By Guest Blogger

Know your processes: the first step to managing internal risks

This is a guest post from Michael Joyce, the co-author of MMU’s recent publication “Managing the risk of fraud in mobile money”. Michael is a mobile money professional, specialising in operations, risk and compliance. He has experience in the design and implementation phases of mobile money projects, as well as hands-on practical knowledge gained from his previous position as Head of Operations for WING Cambodia and subsequent consulting engagements. He is currently working as Mobile Money Policy Advisor for the Government of Indonesia’s TNP2K Taskforce on Poverty Reduction.

For most mobile money operators, internal fraud is one of the biggest risks to worry about. It might be unlikely, but the potential consequences are devastating in terms of financial loss, customer trust and regulatory implications.

While internal fraud does carry high consequences, the simple fact is that mobile money managers should also be concerned with internal operational errors, which might expose operators to unnecessary risks. These operational errors could come from systems failures, accounting failures, data input problems, and so on. It’s easy to think of all these as “human errors”, but the reality is that most of them can be prevented with well-designed and well-implemented internal processes. The same internal processes should prevent both errors and fraud, provided the risks and the necessary controls are carefully considered when the processes are designed.

Mapping and documenting internal processes should be one of the very first steps in any risk management plan for a mobile money operator. If processes are vague, ad hoc, or are known only to a few select people, the following risks emerge:

  • Processing errors due to shortcuts being taken
  • Inefficiencies due to unnecessary steps
  • Opportunities for internal fraud
  • Inability to spot fraudulent transactions
  • Inability to restore after an outage
  • Inability to expand or scale services
  • Key person risk
  • Business continuity failures
  • Failed audit results (including regulatory audits)

If you start a risk management plan without having your internal processes documented, you may identify some useful controls to prevent risks, but it will be extremely difficult to enforce these controls or to monitor that they are working effectively. In order for a control to be truly effective, it must be monitored or tested by an independent party, and this is simply not possible unless the rules for the control are written down.

One example is an operator who had a poorly documented e-money process. The process for creating e-money had evolved over time and was only written down in a series of e-mails between the relevant team members. The team had considered segregation of duties for the creation and approval of new e-money, but the process was informal and not readily accessible.  During a detailed risk assessment, the operator documented the process and found weaknesses in the approval process.  As they discovered, the approver had no way to independently verify the creation of e-money. Under these circumstances, it would have been possible for the creator of the e-money to manipulate the transactions without being detected; the approver could do no more than effectively “rubber-stamp” the process.  By documenting their process, the operator saw this was a weakness and developed a new system report that would allow the approver to independently verify the transactions, thus reducing the risk.

Mobile money is a fast-moving business, and many operators are still working in a “start-up” mode, relying on a small team of dedicated and highly professional staff to undertake critical functions. It might seem like a difficult and costly exercise to document the internal processes needed to run the mobile money operation, but it is an essential step if the business is to scale up in an efficient and low risk manner. 

This blog post is part of this week’s series aimed at providing operators greater insight on the tools to implement an effective risk management strategy. For further information on risk management, see our publication “Managing the risk of fraud in mobile money”.

One Comment

  1. Very well put, Michael. Documenting processes and identifying risks is an absolutely essential exercise which often does not get the time, attention and resources required from the management team. Based on our experiences with several deployments, we have spelled out some good practices and a broad framework which could be used to map these internal processes. Would be interesting to get your thoughts / comments. Here is the link:
