Ramesh S Arunachalam,
Rural Finance Practitioner
First, let us look at the MFIs and try and outline what they should be doing and I will make a separate post on what regulators ought to be looking at…
The main elements of the sort of control systems needed (and more so now) are: (1) management oversight and the control culture; (2) risk assessment; (3) control activities; (4) information and communication; and (5) monitoring activities.
1) Management oversight and the control culture: The starting point is that the Board of Directors need to understand the risks run by the institution, to set the acceptable limits on these risks, and to ensure that senior management takes the steps necessary to identify, monitor and control these risks. Senior management must then take the responsibility to implement the strategies approved by the Board, to set appropriate internal control procedures, and to monitor the effectiveness of these procedures.
This makes it quite clear where the main responsibility for controls rests - and that is fairly and squarely on the shoulders of the institution’s Board of Directors and its senior management, not just on its compliance and audit departments. However, having said that, everyone in an institution shares the responsibility to some extent. A key task for the Board and senior management is to establish the right culture within the institution, a culture in which the importance of internal controls is stressed, and high ethical and integrity standards are promoted. This culture will be determined not simply by what the top levels of management say but what they do. For example, do the institution’s remuneration policies reward risk-taking at the expense of prudence? Does senior management display a casual attitude towards breaches of limits? Do they encourage the right attitude towards regulatory compliance? Is there backing and respect at senior levels for the internal audit and compliance functions? The response of the senior levels of the organisation to these kind of issues will determine how personnel lower down actually behave in practice, including their attitude to control issues.
2) Risk assessment: The important thing is to identify and evaluate every factor that could adversely affect the achievement of the institution’s objectives. This means not just the familiar risks of credit risk and liquidity risk, but also risks such as operational risk, legal risk and reputational risk. And this needs to be an ongoing process, continually re-evaluating the risks and reviewing the control systems to address these risks.
3) Control Activities: Control activities need to be an integral part of the daily operations of an institution. Examples of this include: top level reviews of performance and risk exposure; appropriate activity controls that monitor performance and exceptions at the departmental or branch level; segregation of duties; physical controls on access to assets; periodic checking for compliance on various aspects; a system of approvals and authorisations for transactions over certain limits; and a system of verification and reconciliation of transaction details and activities. The objective should be to ensure that all areas of the institution are continually in compliance with established policies and procedures.
4) Information and communication: An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements. But having the information is only the first step. Equally important is the second step, that the information should get to the right people at the right time. Third, accuracy and transparency of information are critical.
5) Monitoring: Monitoring of the effectiveness of an institution’s internal controls should be a continual and ongoing process, and that monitoring of key risks should be an integral part of the daily operations of the institution. Effective and independent internal audit and compliance functions have an important role to play here. This requires these functions to have direct access to senior levels of the organisation so that potential criticisms of systems or transactions cannot be blocked by the line management concerned…