Credit Risk, Operational Risk However, we are still not done with all the risk categories and in this last section, we shall discuss another important risk called Strategic risk.
Strategic Risks
Strategic risks are risks related to weak governance, weak leadership, poor strategic decisions as well as risks due to regulatory and administrative reasons. These are high impact risks and can adversely affect the organization for the long-term.
Providing governance is the job of the Board of Directors. It is a process through which the Board ensures that the organization achieves its mission. Board directs and guides the management on various strategic issues, designs policies and reviews various reports to see that the organization is on the right way to achieving its vision and mission. However, if the Board of Directors were to take wrong decisions, design poor strategies or fail to review performance or take corrective measures in time, the organization runs. Board has to ensure that regulation s of the land are followed otherwise the organization may go out of the regulatory framework prescribed by the government and jeopardize the existence of the institution. For providing good governance it is very important that the individual Directors of the Board are themselves well qualified and experienced and have clarity about the mission of the organization. The Directors themselves have to be convinced of the mission. The Directors have to work as a cohesive unit, if there are conflicts among the Directors then the Board will not be able to provide the right direction to the MFI. As the MFI s evolve into a structured organization, Strategic risk gains more and more importance. Since MFIs have to deal with issues of varied nature it is advisable that MFIs have Directors who also have diverse skills. There could be a mix of people with social, finance, banking and law background. An important aspect of the micro-finance business is that although MFIs strive to become sustainable profit maximization is generally not the objective. The Board and the top management of the MFIs have to strike a balance between social objectives and commercial viability of an MFI. Therefore, it is necessary that the Board have people who can appreciate this kind of mission. If the Board cannot appreciate this kind of mission then there is a high probability that the MFI can from its mission. Another very important aspect of strategic risk is regulatory risk. Regulatory risk refers to the risk of non-compliance with the legal requirement as prescribed by the regulations. Micro-finance in India has mostly evolved from not-for-profit societies or Trusts, which are not strictly regulated as compared to finance companies. As the MFIs grow in Societies and Trust may not be a suitable legal from the carrying out Micro-finance. MFIs are aware of this is why we now see many MFIs transforming from one legal entity into another for the sheer reasons of controlling the regulatory risk by adopting a suitable legal form. MFIs have the option to co-operative, not-for-profit Companies or non-banking finance companies. It is a strategic choice for the MFI to adopt a correct legal form, which is most silted to its vision and mission and enables it to do what it is meant for. Here again, Board has an important role to play in deciding the suitable legal form for the MFI and to oversee the smooth transformation. When the micro-finance started many MFIs were accepting public deposits even though it was not allowed. However, the increasing awareness and the realization of the risk it accompanied had most of the MFIs refund client savings. Regulatory risks are very serious in nature as they can bring the MFI in conflict with the law of the land. It is the responsibility of the top management to comply with all the legal requirements to avoid attracting such risk. It is also good to maintain cordial relations with the authorities by updating them on the MFIs activities. Another form of strategic risk that has become important in recent times is of Political or administrative interference. As the MFIs are generally dealing with the poor their performance is subject to the scrutiny of politicians, administrators and civil society. Various stakeholders have different interests in the clientele that MFIs serve. It could be a vote bank for some, while some stakeholders may genuinely be concerned about the protection of the basic rights of the vulnerable sections. Issues of interest rate, the recovery process, penalties, staff behavior with clients are all very sensitive matters and can easily become big socio-political issues. Any behavioral lapse or any poor policy on part of MFI can bring disrepute to the institution. There could be violent protests, which can result in loss of portfolio, fixed assets and can even be dangerous from the perspective of staff security. There have been cases in India where MFI staffs have been threatened and offices vandalized over issues of interest rates and MFI staff coercion for repayments. These are risks, which have to be dealt with immediately by the top management and the Board. It is also necessary to always be aware of this kind of strategic risk, which can fast spurn out of control. Strategic risk can also emanate from very rapid growth and expansion. This is quite a pertinent risk in the current scenario with most of the MFIs growing very rapidly. The rapid expansion means going to new areas, recruiting new staff and operating through them, making fast disbursements and also arranging for funds. Fast growth increases the volatility in the system and is therefore risky. Going to new areas or running operations through new staff has its own risk. It is also necessary that all the systems such MIS, internal controls also keep pace with the growth. If the systems do not keep pace with the rapid expansion it can result in losses. Also, it requires high coordination at the top management particularly between the Operation Manager and the Finance Manager. This issue was discussed while discussing liquidity risk. Coordination is also required among other departments such as HR, which is responsible for recruitment, training and promotion of staff. With the expansion, the staff has to be fast recruited, trained and promoted. It is important therefore that growth is planned and coordinated. MFI has to ensure that all the systems and funding plans are in place to support rapid growth.
Managing Strategic Risks
In order to manage strategic risk, it is necessary for the MFIs to have a clear vision and mission. Many MFIs still do not consider vision and mission statements as important and many consider it just a mere formality. However, it is absolutely necessary for an MFI to clearly define what it wants to achieve. A clear vision can guide the organization and often help it in taking many strategic decisions. Once an MFI has a clarity of its own mission then it has to choose the right kind of board members who agree with the mission of the organization. The Board should be a mix of people having a variety of skills and strengths. They should be able to provide strategic guidance when the organization needs to make critical decisions. The board should also be proactive in assessing risk and set acceptable levels of risk. Transparency is an important issue, which can help, in managing political and administrative risks to a large extent. MFIs should maintain transparency on its interest rates and other policies. It should also regularly report its information through Annual reports and at other forums. Board device strategies to keep various stakeholders informed about the activities of the organization and direct the management to implement fair policies. MFIs should try and involve and interact with various stakeholders such as government authorities, local political leaders and media persons on the organization’s philosophy, its activities and other policies. Business ethics is another important factor that cannot be comprised with. With the micro-finance sector has gained a lot of recognition and is exposed to a larger audience. This makes it indispensable to define ethical behavior and code of conduct while dealing with clients. Any deviation from this should be seriously dealt with. It has to be considered that sometimes strict policies on repayment and staff benefit linked to repayments can also boomerang. While designing such policies it is necessary to be aware of its pros and cons and limitations. The effect of the organization’s policies, as well as the impact of regular operations, has to be monitored Mechanisms within the organization are needed which can provide direct feedback to the management and the Board on the field realities, client satisfaction levels and small issues which can emerge as big strategic threats. There should be an immediate response from the top to address sensitive issues of socio-political, regulatory, administrative or communal nature. With the growth in the size of MFIs as well as of the sector, the complications also increase making governance increasingly complex. In big size institutions the stake of all involved parties such as equity investors, lenders, regulators also increases and hence Board has to assume greater responsibilities in providing good governance, which only can keep strategic risk under control.
Risk Management Framework
We have discussed the various risks that MFIS is exposed to. We had discussed earlier that risk management is a continuous process of identifying risk and addressing them to keep them under acceptable limits. Also, the risk management framework has to be pro-active and forward-looking rather than just reactionary. MFIs need to constantly identify the risks and measure them and then design suitable policy interventions to address those risks. GTZ has come out with an effective risk management framework. According to it a good risk management framework in an organization should have the following features. • MFI should have processes in its regular operations to identify measure and monitor different types of risks that an MFI is exposed to. • Should have continuous feedback loop between identification, measure, risk and processes to manage them. In simple terms, there should be processes to identify risk and the report on this should be provided to departments managing them. Based on this feedback management will improve the process to manage risk. • Management should consider different risk scenarios and be prepared with some solution if the risk comes true. • Should encourage cost-effective decision-making and more efficient use of resources • Create an internal culture of “self-supervision” that can identify and manage risks long before they are visible to outside stakeholders or regulators.
For effective management of risk ‘Risk Management Feedback Loop’, which is a six-step cycle, can be followed. The six steps of the cycle are:
- Identifying, assessing, and prioritizing risks. 2. Developing strategies and policies to measure risks. 3. Designing policies and procedures to mitigate risks. 4. Implementing and assigning responsibilities. 5. Testing effective and evaluating results. 6. Revising policies and procedures as necessary. This feedback loop is a management tool and can be followed are various levels. E.g. a Branch Manager can follow the loop for his/her branch while a CEO can follow it at the organization level. The exercise can be done from time to time to take stock of the risk scenario and be prepared accordingly. The type of risks identified and their severity will changes from time to time, hence it is necessary to constantly carry out this risk analysis.
This section draws from GTS’s Risk Management Framework for MFIs, July 2000
Identifying, assessing, and prioritizing risks:
The first step in the risk management cycle is to identify different risks. In the above sections, we had discussed the genepageral categories of risks that MFIs face. However, here specific risks pertinent to the MFI have to be identified. E.g. liquidity, legal compliance, competition, portfolio quality, reputation, etc can be identified as the risks for an MFI. Once the risks have been identified it necessary to assess the possibility of the adverse event occurring. Based on this information the MFI has to prioritize the risks. This can be done using a risk management matrix. The MFI can lay down all risks in the form of a risk management matrix, which can help it in prioritizing the risks. In the risk management matrix, MFI lists down all the risks it is exposed to. In the second column of the table above, it tries to assess whether that threat is low, moderate or high for it. In the third column it is assessed that how are the existing risk management system within the organization to counter that threat; whether they are weak, acceptable or strong. The fourth column makes the final assessment on the risk exposure of the organization based on the aggregate of the previous two columns. If the quantity of risk is high and the quality of risk management is weak then the aggregate risk is high. The management needs to take as active as it is exposed to that particular risk and does not have sufficient systems to counter it. The fifth column shows the trend of risk as compared to the last time when a similar exercise was done. E.g. the first risk Credit Policy and underwriting shows aggregate risk profile as ‘moderate’ and direction as stable. This means that while the last time such an exercise was done, the aggregate risk on this parameter was ‘moderate’. Since it was ‘moderate’ last time and now, the direction is ‘stable’. This means that it is not going up or down. Similarly, in Portfolio monitoring and collection risk profile is ‘high’ and direction is ‘stable’. This is not good as despite being recognized high last time it still remains ‘high’ which is not good. Efforts should be made so that the trend is ‘decreasing’ for high risks and stable for low risks. The direction gives the information that whether the steps taken to counter that risk have yielded sufficient results or not. If the risk profile has been stable at a high level or it has been increasing then it is a warning for the management to react fast or modify its risk management approach for that particular risk. However, if it has been coming down then it is a signal that risk management for that particular risk is in the right direction. Developing strategies and policies to measure risks: Once the risks have been identified and prioritized the MFI has to design suitable policies to measure these risks. The top management and the board generally set policies for the measurement of risk and the acceptable limits of risk. It is a strategic decision to decide the levels of risk that the organization is willing to take. An organization may take an aggressive stand and go for rapid growth in the beginning and may be willing to take the associated risk while another organization may like to have gradual growth keeping the risk profile low. The Board plays a crucial role in designing such strategic and deciding what kind of risks have to be avoided, controlled, accepted, or transferred. Cost-benefit evaluations, business targets, capacity to absorb risk and external environment are some of the factors that are taken into consideration while making a decision on risk strategy. Designing policies and procedures to mitigate risks: Once the policies for risk measurement and acceptable thresholds of risks have been set, the MFIs then have to design policies and systems to mitigate risks. All policies and procedures of each department are documented in the form of manuals. Operation Manual is one of the most important manuals, which documents all the policies and procures for the operation department and plays a vital role in controlling credit and operational risk. All policies related to disbursement, collection, cash handling, cash deposition, cash limits, the process of recording, reporting, reconciliation of records, signatories, limits and authorities are to be clearly defined in the Operation Manual. Similarly, clear policies on human resources regarding recruitment, training, incentive/disincentive systems, disciplinary action, promotions, employee benefits and code of conduct have to define. Another important manual is on Internal Audit, it is necessary that clear policies on the internal audit are developed. It should lay down the policies on the frequency of audit, forms and formats for audit, the scope of the audit, a methodology to be followed, samples to be taken and the reporting system. Such clearly laid out policies and processes are critical for risk management. Lack of polities results in lack of standards to be followed and in dilution of control. Implementing and assigning responsibilities: Once the policies have been framed it is very important that they are implemented by assigning specific roles and responsibilities to each staff. Without setting responsibility it is not possible to hold anyone accountable for the lack of implementation or for any deviation. It is also important that policy deviations be taken as a serious issue within the organization. If there are deviations those responsible for implementing such as Branch Manager, Area Manager, Operation Manager, Internal Auditor, etc. have to be held accountable. There should be clear procedures for handling cases of policy deviations. These could be in the form of asking for a written explanation, marking in the personal staff file impacting promotion, adversely influencing the incentives, supers ions or even dismissals based on the severity of deviation from the policy. It is also important that any modifications or changes in policies are clearly communicated across the staff and the manuals are regularly updated and copies of manuals are made available to staff at all levels. Testing effectiveness and evaluating results: Once the policies have been implemented the top management has to evaluate the results. It should receive regular information from the field and should evaluate how effective the policies have been in mitigating the risks and whether the policies have been able to contain the risks within acceptable limits or not. MIS and reporting system plays a crucial role in this. Effective MIS can generate timely and accurate reports, which has to reach in an appropriate form to different levels. Field information should reach the branch on daily basis. This could be in form of details of groups, new clients formed, dropouts, overdue, etc. While Area office should get the consolidated branch information. An Area office may have several branches under it, so all the reports of various branches should get added at the area level and to form an area level report. The same information should be further consolidated Area wise to be sent to Head Office. Head Office should also receive this information in a reasonable time, which could be weekly. Although with the intervention of technology, particularly MFIs working in urban areas can consolidate all information and Head Office can receive it on daily basis. However, even in remote areas, the information should reach the Head Office can evaluate results and see the effectiveness of its policies. Performance should be reported to the Board, which can then take further actions based on the results. The Board must receive concise reports, which can enable it to understand the overall performance through critical indicators. Report to Board must include. (i) Details of disbursements, repayments, saving collection – product-wise breakups (ii) New clients formed, dropouts, the net growth in borrowers and savers – product-wise breakups (iii) Variance analysis: comparison of targets and achievements and variances (iv) Portfolio quality PAR with aging, repayment rates (v) Profitability: Operation Self-sufficiency, Return on asset (vi) The trend of ratios: PAR, OSS, Return on the portfolio, capital adequacy, staff/branch efficiency (vii) Funding situation – funds required and current position (debt/equity) (viii) Financial statements: Balance sheet and income statements This is the most critical information that must be reported to the Board. In addition to operation reports, the Internal Audit report, which is presented directly to the Board, provides valuable feedback on the overall risk environment of the organization. It enables cross-verification of the operation reports and results being presented to the Board, as Internal Audit is an independent check. Revising policies and procedures as necessary: If on the evaluation of results it is found that the policies and processes have not been effective in managing the risks then they have to be revised and redesigned and then re-implemented. It has to be evaluated whether the policy implementation has brought the risk down to the acceptable levels and has it been working as expected. If the results are not as per expectation then the policies have to be revised and fine-tuned and re-implemented. The risk management loop is a good tool that can help in proactively managing the risk and keeping them under the limits that the MFI considers acceptable.
