Mustapha B.

Mugisas Keynote address

AMFIU Annual Conference and AGM

20th 21st June 2013 Hotel Africana.

Microfinance Risk Management: Current Status in Uganda

Managing risks a critical challenge for MFI sustainability

www.summitcl.com

Forensic. Advisory. Fraud.

Why care?
#1
What do you think is the impact to the economy when a business collapses?

What happens when that particular business is a microfinance?

#2
Image credit, ACFE.com

Forensic. Advisory. Fraud

Keynote Agenda

1. Perspective 2. Current status a) Regulatory b) Governance 3. Way forward

A low-end business woman with merchandise.

Credit: Internet photo.

www.summitcl.com

Forensic. Advisory. Fraud.

Perspective
Case 1: The rise and fall of SOMEDI Microfinance. Started in 1996, in Masindi Expanded regionally. Was no more by 2012

www.summitcl.com

Forensic. Advisory. Fraud.

Perspective impact
Case 1: The rise and fall of SOMEDI Microfinance. Lost donor goodwill Lots of people lost livelihood Bad reputation of the industry
www.summitcl.com

Joseph Businge, who used to own three shops, lost it all. He now lives in poverty in Masindi

Forensic. Advisory. Fraud.

Perspective why collapse?

Case 1: The rise and fall of SOMEDI Microfinance. Poor governance High levels of fraud Lack of shared strategic focus

www.summitcl.com

Forensic. Advisory. Fraud.

Perspective
Case 2: The rise and fall of Victoria Basin Savings & Microfinance Cooperative Trust Ltd (VBS). Started in 1990, in Rakai as building society Transformed into a SACCO. Off the radar by 2013!
www.summitcl.com Forensic. Advisory. Fraud.

Perspectiveimpact.

9,854

active borrowers in 2005

56% women.
www.summitcl.com Forensic. Advisory. Fraud.

Perspective why collapse?

Case 2: VBS Microfinance High levels of fraud Failure to manage change Poor governance

www.summitcl.com

Forensic. Advisory. Fraud.

Perspective lessons
Timely supervision

Effective risk management

www.summitcl.com

Forensic. Advisory. Fraud.

Status of Microfinance RM

1. Perspective

2. Current status a) Regulatory framework b) Governance

3. Way forward
www.summitcl.com

Credit: Internet photo.

Forensic. Advisory. Fraud.

Majority of the players are outside the formal regulation.

(a) Regulatory framework is key

www.summitcl.com

Forensic. Advisory. Fraud.

Who is regulating who?

T a b l e 1 : C u r r e n t s t a t u s o f t h e M ic r o f in a n c e in d u s t r y in U g a n d a
T ie r T ie r 1 T ie r 2 T ie r 3 T ie r 4 C a te g o ry o f I n s t it u t io n s Banks C r e d it I n s t it u t io n s M ic r o f in a n c e D e p o s it T a k in g I n s t it u t io n s M F Is a n d S A C C O s T h e C o m p a n ie s A c t , 1 9 6 1 T h e N G O (A m e n d m e n t) A c t 2 0 0 6 F o r S A C C O s , t h e R e g is t r a r o f C o o p e r a t iv e S o c ie t ie s ( M T I C ) u n d e r t h e C o o p e r a t iv e S o c ie t ie s A c t C a p 1 1 2 I n f o r m a l: n o c le a r r e g u la t io n f o r o t h e r s a v in g s a n d c r e d it s c h e m e s lik e s a v in g s a n d c r e d it s c h e m e s in s e v e r a l c o m p a n ie s . O th e r M o n e y le n d e r s M o n e y le n d e r s A c t , C a p 2 7 3 , 1 9 5 2 53 Unknow n 49 81 2 ,0 6 5 B a n k o f U g a n d a ; F in a n c ia l I n s t it u t io n s A c t 2004 Bank of U ganda; M D I Act 2003 24 4 4 R e g u la tio n Num ber

www.summitcl.com

S o u r c e : A M F I U p u b lic a t io n s .

Forensic. Advisory. Fraud.

Regulatory framework Should address the key failings: Avoid mission drift Address fraud risk Monitor key business indicators
www.summitcl.com Forensic. Advisory. Fraud.

Regulatory framework

MoPED provides policy and oversight of the financial sector through Rural Finance Services Program (RFSP) Department of Cooperatives in MTIC registers & supervises SACCOs

AMFIU and UCSC provide support to members as self regulating.

www.summitcl.com

Forensic. Advisory. Fraud.

Regulatory framework

Tier 4 regulatory framework underway SACCOs to be classified Large ones to be under prudential regulations, e.g. under amended MDI Act

Clear definition of large or small SACCOs to be specified.

www.summitcl.com

Forensic. Advisory. Fraud.

Regulatory framework
Microfinance is a business for social impact and economic return. It supports the people at the bottom of the pyramid to change their lives in a sustainable way.
www.summitcl.com

Risk is the probability that an investments actual return will be different than expected
Forensic. Advisory. Fraud.

Regulatory framework
Microfinance is not about making a lot of profits or becoming a bank. It is about expanding scale and capacity to extend very low cost microloans to as many poor people as possible and enabling their enterprises to grow,
Mustapha B. Mugisa, 2013.

www.summitcl.com

Forensic. Advisory. Fraud.

The need for regulation

Case 3: Enter Promotion of Economic Transformation & Realization of sustainable Livelihood (PEARL) microfinance Started in July 2006 Expanded rapidly Voluntarily closed in 2013.
www.summitcl.com Forensic. Advisory. Fraud.

The need for regulation

Lots of changes in the industry Both SACCO and nonSACCO institutions New dynamics e.g. money transfer, microcredits via mobile money and mobile savings = more complex!
www.summitcl.com Forensic. Advisory. Fraud.

Fact: risk management is not structured in many microfinances.

(b) It is all about Good Governance.

www.summitcl.com

Forensic. Advisory. Fraud.

Status on ground
Best practices are just on paper There is the Board, Auditors, etc but these are for cosmetic purposes Institutions want to just be seen to be ok because they have the Board.
www.summitcl.com Forensic. Advisory. Fraud.

Status on ground
Risk management is not structured. Majority of staff dont know their roles in risk management!

www.summitcl.com

Forensic. Advisory. Fraud.

Status on ground
Generic risks exits e.g. credit, liquidity, technology, governance. Few people, if any, know how those risks are identified, assessed, managed and continuously reviewed
www.summitcl.com Forensic. Advisory. Fraud.

Status on ground
Although cases of SOMEDI, VBS and PEARL have shown fraud, IT & staff are big challenges, few institutions have recognized this. Why?

www.summitcl.com

Forensic. Advisory. Fraud.

#1: Lots of fraud in the sector

An average organization loses about 5% of its annual revenue to fraud, ACFE Report to The Nations 2012.
ACFE Uganda survey in 2011 revealed banks & telecoms lose 15-25% of annual revenue to fraud!
Total annual revenue (all Uganda banks) in 2011

1.94/-

Trillion

Average cost of fraud to each bank in Uganda

Ugx. 4

billion annually!
Forensic. Advisory. Fraud

#2: Cyber threat & ICT security risks

35% Virus & Hacker Attack

Your Institution

65% Data Leakage & Network Abuse

For institutions 65% of security breaches are internal 35% of security breaches are external.

Cyber Crime Combat

Quality Demand from Clients

You need tools to ensure real time network monitoring?

#3: The people risks

Information theft About 2/3 leaving employees steal data Microfinance IT system frauds; e.g. salami techniques; loan writeoffs, etc.

www.summitcl.com

Forensic. Advisory. Fraud.

The way forward

1. Perspective

2. Current status a) Regulatory b) Governance

3. Way forward
A low-end business woman with merchandise.
Credit: Internet photo.

www.summitcl.com

Forensic. Advisory. Fraud.

XY Microfinance RM model
Case 4: XY Microfinance risk management model is good. Risk management is part of their business Process owners identify the risks and monitor them Eight questions are asked and answered
www.summitcl.com Forensic. Advisory. Fraud.

XY RM model awareness
#1: Do the Board, management and staff all understand how the risk register is developed?
F ig u r e 1 : R is k m a n a g e m e n t p r o c e s s a t X Y

4.

M o n it o r a n d C o n t in u o u s R e v ie w

1.

I d e n t if y

W h a t c o u ld g o w r o n g ?

A r e t h e c o n t r o ls e f f e c t iv e ? H a s t h e r is k c h a n g e d ?

X Y O b je c t iv e s / KRAs

2. Assess
3. C o n t r o l/ M it ig a t e

H o w lik e ly is it t o h a p p e n ? W h o w o u ld c o m m it f r a u d ? W h a t w o u ld b e t h e im p a c t if it h a p p e n e d

W h a t s h o u ld b e d o n e t o r e d u c e t h e r is k ? W h o o w n s t h e r is k ? W h a t m o r e t o d o a b o u t it ?

www.summitcl.com

Forensic. Advisory. Fraud.

XY RM model tone at the top

#2: Is the Board involved in risk management? XY ensures a right tone at the top throughout the RM process.

www.summitcl.com

Forensic. Advisory. Fraud.

XY RM impact/likelihood
#3, for each identified event, are likelihood and impact clearly defined and assessed by process owners? XY uses the likelihood and impact guide by the Institute of Risk Management (IRM), specifically follows the ISO 31000:2009 guidelines as in tables 2 & 3 below.

www.summitcl.com

Forensic. Advisory. Fraud.

XY RM modellikelihood
R a t in g F re q u e n t S co re 5 T h rea t > 7 5 % ch a n c e o f o c c u rre n c e V e r y r e g u la r o c c u r r e n c e L ik e ly 4 > 5 0 % < 7 5 % ch a n ce o f o ccu rre n ce C ir c u m s t a n c e s f r e q u e n t ly e n c o u n te re d P o s s ib le 3 > 2 5 % < 5 0 % ch a n ce o f o ccu rre n ce L ik e ly t o h a p p e n a t s o m e p o in t in th e n e x t 2 y e a rs . C ir c u m s t a n c e s o c c a s io n a lly e n c o u n te re d . U n lik e ly 2 > 5% < 25% chance of o ccu rre n ce O n ly lik e ly t o h a p p e n o n c e in 3 y e a rs. C ir c u m s t a n c e s r a r e ly e n c o u n t e r e d . R e m o te 1 L e s s th a n 5 % c h a n c e o f o ccu rre n ce . H a s n e v e r h a p p e n e d b e fo re C ir c u m s t a n c e s n e v e r e n c o u n t e r e d . www.summitcl.com L e s s th a n 5 % c h a n c e o f o c c u rre n c e . S o m e c h a n c e s o f f a v o u r a b le o u t c o m e in t h e m e d iu m t e r m 5 % to 2 5 % c h a n c e o f o c c u rre n c e O p p o r t u n ity F a v o u r a b le a n d f r e q u e n t o c c u r r e n c e lik e ly. F a v o u r a b le o u t c o m e is lik e ly t o b e a c h ie v e d in o n e y e a r. M o re th a n 5 0 % ch a n c e o f o c c u rre n c e . R e a s o n a b le p r o s p e c t s o f f a v o u r a b le r e s u lt s in o n e y e a r. 2 5 % to 5 0 % ch a n c e o f o c cu rre n ce

Forensic. Advisory. Fraud.

XY RM modelimpact
R a t in g D e f in it io n M o n e ta ry Im p a ct ( U g x m ) 5 V e r y h ig h ( c a t a s t r o p h ic ) > 50 L e a d s to t e r m in a t io n o f p ro je c ts o r w it h d ra w a l o f fin a n c in g a n d is u n d a m e n ta l to s e r v i c e d e l iv e r y 4 H i g h ( C r i t i c a l) > 1 0 < 50 E v e n t w h ic h m a y h a v e a p r o lo n g e d n e g a t iv e im p a c t a n d e x t e n s iv e consequences 3 M o d e ra te > 5 < 10 E v e n t w h ic h c a n be m anaged, but r e q u ir e s a d d it io n a l re so u rce s a n d m anagem ent e ffo rt 2 M in o r > 0 .5 < 5 Event can be m anaged under n o r m a l o p e ra t in g c o n d it io n s 1 I n s ig n ific a n t < 0 .5 C onsequences can e a s ily b e a b so rb e d u n d e r n o r m a l o p e ra t in g c o n d it io n s L it t le im p a c t S ig n ific a n t d e la y s ; p e rfo rm a n c e s ig n ific a n tly u n d e r ta rg e t M a t e r ia l d e la y s , m a r g in a l under a c h ie v e m e n t of ta rg e t p e rfo rm a n c e I n c o n v e n ie n t d e la y s N o n - h e a d lin e e x p o su re , fa u lt q u i c k ly ; n e g l i g i b l e im p a c t N o n - h e a d lin e e x p o su re , n o t a t fa u lt , n o im p a c t In n o ce n t b re a ch ; im p a c t p r o c e d u ra l e v id e n c e of c le a r s e tt le d B re a ch ; c o m p la in t m in o r h a rm in v e s t ig a t io n o b je c t io n / lo d g e d ; w it h H e a d lin e re p e a te d e x p o su re ; r e g u la t o r y e n q u ir y R e p e a te d h e a d lin e e x p o su re ; r e s o lu t io n ; P a r lia m e n t a r y e n q u ir y / b r ie fin g s lo w non N e g lig e n t la c k of b re a ch ; good fa it h B o a rd in v o lv e m e n t ; p r o f il e ; D e li b e r a t e g ro ss fo rm a l b re a ch or n e g lig e n c e ; in v e s t ig a t io n ; a c t io n ; C onsequence Im p a ct X Y s o b j e c t iv e s Non a c h ie v e m e n t of o b j e c t iv e s ; p e rfo rm a n c e f a il u r e M a x im u m h e a d lin e e x p o su re ; ce n su re ; c r e d i b i li t y B o a rd lo s s of h ig h S e r io u s b re a ch ; n e g lig e n c e p r o s e c u t io n ; ce n su re . or w i lf u l c r im in a l a c t; B o a rd on R e p u t a t io n event per N o n c o m p lia n c e

d i s c i p li n a r y

B o a r d in v o lv e m e n t

e v id e n t ; p e r fo r m a n c e r e v ie w in it ia te d

www.summitcl.com

Forensic . Advisory. Fraud. good fa it h ; lit tle

Impact x likelihood = risk

X Y R is k in d e x = im p a c t x lik e lih o o d S co re 20 - 25 15 - 19 10 - 14 5 9 1 - 4 R is k m a g n it u d e M a x im u m H ig h r is k M e d iu m r is k L o w r is k M in im u m r is k

5 4 3
IM P A C T

5 4 3 2 1 1

10 8 6 4 2 2

15 12 9 6 3 3

20 16 12 8 4 4

25 20 15 10 5 5

2 1

LIK ELIH O O D

www.summitcl.com

#4, Are risks identified and managed?

Forensic. Advisory. Fraud.

Figure 2: XYs risk universe

Reputation Risk

Mission drift Unclear Strategic focus

Non compliance to internal policies

Non Compliance to statutory requirements Dynamic legal regime / Non compliance to Best practices

Corporate governance

Compliance
Unclear Performance Indicators
Procurement frauds

Inadequate Succession planning

Strategic
Fraud

Ineffective change management

Risk Universe
High staff turnover

Financial
Asset misappropriation

Poor Client management

Gaps in compliance enforcement

Liquidity

Over indebtedness

Operational
Stakeholder risks; concealment of Malpractices Fraud. Compromise of XY Credit / fieldStaff Weak contract Management Governance constraints low Anti-fraud funding

Information Technology

Poor change management

XYs risk universe www.summitcl.com. 2013 All rights reserved.

Poor IT security practices

High System downtime

Weak IT system security

XYs risk control strategy

F ig u r e 3 : R is k I m p a c t / L ik e lih o o d c o n t r o l

Im p a c t

1
L ik e lih o o d

5 1
2 # 3 P re co n tro l # 4
Post c o n tro l

5 5

XYs strategy is to move risks from the red category to the Green one, on an on-going basis
Forensic. Advisory. Fraud.

www.summitcl.com

XY RM risk reporting
#5, are risk reporting processes effective?
R o le
B oard

Q u a r t e r ly

Sem i A nnual / A nnual to p 1 0 r is k lis t . su m m a ry d a sh b o a rd . p e n d in g litig a tio n . m a jo r in te r n a l a n d e x te r n a l e v e n ts . a u d it a s s u r a n c e .

u ltim a t e a c c o u n ta b ility a n d o v e r s ig h t f o r b u s in e s s r is k a n d c o n tr o ls . r e c e iv e a ssu ra n c e th a t r is k m a n a g e m e n t is w ith in p o lic y. R e c e iv e p e r i o d ic r e p o r ts f r o m A u d it C o m m itte e a n d r e v ie w a ll r is k s in r e d c a te g o r y.

A u d it /R is k C o m m it t e e

A p p ro v e S tr a te g y. O v e rse e s

th e

R is k

M anagem ent

d e v e lo p m e n t, and m a in te n a n c e o f

r is k p r o f ile . s e lf a s s e s s m e n t . lo s s e v e n t d a ta . s tr e s s t e s tin g . k e y r is k in d ic a to r s . p e n d in g litig a tio n . r is k p r o f ile . s e lf a s s e s s m e n t . lo s s e v e n t d a ta . s tr e s s t e s tin g . k e y r is k in d ic a to r s . p e n d in g litig a tio n .

T o p 1 0 s tr a te g ic r is k s . T o p r is k s o f th e d e p a r t m e n ts . a u d it a s s u r a n c e . e ff e c tiv e n e s s o f r is k m a n a g e m e n t. c o s t / v a lu e o f r is k m a n a g e m e n t. b e n c h m a r k in g r is k m a n a g e m e n t.

i m p le m e n ta ti o n

r is k m a n a g e m e n t a c r o s s th e A u th o r ity.

D ep a rtm en t / S e c t io n h e a d s

o w n r is k s . d e s ig n a n d o w n c o n tr o ls .. r u n th e b u s in e s s

www.summitcl.com

Forensic. Advisory. Fraud.

XY RM risk appetite & KRIs

#6, has the board set and communicated risk appetite?
R is k c la s s B o a r d / S M T / m a n a g e m e n t le v e l a r t ic u la t io n o f r is k a p p e t it e . S t r a t e g ic 1 ) Z e ro t o le r a n c e of a c t iv it ie s not w it h in th e C o m p a n y s b u s in e s s p la n a n d s t r a t e g ic o b j e c t iv e s . 2 ) V e r y L o w r is k a p p e t it e f o r r e p u t a t io n a l r is k s 3 ) Z e r o t o le r a n c e f o r d is c lo s u r e o f c o n f id e n t ia l o r c l a s s if ie d in f o r m a t io n . C o m p lia n c e F in a n c ia l O p e r a t io n a l 1 ) Z e r o t o le r a n c e f o r n o n - c o m p lia n c e 1 ) Z e r o t o le r a n c e f o r f r a u d u le n t / t h e f t a c t iv it y b y a n y s t a f f, c u s t o m e r o r s t a k e h o ld e r 2) Low 3) Low
www.summitcl.com

r is k

a p p e t it e

fo r

in a d e q u a t e ly fo r a n y

t r a in e d ,

in e x p e r ie n c e d a n d u n s k ille d s t a f f. o p e r a t io n a l r is k a p p e t it e in t e r n a l p r o c e s s f a ilu r e s .

Forensic. Advisory. Fraud.

XY RM top 10 risks
#7, are top 10 risks identified and clearly monitored? XY has operates a risk management software which provides a dashboard or a Risk Register for easy risk monitoring on-going.

www.summitcl.com

Forensic. Advisory. Fraud.

XY RM risk reporting
#8, Is the Risk Register up to date? XY has operates a risk management software which provides a dashboard or a Risk Register for easy risk monitoring on-going.

www.summitcl.com

Forensic. Advisory. Fraud.

Address ICT security

Train all computer users in comprehensive ICT security 96% of your staff are not IT secure aware They are a weakest link

www.summitcl.com

Forensic. Advisory. Fraud.

Focus on fraud management

SCL fraud prevention toolkit

i. Fraud risk management strategy e.g. PAPEMO toolkit & on-going awareness training to all staff ii. Effective whistleblowing solution
Microfinance fraud prevention

www.summitcl.com

Toolkit

Forensic. Advisory. Fraud.

Call to Donors & Government

Donors must become business partners; provide support beyond enabling outreach and focus on on-site capacity building Government must fast track the law for regulating Microfinance Institutions GoU should take advantage of existing institutions like AMFIU and UCSU
www.summitcl.com Forensic. Advisory. Fraud.

Our values for your success! Thank you!

We take pride in doing the right thing, rather than what is right for the profitability of SCL.
For more info, visit: www.summitcl.com www.mustaphamugisa.com

m: 0712 984 585.

www.summitcl.com Forensic. Advisory. Fraud.