Enhancing Control and Risk Management for a Small Finance Bank
A small finance bank with a distribution network of over 270 banking outlets.
BUSINESS REQUIREMENT
The primary objectives of this engagement were to construct an entity-level Risk and Control Matrix (RACM) for the organization and conduct testing of the Internal Control Framework for the financial year. This involved:
1. Developing a Risk and Control Matrix across business operations and processes.
2. Documenting the existing “As Is” business processes.
3. Identifying and mapping risks to these business processes.
4. Creating Control Design Documentation and conducting evaluations.
5. Assessing the operating effectiveness of controls.
6. Reporting deficiencies and recommending “Should be” business processes.
IDENTIFIED PROCESS CHALLENGES
The challenges included undefined roles and responsibilities, excessive dependence on Single Points of Contact (SPOCs), frequent process revisions, and a lack of documented process notes.
APPROACH AND SOLUTION DESIGN
To address these challenges, the engagement team devised the following solutions:
1. Studied the processes and developed a comprehensive risk register, clearly defining roles and responsibilities, testing controls for comprehensiveness and operating effectiveness, and establishing segregation-of-duties controls.
2. Documented procedures and policies in standard formats previously agreed upon with the entity, creating a repository of documents organized by function.
BUSINESS BENEFIT AND RESULT
The results of this engagement included the development of detailed risk registers for each process area. These registers were created based on comprehensive process walkthroughs with the client. They encompassed potential risks within each process, documented existing controls, highlighted gaps in control measures, provided recommendations for addressing these gaps, and designed detailed control and transaction testing procedures. Additionally, the team conducted exhaustive control and transaction testing and presented the results to management.