Risk management framework
The Group’s risk management philosophy is to promote a comprehensive risk management strategy to maintain a sustainable financial institution. To ensure that the Group’s philosophy is implemented across its various departments, there is a clear segregation of duties between operational and risk management functions in the country head office of each of the Group’s microfinance institutions as well as at the Group level. At each of the Group’s microfinance institutions, all functions, activities and tasks are designed and developed having considered any related risk elements.
The Group’s risk culture is based on its values, beliefs, knowledge, attitudes and understanding of risk across its various countries. The Group assesses its risk culture by identifying and evaluating its quantifiable and non-quantifiable risks.
The Group has adopted the Three Lines of Defence model.
Risk appetite, or the amount and type of risk that the Group is willing to accept, tolerate, or expose itself to in pursuit of its business objectives, is set at a level to avoid loss, fraud and operational inefficiencies. The Group establishes its risk appetite to provide direction and set boundaries for risk management across its microfinance institutions. The Group targets more conservative financial and prudential ratios than those required by regulators in the countries in which the Group operates. The Group also has zero tolerance for any unethical, illegal or unprofessional conduct and maintains a zero appetite for association with any disreputable individuals.
The Group evaluates its risk appetite on a quarterly basis. The Group first identifies and reports its risk appetite at the microfinance institution level, where a financial target is established and a risk appetite statement is produced by each microfinance institution and submitted for consideration to senior management at the Group’s corporate headquarters. At the Group’s corporate headquarters, each microfinance institution’s risk appetite report is evaluated, and the Group establishes an overall risk appetite that is later implemented across its countries.
Given the nature of the Group's activities, the principal risks and uncertainties it faces are:
- Regulatory risk
- Credit risk
- Liquidity risk
- Exchange rate/currency risk
- Growth risk
- Information and technology risk
- Human resources risk
- Competition risk
- Interest rate risk
- Social and environmental risk
- Reputational risk
Outline of the framework in place for risk management
1. Ensuring the resources are in place to effectively implement the risk control framework and staff are equipped with the necessary expertise.
Three lines of defence
The first line of defence is the team, personnel or department that is responsible for risk assessment and owns most of the business risk. Branch staff and area, regional and district managers are the key components of the first line of defence at the microfinance institution level and are responsible for client retention and credit risk. However, similar to the first line of defence at the Group level, the team, personnel or department who carry out a specific business activity or task own the associated risk and are responsible for implementing control and risk management processes.
Managing Directors within each country work closely with the Group’s senior management, play a vital role in the Group’s risk management and ensure proper implementation of control activities, policies and procedures at microfinance institutions.
The second line of defence is comprised of the management of the respective departments and personnel, who provide guidance and oversight of the users of the products/services of the first line of defence. This consists of each entity’s operation team, including mid and upper line management, and entities’ central management (i.e. compliance and other independent functions such as finance and accounts, treasury, IT, HR and the Risk department). The second line of defence is supported by the risk management team (‘RMT’) at the Group level and the risk management unit (‘RMU’) at the microfinance institution level. The RMU is a designated team or individual who reports to the local board. The RMT is a two-person team headed by the Senior Vice President – Treasury, Investment & Risk Management in Dhaka, and reports to the Audit and Risk Committee of the Board.
The primary function of the second line of defence is to oversee the activities performed by the first line of defence and to help ensure that risk and control are effectively managed. The second line of defence works closely with its respective operation team to provide expertise in risk, define the risk implementation strategy, implement risk management policies and procedures, and collect information to create an enterprise-wide view of risk and control.
General responsibilities of the second line of defence include: identifying and monitoring known and emerging issues affecting the Group’s risks and controls; identifying shifts in the organisation’s implicit risk appetite and risk tolerance; and assisting management in designing and developing processes and controls to measure risk.
Finally, the nature of the Group’s business means that it operates in low-income communities around the world with a low-cost structure. This structure exposes the Group to operational risk associated with fraud and misappropriation. The most common types of fraud and misappropriation that the Group experiences include direct theft of funds by staff, misleading statements, bribes and kickbacks, loan sharing with and between borrowers, and ghost loans and loan syndications by borrowers. To mitigate these operational risks, the Group has established operational policies and practices to prevent fraud, including training and orientation on fraud and misrepresentation, staff background checks and client verification. It has also established a Fraud and Misappropriation Prevention Unit for each of its microfinance institutions. The objective of this unit is to reduce the financial risk and losses caused by fraud and misappropriation by reviewing and investigating any suspicious or unusual branch activity and/or client complaints through unannounced branch inspections. The unit reports to the Managing Director of the microfinance institution (with a reporting line to the Group).
The third line of defence is internal audit at both the Group level and the microfinance institution level. In addition to regularly performing internal auditing activities at the microfinance institution and the Group’s corporate headquarters, the internal audit department is responsible for continuous independent assessment and measurement of the risk areas, verification of control measures to manage risks and recommending corrective measures, where relevant. It achieves this by auditing the risk management functions to ensure that all units responsible for managing risk are performing their roles effectively and continuously.
The internal audit department is not permitted to perform management functions in order to maintain its objectivity and organisational independence. The internal audit department tests the adequacy of internal controls and makes recommendations to the Board of Directors on ways to strengthen any weaknesses identified within the Group’s risk management framework.