GENERAL RISK MANAGEMENT MANUAL FOR CREDIT UNIONS · GENERAL RISK MANAGEMENT MANUAL FOR CREDIT UNIONS ... This General Risk Management Manual as prepared is intended for the ... (documents,

GRM Manual Version 2.8

GENERAL RISK MANAGEMENT

MANUAL

FOR CREDIT UNIONS

Ferdinand A. Ayisi and Bilal Yan Hagen

1st Edition, 2011

CUA - Ghana Co-operative Credit Unions associations Ltd

2 General Risk Management Manual

Contents

Abbreviations ............................................................................................................................................................. 3

I. INTRODUCTION .................................................................................................................................................. 4

Philosophy of the Credit Union Movement.................................................................................................... 4

To whom this Manual is intended for ............................................................................................................ 4

Philosophy of the General Risk Management ................................................................................................ 4

Who is responsible for the GRM? ................................................................................................................... 4

II. GRM FRAMEWORK ............................................................................................................................................ 5

2.1 Definition, purpose and objectives of the General Risk Management ...................................................... 5

2.2 Types of risks and risk categories............................................................................................................... 6

2.3 The General Risk Management Process................................................................................................... 10

Overview of the six steps of the GRM Process ............................................................................................. 10

Details about each steps .............................................................................................................................. 11

1) Identify and assess the risks .......................................................................................................... 11

2) Develop strategies to measure and prioritise risks ....................................................................... 12

3) Design policies and procedures to mitigate risks .......................................................................... 14

4) Implement controls and assign responsibility (preventive and detective control) ....................... 16

a. Internal Controls (preventive and detective control) .................................................................... 17

b. Internal Audit (detective control) .................................................................................................. 21

c. External Audit (detective control) ................................................................................................. 24

5) Test effectiveness and evaluate results (detective control) .......................................................... 25

6) Revise policies & procedures (corrective control) ......................................................................... 25

2.4 Role of CUA Ltd in the GRM of the CUs ................................................................................................... 26

2.5 Summary .................................................................................................................................................. 27

III. CONCLUSION.................................................................................................................................................... 28

Annex ....................................................................................................................................................................... 29

List of main risk areas ................................................................................................................................... 29



Abbreviations

BOD Board Of Directors (of a Credit Union)

BoG Bank of Ghana

CUA Credit Union Association

CUA CFF CUA Central Fund Facility

CU Credit Union

GRM General Risk Management

LPP Loan Protection Plan

LSP Life Saving Plan

MFI Microfinance Institution

MIS Management Information System

SC Supervisory Committee



I. INTRODUCTION

Philosophy of the Credit Union Movement

The credit union philosophy of self help and service takes the high road in human relationships. It

assumes the best in people, by working together members of a credit union improve their

economic and social well – being. Given this philosophy credit unions are still financial Institutions

and exist in the competitive financial world. They must follow broad business practices to protect

their assets against risks.

Risk is a part of business and human relationship, just as a credit union must manage its funds

efficiently, and risk must be managed wisely. Risk will never be eliminated; the goal is to lessen the

dangers – to manage risk.

To whom this Manual is intended for

This General Risk Management Manual as prepared is intended for the administration of the CUs,

especially the BOD, the Supervisory Committee and the CU-Management as well as for the CUA

staff involved in the risk management issues of the CUs, like Audit, Field Services, Deposit

Guarantee.

Philosophy of the General Risk Management

The approach of the General Risk Management is based on the iterative or dynamic risk

management process and the GRM Policy.

The GRM Policy is fixing the GRM procedures among the CU and giving guidelines, that are

providing channels and recommendations for the management for the main risk areas.

Though the GRM approach is given to the risk prevention a high weight and is a dynamic process

enable the society to adapt to new situation and introduce new risks in its risk management policy.

In complement to this manual, the CUA-GRM Department has developed GRM Policy for the CUs.

Who is responsible for the GRM?

The responsibility of the implementation of the General Risk Management policy lies with the CU,

especially the BOD of the CUs. The implementation itself has to be realised through the Manager of

the CU.

CUA Ltd brings a support in form of monitoring and training for the implementation of this policy.

The control of the implementation, effectiveness and improvement of the risk management has to

be assured through the CU. CUA Ltd has the role of monitoring the control by the Regional Offices

and the Field Officers. The main supervision falls on the Auditors from CUA Ltd and the DOC.



II. GRM FRAMEWORK

2.1 Definition, purpose and objectives of the General Risk Management

Definition of the General Risk Management

General Risk Management is the process of protecting the Credit Union’s Assets, Liabilities and

Resources from loss and damage. It may also be defined as a conscious attempt on behalf of

Savings and Credit Co-operative Management to indentify measures and control all exposures to

loss which are created by the activities in which the society engages. Savings and Credit Co-

operatives are confronted with risks on daily basis, regardless of the nature of the common bond,

size or location. The element of risk is found in all phases of Savings and Credit Co-operatives

operations.

The purpose and the objective of the General Risk Management Manual is as

follows

1) To identify the main risk areas associated in the running of credit unions,

2) To give a methodology to classify and prioritise the risks,

3) To develop criterion for early intervention of identified risks by management of credit unions,

4) To work in direct co-operation to improve upon identified problems,

5) To develop risk monitoring and control tools, train and coach all CUA staff, CU BOD and

Management on the use of these tools in their supervision,

6) To equip the BOD to initiate, review all risk management policies and procedures,

7) To make sufficient and effective provision to safeguard the asset, liabilities and resources of

CUs,

8) To specify the instruments for the implementation, control and adjustment of the GRM Policy,

9) To fix the responsibility concerning the implementation of the GRM Policy within CUA Ltd and

the CUs.

Principles of General Risk Management

The GRM is based on the following principles:

→ A proactive General Risk Management, the risks have to be assessed and managed before they are appearing. This approach is reducing the impacts of the risk and is avoiding that by discovering the risk on late stage the CU has only short time to look for solutions and find the best one. The cost to reduce the risk might be higher as if the CU would have started earlier.

→ An iterative or dynamic approach of General Risk Management, that established six steps in the processing of risk management. It enables the CUs to have a dynamic approach of the management of the risks suiting to the permanent changes on the market and on the members’



expectations. This approach allows the CUs to face new risks and to introduce them in their Risk Management Policy.

→ A comprehensive approach to General Risk Management, involving all the risks that CUs are facing and that is reducing the risk of loss, builds credibility among the members of the CUs and in the marketplace, and creates new opportunities for growth.

Benefits of an effective general risk management

An effective general risk management is directly providing:

→ More time for production and growth: a proactive risk management for potential problems means less time for fixing problems and more time for the income generating activities.

→ Efficient use of capital: risk management allows management to qualitatively measure risk, fine tune the capital adequacy ratio, and evaluate the impact of potential shocks to the financial system or institution.

→ Successful new product development and roll-out: systematically addressing the risks inherent in new-product development and roll-out can result in enhanced corporate reputation, improved member loyalty, easier cross-selling of services, and better knowledge for developing future business.

2.2 Categories and types of risks

The six categories of main risk areas

1) Operational risks

Operational risks are the vulnerabilities that a CU faces in its daily operations, including concerns over portfolio quality, fraud and theft, all of which can erode the institution’s capital and undermine its financial position. Credit risk – lending money and not getting it back (delinquency),

Operational errors risk, e.g. accounting and cash errors – unintentional errors that create unreliable information and reports, or the loss of assets,

Fraud risk – intentional deception for personal gain, illegal or irregular means,

Security risk (internal and external) – risk of theft or harm to property (documents, furniture, safe,

building...) or person.

2) Financial risks

Asset and liability risk – management of interest rate and liquidity (in the case of MFI involved in

foreign activities the foreign exchange will be also a risk). These risks increase and become more

complex as the CU grows, and broadens its range of financial services to include savings,

Interest rate:

This risk affects the earnings of the Credit Union. Interest rates are not controlled by the Credit Union; rather they are the result of a variety of forces in the financial environment.



Example of the effect of interest rate changes:

Loans Savings Spread

Credit Union Rate in January 7 5 2

Market Rate in June 13 8 5

Consider the above table where the Community Credit Union offers low cost loans at 7% and savings at 5% in January. Several months later in June, the market changes drastically and other financial institutions in the community offered loans at 13% and savings of 8%. Unless the Credit Union offers competitive rate for savings, some members may withdraw their funds and deposit them where they can get a better rate.

The Community Credit Union Funds itself is in a difficult position. It must offer competitive savings rate at 8% to attract savings to help fund the loans. But if it offers these savings at 5% and has loans on the books at 7%, it will have a negative spread, which occurs when the cost of funds – what is paid for savings exceed the income earned in funds – what is earned in loans.

One means of minimizing interest rate, risk is to offer variable rate loans, where the interest rate is tied to a general index, allowing the rate to be adjusted to change in the market. Viable rate loans allow both the member and the Credit Union to share interest rate risk.

Liquidity:

Even though a Credit Unions operation is providing loans and a place to save may seem simple; elements of risk exist. If the Credit Union has more funds loaned than accumulated in savings, the potential for liquidity risk exists. Liquidity is a financial institutions ability to meet demand for funds. Liquidity risk occurs when the members withdraw more funds than are available. If losses continue and the demand for funds cannot be met the Credit Union could become insolvent. An increased demand for funds can sometimes be remedied by:

→ Borrowing from the National Association Central Fund Facility (CFF) or another financial institution,

→ Follow a policy of matching. Matching is the structure of the maturities and amount of Assets – loans – to match the maturities and amount of liabilities – savings,

→ Maintain adequate reserves and capital to meet unexpected losses. If the Credit Union maintains steady and growing income along with growth in membership and loans.

CU’s investments risk –investments for commercial ventures or for high risk stocks

Accounting errors’ risk – in the treatment and establishment of the balance sheet and the income

and expenditure account,

Inefficiency risk – management of costs per unit of output, affected by both cost controls and level

of outreach.

3) Institutional risks

Microfinance success is defined as an independent organisation providing financial services to large numbers of low-income persons over the long-term. An assessment of risks against this definition results in three categories of institutional risk:



Vision risk – adequate and communicated to members and employees,

Social mission risk – to assure that the CU is reaching the social objectives: the members are

improving well being,

Commercial mission risk – to manage the organisation as a business to allow it to exist for the long

term,

Governance risk – performance of BOD, the committees and the management and the relationship

between them,

Human resources risk – skills of members of BOD, committees and employees and importance of

training and personal promotion,

Bye Laws, policies, standards and manuals risks– are not available or not in use,

CUA financial obligations risk – like CUA and Chapter Dues, statutory reserves, CUA CFF, risk

management program (LPP, LSP), stabilisation funds are not follow,

Dependency risk – continuing need for strategic, financial, and operational support from an external

organisation. CUs that have strong financiers are exposed with the time these financiers are going to

retire from the CU.

4) MIS risks

As the importance of MIS is permanently increasing, it is worth to distinguish it as separate main risk type with two aspects:

System integrity risk – the integrity of the information systems, whether computerized or manual,

Efficiency of the system risk – effective software programs, security of the data (back-ups, virus).

5) Marketing risks

Marketing including customer or member relations have become very important over the last

decades for business companies. With the increase of the competition in Ghana in the financial

and non-financial sector the expectations from the members has also increase making marketing

and member relation a central issue for the sustainability of CUs:

Efficiency of the Marketing-mix risk – effective marketing strategy combining consistent product,

price, promotion and place/distribution strategies,

Member relations risk – strategy for managing the CU’s interactions with members and sales

prospects in order to nurture and retain the present CU’s members and find, attract, and win new

members.

Image / Reputation / Goodwill risk – A CU’s image amongst members in the community it serves is

critical to strong repayment and repeat business. Image and reputation in the community does not

only come from actual and factual information about the CU. It is about member perceptions and

the satisfaction they feel about the society, about how they feel they are treated, and whether they

value the services provided.



Reputation is one of the most important assets that a credit union has to protect. All financial

institutions operate with the understanding that money deposited will be safe and wisely managed.

Once that trust is shaken through mismanagement or dishonesty action of employees, corporate

image disrupted, and confidence loss leading to total collapse.

A CU is similar to other financial Institutions and in competition with them – the trust of depositors

is sacred. It must maintain a solid reputation that it can conduct business in both an efficient and

ethical manner. People within the community must perceive the CU a safe place to deposit their

money.

6) External risks

Although the CU may have less control over them, the BOD and the CU Manager must also assess the external risks to which they are exposed. The CU can have a relatively strong management and staff, and adequate systems and controls, but still experience major problems due to the environment in which it operates. It is important that these risks are recognized as challenges to be addressed rather than excuses for poor performance. Some of the most important external risks are:

Regulatory risk – awareness of regulations in banking, labour laws, contract enforcement, and other

policies that affect CUs,

Competition risk – familiarity with the services of others to position, price, and sell your services.

Competition for staff is also a huge risk,

Physical environment risk – natural disasters, physical infrastructure. Some rural or city areas may

be prone to floods nearly every year. Droughts will also affect the rural poor who are dependent on

agriculture or agri-businesses; these natural disasters will not only affect members and their

businesses, but the CUs that serve them,

Demographic risk – assessing characteristics of the target market. This could look at special social

issues, including health, aging, and migration. The HIV/AIDS pandemic is a threat to productive

middle-aged people, posing risks to the CU’s targeted market and their staff,

Macroeconomic risk – inflation, depression, recession, currency devaluation, change of the interest

rate of the Central Bank may have effects on the CUs and the members,

Political / Governmental risk – political instability, civil unrest.

Through these six categories of main risk areas, risks can be also divided in two

groups

1) Pure risk

Pure Risk includes all possibilities of loss of assets or reduction in the value of assets through

destruction or confiscation. Destruction can include natural disasters (flood, fire, storm or

manmade events including vandalism, civil disorder or commotion. Pure Risk can result only in

loss; there is no possibility of gain.



2) Speculative risk

This embraces all the uncertainties in the management of the Assets of savings and credit co-

operatives and can bring gain or loss.

For example loans to members can either be paid or not paid. Investments can either result

in a gain or loss. Each loan granted of course has the possibility of not being paid and ending

in the bad-debt column of a financial statement. The BOD of a society is required to manage

the funds of the society efficiently. This requires a timely balance between the co-operative

philosophy and sound business practices. The BOD continually has to weigh up the granting

of loans and investments decisions against the risk of Bad Debt.

2.3 The General Risk Management Process

The GRM approach is based on the iterative and dynamic process, that comprises six steps.

Overview of the six steps of the GRM Process

1. Identify and

assess the risks

2. Prioritise and

develop strategies to

measure the risks

3. Design policies and

procedures to

mitigate the risks

4. Implement

controls and assign

responsibility

5. Test effectiveness

and evaluate results

6. Revise policies &

procedures



Steps Persons involved Responsibilities and Tasks

1. Identify risks Management Identify major risks

BOD Review and approve risk identification

2. Prioritise and develop strategies to measure the risks

Management Develop measurement indicators Set acceptable range for risk

BOD Approve indicators and range Monitor results

3. Design policies and procedures to mitigate risks

Management Design operational policies, systems, and guidelines to reduce risk Provide clear instructions for procedures to implement policies

BOD Approve operational policies and procedures

4. Implement controls and assign responsibility

Manager Assign responsibility for implementation

CU’s Management Implement control procedures Monitor compliance

Operating Staff Provide input on appropriateness of policies and procedures, offer suggestions for policies needed and comply with established policies

Internal Audit Staff / Supervisory Committee

Independent review of the operations and controls

External Audit Independent and external review and evaluation of the financial statement and the operations

5. Test effectiveness and evaluate results

BOD Review results of operations

Management

Internal Audit Staff / Supervisory Committee

Monitor compliance with policies Identification of weaknesses in the risk management process

External Audit Identification of weaknesses in the risk management process

6. Revise policies and procedures as necessary

BOD Repeat the steps above for new policies and procedures

Management

Details about each steps

1) Identify and assess the risks

This involves recognising the various risk exposures confronting the society, by determining

what can happen to cause a loss. CUs face many types of risk.

The list in Annex based on assessment among the CUs gives a broad overview about the

different risks and it can help to identify the risk that a particular CU is facing.

The Management and Board of Directors can use this list and determine the risks that their

own CU is facing.

Hereby it is very important not to look only on concrete current and tangible risks but also

on all the potential risks, that can induce a potential loss.



The list is based on field assessment and is covering width risk areas. Though it is not an

exhaustive list of all possible risks that can affect CUs as new risks can appear and change

over the times or that a CU can be in a particular situation and therefore face risks that other

CUs are not facing.

2) Prioritise and develop strategies to measure the risks

Measure the risks:

There are four basic means of measuring value:

1. Original cost,

2. Replacement cost,

3. Market value,

4. And actual cash value.

When buying insurance the Credit Union selects replacement or actual cost.

In order to measure risk two variable should be considerate in addition to the value itself:

a. Loss frequency:

In general risk can be measured in terms of the number of times that events such as

embezzlement or storms are expected to occur. This is basically on past experiences

and expectations of the person doing the measurement.

b. Loss Severity:

This is the degree to which a loss is known. This is based on past experiences and

personal expectations.

Prioritise the risks:

Once the risk Measurement is completed, the evaluation process takes place. This entails

classifying each risk in terms of loss severity and frequency as high, medium or low, so that

there are nine categories from high/high, high/medium, high/low ...... to low/low as

represented in the following matrix:

Risk measurement matrix:

Frequency

High Medium Low

Seve

rity

High 10 – 9 8 – 7 6 – 5

Medium 8 – 7 6 – 5 4 – 3

Low 6 – 5 4 – 3 2 – 1



A chart from 1 to 10 gives the possibility in each category to make a further distinction

between the risks in the same categories, e.g. if delinquency as well as liquidity are considered

with high severity and high frequency, one can receive “10” whereas the other one “9”.

The method below provides the evaluation and prioritisation of the risks:

1. After evaluating each potential, each risk has to be place in one of the nine categories

of the above matrix according to loss frequency and loss severity. The highest risk

potential would be placed in category high severity and high frequency whereas the

lower risk potential would be placed in category low severity and low frequency.

For each criteria the right measurement has to be done, e.g. in case of rubbery, it is not

only the immediate loss of money that has to be take in account but also the indirect impacts

like bad image for the society that might afraid the members and the potential members.

2. Choose in each category a value from the chart in order to make a finer distinction in

each category.

3. Note all the risks in a lists as in the following example:

Risk Severity Frequency Chart value

Robbery Low Low 2

Delinquency High High 10

Ineffective MIS Medium High 8

Frauds Medium Low 4

Accounting errors Medium High 7

Liquidity Medium Medium 5

...

4. As last step establish the ranking base on the above list:

Ranking Risk Severity Frequency Chart value

1 Delinquency High High 10

2 Ineffective MIS Medium High 8

3 Accounting errors Medium High 7

4 Liquidity Medium Medium 5

5 Frauds Medium Low 4

6 Robbery Low Low 2

7 ...

Remarks:

a) If there are some risks with the same value, e.g. “8”, it basically means that these

risks have the same priority. Though the management with the BOD can analyse

these risks deeper and prioritize them based on the replacement cost or market

value.



b) If the number of listed risks is so huge that there are a lot of risks with the same

value a broader chart going for example from 1 to 20 can be established.

The ranking is given the risks that have to be treated in first priority and those that can

be treated in second steps or less intensively at the beginning, e.g. if the risk of

robbery has been ranked on a low level, a suitable new safe hasn’t to be bought

immediately especially if the resources of the society are short, but if it has been

ranked on a high level (e.g. 1 to 4) it is necessary to plan in the short term to buy a

suitable new safe, increase the day and night security etc.

The ranking is given useful information how to plan the resources of the CU in matter

of risk management.

Based on this ranking the societies can establish a plan for the development and the

implementation of the policies and the procedures.

3) Design policies and procedures to mitigate risks

Policies and procedures involve the selection of the most effective and efficient methods that

may be used to prevent and at least minimise the possibility of loss.

The policies and the procedures should be based on the guidelines of the CUA General Risk

Management Policy. Each society is advice to adopt it.

If a particular potential risk that the CU is facing is not covert through the GRM Policy, the CU

has to develop procedures to reduce the potential of this risk and to introduce this new

element in its GRM Policy. If the new procedure has some impacts on one or more of the other

policies, these have to be adapted.

For this purpose there are basically five methods which may be used to determine how a given

risk can be best handled. These are:

a. Avoid

Savings and Credit Co-Operatives should first consider ways to avoid risks, if possible and

practical.

For example, loans to members can either be paid or not paid. Investments can either result

in a gain or loss. Each loan granted of course has the possibility of not being paid and ending

up in the bad-debt column of a financial statement.

The Board of a Society is required to manage the funds of the society efficiently. This

requires a timely balance between the co-operative philosophy and good business

practices. The Board continually has to weigh up the granting of loans and investment

decisions against the risk of bad-debt.



b. Reduce

If risk is unavoidable, societies should consider ways in which exposure to risk may be

reduced. The risk to armed robbery can be reduced by installing an effective alarm system,

employing services of security or police officers, by acquiring a suitable safe and / or elect to

limit available cash by allowing members to deposit cash in the banks account of society or

depositing large sum of money collected by a particular time or arranging with the banks to

pick total cash from the premises of the Credit Union.

c. Spread

A third measure to be considered is that of spreading a risk, if possible and / or practical. An

example of spreading a risk would be to make more frequent cash lodgements.

d. Assume / Retention

There are some risks that a co-operative society may wish to assume. Retention or self

insurance occurs when the credit union elects to pay for the loss itself. The credit union may

decide not to buy insurance claim is a retention decision.

The credit union may decide not to buy insurance because it had decided that the cost of

the potential loss is a prudent risk to take. A co-operative society may decide it can afford to

stand the loss of the office furniture is usually a normal amount so the loss may not

adversely affects its assets.

e. Transfer

This is allowing another party such as an insurance carrier to take on the risk. The credit

union pays a premium which is a small percentage of a potential loss and transfers the risk

to the insurance company. Transfer of risk may be accomplished through the use of lease

agreements. In this case the owner of the equipment or building is liable to loss.

→ Insurance:

Insurance is a method to reduce risk. This is accomplished by guaranteeing

predetermined amounts of compensation for a loss in return for paying a premium

usually on an annual basis. By purchasing an insurance contract, the credit union

transfers most of the risk to the insurance company. An insurance company pools a large

number of risks in order to make a profit. Natural and man-made mishaps occur with

little warning and an organisation cannot prevent an earthquake or a storm. Insurance

can protect against such events.

Not every risk can be insured. If a risk is too unpredictable and the premiums are

difficult to calculate, an insurer may elect not to offer insurance for particular risk. Many

Insurance Company for instance refuse to offer insurance against flood.

For a risk be insurable its must fulfil certain criteria:

The Losses must exist,

The Loss must be measurable in amount, time and cause,



The loss must be calculated so that premiums can be determined,

The Loss must be accidental. Most Insurance do not cover intentional acts.

→ Fidelity bond:

Credit Unions like other financial institutions are especially vulnerable to loss from

crime because of the quantities of cash being handled. Embezzlement and other crimes

that are granted from within the organization by employees can be protected with a

bond.

A fidelity Bond is a legal contract stating that Insurance Company agrees to pay within

stated limits, for financial damages caused by the dishonest act or default of a third

party.

The third party is usually someone performing official work for the credit unions such

as an employee or a director. Credit union often buys a bond that will over all employees

called a blanket bond. This type of bond will cover employees and directors as well as

members of the various committees for dishonest acts while they are performing official

duties for the credit union. The Insurance Company now distinguish between dishonesty

and unfaithfully performance. The latter in difficult to insure because of its wide

interpretation.

→ Depending on their needs and their size in term of volume of activities, volume of

cash, number of employees, CUs should think about insuring the following risk areas:

Cash at the cash desk (with a maximal amount, that has to be specified with the

insurance company),

Cash in the safe (with a maximal amount, that has to be specified with the insurance

company),

Cash in transit between bank and CU (with a maximal amount, that has to be specified

with the insurance company),

Fire,

Injury of an employee during the working hours.

4) Implement controls and assign responsibility (preventive and detective control)

An effective control system is based on three elements:

1. Preventive controls: developed to avoid undesirable incidents,

2. Detective controls: developed to detect undesirable incidents and errors when there

are happening,

3. Corrective controls: developed to ensure that corrective measures are being taken

and to avoid that they can happen again.



Instruments:

There are basically three instruments to control the risks:

a. The internal controls: preventive, detective (and corrective) functions,

b. The internal audit: detective function,

c. The external audit: detective function.

a. Internal Controls (preventive and detective control)

Definition:

Internal Controls are part of a system that ensures the accuracy of records, guards

assets and makes for efficient operation.

Responsibilities:

The BOD has to ensure that an effective control system is established in the CU.

The Manager is responsible for the implementation of this system.

The different internal control tasks have to be assigned to the different employees

of the CUs and they have to be included in the task description of each employee as

well as in the GRM Policy of the CU.

The control of the effectiveness of the internal control is the duty of the internal

audit and the Supervisory Committee, which has to evaluate the internal control

and make recommendations to the BOD.

Objectives of the internal control:

Internal controls have three main objectives:

→ Check the effectiveness of the operations,

→ Ensure the reliability and integrity of the financial data and MIS,

→ Ensure the respect of the legislation.

Furthermore internal controls also ensure that errors will be readily detected as of

course mistakes – intentional or accidental will occur whenever people are involved.

Internal Controls are used more to catch mistakes of miscalculations or over sight

rather than dishonesty. One or two mistakes may be seen, as trivial, but these

mistakes can add up and become a problem.

Means and tools of the internal control:

Risk management tools for the Internal Control are used to reduce the possibility of

loss as well as the effects of a loss. These include human resource, policies,

procedures and information systems:

i. Human Resources and Personnel Policies

o HR and frauds:

Concerning frauds a motivated and honest personal is a key issue. Therefore CUs

have to care on the following points:



→ A good recruitment methodology. Indeed the prospective employees need to

be evaluated thoroughly before being hired. References and former

employer’s comments can help to predict future behaviour although this will

not predict with certainty an employee’s future behaviour. It will however

provide some guidance for hiring decisions.

→ A training plan for the employees and the members of the BOD and the

Committees,

→ Material (e.g. equity of salary) and moral motivation for the employees,

→ Rotation of Staff. This is completed on an unannounced but regular basis. This

also has the benefit of training staff members in other operational areas.

Annual vacations are a wise policy for all employees since embezzlers depend

on continual vigilance over fictitious accounts. No exceptions should be made.

If staff is rotated through normal procedures and vacation the potential for

assisting can be lessened.

→ Sanctions.

Each CU has to develop Personnel Policies involving these points.

o Job description:

Written job descriptions that list duties and responsibilities for each position in an

organization are essential. This routine should be followed up with regular

performance evaluations. Some credit unions provide written job descriptions for

directors and committee members. This defines the directions and committee

member’s duties as well as ensures a more efficient working relationship

between Management and Directors.

o Organisational diagram:

It is a complement of the job description and it has to have the following

characteristics:

→ Indicate the relations between the different positions in the hierarchy (staff

and committees),

→ List all the positions,

→ Distribute the diagram among the employees and the members of the BOD

and the committees.

ii. Further Policies and Procedures

Policies are the written guidelines that indicate the direction of the operations.

Procedures are the written instructions that tell how to implement and follow the

policies.



In order to be effective, Policies and Procedures must be:

→ Written,

→ Simple and clear,

→ Known and understood from the relevant persons,

→ Relevant (up to date) and

→ Implemented.

Each CU must have in a reasonable timeframe the following policies:

1) Corporate Governance Policy,

2) Personnel Policy (Condition of Service),

3) Shares and Savings Policy,

4) Loan Policy,

5) Products Policy (when a CU has other products than shares, savings and

loans),

6) Financial Management Policy,

7) Investment Policy,

8) Procurement Policy.

Keys issues concerning the controls of financial transactions:

→ Access to Cash: This is a vital internal control. The BOD authorizes cash

amounts in temporary and permanent – change funds such as petty cash.

Access to storage devices, including vaults and files requires two keys or two

set of combination under the control of two individuals. It is critical that the

two individuals guard their keys or combinations.

→ Dual Control: This allows one employee to serve as a check on another

through the use of two keys or a combination. As with other internal controls,

this is intended more to catch errors than dishonesty. Dual control can be

used for safeguarding materials, reserve, dormant accounts, reserve cash,

negotiable collateral and safety deposit box keys.

→ Segregation of Duties: This is an additional control on the accessibility of

assets as withdrawal control, when two or more people are involved in a

transaction one can act as a check for the other. Some jobs in operations take

transactions from the beginning to the end. By separating the duties, the

chance of error or fraud is greatly reduced. For example one staff member

can process on loan application, while another disburses the funds.

For the small CUs with all volunteer workers or one employee segregation of

duties and dual control may present problems. If this is the case the BOD

alongside with the Supervisory Committee will have to compensate by taking



more responsibility and special precautions. The guiding principle is that dual

control and segregation of duties should be instituted whenever possible.

iii. MIS and Reporting System

A MIS involves all the means and the processes that allow a CU to create, edit,

share and save information.

o Information and reporting System:

The reporting system is one of the crucial administrative controls. This system

keeps directors informed about daily operations. Deterring crimes such as

embezzlement is a prime objective. Crime is essentially a series of opportunities

that sign a given light to the criminal. Remove the opportunity and often the

potential for a crime is eliminated.

Another critical aspect is to ensure that the MIS is providing a good loan reports

especially useful reports from the outstanding loans.

o Accounting controls and MIS:

If the CU is to be an efficient financial Institution it must maintain a record –

keeping system that provides reliable information. This is necessary so that the

Manager can control, financial operations and the BOD can make intelligent

policy decisions. The accounting system used must first follow the country’s legal

requirement and accepted principles; records should be accurate and regularly

reflect the CU’s financial condition and operations.

Internal reports are used for various members of the CU to do their jobs. The

Loan Committee, for example need regular reports on loan delinquency. BOD

members will also need loan delinquency reports for decision taken as well as

reports on investments and earnings.

Documents that are sequentially numbered such as share drafts, cheques or

savings certificates aid in reconciling and controlling used and unused items.

Records posted regularly give an accurate summary of the business activity on

specific dates. These records give the CU’s financial condition and structure on

that date.



b. Internal Audit (detective control)

Definition:

An internal audit is a systematic and independent review of the operations and

controls within an organisation.

Responsibility:

Within CUs the Supervisory Committee is responsible for the internal audit.

Though CUs should have the objective to delegate part of or all the tasks of the

realisation of the internal audit to a part-time or full-time Internal Auditor.

The part-time or full-time Internal Auditor is working closely with the Supervisory

Committee, who is given him / her directives and indications for its work. The

internal auditor is reporting to the Supervisory Committee, who is himself reporting

to the BOD. The BOD can request that the Internal Auditor report with the

Supervisory Committee directly to him.

Supervisory Committee and Internal Auditor are working for the planning and

realisation of the internal audit with the Manager of the society.

Remark: In small and medium CUs it is very difficult to assign the tasks of internal

audit to a full-time employee of the CU because of the requirement that an internal

audit has to be an independent review of the operations and control of the CU. In

such cases the CU can take a part-time Internal Auditor.

Just up to big CUs with enough staff it is possible to assign the tasks of the

realisation of the internal audit to a full-time employee by respecting the

requirement of separation of duties. The condition is to have a competent employee

that is not directly involved in the major operations of the society. Therefore it can’t

be the Manager, a loan officer or an accountant of the CU.

Competent employee means in this case someone who has at a minimum

knowledge in accounting and auditing.

Objectives of the internal audit:

The primary goal of an internal audit is to determine whether the risks to the CU are identified by checking to see if: Financial and operating information is accurate (for internal and external

purposes),

Internal policies and procedures are being followed,

Management’s risk identification, prioritisation and mitigation is appropriate,

and

Any new risks become evident or previously identified risks remain unaddressed.



Means and tools of the internal audit:

Annual work plan and budget:

An annual work plan for the internal control should be define. It should comprise the

following activities:

→ Conduct first time internal control assessments,

→ Review policy and procedure updates,

→ Write reports and issue recommendations to revise procedures and strengthen

controls,

→ Meet with the CU Management and BOD to discuss findings, reports, and provide

input into strengthening internal control systems and managing newly identified

risks.

The budget related with the activities of the internal audit has to be planned at the

beginning of each annual work plan.

Planning of an internal audit:

The goals have to be fixed at the beginning of the planning and can be different from

an audit to another. Though an audit will always include:

→ Checklists to determine whether established procedures are being followed,

→ A check of selected financial transactions,

→ Previous audit reports, management responses, external audit reports and audit

management letters (as necessary and available).

Across a year all the following activities should be covered:

→ Audit of investments,

→ Audit of loans,

→ Audit of liquid funds (petty cash and bank transactions),

→ Audit of fixed assets,

→ Audit of “other assets”,

→ Audit of other liabilities,

→ Audit of share/savings,

→ Audit of expenses/income,

→ Audit of the transactions between the CU, the employees, the BOD, the committees

and their relatives,

→ Audit of the members through members’ visits to verify their existence, their loan

and saving balances,

→ Audit of the management, staff and committees performance.



For more details about all these last points please consult the “Supervisory

Committee Manual of Operation for Credit Union” available at the CUA Accounts

Department.

This Manual gives a sample of useful checklists.

Conduct:

The work of the Supervisory Committee and the Internal Auditors should be careful in discretion, approachable and use an objective perspective to their work. They should first of all be curious people - curious about what they see, observe, and curious about why things appear as they do.

They are there to help protect and promote the CU, staff and members. They should only work in the best interests of all of the stakeholders, and can best do so by seeking to understand what happens, and why things happen as they do.

Reporting:

Each audit must be correctly documented and filed. The audit findings should first of all be clearly understood, clarified and explained by operational staff.

They should then be verbally debriefed with operational staff. This is the opportunity for the Supervisory Committee and/or the Internal Auditor to explain the risks that the findings can bring to the CU if left unchecked. The findings then are included in the written report.

Cases of frauds discovered:

If during the internal audit a case of deliberate fraud by a staff member is discovered, the Manager should be immediately and confidentially informed so that a deliberate, careful investigation can take place without having the staff member run away, try to cover up the problem or suspect that they have been detected. This allows due process of fraud investigation and evidence to be completed, and appropriate disciplinary action as per organisational policy.

If during the internal audit a case of deliberate fraud by the Manager is discovered, they should take immediate steps to contact the BOD, so that it can take steps for investigation and disciplinary action.



c. External Audit (detective control)

Definition:

An external audit is an independent examination of the books and records of a CU. An

audit also examines the procedures dealing with cash and assets to ensure that theft or

errors are being properly deterred. The audit confirms the financial statements and

points to areas where procedures can be improved.

Difference between internal and external audit:

Internal Audit External Audit

Can be an employee of the CU

Serves the needs of the CU

Focuses on future events by evaluating controls that ensure the achievement of the CU’s objectives

Is directly concerned with preventing fraud

Audit work is continuous throughout the year

Is an independent body

Also serves third parties who need reliable financial information and reports (members, DOC, CUA Ltd, BoG, Ministry of Finance)

Focuses on whether financial statements reflect historical events clearly and accurately

Is incidentally concerned with fraud controls in general, but is directly concerned only when the financial statements are affected

Audit work is mainly done annually at the end of the fiscal year

Responsibility:

The CUA Audit Department with the Department of Co-operative (DOC) from the

Ministry of Social Welfare and Development organise a joint external audit of the CUs.

Each region has a representation of the DOC and has at least one CUA Auditors at the

regional office. The CUA Auditor Coordinator is at CUA Head Office.

Objectives of the external audit:

The audit has a symbolic function because it shows members that the CU leadership is

diligently overseeing operations so that errors and theft will not occur or minimise.

The audit can be regarded as both a risk management and financial management tool.

However the Supervisory Committee’s work can be surprise nature which can discover

whether loans are being made according to policies and procedures. The Manager can

than take quick steps to remedy the faulty practice, saving the credit union from

potential loss.

Whereas the audit can uncover fraudulent activities that may have been undetected by

normal Management procedures.



Framework for the external audit:

The BOD and staff need to know that audit is not to find fault, but to detect any error

or fraud as well as to give recommendations how to enhance the performances of the

CU.

Timeless of audit will also prevent fraud and errors. The early detection of fraud or

errors on time will prevent loss to CU. This will ensure that the BOD account to

members on timely basis and put into members confidence that they may have in the

BOD and the CU.

What a CU has to do to prepare the visit of the auditors:

→ The BOD has to ensure that the final books of accounts are ready (i.e. income and

expenditure statement and balance sheet). All other documents that relate to the

audit (i.e. members data, loan forms, investment files, minutes of the BOD and

committees etc.) should be available. All the staff should be available during the

audit. The auditors should have the opportunity to meet members of committees

(BOD, Loan committee, Supervisory Committee) if necessary.

→ When the CU would be ready it has to contact the Chapter Office in order to plan

the audit schedule.

5) Test effectiveness and evaluate results (detective control)

The test of the effectiveness of the internal control that should ensure that the policies and the

procedures are implemented and are themselves effective is one part of the work of the

internal and external audit.

But evaluating the CU’s internal control system is not simply the role of the internal and

external auditor. It is an overall Board and Management responsibility, and must be

understood and fully appreciated.

The BOD with the Management has to fix how often it is necessary to evaluate the internal

controls. And if systems are found in good order, how soon is it necessary to review them again.

The answer lies in the human factor and therefore in the own situation of each CU. Though

each CU should at least evaluate the system once a year.

Monitoring, checking and reviewing employee performance sends the message that

performance matters. On the whole, individuals are less likely to take short-cuts or deviate

from standard procedures if they know that their work will be reviewed.

6) Revise policies & procedures (corrective control)

The BOD with the Management is responsible for the revision of the policies and the

procedures. The revision should be based on the recommendations of the Supervisory



Committee / internal Auditor and the External Auditor as well as on own inquiries of the BOD

and the Management.

They have then to carry out if necessary the revision of the policies and procedures.

The GRM process will therefore start again.

2.4 Role of CUA Ltd in the GRM of the CUs

CUA’s role during the implementation of the GRM

Before and during the first implementation of the GRM a CU can receive support from CUA through

the CUA-GRM Department and the Regional Offices (Managers and Field Officers). CUA can provide

advice and monitoring.

CUA’s role after the implementation of the GRM

After the implementation of the GRM CUA will especially during the visit of the Field Officers

evaluate the effectiveness of the GRM of the society, provide recommendations and control if the

recommendations were implemented. The field officer can also assist the CU and provide advice

concerning the GRM.

CUA’s role in relation with the external audit

The external auditors will have during their audit a particular attention on GRM issues and have to

give the CU recommendations how to improve their GRM.

After the audit report and until the next audit report the field officers will follow the

implementation of the auditors’ recommendations and offer the CU their advice if necessary.



GRM

2.5 Summary

An effective General Risk Management is based on the iterative and dynamic risk

management process and implies a permanent control

Permanent Control Steps of the iterative and dynamic risk management process

1. Preventive Control Step 1: Identify and assess the risks

Step 2: Develop strategies to measure and prioritise the risks

Step 3: Design policies and procedures to mitigate the risks

2. Detective Control Step 4: Implement controls and assign responsibility

Step 5: Test effectiveness and evaluate results

3. Corrective Control Step 6: Revise policies & procedures

As control should be the concern of everyone in the society, General Risk Management is

EVRYONE’s job!

Overview of the interaction between Internal Control, Internal Audit and External

Audit as part of the GRM

An effective system of strong internal controls is the CU’s primary mechanism to identify, measure

and mitigate operational risks. Their role is to prevent problems.

The internal audit function acts as an early warning to detect whether there are weaknesses or

deficiencies in the system of internal controls. The internal audit is intended to find errors,

problems or breaches of policy and procedure before the consequences of such incidences are

Internal Control

External Audit

Internal Audit



severe or have a major effect on the CU. Internal audits can also help to identify new or

unrecognized risks.

The external audit is evaluating the effectiveness of the internal control and the internal audit and

is given recommendations how to improve them.

Planning:

Every year after the external audit the GRM of the CU has to be complete redefined.

During the rest of the year the internal control and internal audit have to assess the effectiveness

of the implemented procedures, policies. Depending on the results of these assessments the GRM

Policy or procedures have to be redefined or optimised by going through the GRM iterative

process.

III. CONCLUSION

Credit Unions are exposed to all types of Risks just like any other business concern. It is up to the

BOD and the Management of the various societies to identify the types of risks their societies are

exposed to and to manage them. Some could be avoided, reduced or assumed. Others could either

be shared or transferred to Insurance Company.

Other risks which are regular threat to credit union development are loan delinquencies, Liquidity

problems, poor accounting records and embezzlements of societies, funds by Managers or

Treasurers.

The Management could set up internal control system to control such risks if they plan effectively

towards them. Credit Unions officers must always be reminded that “Preventions is better than

cure.”



Annex

List of main risk areas

Category

N° Category Type

N° Type of Risk Specifications for each type of risk

1 Operational risks

1 Credit risk: high loan delinquency Non respect of repayment schedules (part amount, delays…)

Failing of repayment over long period

2 Operational errors risk, e.g. accounting and cash errors

Accounting errors

Back / Front office errors

Counterfeit money

Receiving or giving the wrong among of money

3 Fraud and embezzlements risk from one

person or related with collision among staff

or between staff and board member or

member

Frauds on loans, savings and funds: - Use the account of a dormant member - Making a loan out to a non existing person (ghost member) - Making a loan out to a non-member of the society - Give a higher amount as loan but not qualified as per loan

policy - Manipulated loan (not qualified for it) - Payments or withdrawals from other members loans (active

or dormant) - Savings withdrawal from dormant accounts - Create a new ledger card to withdraw funds

Fiscal frauds

Computer or manual manipulations, e.g. in order to access loans or withdrawal or cash-shortages

Collision with Bank clerk to evade Bank deposits

Misapplication of funds: - Manipulations through purchasing costs - Through inflating expenditures

Holding simultaneously different incompatible or conflicting tasks

Stealing of an asset (e.g. computer, equipments)



4 Cash management risk Due to the non respect of: - Only one person is suppose to deal at one desk at one time - Only one person is suppose to deal with one petty cash

Proper hand over from cashier to cashier has to be assured

5 Internal security risk Deficiency concerning the store of documents, the check books, job description, delegation of decision

Safe/cabinet, that is open only through one person and not two persons

No or deficient assets register

6 External security risk Robbery because of insufficient security (deficit related to locks, doors, keys, alarm system...)

Lack or of watchmen/security officer (day/night), police

Vandalism from staff following seat-down strikes or lock-out of the management

Vandalism from members other any external individuals (affecting building and others assets)

2 Financial risks

7 Risk of inappropriate interest rate policy on savings and loans

Wrong interest rate policy within the CU or related to the market. Ex: - If interest the interest rate on loans is too low and the interest

rate on savings too high, the margin will be not enough and cause loses for the CU

- Or if the interest rate on savings is much more less than the competitors the risk that a lot of customers withdraw their money is high and therefore the risk of liquidity tension

8 Liquidity risk Induce due to increasing or high loan delinquency

Induce through higher withdrawals than deposits

Not all of CUs are in the CUA CFF

9 CU’s investments risk Investments for commercial ventures (vehicles, farms, buildings…) or for high risk stocks

10 Risk of accounting errors and insufficiency Errors in the treatment and establishment of the balance sheet and the income and expenditure account

Lack or bad accounting records, e.g. monthly and statistical reports

Bank transactions and reconciliations: bank deposits and



withdrawals

11 Inefficiency risk: Profitability and viability CUA’s requirements for Operating Standards like net income of 6%of total average asset

No capital adequacy: 5% shares, 10% reserves

Lack or insufficiency concerning the Strategy of Development with Business Plan including the Budget

Growth: - Fast growth with non control of expenditure or of loans or of

investments - Absence of growth (shares, savings, loans…) - Dormant and inactive members

3 Institutional risks

12 Vision risk Vision does not exist or not followed

Not communicated among members and employees

13 Social and commercial mission risk Provision of appropriate financial services to the intended membership

Not clear defined and communicated among members and employees

Lack or inappropriate strategy of development: - Yearly Business Plan (including Budget) not exist or not

implemented - Three years Business Plan not exist or not conducted

14 Governance risk Performance of BOD and/or committees and/or management

Relationships between BOD, committees, management

Lack of inter-committee meetings

15 Human resources risk Skills of some members of the BOD and of committees not adequate

Skills of managers and employees not adequate

Training and promotion: - Lack of understanding of the importance of training - Knowledge of training not put into the practice

Recruitment not always based on qualifications but on relations

Mutual issues between board of BOD / committees / staff /



members

Competition of staff

16 Bye-laws, policies, standards and manuals risks

Lack of using CUA manuals and standards

No own Bye Laws in use, sometimes use of the CUA model Bye Laws

Lack of CU manuals for all the internal procedures such as investment policy, personal policy, product policy (loan and savings policy), procurement policy

Lack of a code of conduct

17 CUA financial obligations Non compliance to CUA financial obligations: Dues, CUA shares, CUA CFF, statutory reserves, risk management program (LPP, LSP), stabilization funds

18 Dependency risk High dependency from external financiers that would withdraw in the middle and long term from the CU

4 MIS (Management Information System) risks

19 System efficiency and integrity risk Information process not clear define: - Lack of procedures for manual or IT-based MIS - Loss of information (electronic or hard copy)

Deficiency with the availability of the information

Non effectiveness of the banking-software: CU-Soft or other software programs

Lack of back-ups and securing of the information (of the data base)

No or not up-to-date anti-virus software and firewall (protecting the IT-system against external attacks)

Insufficient IT-skills of the employees

Interrupted power supply and no protection (UPS - uninterruptible power supply)

5 Marketing risks

20 Efficiency of the Marketing-mix risk Not Effective or lack of marketing strategy combining consistent product, price, promotion and place/distribution strategies

21 Member Relations risk Not adequate strategy for managing the CU’s interactions with



members and sales prospects in order to nurture and retain the present CU’s members and find, attract, and win new members

22 Image / Reputation / Goodwill risk Bad members’ perceptions and satisfaction about the society, about their feeling how they are treated, and about the value they attach to the CU’s services

Bad Reputation of the society because of mismanagement or dishonesty action of employees or of disrupted corporate image that cause confidence loss what may lead to total collapse

Disrupted perception of the CU has a safe place to deposit their money

6 External risks

23 Regulatory risk Regulation framework: - Registration of CUs before their affiliation to CUA Ltd - No Law for CUs and or for MFI till now - Which impacts on CUs and CUA Ltd if CU’s Bill is passed?

Insufficient knowledge of Labour laws

24 Competition risk Competitors: Banks, Rural banks, Commercial MFI, NGO with microfinance programs, insurances

Poor quality of products and services

Customer relations / care: - Insufficiency of the marketing of the products - Insufficiency of services

25 Physical environment / Natural risks (affecting building and others assets)

Flood (rains, rivers)

Fire (lack of standards and emergency plan, Electric installation, staff behaviour / kitchen)

Storm

26 Demographic risk Characteristics of the target market, including special social issues, health (HIV/AIDS), aging, and migration.

27 Macroeconomic risks Inflation, depression, recession, currency devaluation, change of the interest rate of the Central Bank

28 Political / Governmental risks Political instability, civil unrest