Ramesh S Arunachalam
Rural Finance Practitioner
One of the most important fallouts of the recent crisis has been the apparent lack of and/or failure of risk management at many MFIs. There are several observations I have here and these are articulated below, not in any order of importance:
Internal Controls for Financial Reporting Vs Risk Management: In many MFIs, the (sole) focus on internal controls was mainly for the purpose of financial reporting. This resulted in risk management getting divorced from strategy and its implementation. Also, in several MFIs, the basic tenets of internal control, particularly those pertaining to operating risks, were not followed.
Risk Handled in Piecemeal Fashion: In a few cases, the enterprise (or MFI) as a whole was not considered and risk was handled in a piece meal fashion – so much so that even the boards were completely out of touch with the (risk management) systems in place. Thus, a holistic and comprehensive perspective on risk was lacking
Risk Management Mistaken with Risk Elimination: In one MFI, effective risk management was seen as eliminating risk taking and that is perhaps an inappropriate view of things. MFIs and other stakeholders must understand that RISK is a fundamental driving force in any activity including the business and entrepreneurship of micro-finance. Therefore risk elimination is perhaps strictly not possible. The aim must be to ensure that risks are understood, managed and, where appropriate, communicated throughout the organization, so that the whole MFI can be ready for it, as and when it becomes significant.
Inability to Seriously Anticipate and Properly Manage Political Risk: In several MFIs, the present political risk was neither (seriously) anticipated nor managed on an institution wide basis. People (initially) looking at this risk were perhaps either far too junior or lacked the requisite contextual experience and often, there seemed to be no serious guidance from senior management/board. Most importantly, boards were, in a number of cases, ignorant of the key (political and other key) risks facing their MFIs and came into the picture, much later than required
Lack of Board Involvement in Establishing/Overseeing Risk Management Structure: Without question, the effective implementation of risk management requires involving the Board in both establishing and overseeing the risk management structure. This did not happen and in many MFIs, the Board neither reviewed nor provided guidance about the alignment of overall (Corporate and Micro-Finance) strategy with risk-appetite and the internal risk management structure.
Lack of Independence of Risk Management and Control Functions: To assist the Board in its work, risk management and control functions need to be independent, reporting directly to the Board. However, this was seldom the case and as a result, risk perceptions often got altered by line management (and other staff) and were perhaps not fair representations of the true risk confronting the MFI (A situation akin to not wanting any bad news, often, without realizing that timely bad news affords a great chance to have appropriate on-course corrections). Sometimes, a true picture of the risks perhaps never reached the board, which was left high and dry when the same affected the organisation
So, how then can the Governance of Risk Management be improved in MFIs?
Here are some ideas…for what they are worth and what they are not…
Risk Assessment and Corporate Governance
1. Sound corporate governance at MFIs can enhance the quality of risk management including the processes adopted. As Governance involves many stakeholders, each with specific assigned responsibilities, they need to ensure that the system as a whole is geared to support the overall corporate and business strategy and ensure the effectiveness of the internal control mechanisms.
2. While board of directors is certainly not expected to understand every nuance of the micro-finance business or to oversee every micro-finance transaction, they surely need to ensure that management does that using an organized hierarchy of responsibilities. The board, however, does have the responsibility to set the tone regarding their MFIs risk-taking (preferences) and to oversee the internal control processes so that they can reasonably expect that their directives will be actually followed during implementation. They also have the responsibility to hire individuals who they believe have integrity and can exercise a high level of judgment and competence.
Risk Management and Internal Controls
3. Boards of directors also need to be responsible for ensuring that their MFIs have an effective audit process and that internal controls are adequate for the nature, scope and scale of their micro-finance business. The reporting lines of the internal audit function should be such that the information that board (of directors) receives is impartial and not unduly influenced by (line and other) management. Internal audit is a key element of management's responsibility to validate the strength of internal controls. This aspect should not be underestimated.
4. Internal controls are the responsibility of line management and line managers must clearly determine the level of risks they need to accept to run their micro-finance business (in accordance with the board’s overall risk appetite) and to assure themselves that the combination of earnings, capital, and internal controls is sufficient to compensate for the risk exposures. This again is a very critical issue.
Risk Management, Growth and Corporate Governance
5. Internal controls and sound governance become even more important when the MFIs’ operations move into higher-risk areas – like the kind of growth that MFIs experienced during 2007 - 2009. Indeed, when changes are happening as they have in the last three years in Andhra Pradesh, control failures will increase significantly. Rapid growth, introduction of new (adapted) products and delivery channels (use of agents for example) are examples of situations that put stress on the control environment.
6. When these types of changes occur, "people risks" escalate. These are risks that are related to training employees in new products and processes. Employees who join the MFIs need to learn the culture of the company and the control environment. Employees unfamiliar with their new responsibilities--the systems they use, their changing client profile, the services they provide customers, the oversight expected by their own supervisors and members of internal control functions--are all more likely to create control breaks. As a result, MFIs need to be wary of and manage people risks appropriately and in timely fashion, through a good human resources function.
7. Rapid growth and change also modify the relative risks to an MFI. For example, the pressure to beat a competitor to market with new/same products (as has been the case in Andhra Pradesh in the last three years) may shortcut the design-review process and omit an important control. In fact, significant controls that were there in the original Grameen (or even India Adapted Grameen) have perhaps been forgotten and that is why we hear of unsound lending and coercive recovery practices, with regard to MFIs today. It is time that MFIs revisit their original model and bring back features that facilitated borrower preparation (so significant in the original Grameen and other models), client protection and client dignity. That would be a very useful strategy to minimize and counter political risk…
8. Many of the MFIs that have been the center of the recent AP crisis also demonstrate some similar characteristics. Barring a few exceptions, they are mostly led by hard-charging entrepreneurs whose ability to think outside the box pioneered advances in the business of micro-finance. But the personalities of these individuals, in many cases, led to a focus on (perhaps even unmanageable) growth and as a result, inadequate time was spent on building the control infrastructure, much required in such an environment
9. Another form of people risk is internal fraud. When expectations of the market and supervisors, or pressures of professional/personal life become overwhelming, key staff may step over the ethical and legal boundaries and cover up errors or purposely commit fraud. There is good enough reason to believe that this may have been the case with several of the staff who have been found to be involved in recent frauds in Indian micro-finance. Again, the human resources function must take the driver’s seat and try and reduce (or if possible eliminate) unrealistic expectations and ease work time pressures – so that the staff are not forced to cross the line (or LAKSHMAN REKHA), with regard to ethical behavior on the job. An important aspect here is to ensure that there should be NO disconnect between strategy and risk management on the one hand, and incentives on the other. By incentives is meant not just remuneration but also other aspects such as promotion. That would also help in reducing ‘people risks’
To summarise, although risk management has become much more quantitative, considerable management judgment must be applied to the risk management process and this is what MFIs need to get their boards to facilitate. Frequent, small losses can generally be absorbed in the operating margin of the product or service. It is the low-probability, large losses that provide the greatest challenge. And, it is just such risks--the ones that can severely damage, if not kill, an MFI--that too many institutions do not formally take into consideration. Sometimes, I wonder whether MFIs thought lightly about the risk of political action (because the industry was after all widely regarded as the HOLY Cow of financial inclusion) and this gross underestimation is perhaps one of the main reasons as to why they were completely taken aback when this risk actually became a reality…in Andhra Pradesh…in October 2010…