PlaNet Finance Risk Management Public Tools Series

Microfinance
Risk Mapping tool [Version 2]
[China] 版本2

with the support of

PlaNet Finance Group – 44 rue de Prony - 75017 Paris - France

Tel. 33 (0)1 49 21 26 26 – Fax. 33 (0)1 49 21 26 27
http://www.planetfinance.org/

For any questions on the risk mapping tool, please contact PlaNet Finance China
info@mfchina.cn
 Nam...
GENERAL INFORMATION Please enable Macros before you start
risk mapping.

Risk M... Name...

Date : XX/XX/2014

Date : mm/dd/year

Date : mm/dd/year

Orga... Startin...
Date : mm/dd/year

Microfinance Institution
 NET RISK MAPPING (1-5)

XX/XX/2014

mm/dd/year

0 mm/dd/year

mm/dd/year

Legend
1 An example in this area, well functioning.

2 The risk management controls in this area are sustainably set up and generally function well.

3 The risk management controls in this area are correctly set up, and could reach a good functioning if improvements are made.

4 There are significant issues to be addressed in the set-up and/or functioning of risk management controls in this area.

5 The organization shows deep weaknesses in this area; the risk management controls in this area are unsustainable.
 GROSS RISK MAPPING ( L / M / H )

Likelihood of Emergence / Severity of Impact Severity

Type of Risk L/L L/M M/L L/H M/M M/H H/L H/M H/H Total
Governance Risk 0 0 0 0 0 0 0 0 0 0 High 0 0 0
External Risk 0 0 0 0 0 0 0 0 0 0
Operational Risk 0 0 0 0 0 0 0 0 0 0
IT Risk 0 0 0 0 0 0 0 0 0 0 Moderate 0 0 0
Credit Risk 0 0 0 0 0 0 0 0 0 0
Liquidity & Market Risk 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0 Low 0 0 0
Likelihood
Low Moderate High

Legend
Low gross risk
Medium gross risk
High gross risk
 GOVERNANCE RISK

Governance risk is the risk of loss due to inadequate governance or a poor governance structure.

A MFI should have strong governance in place to ensure the Board and the management are accountable to the organization and shareholders in fulfilling the organization's mission and protecting the
organization's assets. The Board and the management are ultimately responsible for analyzing risks and ensuring the MFI has robust controls, as well as strong audit and reporting mechanisms, to minimize
vulnerabilities. Thus, the Board and the management should have the proper technical skills and personal attributes to set up a sustainable risk management system.

IMPACT NET RISK

SUMMARY RISK DESCRIPTION RISK ASSESSMENT
( L/M/H ) (1-5)

LIKELIHOOD

mm/dd/year

mm/dd/year
XX/XX/2014
ID REF NO.

SEVERITY
CATEGORY RISK INDICATORS CONTROL GAP

enter risk weighting below

1. BOARD STRUCTURE 20%

o Are there clear and well written by-laws defining the structure, roles,
responsibilities, and procedures of the Board?
o Is there a mechanism in place to ensure sufficient scheduling,
preparation, organization, and recording of Board proceedings?
Risk that the Board activities are
Board o Are there minimum requirements on the frequency and attendance of
1.1 not carried out in a well-defined,
proceedings Board meetings?
clear and organized manner
o Are there specialized committees (e.g. asset and liability, audit, risk
management, remuneration, etc.) set up in line with evolving needs of the
organization?
o Are the internal rules in line with the regulatory minimum requirements?

o Are there mechanisms, such as disclosure of financial and non-financial

interests of Board members and/or a policy for situations requiring recusal
to minimize potential conflicts of interest of Board members?
Risk of Board member(s) having o Are there mechanisms to ensure the Board is independent from the
conflict of interest that may management, such as separation of the Chairman of the Board and CEO
1.2 Conflict of interest
hinder objectivity and/or roles?
independence o Have there been cases of "Conflict of Interest" in the past and have those
issues been properly assessed?
o Is there a clear opinion whether or not board members currently have a
Conflict of Interest or not!

o Are Board members properly qualified and have the right mix of skills
appropriate for the needs of the organization?
Qualifications, Risk due to lack of proper o Does the Board have a periodic self-assessment mechanism?
1.3 Evaluation and evaluation and training of Board o Is there orientation for new Board directors and education of existing
training members Board directors in line with evolving needs of the organization?
o How have board members handled situations of conflict or the lack of
knowledge?

o Are there mechanisms to change the composition of the Board if

Risk due to lack of proper Board
1.4 Succession members are not fulfilling duties or new perspectives or skills are needed?
succession mechanisms
o Is there a policy of term limits at the organization?

Evaluation: Board Structure

 enter risk weighting below
2. BOARD OVERSIGHT 20%

o Does the Board periodically review the management's strategy and

Risk due to the Board's lack of
Strategic, approve it in light of the organization's goals and mission?
proper strategic management,
2.1 management, and o Does the Board periodically evaluate and monitor the operational and
and fiduciary oversight over the
fiduciary oversight financial performance of the organization under management in light of the
organization and management
organization's strategy and goals?

o Does the Board periodically review the organization's risk management

and compliance, and provide appropriate guidance on further implementing
Risk due to the Board's lack of appropriate frameworks?
Risk management
2.2 attention to risks and compliance o Is there a Risk Committee at the Board level?
& compliance
o Does the Board periodically review current regulations and laws
governing the organization's activities in order to identify non-compliance or
grey areas ?

o Is relevant and accurate financial information provided to the Board on a

Risk due to the Board's lack of
Reporting to the regular and timely basis, and in a standardized manner?
2.3 regular, accurate, relevant, and
Board o Is relevant and accurate operational information provided to the Board on
timely information
a regular and timely basis, and in a standardized manner?

o Does the Board periodically measure organization's social performance in

Social Risk due to the Board's lack of line with strategy and goals?
2.4
performance attention to social performance o Expand beyond the Board's involvement to look at the overall activities
related to social performance throughout the organization?

o Is the topic of creating a good risk culture in the mindset of the Board
members?
Is the Board promoting a good
2.5 Risk Culture oWhat are the aspects of the Risk Culture that the board is actively
and healthy risk culture
promoting?

Management Risk due to the Board's lack of o Does the Board regularly discuss issues related to management
identification, involvement in the management identification and development?
2.6
development, and identification, development, and o Is there a Remuneration Committee at the Board level?
succession succession o Does the Board have a management succession plan in place?

Evaluation: Board Oversight

enter risk weighting below
3. MANAGEMENT 20%

o Does the current management structure match the scale and complexity
Risk of inadequate and/or
of the organization?
3.1 Structure unclear management structure in
o Are roles and responsibilities of the management clearly defined and
the organization
documented?

o Are the key management positions in the organization currently filled?

Risk of key management roles
3.2 Staffing o If the key management positions are vacant, is there an active recruitment
being vacant
process underway?
 o Is there a system for evaluation of the management to ensure they have
Risk due to the management's the right skills and qualifications for their respective roles?
Skills and
3.3 lack of proper skills and o Is there continuous training for the management to ensure they have the
qualifications
qualifications right skills and qualifications in line with the evolving needs of the
organization?

o Has the management documented a clear strategy and plans for the
Risk of lack of or insufficient
3.4 Strategy and plan business?
strategy and plans
o Are they reviewed, updated and approved by the management regularly?

o Are there clearly documented policies and procedures for the key areas
Policy and Risk of lack of or insufficient
3.5 set up by the management and provided to the relevant staff?
procedures policies and procedures
o Are they reviewed, updated and approved by the management regularly?

o Does the management hold periodic risk management meetings?

o Has the management set up a comprehensive risk management
Risk due to the management's
3.6 Risk management frameworks and related policies?
lack of attention to risks
o Does the management regularly review and update risk management
frameworks?

o Has the management set up a comprehensive compliance frameworks

and related policies?
Risk due to the management's o Does the management regularly review and update compliance
3.7 Compliance
lack of attention to compliance frameworks?
o Is there a mechanism for the management to follow up and rectify
compliance issues that are uncovered during internal and external reviews?

o Is the organization overly dependent on key management for the well

Risk of overdependency on key
3.8 Key man risk functioning of the organization?
management
o Is there succession planning in place to mitigate key man risk?

o Has the management set up a robust code of conduct to actively promote

3.9 Culture of integrity Risk of weak culture of integrity honesty and open communication of risk issues among staff members and
the client community?

Evaluation: Management
 enter risk weighting below
4. AUDIT 20%

o Is there an independent internal audit structure set up for key areas of the
business with clear and robust procedures?
o Is internal audit conducted on a frequent enough basis?
Risk due to insufficient internal
4.1 Internal audit o Is there a clear procedure for reporting and follow up of internal audit
audit
findings to the management and the Board?
o Is there sufficient number of qualified internal auditors in line with the
business scale and complexity?

o Is there an external audit structure in place?

o Is external audit conducted on a frequent enough basis?
Risk due to insufficient external
4.2 External audit o Is there a clear procedure for reporting and follow up of external audit
audit
findings to the management and the Board?
o Is the external audit conducted by a qualified external auditor?
Evaluation: Audit
enter risk weighting below
5. REPORTING 20%

Risk of inaccurate or unreliable
Financial information on the balance
5.1
Statements sheet, income statement and
cash flow statement
o Is information contained in the financial statements accurate and
according to commonly accepted financial reporting standards?
o Are financial statements prepared both on an individual entity basis and a
consolidated basis if the organization have various entities?

o Does reporting cover the key areas of the operations, such as operations,
credit, risk management, and treasury?
Risk of inaccurate or unreliable
Operational o Is there a mechanism in place to ensure the accuracy of business related
5.2 reporting on the key areas of the
reporting reports?
operations
o Are operational reports prepared both on an individual entity basis and a
consolidated basis if the organization have various entities?

o Are financial statements provided to the relevant users on a regular and

Risk that the management and timely basis, and in a standardized manner?
5.3 Usage of reports staff do not utilize reports to o To ensure effective management, are business related reports provided to
guide business decisions the relevant users on a regular and timely basis, and in a standardized
manner?
Evaluation: Reporting
enter risk weighting below
6. OTHER RISKS 0%
6.1
6.2
6.3
6.4
6.5
Evaluation: Other

EVALUATION: GOVERNANCE RISK

Recommendations
NET RISK
(1-5)
mm/dd/year
 EXTERNAL RISK

External risk is the risk of loss due to developments, changes, or influences from the external environment.

A MFI should be sensitive to its operating environment, including, but not limited to, regulatory, legal, political, and macroeconomic factors, and constantly assesses the external environment it operates in, to
minimize potential vulnerabilities of the organization to these outside forces. Although a MFI may have less control over some external risks, certain external risks can be actively managed.

IMPACT NET RISK

SUMMARY RISK DESCRIPTION RISK ASSESSMENT
( L/M/H ) (1-5)

LIKELIHOOD

mm/dd/year

mm/dd/year

mm/dd/year
XX/XX/2014
ID REF NO.

SEVERITY
CATEGORY RISK INDICATORS CONTROL GAP

enter risk weighting below

1. EXTERNAL ENVIRONMENT 100%

o Does the organization periodically review changes in regulations and laws

Risk the organization faces from
Regulatory & legal that may materially impact the organization?
1.1 the regulatory and legal
environment o If there are changes in the regulatory and legal environment, does the
environment
organization assess the potential impact and take measures accordingly?

o Does the organization have awareness of potential influences from the

political environment (e.g. changes in leadership or policies) that may
Political Risk the organization faces from
1.2 materially impact on the organization?
environment the political environment
o If there are developments in the political environment, does the
organization assess the potential impact and take measures accordingly?

o Does the organization periodically assess the competitive environment

Risk due to increasing (e.g. new market entrants, new products, pricing pressure, market
Competitive
1.3 competition from existing and saturation, etc.)?
environment
new players o If the competitive environment changes, does the organization adapt
accordingly?
 o Is the organization aware of social and demographic trends that may
Social and Risk the organization faces from materially impact the organization (e.g. social cohesiveness, population
1.4 demographic the social and demographic mobility, urbanization, etc.)?
environment environment o If there are changes in the social and demographic environment, does the
organization assess the potential impact and take measures accordingly?

o Is the local environment at risk for natural calamities that could negatively
impact the organization (e.g. floods, cyclones, drought, etc.)?
Physical Risk the organization faces from
1.5 o Do these natural calamities pose a risk to income streams of households
environment the environment
and enterprises and/or microfinance delivery?
o Does the organization have a business continuity plan?

o Does the organization monitor the developments in the macroeconomic

environment that may impact the organization's clients (e.g. stability of
Macroeconomic Risk the organization faces from
1.6 local pillar industry)?
environment the macroeconomic environment
o If there are changes in the macroeconomic environment, does the
organization assess the potential impact and take measures accordingly?

o Are there any internal business practices and external factors that may
negatively impact the organization (e.g. operating environment,
External Risk of damage to the external microfinance industry)?
1.7
reputation reputation of the organization o Does the organization have contingency plans for external reputation
damage?

Evaluation: External Environments

 enter risk weighting below
2. OTHER RISKS 0%
2.1 Funder risk?
2.2
2.3
2.4
2.5
Evaluation: Other

EVALUATION: EXTERNAL RISK

Recommendations
 OPERATIONAL RISK

Operational risk is the risk of loss due to inadequate or failed internal processes, people, and systems. Fraud is also considered as an operational risk.

A MFI should design and imbed control mechanisms throughout the operations to mitigate potential vulnerabilities in the control environment. The organization should proactively conduct ex-post review of
transactions and assess the adequacy of control measures and staff resources. Finally, cultivating a culture of integrity and transparency among employees is critical to control operational risk.

IMPACT NET RISK

SUMMARY RISK DESCRIPTION RISK ASSESSMENT
( L/M/H ) (1-5)

LIKELIHOOD

mm/dd/year

mm/dd/year

mm/dd/year
XX/XX/2014
ID REF NO.

SEVERITY
CATEGORY RISK INDICATORS CONTROL GAP

enter risk weighting below

1. LOAN PROCESS - PROMOTION 5%
Risk of promotional activities o Are there controls to ensure promotion is conducted in a standardized and
Promotional
lacking standardization and transparent manner so clients are aware of the loan services, and make sure clients fully understand loan products
activities
transparency understand the loan terms and obligations?
Documentation of
Risk of lack of documentation of o Are there procedures to ensure information on promotional activities are
1.2 promotional
promotional activities collected, recorded, and utilized?
activities
Evaluation: Promotion
enter risk weighting below
2. LOAN PROCESS - APPLICATION 10%

o Are there controls to ensure the information on application forms is

complete and accurate?
Risk of application forms being
o When an old borrower applies for a new loan, is updated information Clients Information on application forms must be
2.1 Application taking incomplete, inaccurate, or
collected, and the ID and loan purpose revalidated? complete and accurate
submitted in an untimely manner
o Are there controls to ensure application forms are submitted and entered
into the system in a timely manner?

Evaluation: Application
enter risk weighting below
3. LOAN PROCESS - ANALYSIS 15%

o Are there clear and sufficient standards to guide the credit analysis?
o Are staff following procedures in conducting the credit analysis to obtain
Do LOs know about its clients and follow procedures to
Risk of the client analysis not an accurate picture of the client's socio-economic situation?
3.1 Client analysis conduct credit analysis?. Are there any controls in place
being conducted properly o Are controls in place to protect against external or internal fraud?
to protect against external and internal fraud?.
o Is there independent validation on the information collected by loan
officers?
 o Are there controls to ensure sufficient investigation of the borrower's real
Loan purpose Risk of insufficient loan purpose loan purpose? Do LOs know the real loan purpose ?. Are they any
l
analysis analysis o If the borrower has previous loans, are there procedures to check the check for the actual usage of their previous loan?
actual usage of his/her previous loans?

o Are staff following procedures in carrying out the analysis and verification
Risk of guarantor and/or
Guarantor and of the guarantor and/or collateral? Checking Guarantor and their collatreal ?. Their collateral
3.3 collateral not being verified and
collateral analysis o Are controls in place to ensure that the guarantor and collateral are not are not used for multiple loans…
analyzed properly
used for multiple loans?

o Is there a standardized form documenting the information collected during

Risk of inadequate
Documentation of the credit analysis?
3.4 documentation of the credit Adequate documentation of the credit analysis ?
analysis o Are there controls to ensure staff are properly documenting the results of
analysis
the credit analysis?

Evaluation: Analysis
 enter risk weighting below
4. LOAN PROCESS - APPROVAL 10%

Risk of lending decisions o Are there controls in place to ensure staff responsible for loan approval
4.1 Approval decision charged to staff without sufficient are properly qualified?
risk assessment capability o Are there multiple people involved in the loan approval decision making?

o Is there an audit trail of the loan approval process?

Documentation of Risk of unclear documentation of
4.2 o Can an independent party trace back and re-perform the approval
approval process the approval process
process?
Evaluation: Approval
enter risk weighting below
5. LOAN PROCESS - DISBURSEMENT 15%

o Are there controls in place to ensure disbursements are made to the

intended borrower?
Loan Risk of disbursement not being
5.1 o Are approved loans disbursed within a fixed period from time of approval?
disbursement conducted appropriately
o If disbursement happens after the allowed time period, is re-approval
required and is the loan approval decision revalidated?

o Are there multiple hand-offs of cash between the organization and the
Cash control at Risk of weak control of cash at borrower?
5.2
disbursement disbursement o If there are both collections and disbursements on the same day, is cash
handled separately or netted?

Evaluation: Disbursement
enter risk weighting below
6. LOAN PROCESS - POST LENDING COLLECTIONS & M 25%

o Are there procedures in place to remind the client of upcoming installment

payment dates?
Risk that the client or loan officer
o Are there procedures in place to ensure loan officers are aware of
6.1 Payment reminder forgets the installment payment procedure to remind clients ?
upcoming payment dates of clients?
date
o Is there a system generating daily reports to remind loan officers and their
managers of payments falling due?

o Are there controls to ensure monitoring is conducted in a standardized

Risk of inadequate monitoring of
6.2 Client monitoring manner according to the monitoring policy? Monitoring clients or not ?
clients
o Is there an audit trail of the monitoring process?

o Are there multiple hand-offs of cash between the organization and the
Cash control at Risk of weak control of cash at borrower?
6.3
collection collection o If there are both collections and disbursements on the same day, is cash
handled separately or netted?
 o Is delinquency monitored on a regular basis (daily, monthly, quarterly)?
Delinquency Risk of not detecting or reporting
6.4 o Is there a dedicated function for monitoring delinquency?
monitoring delinquency in a timely manner
o Are late payments occurring within the month included as delinquency?

o Do lending officers have the incentive to stay alert of early warning signs
and disclose problems early?
Early problem Risk of staff not reporting credit
6.5 o Do loan officers flag potential credit concerns (e.g. borrower business
recognition problems in a timely manner
weaknesses, sickness of family members, borrower left home, gambling,
divorce, etc.)?

o Is post-disbursement sample checking performed by the organization?

Risk of inadequate or lack of
6.6 Sample checking o Is there the right level of skills and training of staff to conduct qualitative
sample checking
assessment during sample checking?

Evaluation: Post Lending Collections & Monitoring

 enter risk weighting below
7. STAFF 10%

Risk of inadequate and/or o Does the current staff structure match the scale and complexity of the
7.1 Structure unclear staff structure in the organization?
organization o Are roles and responsibilities of the staff clearly defined and documented?

o Are the key staff positions in the organization currently filled?

Risk of key staff roles being
7.2 Staffing o If the key staff positions are vacant, is there an active recruitment process
vacant
underway?

o Is there a system for evaluation of staff to ensure they have the right
skills and qualifications for their respective roles?
Skills and Risk of staff lacking the proper o Is there continuous training for staff to ensure they have the right skills
7.3
qualifications skills and qualifications and qualifications in line with the evolving needs of the organization?
o Is there a healthy mix between senior and junior staff, mature and new
staff?

o Is there ongoing monitoring to ensure appropriate workload for staff

Risk of the workload of staff involved in different areas of the operations?
7.4 Workload
force being excessive o Is there a mechanism to detect whether the staff force is stretched too
thin?

o Is the compensation designed to encourage balanced risk taking (e.g.

Risk of inappropriate or
Compensation ratio between fixed and variable salary components)?
7.5 unintended staff behavior driven
structure o For loan officers, does the pay structure discourage risk disclosure due to
by the compensation system
penalty on delinquency or non performing loans?

o Is the competence level and training requirements of each staff mapped

out in accordance with the needs of the business?
Risk of lack of ongoing, relevant,
7.6 Training o Does the staff force receive sufficient technical training (in addition to
and standardized staff training
policies and procedures training) to carry out their respective
responsibilities?
Evaluation: Staff
enter risk weighting below
8. PHYSICAL SECURITY 10%
o Are sensitive or valuable items and documents stored securely in the
Safekeeping of Risk of theft, destruction or loss
premises, under authorized access?
8.1 valuable assets of valuable assets and
o Are control procedures for safekeeping documented (e.g. dual controls,
and documents documents
regular stock checks, files access, etc.)?

o If cash is stored at the branch or unit office, is the cash stored in a

protected safe or vault, under authorized access?
Safekeeping of Risk of theft, destruction, or loss
8.2 o Are there documented procedures for cash reconciliation?
cash of cash
o Are there limits in place on the amount of cash that can be kept in a
service location at any given time?

o Are there safety measures on the branch premises commensurate with

Risk of theft, destruction, or loss the risk in the local area (e.g. locks on doors, windows, security alarms,
Security of
8.3 due to unsafe or improperly etc.)?
premises
secured premises o Is there a proper separation of client and employee-restricted areas to
ensure confidentiality and safekeeping of assets?
Evaluation: Physical Security
enter risk weighting below
9. OTHER RISKS 0%
9.1
 9.2
9.3
9.4
9.5
Evaluation: Other

EVALUATION: OPERATIONAL RISK

Recommendations
 CREDIT RISK

Credit risk is the risk of loss due to borrowers' late or non-payment of loan principal and/or interest obligations.

A MFI should have methodologies to assess credit risk exposures at both the individual borrower and portfolio level. Credit risk should be undertaken in a calculated and controlled manner to achieve the
desired business results while keeping credit losses within tolerance limits. Timely identification and prevention of problems, as well as periodic review of credit risk methodologies in light of changes in the
internal and external environment, are critical.

IMPACT NET RISK

SUMMARY RISK DESCRIPTION RISK ASSESSMENT
( L/M/H ) (1-5)

LIKELIHOOD

mm/dd/year

mm/dd/year

mm/dd/year
XX/XX/2014
ID REF NO.

SEVERITY
CATEGORY RISK INDICATORS CONTROL GAP

enter risk weighting below

1. PRODUCT STRUCTURE 25%

o Are the products and clients screening criteria deigned to ensure they
Risk due to a mismatch between attract intended target segment and meet loan purpose?
1.1 Target segment the product design and the o Are the products designed to fit a critical mass of local loan demand?
underlying target segment o Are the products designed to ensure the loan size fits the loan demand of
the target segment?

o Is there periodic review to ensure the loan pricing is in line with overall
Risk of distortions due to loan pricing in the market to avoid potential distortions (e.g. sub-market pricing
1.2 Loan pricing
pricing could attract mis-appropriation; excessive pricing could conflict with social
motives or lead to adverse selection)?

Risk of insufficient protections or o Are there safeguards to control loss norms (e.g. frequent test of
Protections or risk
1.3 risk mitigations in the loan repayments, loan maturities, collateral, guarantees, credit insurance,
mitigations
products mandatory risk fund, etc.)?
 o Are policies in place to cap exposure to clients over multiple loan
Risk of over-exposure to a single products?
1.4 Loan exposure
client or group of related parties o Are client exposure to guarantees also assessed?
o Are policies in place to cap exposure across related parties?

Evaluation: Product structure

enter risk weighting below
2. PORTFOLIO STRUCTURE 35%
o Is there a regular review of portfolio to identify potential over-
concentration in the portfolio (by product, geography, industry, borrower
Portfolio Risk of over-concentration in the
2.1 type, business unit, loan officer, etc.)?
concentration loan portfolio
o Does the organization establish concentration limits in place to control
risky areas?

Risk of credit deterioration due to o Does the review of portfolio take into account the potential hidden risk due
2.2 Portfolio growth
fast expansion to rapid loan growth?

o Is it possible to review or inspect the quality of each loan in the portfolio in

detail (e.g. is it possible to retrieve borrower credit information in addition to
Portfolio Risk of inadequate portfolio
2.3 basic client information)?
management tools management tools
o Does the organization utilize its client database to develop statistical tools
to manage the lending process?

Evaluation: Portfolio structure

 enter risk weighting below
3. CREDIT POLICY 40%
o Are there effective target market screening criteria or screening tools to
assist client selection?
Application Risk of inadequate application o If so, are there screening tools which are statistically designed to aid in
3.1
screening screening criteria the screening process?
o Where there are multiple products, are screening criteria and tools
customized by product?

o Are there clear standards and procedures for conducting a

comprehensive credit analysis?
o Are there policies specifying what information and documents should be
3.2 Credit Analysis Risk of insufficient credit analysis
collected?
o Is guarantor and collateral assessment required as part of the credit
analysis?

o Is there a clear policy to specify who has the authority for loan approval
Risk that credit decisions are not
differentiated by risk level and loan amount?
3.3 Approval authority controlled at the appropriate
o Is there a clear policy to specify who has authorization to grant approval
level
authorities and on what basis?

Risk of having unclear approval o Are there clear risk acceptance standards to guide credit decision
3.4 Approval criteria
criteria making?

o Is credit accountability clearly defined in the policy?

Risk of not having clear
3.5 Accountability o Is credit policy clearly defined who has ownership over credit quality,
ownership of credit quality
including the individual with primary responsibility for loan quality?

Risk of having unclear o Are there clear policies for monitoring clients after loan disbursement?
3.6 Monitoring monitoring requirements post o Are there requirements of client visits or meetings after disbursement?
disbursement o Are post-lending visits or meetings recorded?

o Does the organization set aside general reserves and specific loan loss
reserves in a prudent manner?
Risk of not making reasonable
o Are there provisioning policies to specify the time for provisioning of
3.7 Provisioning provision against potential credit
overdue loans?
losses
o Are the provisioning policies reviewed on a periodic basis in line with the
specific situation of the organization?
o Are there clearly documented procedures for collection actions, with
Risk of having unclear collection escalating measures depending upon the severity?
3.8 Collections
requirements o Do collection policies specify the reporting of collection activities within the
organization?

Risk due to lack of or inadequate o Is there a robust stress testing framework that evaluates the real quality of
3.9 Stress testing
stress testing framework the loan portfolio?

Evaluation: Credit policy

enter risk weighting below
4. OTHER RISKS 0%
4.1
4.2
4.3
4.4
4.5
Evaluation: Other

EVALUATION: CREDIT RISK

Recommendations
 INFORMATION TECHNOLOGY RISK

Information technology risk is the risk of loss due to inadequate IT systems infrastructure.

A MFI should have robust, responsive and properly scaled IT systems infrastructure in order to identify and monitor current and future risks, while systematizing business processes and controls. The IT
system's ability to generate standardized, timely , and accurate reporting is also a key component in an organization's risk management framework.

IMPACT NET RISK

SUMMARY RISK DESCRIPTION RISK ASSESSMENT
( L/M/H ) (1-5)

LIKELIHOOD

mm/dd/year

mm/dd/year

mm/dd/year
XX/XX/2014
ID REF NO.

SEVERITY
CATEGORY RISK INDICATORS CONTROL GAP

enter risk weighting below

1. SYSTEMS 100%
o Does the organization have a robust loan management system in line with
the complexity and scale of the operation?
System Risk due to lack of or insufficient
1.1 o Does the organization have a robust accounting system in line with the
Infrastructure IT systems infrastructure
complexity and scale of the operation?
o Is the loan management system and accounting system linked?

o Are the functionalities of the IT system sufficient to support the

requirements of the organization in regards to operations, controls and
reporting?
Risk due to lack of or inadequate
1.2 System Features o Is there a mechanism in place to identify the gaps in IT system
system functionalities
functionalities?
o Is there a procedure to ensure that IT system gaps are addressed through
new requirements?

o Does each employee only have access to computers for his/her own
Risk of fraud or loss of data due work?
1.3 System integrity to system failures, breaches or o Are there passwords and levels of administration (e.g. data entry, data
improper usage viewing rights, etc.) in the IT system?
o Does the IT system have backup procedures and audit trails?

o Is there a periodic spot-checking of the IT system to ensure data entry is

Risk that the IT system does not accurate, complete and timely?
1.4 Data integrity produce accurate, complete, o Is there a dedicated person/function for handling data entry?
and/or timely data o Is data periodically backed up?
o Is there restricted access to sensitive data?

Risk due to staff not being o Is there periodic training to help staff utilize the IT systems correctly?
1.5 System Training properly trained on the use of the o Are there manuals, tutorials, and help screens available for staff, in
IT system addition to training?
 o Is there a qualified in-house or outsourced team for maintaining and
Risk of not having sufficient IT upgrading the system?
1.6 System Support
systems support o has there been experience with external support? Is it available and and
what price levels?

Evaluation: Systems
 enter risk weighting below
2. OTHER RISKS 0%
2.1
2.2
2.3
2.4
2.5
Evaluation: Other

EVALUATION: INFORMATION TECHNOLOGY RISK

Recommendations
 LIQUIDITY & MARKET RISK

Liquidity risk is the risk of loss due to an organization's inability to meet its payment commitments or finance new loan growth.
Market risk is the risk of loss due to re-pricing of assets and liabilities.

A MFI should manage liquidity risk to avoid cash shortages and ensure sufficient funding for new loan demand and savings withdrawals (for deposit-taking lenders). A clear overall funding strategy, as well as
detailed ongoing forecasts of cash inflows and outflows, are several key components to manage liquidity risk. To protect against market risk requires constant monitoring of the interest rate environment, and an
active strategy to ensure assets and liabilities are properly matched within tolerance limits set by the organization. Tools for evaluating the impact of potential liquidity and market shocks are also important for
better understanding of these risks.

IMPACT NET RISK

SUMMARY RISK DESCRIPTION RISK ASSESSMENT
( L/M/H ) (1-5)

LIKELIHOOD

mm/dd/year

mm/dd/year

mm/dd/year
XX/XX/2014
ID REF NO.

SEVERITY
CATEGORY RISK INDICATORS CONTROL GAP

enter risk weighting below

1. IDENTIFICATION & MEASUREMENT 40%

o Is the topic of liquidity and market risk on the organization's radar screen
o Does the organization have a comprehensive well-documented policy to
Risk of not having a
identify, measure, and manage liquidity and market risks?
comprehensive framework for
1.1 Framework o Is the policy periodically reviewed and updated by the management and
liquidity and market risk
approved by the Board?
management
o Is there a dedicated person and/or function for managing liquidity and market
risks?

Risk that the specific set of

qualifications required to o Do the people responsible for liquidity and market risk have the necessary
1.2 Staffing properly manage liquidity and qualifications?
market risk is not available o Are there succession plans in place?

Assets Risk of not having a clear o Does the organization have a clear definition of which assets are classified
1.3
classification definition of liquid assets as liquid and non-liquid?

o Does the organization have a clearly documented methodology and

procedure for forecasting cashflows, contractual maturity mismatch and
Cashflow Risk of not properly forecasting liquidity gap on a periodic basis?
1.4
forecasting cashflows on a periodic basis o Are all material cash inflows and outflows accounted in the forecasting
methodology (e.g. off balance sheet commitments and liabilities)?
o Does the organization produce a regular report?

Risk that a reliable and
functional MIS system is not in
1.5 Technical Support place to produce the required
data for liquidity and market risk
reporting
o Does the MIS system produce reliable, timely, and accurate cash flow tables
for deterministic cash flow streams?
o Does the MIS system produce reliable, timely, and accurate transaction data
that can be used as a basis for statistical analysis of client behavior?

Risk due to lack of a

o Are liquidity and market risks assessed both on an individual entity basis and
1.6 Consolidation
consolidated view of risk
a consolidated basis, if the organization have multiple entities?
exposures
Evaluation: Identification & Measurement
enter risk weighting below
2. MANAGEMENT 40%
 o Does the organization monitor interest rates within and across entities and
business lines?
o Does the organisation produce a gap report for maturity bucket? Is the
sensitivity of the open risk positions calculated?
Risk due to lack of or inadequate
Monitoring o Does the organization calculate a Value at Risk?
2.1 monitoring of interest rate risk
interest rate risk
o Is there a liquid market to manage interest rate risk?

o Does the regulator require interest rate risk monitoring and how
sophisticated is the requirement? Is it sufficient to adress interest risk?
o Does the organization monitor liquidity within and across entities and
business lines?

o Does the organziation produce a cash flow analysis for the next 30 days and
how solid is the calculation?
Risk due to lack of or inadequate
Monitoring liquidity o Does the organization use a professional monitoring tool to manage liquidity
2.2 monitoring of liquidity risk
risk risk?
o How complex is the asset and liability structure?

o Is there a workflow tool in place which allows projection of future business

(e.g approved but not disbursed loans, early extended term deposits)

o Does the organization monitor foreign exchange risk?

o Does the organization produce a gap report for maturity buckets? Is the
Risk due to lack of or inadequate
Monitoring foreign sensitivity of the open risk positions calculated?
2.3 monitoring of foreign exchange
exchange risk o Does the organization monitor foreign exchange rate development?
risk
o Does the organization have an early warning monitoring system for foreign
exchange risk?

o Does the organization monitor its funding needs?

o How complex is the funding structure (is there funding in the local banking
market or mainly from development finance institutions and microfinance
Monitoring funding Risk due to lack of or inadequate investment vehicles?)
2.4
risk monitoring of funding risk o Is the insitution exposed to funding instruments with very short term legal
maturities (current accounts/savings accounts?)

Risk that the impact of external o Does the organization have an early warning monitoring system (EWS)?
factors such as macroeconomic o Is the EWS looking at reasonable input factors?
Monitoring of the
developments, exchange rates,
2.5 external
trade balance, etc.) are not o Is the EWS looking at forecasting indicators (an EWS looking at spot
environment
properly assessed vis-à-vis exchange rates is projecting risk)?
liquidity and market risk

o Does the organization have a clearly documented methodology for setting up

Risk due to lack of liquidity risk
2.6 Limits setting and market risk limits, or limits
being inadequately set
liquidity and market risk limits?
o Are these limits periodically reviewed, updated and approved by the
management and/or the Board?
o Are there clear procedures in place what to do in case of exceeding limits?
 o Is there access to hedging instruments for the management of foreign
exchange and interest rate risk?
o Can products be traded quickly, at reasonable amounts, and at stable
Available Risk of the lack of instruments
prices?
instruments to for managing (hedging) market
2.7
manage market risk or the lack of experience in
o Has the organzation set up relationships with other market participants to
risk managing hedging instruments
quickly access hedging instruments?
o Does the institution have experience in dealing with hedging instruments?

Risk due to lack of liquidity

o Does the organization have a reserve fund of the appropriate size to meet
2.8 Liquidity cushion cushion for the timely repayment
unexpected demands for cash?
of liabilities

Collateral Risk of lack of or inadequate o Does the organization actively manage and monitor collateral to mitigate
2.9
management management of collateral liquidity risk?

o Does the organization have a formally documented contingency plan at

Contingency Risk of not having a contingency different levels of the organization?
2.10
funding plan funding plan o Does the organization have backup funding lines that can be utilized in a
case of liquidity crisis?
Evaluation: Management 1
 enter risk weighting below
3. MODELLING and STRESS TESTING 20%

o Is there a robust stress testing framework that evaluates impacts from the
scenarios on liquidity and market risks?
Risk due to lack of or inadequate
3.1 Stress testing o Do stress testing scenarios take into account the risks and lessons learned
stress testing framework
from the most recent crisis?
o Are stress testing scenarios subject to regular reviews and reappraisals?

Risk of not testing plausible o Does the organization have the ability to build resverse stress testing (i.e.
Reverse stress
3.2 scenarios outside normal stress use potential, negative outcome to model scenarios that could potentially
testing
testing requirements affect the organization in a significant manner)?
Risk due to non compliance with o Are there minimum regulatory requirements for scenario testing?
Regulation &
3.3 prevailing regulations regarding o If so, is the organization's stress testing compliant with the regulatory
scenario setting
stress testing requirements?
Risk that standard reports for
o What is the quality of the existing stress testing models?
stress testing are too complex
Standard
3.4 and/or difficult to understand
Reporting o Do the models produce quality results that are presented clearly to various
concept and easy to read.
stakeholders within the organization?
Evaluation: Stress testing
enter risk weighting below
4. OTHER RISKS 0%
4.1
4.2
4.3
4.4
4.5
Evaluation: Other

EVALUATION: LIQUIDITY & MARKET RISK 0.40

Recommendations
 Risk XX/XX/2014 mm/dd/year mm/dd/year mm/dd/year
Governance Risk
External Risk
Operational Risk
Information & Technology Risk
Credit Risk
Liquidity & Market Risk 0

Weight (%) Risk XX/XX/2014 mm/dd/year mm/dd/year mm/dd/year

100% Governance Risk
20% Board Structure
20% Board Oversight 0
20% Management 0
20% Audit
20% Reporting
0% Other Risks

100% External Risk

100% External environment
0% Other risks

100% Operational Risk

5% Loan Promotion
10% Loan Application
15% Loan Analysis
10% Loan Approval
15% Loan Disbursement
25% Post Lending Collecting & Monitoring
10% Staff
10% Physical and Information Security
0% Other Risks

100% IT Risk
100% Systems
0% Other Risks

100% Credit Risk

25% Product structure
35% Portfolio structure
40% Credit policy
0% Other risks

100% Liquidity & Market Risk 0

40% Identification & Measurement
40% Management 1
20% Stress Testing
0% Other risks
 ce

l
na
an

ty
io
l a
n

di
at
rn
er

t
di

ui
r
te
ov

pe

re

q
Ex

IT

Li
G

/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
/ /
C
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / #REF!
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /
/ / / /