Partners and Action

 A Microfinance Risk Programme
SITE MAP - ALL CONTENT
Financial Institutions and
Health, HIV & AIDS Risk Management
   HOME       ABOUT US       CONTACT US       SEARCH       GLOSSARY OF TERMS       USER'S GUIDE       SITE MAP   
Home > Background > The Risk Management Framework > Key Elements of Risk Management back | print

Key Elements of Risk Management

The key elements of a risk management framework are summarised in the following diagram and are then discussed individually:

  • Risk Policy and Governance: The framework will contain a Policy setting out:
    • the MFIs views or attitudes towards risk, risk management and its risk appetites and tolerances
    • the organisational structures, functions and roles (responsibilities and accountabilities) for designing and implementing risk management - the risk management framework or the risk governance structure

  • The Risk Function: The risk function within the MFI is responsible for identifying, assessing and monitoring risk within the MFI, and for determining appropriate risk controls as well as the roles and responsibilities required in the business units to implement risk management. The risk function may be delivered by a single person or a substantial department, depending on the MFI's scale, capacity and requirements. Current trends in financial services are towards leaner risk functions, with day to day risk management decentralised to individual business units.
    • Risk identification typically involves the development of an inventory or database of relevant risks, based both on own knowledge, industry Experience and available tools8, external technical assistance and interviews or facilitated workshops with the board, business unit managers and operational staff - all of whom are concerned about particular and often different risks. In Chapter 3 of this Guide, we provide a fairly comprehensive overview of the risks associated with HIV & AIDS and health issues for MFIs, at all levels of operation. In practice, different MFIs will find that some risks apply and others do not, and may well discover additional risks that we have not considered in this Guide.

    • Risk assessment involves determining the likelihood of occurrence associated with each risk, as well as the scale of the resulting possible loss. Each may be assessed on a simple scale. A three step scale might be: rare, sometimes, frequent for frequency; and small loss, medium loss, high loss for severity, with the currency amounts of each loss band specified. More sophisticated approaches may have higher numbers of bands, or may even develop statistical distributions for frequency of event and severity of loss. Risks can then be prioritised from most urgent (high frequency, high loss) to less urgent (low frequency, low loss). Risk assessment must be revisited on an ongoing basis.

    • Risk control determines whether the risk is accepted, transferred, avoided or controlled, and what risk controls are put in place. Chapter 4 contains a cross-referenced, detailed overview of potential controls for the various HIV & AIDS and health risks identified in Chapter 3. Many controls bring with them their own associated risks, which in turn require consideration. For example, removing Mortality risk through purchasing Insurance transfers Mortality risk to the insurer, but creates risks around partnership management.

    • Risk monitoring is an ongoing process of monitoring high-level indicators like Portfolio at Risk (PAR) for general indicators, as well as the specific key indicators identified with each risk. The risk function is responsible for determining, gathering, analysing, interpreting and communicating information pertaining to risk management, key risk indicators and data on losses that actually occur. Management has to be informed as well as relevant staff throughout the organisation.

  • Day to Day Risk Management at Business Unit Level: The implementation of risk management identified by the risk function may typically occur in a business unit. Particular individuals are responsible for undertaking the risk management relating to their activities or areas. This is important to drive the culture of risk management throughout the organisation, ensuring personal awareness, ownership, responsibility and accountability at all levels of the relevant risks and controls. HR will be instrumental in incorporating risk functions into job descriptions throughout the organisation under the guidance of the risk function. Health and AIDS risk management has traditionally been limited to the human resource business unit, but as Chapters 3 and 4 show, it is much broader. Note that "business unit" here includes areas such as HR, finance and operations as well as marketing, credit, different branches and so on.

  • The Role of Internal Audit: Historically the internal audit function has typically conducted a lot of what is now becoming known as the risk function. Current trends are for risk function to manage risk as set out above, and for internal audit to verify that the risk management is occurring as required. Internal audit might therefore want to ensure that key risk controls are happening as set out by risk, or that the risk reporting data is reliable. Internal audit ensures that risk management is doing what it should be doing, and what it says it is doing.

  • Risk Information Systems: Effective risk management requires good information and data. Key indicators must be gathered and monitored regularly to determine the occurrence of risk events, or to identify changes in factors affecting their likelihood. Data on losses incurred as a result of each risk event will help the MFI target its risk management more effectively. In sophisticated settings, the risk function may be enabled using risk management software. However, the software never constitutes more than an information management, reporting and analysis tool: it cannot replace the risk function, risk governance or the day to day risk management at business unit level.

  • Capital Management: In the most sophisticated frameworks, the levels of retained risk and the effectiveness of risk management frameworks feed through into business capital. MFIs retaining higher risk need more capital to withstand the risk. And for two MFIs with the same apparent retained risk, the MFI with a demonstrably more effective risk management framework will require less capital. These principles underlie the evolving regulatory approaches to Solvency in the formal financial services sectors (Insurance and banking) of many countries.

This Guide focuses principally on the Policy structures and the particular risks and the potential controls to be implemented by the business units under the guidance of the risk function. We also mention some of the data requirements around identification and management of HIV & AIDS risk. We do not, however, set out the full requirements of a risk management database.

Case Studies

Box 2.1 : Teba Bank's Risk Management Framework

Teba Bank offers microcredit and savings schemes to employees of mines and to other low income clients in South Africa. Teba's risk management framework is modeled on Enterprise Risk Management principles and the requirements of Basel 2. The five key components are risk assessment, risk control, monitoring, information and strategy, and these are set out in the risk management policy.

Risk management is strongly supported by Teba's board, which is essential for success, and is seen not merely as compliance or damage control, but as opportunity to add value to the business.

Teba has articulated risk appetite statements for the various categories of risk.

Three departments report in to the general manager of risk: internal audit, the risk department and the governance and compliance department, though to ensure functional independence, internal audit reports in to audit on an operational basis.

As with many banks, Teba's current focus is on integrating day to day risk management into business units. Two critical success factors identified here are building and maintaining good systems, and ensuring buy in throughout the business. These two come together in the need to provide good and relevant information (from good systems) to the right people: giving the board the correct picture from which to formulate strategy and giving the business units feedback which allows them to appreciate the value of the risk management actions they are required to undertake.

Source: Discussion with Zienzile Musamirapamwe, General Manager, Teba Bank, July 2006


Box 2.2: GTZ's Ten Guidelines for Risk Management

1. Lead the risk management process from the top
2. Incorporate risk management into process and systems design
3. Keep it simple and easy to understand
4. Involve all levels of staff
5. Align risk management goals with goals of individuals
6. Address the most important risks first
7. Assign responsibilities and set monitoring schedule
8. Design informative management reporting to board
9. Develop effective mechanisms to evaluate internal controls
10. Manage risk continuously using a risk management feedback loop

Source: http://www.gtz.de/de/dokumente/en_risk_management_framework_for_MFI.pdf



Other The Risk Management Framework Sections

Your Browsing History
  2. Background
  3. Glossary of Terms - All Terms
  4. Home
 
Quindiem Consulting Just Good Business AfriCap Microfinance Fund   GBC   AFMIN
  IFC Swedish International Development Cooperation Agency
© 2006 - 2010 AfricaCap | Double Distilled by Firewater Interactive