Risk management framework
In the face of ever-changing challenges and risks, the Group continuously builds on its risk management culture to ensure that risk management is comprehensive and meets the requirements of a sustainable financial institution. As a microfinance operator, the Group takes a prudent and consistent approach towards risk, and the Group’s risk culture is based on its values, beliefs, knowledge, attitudes and understanding of risk across its various countries. The Group assesses its risk culture by identifying and evaluating its quantifiable and non-quantifiable risks, which are then integrated in management and decision-making processes.
Identification & assessment
At the subsidiary level there is a risk officer responsible for preparing risk reports on a quarterly basis by assessing the risks facing the company in terms of likelihood and impact. The risk officer also captures what mitigation activities are being taken to manage the risks. However, the mitigation responsibility lies with the process owner. The risk reports are evaluated by the subsidiary level risk management coordination committee and approved by the subsidiary CEO before being presented to the subsidiary ARC. The Group risk management team collects these country risk reports and prepares the Group risk report based on the country report information. The Group risk report is discussed in the Executive Committee meeting before being presented to the Group ARC, where the risk report is scrutinized and recommendations are made for improved risk management.
Risk appetite, or the amount and type of risk that the Group is willing to accept, tolerate, or expose itself to in pursuit of its business objectives, is set at a level to avoid loss, fraud and operational inefficiencies. The Group establishes its risk appetite to provide direction and set boundaries for risk management across its microfinance institutions. The Group targets more conservative financial and prudential ratios than those required by regulators in the countries in which the Group operates. The Group also has zero tolerance for any unethical, illegal or unprofessional conduct and maintains a zero appetite for association with any disreputable individuals. The Group evaluates its risk appetite on a quarterly basis. The Group first identifies and reports its risk appetite at the microfinance institution level, where a financial target is established and a risk appetite statement is produced by each microfinance institution and submitted for consideration to senior management at the Group’s corporate headquarters. At the Group’s corporate headquarters, each microfinance institution’s risk appetite report is evaluated, and the Group establishes an overall risk appetite that is later implemented across its countries.
Outline of the framework in place for risk management
Three lines of defence
1. Financial Risk
1.1 Credit Risk
1.2 Liquidity Risk
1.3 Exchange Rate Risk
1.4 Interest Rate Risk
1.5 Confidential & Price Sensitive Information
2. Legal & Compliance Risk
2.2 Change of Policy
2.3 Product Transparency
3. Business Risk
3.1 Growth Risk
3.2 Competition Risk
3.3 Reputation Risk
3.4 Climate Risk
3.5 Health & Environmental Risk
4. Operational Risk
4.1 Transaction Risk
4.2 Human Resource Risk
4.3 Fraud & Integrity Risk
5. IT Risk
5.1 Business Continuity
5.2 System Vulnerability
5.3 Network Availability
5.4 IT Support
5.5 System Access Control
5.6 IT Fraud
5.7 Data Migration
The first line of defence is the team, personnel or department that is responsible for risk assessment and owns most of the business risk. Branch staff and area, regional and district managers are the key components of the first line of defence at the microfinance institution level and are responsible for client retention and credit risk. However, similar to the first line of defence at the Group level, the team, personnel or department who carry out a specific business activity or task own the associated risk and are responsible for implementing control and risk management processes.
Managing Directors within each country work closely with the Group’s senior management, play a vital role in the Group’s risk management and ensure proper implementation of control activities, policies and procedures at microfinance institutions.
The second line of defence is comprised of the management of the respective departments and personnel, who provide guidance and oversight of the users of the products/services of the first line of defence. This consists of each entity’s operation team including mid and upper line management and entities’ central management (i.e. compliance and other independent functions such as finance and accounts, treasury, IT, HR and the Risk department). The second line of defence is supported by the risk management team (‘RMT’) at the Group level and the risk management unit (‘RMU’) at the microfinance institution level. The RMU is a designated team or individual who reports to the local board. The RMT is a two-person team headed by the Senior Vice President – Treasury, Investment & Risk Management in Dhaka, and reports to the Audit and Risk Committee of the Board.
The primary function of the second line of defence is to oversee the activities performed by the first line of defence and to help ensure that risk and control are effectively managed. The second line of defence works closely with its respective operation team to provide expertise in risk, define the risk implementation strategy, implement risk management policies and procedures, and collect information to create an enterprise-wide view of risk and control.
General responsibilities of the second line of defence include: identifying and monitoring known and emerging issues affecting the Group’s risks and controls; identifying shifts in the organisation’s implicit risk appetite and risk tolerance; and assisting management in designing and developing processes and controls to measure risk.
Finally, the nature of the Group’s business means that it operates in low-income communities around the world with a low-cost structure. This structure exposes the Group to operational risk associated with fraud and misappropriation. The most common types of fraud and misappropriation that the Group experiences include direct theft of funds by staff, misleading statements, bribes and kickbacks, loan sharing with and between borrowers, and ghost loans and loan syndications by borrowers. To mitigate these operational risks, the Group has established operational policies and practices to prevent fraud, including training and orientation on fraud and misrepresentation, staff background checks and client verification. It has also established a Fraud and Misappropriation Prevention Unit for each of its microfinance institutions. The objective of this unit is to reduce the financial risk and losses caused by fraud and misappropriation by reviewing and investigating any suspicious or unusual branch activity and/or client complaints through unannounced branch inspections. The unit reports to the Managing Director of the microfinance institution (with a reporting line to the Group).
The third line of defence is internal audit at both the Group level and the microfinance institution level. In addition to regularly performing internal auditing activities at the microfinance institution and the Group’s corporate headquarters, the internal audit department is responsible for continuous independent assessment and measurement of the risk areas, verification of control measures to manage risks and recommending corrective measures, where relevant. It achieves this by auditing the risk management functions to ensure that all units responsible for managing risk are performing their roles effectively and continuously.
The internal audit department is not permitted to perform management functions in order to maintain its objectivity and organisational independence. The internal audit department tests the adequacy of internal controls and makes recommendations to the Board of Directors on ways to strengthen any weaknesses identified within the Group’s risk management framework.