1. Objectives
2. Risk and types of Risk
3. Risk Management Approach
a. Risk Management Cycle
b. Risk Governance
c. Three lines of defence
4. Risk Management Tools
5. Operational risk, internal controls, and fraud
6. Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) and Know Your Customer (KYC)
Objectives
To understand:
• The risks that Wave Money faces and how they are managed.
• The risk management cycle for assessing and treating risks.
• The importance of internal controls in risk management.
• What is fraud and what are the fraud indicators and red flags.
• Know Your Customer (KYC), Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT), and Wave Money’s responsibilities regarding them.
• Your individual responsibilities when it comes to risk management,
internal controls and fraud.
Risk and Compliance Test
You will be tested on the content of this training. The purpose of this is to
make sure that you understood concepts and can apply them to your
work. It is NOT a test of your performance.
Source: Digital Financial Services and Risk Management Handbook, ISBN Number: 978-0-620-71506-5
Types of risk faced by Wave Money
Strategic Risk is defined as the actual losses that result from an unsuccessful business plan or the potential losses resulting from missed opportunities. Examples of this are ineffective products, failure to respond to changes in the business environment, or inadequate resource allocation.
Partnership Risk is the potential that a partner will fail to deliver on their obligations to the company, resulting in losses and business disruptions. Partners can include distributors, master agents, vendors, technology providers, etc., and can also be a source of reputational risk.
Regulatory Risk refers to the risks associated with complying or not complying with regulatory guidelines and rules. For mobile financial services these include anti-money laundering/combating the financing of terrorism, Know Your Customer, data privacy, account and transaction limits, trust accounts, and regulations regarding the use of agents.
Agent Management Risk refers to risks associated with the use of agents to act on behalf of the company. The management and supervision of agents is imperative to a well-functioning service that protects customers. The use of agents can trigger operational, technological, legal, reputational, and fraud risk.
Financial Risk refers to the risks associated with
managing the finances of the company. These risks
include liquidity, foreign exchange, counterparty
(concentration) risk as well as credit and interest rate
risk.
Operational Risk is inherent in any business and refers to risks
associated with products, business practices, damage to
physical assets, as well as the execution, delivery and process
management of the service. In shorthand, operational risk is
often referred to as risk related to people, processes, and
systems. Operational risks are often managed through internal
controls.
Technology Risk refers to technology failure that leads to the inability to transact. It is closely linked to operational risk. Technology risk may be triggered by software, hardware, or connectivity failure; transaction delays and replays; loss of data; and cyber attacks.
Fraud Risk refers to the risk associated with the intentional false representation or concealment of a material fact for the purpose of inducing another to act upon it, resulting in damage or loss. Fraud risk is multi-faceted and relates to several other risks: operational and technology risk can cause fraud risk, and fraud can lead to financial risk. Fraud is also a significant driver of reputational risk.
Risk Management Approach
Risk Management
As presented earlier, Risk management is a process of thinking systematically about all possible effects
(deviations from the expected) before they happen and setting up procedures that will avoid them, if
possible, and minimize or cope with their impact if they cannot be avoided.
Wave Money’s approach to managing risks mirrors the ISO 31000 risk management framework.
[Diagram: the risk management cycle, shown as a continuous flow from Risk Identification through to Risk Treatment.]
1. The first line of defence (functions that own and manage risks)
This is formed by managers and staff who are responsible for identifying and managing risk as part of their accountability for achieving objectives. Collectively, they
should have the necessary knowledge, skills, information, and authority to operate the relevant policies and procedures of risk control. This requires an understanding
of the company, its objectives, the environment in which it operates, and the risks it faces.
2. The second line of defence (functions that oversee or who specialise in compliance or the management of risk)
This provides the policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in the first line, conducts monitoring to judge how
effectively they are doing it, and helps ensure consistency of definitions and measurement of risk.
When to Report
• Immediately… There is no need to wait until “all facts are in” before making a report.
Risk Management Tools
To support the Risk Management process, Wave Money has adopted several risk
management tools which are implemented by the Risk & Compliance function and across
the company. The table below identifies some of the main tools that are being used.
As the risk register supports all process steps, this training will cover the basics of the risk
register process which will also give insight and guidance on the risk assessment process of
identification, analysis, and evaluation.
Risk Identification
The purpose of risk identification is to identify what might happen or what situations might exist that
might affect the achievement of the objectives of the company. Once a risk is identified, we should identify
any existing controls such as design features, people, processes and systems. The risk identification
process includes identifying the causes and source of the risk, events, situations or circumstances which
could have a material impact upon objectives and the nature of that impact.
Common approaches to risk identification are assessing issues that have already occurred and
brainstorming. Brainstorming can be started with two questions:
• Lowest risk: the chance of the risk happening is low AND the impact if it does happen is low.
• Medium risk: the chance of the risk happening is low BUT the impact if it does happen is high; or the chance of the risk happening is high BUT the impact if it does happen is low.
• High risk: the chance of the risk happening is high AND the impact if it does happen is high.
Risk Analysis - Rating Risks
Assessing Probability and Impact as either high or low is not very useful,
especially when we want to compare many different risks.
To solve this, we use scores for the assessment. For consistency and
comparability across risks there are standard measures in place.
Score | Likelihood | Probability of occurrence within one year with a material frequency | Probability %
1 | Unlikely | Risk is unlikely to materialize or will materialize with low frequency | 0-25%
2 | Possible | Risk could materialize at some point or will materialize with a moderate frequency | 25-50%
3 | Likely | Risk is likely to materialize at some point or will materialize with a high frequency | 50-75%
4 | Almost certain | Risk is highly likely to materialize at some point or will materialize with a very high frequency | 75-100%
Risk Analysis - Rating Risks
Calculating the Risk Rating using likelihood and impact allows us to plot the ratings on a matrix and compare the exposure to different risks.
[Risk matrix: Impact (Minor, Moderate, Major, Severe) on the vertical axis against Likelihood (1 Unlikely, 2 Possible, 3 Likely, 4 Almost Certain) on the horizontal axis; each cell is rated Low, Medium, or High.]
Risk Evaluation
Risk evaluation involves reviewing estimated levels of risk (risk ratings) to determine the significance of the
level and type of risk.
Risk evaluation uses the understanding of risk obtained during risk analysis to make decisions about future
actions. Ethical, legal, financial and other considerations, including perceptions of risk, are also inputs to
the decision.
Decisions may include:
• whether a risk needs treatment;
• priorities for treatment;
• whether an activity should be undertaken;
• which of a number of paths should be followed.
Risk Evaluation
Probability and Impact can help us evaluate risk. The simple high-low
matrix can help us understand if treatment is needed and which type of
treatment:
Transfer – Shift the negative impact of a threat, along with the
ownership, to a third party.
• Insurance is a good example of transferring a risk, e.g. the impact of a fire
destroying the building would be high, but insurance would reduce the impact
because a third party (the insurance company) would be responsible for
paying for the damage.
Control – Reducing the Probability or Impact of a threat through control
activities.
• Preventive controls reduce likelihood as they prevent the risk from happening
• Detective controls can reduce impact as the undesired event is identified
quickly, reducing damage (impact)
Avoid – Change the activity to eliminate the threat.
• In some cases, additional controls may reduce the impact
• Some high risks are part of the business and in those cases management and
the BOD need to accept the high risk
Accept – No change to process to deal with the risk.
• Passive acceptance: no action, deal with threats as they occur
• Active acceptance: establish a contingency reserve to handle threats (time or
funds)
Risk Treatment
Operational risk, internal controls, and fraud
Operational Risk and Internal Controls
As discussed in the types of risk section above, Operational Risk is referred to
as risk related to people, processes, and systems, as well as external events, and
is often managed through internal controls.
Operational risk therefore touches every staff member, so it is important that everyone understands operational risk and the main treatment for these risks: internal control.
Definition of Internal Control
Internal control is a process, implemented by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
related to:
• protecting its resources against waste, fraud, and inefficiency;
• ensuring accuracy and reliability in operating, business, financial, and accounting data;
• securing compliance with the policies of the organization and the rules and regulations of the
environments in which it operates; and
• evaluating the level of performance in all organizational units of the organization.
Types of Controls
Preventive controls are intended to reduce the likelihood of an undesired event (a risk) from happening in the future.
Detective controls are designed to uncover an undesired event that has already occurred.
Corrective controls assist in the investigation and correction of the causes of undesired events that have been detected.
Common Controls by Type
Directive Controls
• Code of Conduct
• Employee Policies
• Raising Integrity Concerns
Corrective Controls
• Back-up and recovery
• Documentation (audit trail)
Fraud Risk
What is fraud?
Fraud is the intentional false representation or concealment of a material fact for the purpose of inducing another to act upon it, resulting in damage or loss to the victim and an unfair or unlawful personal gain, either direct or indirect, for the fraudster.
Simply put, fraud is deceiving someone to the benefit of another.
Fraud against Wave Money
• Agent or customer raising false dispute claim for reimbursement
• Vendor bid-rigging or billing the company for goods or services not provided
• Staff submitting false receipts
• Agents and other partners gaming commissions and incentives
• Security breaches
• Candidates providing false employment history to get hired
• Theft of intellectual property
• Hacking
• Theft of proprietary information
Fraud against Customers
• Identity theft from customers by agents or a nearby third-party person
• Social engineering by impersonation of WM or WM staff
• Unauthorized access of agent’s transaction tools
• Phishing, SMS spoofing, fake SMS
• Cheating through online shopping
• False transactions: making customers believe a transaction was successful
• Unauthorised withdrawal: use of customer’s transaction code
• Imposition of unauthorised customer charges/surcharging
• Split transactions for higher fees
Fraud against WM partners
• Counterfeit currency given by customer
• Customer refusing to pay for completed transaction
• Unauthorized access of agent’s transaction tools
• Fraud on agent app
• Social engineering by impersonation of WM or WM staff
• Phishing, SMS spoofing, fake SMS
• Staff taking bribe from a partner in the name of WM
Fraud Management
The main components of an effective anti-fraud strategy are Prevention, Detection, and Response. These
components are all closely interlinked and together create effective fraud Deterrence.
[Diagram: Fraud Prevention, Fraud Detection and Fraud Response together produce Fraud Deterrence.]
Prevention
Effective fraud prevention focuses on decreasing motive, restricting opportunity and limiting the ability for potential fraudsters to rationalise their actions. Prevention initiatives include:
• Developing an ethical culture
• Periodic assessment of fraud risk
• Fraud risk training and awareness
• Reporting mechanisms and whistleblowing
• Sound internal control systems
• Pre-employment screening
Detection
Fraud cannot be prevented 100% so it is important to have systems and processes in place to detect occurrences of fraud in a timely manner. In addition to controls and oversight, fraud can be detected by paying attention to fraud indicators such as:
• Warning signs are organisational indicators such as cultural issues, management issues, employee issues, process issues and transaction issues which are opportunities for fraud risk.
• Fraud alerts and red flags are specific events which may be indicative of fraud and which warrant follow-up. All staff should be aware of fraud red flags and properly report any suspicions immediately.
Response
A consistent and comprehensive response to suspected and detected incidents of fraud is also important. This sends a message that fraud is taken seriously and that action will be taken against perpetrators.
Reasonable steps for fraud response include:
• clear reporting mechanisms
• a thorough investigation
• disciplining of the individuals responsible (internal, civil and/or criminal)
• recovery of stolen funds or property
• modification of the anti-fraud strategy to prevent similar behavior in the future.
As shown in the diagram, when all three of the main components work together, there is effective risk deterrence. Using the same terms as risk analysis, Prevention is related to the likelihood of fraud occurring: the stronger the prevention measures, the less likely it is to occur. Detection is related to impact: the faster and better that fraud is detected, the lower the impact of the fraud. A strong response that is well-communicated can impact both likelihood and impact: if it is known that the company takes fraud seriously and there are real consequences, some fraudsters may be deterred. Likewise, a response that includes the recovery of lost funds and property can reduce the impact of the fraud.
Preventing Fraud
There are some simple steps you can take to ensure that fraud is
prevented through your normal work activities:
• Understand and validate what you authorize, sign, or approve
o Ensure you fully understand the basis and the implications of the request
• Don’t take short cuts: know and follow policy and procedures
• Make informed decisions – never assume
• Listen to your first instincts (gut feelings) and don’t be afraid to ask clarifying questions
• Refer any suspicion to your Line Manager. If your suspicion involves your Line Manager, refer to Risk & Compliance.
o It is not your responsibility to investigate or have proof, but the concern needs to be raised in good faith.
Detecting Fraud – Red Flags
Red Flags are indicators that fraud may be occurring. The red flags can be behavioral or relate to work anomalies.
Red Flags do not mean that fraud is occurring, but they do indicate an unusual situation that needs further review.
All staff should be aware of red flags and bring any concerns they have to their line manager or to Risk & Compliance.
Behavioral Red Flags
The Association of Certified Fraud Examiners (ACFE) 2020 Global Study on Occupational Fraud and Abuse reported that 85% of people committing fraud display at least one of the following behavioral red flags.
• Living beyond one’s means
• Financial difficulties
• Unusually close association with a vendor or customer
• Excessive control issues or unwillingness to share duties
• Unusual irritability, suspiciousness, or defensiveness
• A general “wheeler-dealer” attitude involving shrewd or unscrupulous behavior
• Recent divorce or family problems
Work Anomalies
• Alteration of documents and records.
• Extensive use of correction fluid and unusual erasures.
• Photocopies of documents in place of originals.
• Rubber stamp signatures instead of originals.
• Signature or handwriting discrepancies.
• Missing approvals or authorisation signatures.
• Transactions initiated without the appropriate authority.
• Unexplained fluctuations in account balances.
• Inventory variances and turnover rates.
• Inventory adjustments.
• Subsidiary ledgers which do not reconcile with control accounts.
• Extensive use of ‘suspense’ accounts.
• Inappropriate or unusual journal entries.
• Confirmation letters not returned.
• Supplies purchased in excess of need.
• Higher than average number of failed login attempts.
• Systems being accessed outside of normal work hours or from outside the normal work area.
• Controls or audit logs being switched off.
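The last three work anomalies are the ones a system can surface on its own. The following Python script is an added example, not part of the Wave Money training material or its systems: it runs those three checks over a handful of constructed access-log lines and produces a list of findings for a reviewer to pass to Risk & Compliance. The log format, the event names, the office network (10.20.0.0/16), the working hours (08:00-17:59) and the "more than twice the average" threshold are all assumptions made for the example.

```python
"""Red-flag detection over constructed access-log lines (added example).

Flags three of the work anomalies listed in the training: higher-than-average
failed login attempts per user, access outside normal hours or the normal work
area, and audit logging or controls being switched off. Every constant below
is an assumption for the example, not a Wave Money value.
"""
from collections import Counter
from datetime import datetime
import ipaddress
import statistics

# Constructed sample log, one event per line: "<ISO timestamp> <user> <source ip> <event>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 agent017 10.20.4.15 LOGIN_FAIL
2024-03-04T09:12:30 agent017 10.20.4.15 LOGIN_OK
2024-03-04T09:40:11 finance02 10.20.7.9 LOGIN_OK
2024-03-04T10:05:44 ops03 10.20.3.21 LOGIN_FAIL
2024-03-04T10:06:02 ops03 10.20.3.21 LOGIN_OK
2024-03-04T23:47:19 finance02 10.20.7.9 LOGIN_OK
2024-03-05T02:13:55 agent044 203.0.113.77 LOGIN_FAIL
2024-03-05T02:14:03 agent044 203.0.113.77 LOGIN_FAIL
2024-03-05T02:14:20 agent044 203.0.113.77 LOGIN_FAIL
2024-03-05T02:14:41 agent044 203.0.113.77 LOGIN_FAIL
2024-03-05T02:14:58 agent044 203.0.113.77 LOGIN_FAIL
2024-03-05T02:15:09 agent044 203.0.113.77 LOGIN_OK
2024-03-05T02:16:30 agent044 203.0.113.77 AUDIT_LOG_DISABLED
2024-03-05T11:00:00 finance02 10.20.7.9 LOGIN_OK
"""

WORK_HOURS = range(8, 18)                                # assumed normal hours: 08:00-17:59
OFFICE_NETWORK = ipaddress.ip_network("10.20.0.0/16")    # assumed normal work area
FAIL_RATIO = 2.0                                         # "higher than average": > 2x the mean per user (assumed)
CONTROL_OFF_EVENTS = {"AUDIT_LOG_DISABLED", "CONTROL_DISABLED"}  # constructed event names


def parse_log(text):
    """Parse log text into (datetime, user, ip, event) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, event = parts
        try:
            records.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), event))
        except ValueError:
            continue  # unparsable timestamp or address: ignore rather than crash the review
    return records


def excessive_failed_logins(records):
    """Users whose failed-login count exceeds FAIL_RATIO times the mean across users."""
    fails = Counter(user for _, user, _, event in records if event == "LOGIN_FAIL")
    if not fails:
        return {}
    mean = statistics.mean(fails.values())
    return {user: n for user, n in fails.items() if n > FAIL_RATIO * mean}


def off_hours_or_off_site(records):
    """Successful logins outside WORK_HOURS or from outside OFFICE_NETWORK, with the reason."""
    hits = []
    for ts, user, ip, event in records:
        if event != "LOGIN_OK":
            continue
        reasons = []
        if ts.hour not in WORK_HOURS:
            reasons.append("outside normal hours")
        if ip not in OFFICE_NETWORK:
            reasons.append("outside normal work area")
        if reasons:
            hits.append((user, ts.isoformat(), ", ".join(reasons)))
    return hits


def controls_switched_off(records):
    """Events showing audit logging or a control was disabled, and who triggered them."""
    return [(user, ts.isoformat(), event) for ts, user, _, event in records if event in CONTROL_OFF_EVENTS]


def red_flag_report(text):
    """Run all three checks and return the findings grouped by red flag."""
    records = parse_log(text)
    return {
        "excessive_failed_logins": excessive_failed_logins(records),
        "off_hours_or_off_site": off_hours_or_off_site(records),
        "controls_switched_off": controls_switched_off(records),
    }


if __name__ == "__main__":
    for flag, findings in red_flag_report(SAMPLE_LOG).items():
        print(flag)
        for item in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", item)
```

Each finding names the user, the time and the reason, which is what a line manager or Risk & Compliance needs to start a review; as the training says, a red flag is a reason for follow-up, not proof of fraud.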
Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) and Know Your Customer (KYC)
Anti-Money Laundering (AML)