
                                   Risk due to a mismatch between attract intended target segment and meet loan purpose?
  1.1          Target segment      the product design and the     o Are the products designed to fit a critical mass of local loan demand?
                                   underlying target segment      o Are the products designed to ensure the loan size fits the loan demand of
                                                                  the target segment?

                                                                         o Is there periodic review to ensure the loan pricing is in line with overall
                                   Risk of distortions due to loan       pricing in the market to avoid potential distortions (e.g. sub-market pricing
  1.2          Loan pricing
                                   pricing                               could attract mis-appropriation; excessive pricing could conflict with social
                                                                         motives or lead to adverse selection)?
                                   Risk of insufficient protections or   o Are there safeguards to control loss norms (e.g. frequent test of
               Protections or risk
  1.3                              risk mitigations in the loan          repayments, loan maturities, collateral, guarantees, credit insurance,
               mitigations
                                   products                              mandatory risk fund, etc.)?
                                                                      o Are policies in place to cap exposure to clients over multiple loan products?
                                   Risk of over-exposure to a single
  1.4          Loan exposure                                          o Are client exposure to guarantees also assessed?
                                   client or group of related parties
                                                                      o Are policies in place to cap exposure across related parties?
Evaluation: Product structure
                                                                                                                     enter risk weighting below
2. PORTFOLIO STRUCTURE                                                                                                                         35%
                                                               o Is there a regular review of portfolio to identify potential over-concentration
                                                               in the portfolio (by product, geography, industry, borrower type, business unit,
       Portfolio           Risk of over-concentration in the
 2.1                                                           loan officer, etc.)?
       concentration       loan portfolio
                                                               o Does the organization establish concentration limits in place to control risky
                                                               areas?
                           Risk of credit deterioration due to o Does the review of portfolio take into account the potential hidden risk due
 2.2 Portfolio growth
                           fast expansion                      to rapid loan growth?
                                                               o Is it possible to review or inspect the quality of each loan in the portfolio in
                                                               detail (e.g. is it possible to retrieve borrower credit information in addition to
       Portfolio           Risk of inadequate portfolio
 2.3                                                           basic client information)?
       management tools management tools
                                                               o Does the organization utilize its client database to develop statistical tools to
                                                               manage the lending process?
Evaluation: Portfolio structure
                                                                                                                    enter risk weighting below
3. CREDIT POLICY                                                                                                                              40%
                                                               o Are there effective target market screening criteria or screening tools to
                                                               assist client selection?
       Application        Risk of inadequate application       o If so, are there screening tools which are statistically designed to aid in the
 3.1
       screening          screening criteria                   screening process?
                                                               o Where there are multiple products, are screening criteria and tools
                                                               customized by product?
                                                               o Are there clear standards and procedures for conducting a comprehensive
                                                               credit analysis?
                                                               o Are there policies specifying what information and documents should be
 3.2   Credit Analysis    Risk of insufficient credit analysis
                                                               collected?
                                                               o Is guarantor and collateral assessment required as part of the credit
                                                               analysis?
                                                               o Is there a clear policy to specify who has the authority for loan approval
                          Risk that credit decisions are not differentiated by risk level and loan amount?
 3.3   Approval authority
                          controlled at the appropriate level o Is there a clear policy to specify who has authorization to grant approval
                                                               authorities and on what basis?
                          Risk of having unclear approval
 3.4   Approval criteria                                       o Are there clear risk acceptance standards to guide credit decision making?
                          criteria

                                                                 o Is credit accountability clearly defined in the policy?
                            Risk of not having clear
 3.5   Accountability                                            o Is credit policy clearly defined who has ownership over credit quality,
                            ownership of credit quality
                                                                 including the individual with primary responsibility for loan quality?


                                                              o Are there clear policies for monitoring clients after loan disbursement?
                            Risk of having unclear monitoring
 3.6   Monitoring                                             o Are there requirements of client visits or meetings after disbursement?
                            requirements post disbursement
                                                              o Are post-lending visits or meetings recorded?

                                                                 o Does the organization set aside general reserves and specific loan loss
                                                                 reserves in a prudent manner?
                            Risk of not making reasonable
                                                                 o Are there provisioning policies to specify the time for provisioning of
 3.7   Provisioning         provision against potential credit
                                                                 overdue loans?
                            losses
                                                                 o Are the provisioning policies reviewed on a periodic basis in line with the
                                                                 specific situation of the organization?
                                                                 o Are there clearly documented procedures for collection actions, with
                            Risk of having unclear collection    escalating measures depending upon the severity?
 3.8   Collections
                            requirements                         o Do collection policies specify the reporting of collection activities within the
                                                                 organization?
                            Risk due to lack of or inadequate o Is there a robust stress testing framework that evaluates the real quality of
 3.9   Stress testing
                            stress testing framework          the loan portfolio?
Evaluation: Credit policy
                                                                                                                      enter risk weighting below
4. OTHER RISKS                                                                                                                                0%
  4.1
  4.2
  4.3
  4.4
  4.5
Evaluation: Other

EVALUATION: CREDIT RISK

Recommendations
                                                                                         LIQUIDITY & MARKET RISK

Liquidity risk is the risk of loss due to an organization's inability to meet its payment commitments or finance new loan growth.
Market risk is the risk of loss due to re-pricing of assets and liabilities.

A MFI should manage liquidity risk to avoid cash shortages and ensure sufficient funding for new loan demand and savings withdrawals (for deposit-taking lenders). A clear overall funding strategy, as well as
detailed ongoing forecasts of cash inflows and outflows, are several key components to manage liquidity risk. To protect against market risk requires constant monitoring of the interest rate environment, and
an active strategy to ensure assets and liabilities are properly matched within tolerance limits set by the organization. Tools for evaluating the impact of potential liquidity and market shocks are also important
for better understanding of these risks.



                                                                                                                                                      IMPACT                                                                                      NET RISK
               SUMMARY                                                          RISK DESCRIPTION                                                                                                             RISK ASSESSMENT
                                                                                                                                                      ( L/M/H )                                                                                    (1-5)




                                                                                                                                                                 LIKELIHOOD




                                                                                                                                                                                                                                     mm/dd/year

                                                                                                                                                                                                                                                  mm/dd/year

                                                                                                                                                                                                                                                               mm/dd/year

                                                                                                                                                                                                                                                                            mm/dd/year
  ID REF NO.




                                                                                                                                                      SEVERITY
                  CATEGORY                       RISK                                                INDICATORS                                                                    CONTROL                                     GAP




                                                                                                                      enter risk weighting below
1. IDENTIFICATION & MEASUREMENT                                                                                                                40%
                                                                      o Does the organization have a comprehensive well-documented policy to
                                   Risk of not having a               identify, measure, and manage liquidity and market risks?
                                   comprehensive framework for        o Is the policy periodically reviewed and updated by the management and
 1.1           Framework
                                   liquidity and market risk          approved by the Board?
                                   management                         o Is there a dedicated person and/or function for managing liquidity and
                                                                      market risks?
               Assets              Risk of not having a clear         o Does the organization have a clear definition of which assets are
 1.2
               classification      definition of liquid assets        classified as liquid and non-liquid?

                                                                      o Does the organization have a clearly documented methodology and
                                                                      procedure for forecasting cashflows, contractual maturity mismatch and
               Cashflow            Risk of not properly forecasting
 1.3                                                                  liquidity gap on a periodic basis?
               forecasting         cashflows on a periodic basis
                                                                      o Are all material cash inflows and outflows accounted in the forecasting
                                                                      methodology (e.g. off balance sheet commitments and liabilities)?

                           Risk due to lack of a
                                                                      o Are liquidity and market risks assessed both on an individual entity basis
 1.4                       consolidated view of risk
               Consolidation
                                                                      and a consolidated basis, if the organization have multiple entities?
                           exposures
Evaluation: Identification & Measurement
                                                                                                                      enter risk weighting below
2. MANAGEMENT                                                                                                                                  40%
                                                                      o Does the organization monitor interest rates within and across entities and
                                   Risk due to lack of or inadequate business lines?
 2.1           Monitoring          monitoring liquidity and market o Does the organization monitor funding needs within and across entities
                                   risks                              and business lines?
                                                                      o Does the organization have an early warning monitoring system?
                                                                      o Does the organization have a clearly documented methodology for setting
                                   Risk due to lack of liquidity risk
                                                                      up liquidity and market risk limits?
 2.2           Limits setting      and market risk limits, or limits
                                                                      o Are these limits periodically reviewed, updated and approved by the
                                   being inadequately set
                                                                      management and/or the Board?
                                   Risk due to lack of liquidity
                                                                      o Does the organization have a reserve fund of the appropriate size to meet
 2.3           Liquidity cushion   cushion for the timely repayment
                                                                      unexpected demands for cash?
                                   of liabilities
               Collateral          Risk of lack of or inadequate    o Does the organization actively manage and monitor collateral to mitigate
 2.4
               management          management of collateral         liquidity risk?
                                                                    o Does the organization have a formally documented contingency plan at
               Contingency         Risk of not having a contingency different levels of the organization?
 2.5
               funding plan        funding plan                     o Does the organization have backup funding lines that can be utilized in a
                                                                    case of liquidity crisis?
Evaluation: Management
                                                                                                               enter risk weighting below
3. STRESS TESTING                                                                                                                    20%
                                                            o Is there a robust stress testing framework that evaluates impacts from the
                                                            scenarios on liquidity and market risks?
                          Risk due to lack of or inadequate
 3.1   Stress testing                                       o Do stress testing scenarios take into account the risks and lessons
                          stress testing framework
                                                            learned from the most recent crisis?
                                                            o Are stress testing scenarios subject to regular reviews and reappraisals?
                          Risk of not testing plausible      o Does the organization have the ability to build resverse stress testing (i.e.
       Reverse stress
 3.2                      scenarios outside normal stress    use potential, negative outcome to model scenarios that could potentially
       testing
                          testing requirements               affect the organization in a significant manner)?
                          Risk due to non compliance with    o Are there minimum regulatory requirements for scenario testing?
       Regulation &
 3.3                      prevailing regulations regarding   o If so, is the organization's stress testing compliant with the regulatory
       scenario setting
                          stress testing                     requirements?
Evaluation: Stress testing
                                                                                                               enter risk weighting below
4. OTHER RISKS                                                                                                                         0%
  4.1
  4.2
  4.3
  4.4
  4.5
Evaluation: Other

EVALUATION: LIQUIDITY & MARKET RISK

Recommendations

								
To top