Risk management framework

In the face of ever-changing challenges and risks, the Group continuously builds on its risk management culture to ensure the risk management is comprehensive and meets the requirements of a sustainable financial institution. As a microfinance operator, the Group takes a prudent and consistent approach towards risk and the Group’s risk culture is based on its values, beliefs, knowledge, attitudes and understanding of risk across its various countries. The Group assesses its risk culture by identifying and evaluating its quantifiable and non-quantifiable risks that are then integrated in management and decision-making processes.

Identification & assessment

At the subsidiary level there is a risk officer responsible for preparing risk reports on a quarterly basis by assessing the risks facing the company in terms of likelihood and impact. The risk officer also captures what mitigation activities are being taken to manage the risks. However, the mitigation responsibility lies with the process owner. The risk reports are evaluated by the subsidiary level risk management coordination committee and approved by the subsidiary CEO before presenting to the subsidiary ARC. The Group risk management team collects these country risk reports and prepares the Group risk report based on the country report information. The Group risk report is discussed in the Executive Committee meeting before presenting to the Group ARC where the risk report is scrutinized and recommendations are made for improved risk management.

Risk appetite

Risk appetite, or the amount and type of risk that the Group is willing to accept, tolerate, or expose itself to in pursuit of its business objectives, is set at a level to avoid loss, fraud and operational inefficiencies. The Group establishes its risk appetite to provide direction and set boundaries for risk management across its microfinance institutions. The Group targets more conservative financial and prudential ratios than those required by regulators in the countries in which the Group operates. The Group also has zero tolerance for any unethical, illegal or unprofessional conduct and maintains a zero appetite for association with any disreputable individuals. The Group evaluates its risk appetite on a quarterly basis. The Group first identifies and reports its risk appetite at the microfinance institution level, where a financial target is established and a risk appetite statement is produced by each microfinance institution and submitted for consideration to senior management at the Group’s corporate headquarters. At the Group’s corporate headquarters, each microfinance institution’s risk appetite report is evaluated, and the Group establishes an overall risk appetite that is later implemented across its countries.

Outline of the framework in place for risk management

Three lines of defence

Principal risks

1. Financial risk

1.1 Credit risk
1.2 Liquidity risk
1.3 Exchange rate risk
1.4 Inflation risk
1.5 Interest rate risk
1.6 Concentration risk
1.7 Tax compliance risk

2. Legal & Compliance risk

2.1 Regulation
2.2 Product Transparency
2.3 Anti-money laundering risk

3. Strategic risk

3.1 Growth risk
3.2 Competition risk
3.3 Reputation risk
3.4 Climate risk

4. Operational risk

4.1 Human resource risk
4.2 Fraud & Integrity risk
4.3 Business contingency
4.4 Health & Safety risk

5. IT risk
5.1 Business continuity
5.2 System vulnerability
5.3 Data privacy & protection
5.4 IT support
5.5 System access control
5.6 IT fraud
5.7 Data migration

Find our Risk Map and all principal risks described in our 2023 Annual Report

The first line of defence is the branch staff and area, regional and district managers at the microfinance
institution level who are responsible for the client risk assessment, client retention and credit risk. The Country Heads and the Group’s senior management ensure proper implementation of control activities, policies and procedures.

The second line of defence at the Group’s subsidiaries provides guidance and oversight of the activities performed by the first line of defence. It includes internal oversight functions such as Compliance, Risk Management, and the Fraud and Misappropriation Prevention Unit (‘FMPU‘). Other departments, including IT, HR and Finance/Accounts also play an important role in the second line of defence.

The third line of defence is Internal Audit at both the Group level and the microfinance institution level. In addition to regularly performing internal auditing activities, Internal Audit ensures that all units responsible for managing risk are performing their roles effectively and continuously.