A risk is an exposure to the chance of loss. Risks are not inherently bad. Sometimes, it is necessary to take risks to accomplish worthy and meaningful goals. This is especially true in microfinance where loan officers take risks every day by lending money to people without credit histories, without business records and often without collateral. One has to take risks to operate a successful microfinance institution—but it is important to take calculated risks.
Risk management, or the process of taking calculated risks, reduces the likelihood that a loss will occur and minimizes the scale of the loss should it occur. Risk management includes both the prevention of potential problems and the early detection of actual problems when they occur. As such, risk management is an ongoing three-step process
1.Identify Vulnerabilities: Before managing risks, it is necessary to identify the organization’s vulnerability points, both current and future. An important aspect of assessing risk is to predict exposure in the short, medium and long term. To help MFIs identify their vulnerabilities, this document contains a risk assessment framework that addresses financial and institutional development issues.
2. Design and Implement Controls: Once an MFI has identified its vulnerability points, then it can design and implement controls to mitigate those risks. Because MFIs operate in different environments, and because CARE works with a diverse set of microfinance partners, the controls outlined in this handbook tend not to be specific or prescriptive. By understanding why a certain control should be in place, MFI managers and directors can tailor the control to their local environment. For example, taking collateral to control credit risk may be appropriate in some markets, whereas in other markets a group guarantee is a more appropriate control.
3. Monitor Effectiveness of Controls: Once the controls are in place, then the MFI needs to monitor their effectiveness. Monitoring tools consist primarily of performance ratios that managers and directors need to track to ensure that risks are being managed.
This three-step risk management process is ongoing because vulnerabilities change over time. Risks also vary significantly depending on the institution’s stage of development. An MFI with 2,500 borrowers will experience different challenges from an organization with 25,000 outstanding loans. As participants in a new industry, MFIs cannot afford to become complacent if they want to avoid being toppled by innovations, competition, and new regulations among other things. How often is “ongoing”? That will vary by country context, but at the very least the board should conduct an annual risk assessment update.
Besides analyzing the current state of the organization, risk management involves using a crystal ball to anticipate possible changes in the internal and external environment during the short-, medium- and long-term. Since no one can accurately predict the future, it is recommended that you consider best, worst and average case scenarios for each of the three time periods. While it is probably excessive to prepare for the absolute worst-case scenario, risk management involves taking a conservative approach in preparing for potential outcomes. Managers and directors who only plan for best-case scenarios are deluding themselves and are setting their organization up for perpetual disappointments.
It is important to note that microfinance institutions cannot completely eliminate their exposure to risks. Any effort to do so would be prohibitively expensive, thus creating a vulnerability to another set of risks. Managing risk involves the search for the appropriate, though elusive, balance between the costs and effectiveness of controls, and the effects that they have on clients and staff.