Risk Management: FAQs

Risk management is creating a comprehensive framework to manage the various inherent financial and non-financial risks facing financial institutions. It includes developing policies and procedures to identify, measure, monitor and control these risks. Risk management also entails having the proper staff resources, in terms of a chief risk officer or risk manager, internal auditor, and risk management and/or internal audit committees at the board level. Sound risk management aims to strike a balance on which risks are worth taking for the financial institution and how to minimize losses generated by those risks.

Risks in the microfinance industry can be categorized into institutional risks and external risks. Institutional risks are those under the direct control of the institution itself, such as corporate governance, management quality, credit risk, client management, and liquidity risk. External risks are those outside the control of the institution, such as changes in foreign exchange values or interest rates, client over-indebtedness, competition, reputation risk, political interference, etc.

Risks can also be classified as traditional financial risks (e.g. credit, foreign exchange, liquidity) and “higher level” or broader risks, such as reputational, political, and regulatory risks, as well as new risks emerging from the use of technology, such as mobile and agent banking. Traditional financial risks can typically be managed with competent staff, effective internal controls, and the proper policies, procedures and oversight. Emerging risks may require more sophisticated forms of management. To learn more about the various risks facing the sector, see the Microfinance Banana Skins, a yearly report that ranks the top twenty main risks in the sector and provides insights on why they’ve ranked as they have. The 2012 report found the top three risks in microfinance to be (1) over-indebtedness, (2) corporate governance, and (3) management quality.

The rapid growth of microfinance has left many institutions without an adequate understanding of the multitude of risks they face, especially in an increasingly competitive environment. In studying past crises in India, Morocco, Bosnia and Nicaragua, it is clear that microfinance institutions and the greater industry failed to recognize and act on the warning signs. These failures included MFIs taking unnecessary risks or miscalculating the negative effects of their actions. With more institutions entering the field and expanding, and more MFIs transforming into commercial banks, microfinance is becoming an increasingly risky business with exposure to fluctuations in the market, political uncertainties, and regulatory changes.

Most importantly, provider saturation in certain areas has increased the risk of client over-indebtedness. Implementing sound risk management policies, procedures, and staff helps ensure not only an institution’s financial stability, but also the protection of client well-being. In Governing Banks: MFI Edition, author Karla Brom maintains, “We must therefore ensure that risk management is not separate from, but an integral part of the MFI’s activities. All decisions regarding, for example, which business opportunities to pursue, which clients to accept, which products to promote, and, what firm-wide behaviors are acceptable all tie back to our board view on the appropriate level of risk to be assumed by the bank.”

Starting at the board level, there can be a variety of issues, such as a lack of board engagement, prioritization, and/or understanding of what risk management entails for the board. This can also include a general lack of understanding of the MFI’s risk exposure, risk culture, and internal controls to manage these risks, which is the first requirement for developing a sound risk management framework. Beyond that, the board may not be clear on their role in terms of risk mitigation. The board might also feel that they don’t have the appropriate tools or methodologies and, therefore, are limited in what they can do. Boards can also create problems for themselves when they wait until a risk is critical, instead of making risk management a frequent, regular topic of discussion.

Like the board, top management and staff also encounter difficulties when they have not prioritized risk management, which they need in order to manage the increasing risks they’re facing and to operate smoothly and sustainably. Some institutions also lack qualified staff and training to implement sound risk management. Another challenge is a lack of tools, resources, and guidance on risk management. The resources and best practices that do exist are not well known, organized, promoted, or implemented by the industry. For example, while most MFIs would agree that it is an industry best practice to have a risk committee on the board, 40% of MFIs that responded to a MIX survey said they don’t. Another 32% reported not having a risk manager, and 23% said they don’t have an internal auditor. Where MFIs did have either, “both functions tend to report to the CEO contrary to accepted best practice.” These numbers point to the possibility that MFIs either are not aware of these best practices or have not given them sufficient priority. To address some of these challenges and raise awareness about risk management in the industry, eight leading organizations in microfinance came together in February 2013 to form the Risk management Initiative in Microfinance.

Some of the main players working on microfinance risk management include: The World Bank, IFC, CGAP, Centre for the Study of Financial Innovation (CSFI), Center for Financial Inclusion (CFI), various independent risk consultants, investors, and the newly established Risk management Initiative in Microfinance (RIM). Other players, like MicroSave, MEDA, and Triodos Facet, have produced a number of tools on risk management.

Boards should play a proactive role in addressing all institutional and external risks, providing leadership and clear direction from the top. The first step is understanding the importance of risk management and what it entails. As part of the board’s role in setting the institution’s risk appetite when determining the MFI’s strategy, annual plans, and budgets, the board’s mandate should include monitoring that the risks being taken are in line with the mission and risk culture and not negatively impacting clients. In addition, the board should be monitoring and ensuring the effectiveness of internal controls, including establishing clear lines of accountability and requiring formal and regular information technology reports on risk, the regulatory framework and compliance supplemented. The board’s duty is to ensure a robust, independent, and authoritative risk management unit, with which the board communicates regularly.

Additional proactive risk management measures by the board include preparing for potential risk scenarios by conducting stress tests to see what would happen in different situations, like if funding costs or PAR increased, or foreign exchange rates changed significantly. MFIs and their boards should also prepare continuity of business (COB) and contingency funding plans (CFP) for major worst-case scenario risks, like natural disasters or severe and unexpected disruptions in funding.


Every institution works within certain limits when taking strategic risks to advance its business objectives and social mission. This is known as risk appetite and it reflects the MFI’s tolerance and risk culture. It addresses all forms of risk, including strategic, operational, financial, compliance, and reputational risks. Setting the MFI’s risk appetite is important to ensure that the full range of risks is adequately identified and managed.

The chief risk officer (CRO) has three main functions: risk reporting, risk monitoring and analysis, and representing the risk perspective on the management team. Risk reporting ensures that all necessary reports are being produced and are based on accurate inputs. The reporting process should be reviewed on an annual basis. Next, the CRO must monitor and analyze all risks – credit, market, operational, social performance, solvency, reputational risk, etc. – with a specific focus on where those risks overlap. Lastly, in representing the risk perspective on the senior management team (including the Asset Liability Committee, if it exists) and the board’s Risk Management Committee, the CRO provides input as needed when discussing new products, strategies, etc. and is responsible for stress testing and scenario planning.

The chief internal auditor reports directly to the board’s audit committee and can be appointed and dismissed only by the board. He or she monitors the activity of the MFI to ensure that it is always operating within its policies and defined objectives. It is their responsibility to provide assurance that the control systems work as designed and that the information supplied, both to management and the board, is accurate. The internal auditor is also in charge of monitoring the business activities for fraud and alerting the board to any such urgent matters as soon as possible.