L’argent Mobile Pour les Personnes Non-Bancarisées Juillet

2010
Definition Juillet

Agent

Personne physique ou morale sous contrat habilitée à effectuer des transactions pour le compte des
clients, les plus importantes d’entre elles étant les dépôts ou retraits d’espèces, c’est-à-dire le chargement
(ou le déchargement/retrait) d’une certaine valeur dans le porte-monnaie électronique. Ils ont également
souvent la responsabilité de l’enregistrement des nouveaux clients. Les agents perçoivent généralement
une commission sur les services rendus. Dans certains cas, ils fournissent des services d’assistance à la
clientèle, par exemple, la formation de nouveaux clients au service. Les agents ont dans la plupart du
temps d’autres activités lucratives. Selon la législation en vigueur dans certains pays, l’agent peut être
assujetti à une autorisation et à des obligations particulières. Dans d’autres marchés les petits détaillants,
les institutions de micro finance (IMF), les chaînes de magasins ou des agences bancaires peuvent faire
office d’agents. Les agents sont aussi connus sous le nom de « commerçant », « détaillant » ou «
marchand » afin d’éviter les implications juridiques liées au terme « agent » dans certains secteurs
d’activité ou certains marchés.

Agent Principal (« master agent » en anglais)

Personne physique ou morale achetant de « l’argent électronique en gros » auprès d’un opérateur de
réseau mobile ou fournisseur de services financiers mobiles (« service provider » en anglais) pour le
revendre aux agents. L’agent principal est donc le premier maillon de la chaine de distribution d’argent
mobile, sachant que les agents revendent à leur tour cet « argent électronique » aux utilisateurs. À la
différence d’un grossiste, un agent principal a la responsabilité de la gestion des besoins d’un groupe
donné d’agents en matière de liquidité en espèces et en valeur électronique.

Agrégateur

Personne physique ou morale en charge du recrutement de nouveaux Agents. Cette fonction est souvent
associée à celle d’agent principal et les deux termes s’utilisent indifféremment.

Argent électronique (« e-money » ou « e-cash » en anglais)

L’argent électronique est la valeur stockée sur les portemonnaies électroniques des utilisateurs, des agents
et du prestataire de services bancaires mobiles. À tous moments, le montant total de l’Argent électronique
en circulation a sa contrepartie sur un ou des compte(s) bancaire(s). Ainsi, en cas de difficultés majeures
liées à son activité commerciale, les utilisateurs récupéreraient leurs mises.

Argent mobile (Mobile Money en anglais)

Service permettant d’accéder à des services financiers par l’intermédiaire d’un téléphone portable
(mobile).

Autorités réglementaires

Sensitivity: MTN Group - Internal

 Se référant à l’argent mobile, ce terme désigne habituellement les autorités réglementaires supervisant les
institutions financières dans un pays donné – généralement la banque centrale ou toute autre autorité
financière.

Canal de transmission

Canal de communication sans fil par lequel s’effectue la transmission des données (« data » en anglais)
entre le téléphone d’un client et la plateforme de services financiers mobiles. Les opérateurs de téléphonie
mobile fournissent le « canal de transmission » en contrepartie parfois d’une commission couvrant le coût
lié a la transmission de données. Les canaux de transmission sans fil les plus utilisés sont USSD, SMS et
GPRS.

Connaissance du client (« Know Your Customer » ou KYC en anglais)

Désigne les règles de LAB/CFT obligeant les prestataires ou Agents à respecter certaines procédures pour
la vérification de l’identité des utilisateurs.

Dépôt d’espèces (« cash-in » en anglais)

Opération par laquelle le client dépose de l’argent liquide sur son porte-monnaie électronique. Cela
s’effectue généralement par l’intermédiaire d’un Agent qui reçoit les espèces du client et crédite le porte-
monnaie électronique du client.

Épargne/Compte d’épargne

Désigne traditionnellement la conservation de l’argent d’un client par une institution habilitée et autorisée
sur un compte porteur d’intérêts.

Enrégistrement OTA (« Over the air »)

Terme utilisé pour la création d’un compte d’argent mobile pour un client par le biais d’un réseau de
téléphonie mobile, sans qu’il y ait besoin d’ajouter un équipement supplément à l’appareil.

Float

Terme anglais désignant le montant total de l’argent électronique, des espèces et des sommes déposées en
banque à la disposition immédiate d’un Agent lui permettant de faire face aux demandes d’achat (dépôts)
ou de vente (retraits) d’argent électronique. Le ¹float correspond donc aux encaisses, soldes ou encours de
trésorerie de l’agent consacrées aux opérations d’argent mobile.

Grossiste (« superagent » en anglais)

Une entreprise, ou parfois une banque, achetant de l’argent électronique (e-money ou e-cash) « en gros »
auprès d’un fournisseur de service financiers mobiles pour le revendre aux agents, lesquels le revendent à
leur tour aux utilisateurs.

G2P

En anglais « government to person », signifie de l’État vers les personnes.

Interopérabilité

Sensitivity: MTN Group - Internal

 Désigne la possibilité offerte aux utilisateurs de différents systèmes de services financiers mobiles
d’effectuer des transactions directement entre eux.

Liquidité

Désigne la capacité d’un Agent à faire face aux demandes d’achat (dépôts) ou de vente (retraits) d’argent
électronique. L’indicateur le plus courant de mesure de la liquidité d’un Agent est le montant total des
sommes détenues par celui-ci en Argent électronique et en argent liquide (aussi appelé « solde » ou «
float » en anglais).

Lutte anti-blanchiment/contre le financement du terrorisme (LAB/CFT)

Ensemble des réglementations généralement mises en place par les banques centrales et autres autorités
compétentes visant à détecter et empêcher l’usage de services financiers aux fins de blanchiment de
l’argent ou de financement du terrorisme. L’organisme en charge de l’établissement de normes mondiales
en matière de LAB/CFT est le GAFI (Groupe d’Action financière, ou Financial Action Task Force/FATF
en anglais).

Non-bancarisé

Se dit des personnes souvent à faibles revenus, ne disposant pas d’un compte bancaire ou d’un compte
courant auprès d’une institution financière conventionnelle.

Sous-bancarisé

Se dit des personnes ayant accès à des services bancaires compte courant simple auprès d’une institution
financière conventionnelle, mais ayant cependant des besoins financiers non satisfaits ou mal satisfaits.
Par exemple, elles n’ont pas la possibilité d’envoyer de l’argent de façon sûre ou abordable.

Paiement mobile

Transfert de valeur réalisé à partir d’un porte-monnaie électronique, au crédit d’un porte-monnaie mobile
et/ou initié à partir d’un téléphone mobile. Le terme de paiement mobile est parfois réservé à la
désignation de virements effectués pour le paiement de biens ou services, que ce soit sur le point de vente
(vente au détail) ou à distance (paiement de factures).

Plateforme

Équipements et logiciels permettant d’offrir des services d’argent électronique.

Porte-monnaie electronique ou mobile

Compte utilisé principalement par le biais d’un téléphone portable mobile.

P2P

De l’anglais « person to person », signifie d’individu à individu (par opposition aux personnes morales).

P2B

De l’anglais « person to business », signifie d’individu à entreprise (ou personne morale).

Sensitivity: MTN Group - Internal

 Point de vente

Commerce de détail où s’effectuent des paiements de biens ou services.

Responsable d’agents (« masteragent » en anglais)

Personne physique ou morale achetant de « l’argent électronique en gros » auprès d’un opérateur de
réseau mobile ou fournisseur de services financiers mobiles (« service provider » en anglais) pour le
revendre aux agents. Le responsable d’agents est donc le premier maillon de la chaine de distribution
d’argent mobile, sachant que les agents revendent à leur tour cet « argent électronique » aux utilisateurs.
À la différence d’un agent principal, le responsable d’agents est également responsable de la gestion des
besoins d’un groupe donné d’agents en matière de liquidité en espèces et en valeur électronique.

Retrait d’espèces (« cash-out » en anglais)

Opération par laquelle le client retire de l’argent liquide de son porte monnaie électronique. Cela
s’effectue généralement par l’intermédiaire d’un Agent qui débite le compte bancaire mobile du client et
lui remet l’argent en liquide.

Services bancaires mobiles

Désigne l’accès à des services financiers par l’intermédiaire d’un téléphone portable (mobile). Cela peut
inclure l’exécution de certaines transactions.

Services financiers conventionnels

Désignent les services financiers fournis par des entités non réglementées par opposition aux services
financiers informels qui sont nonréglementés. En plus des banques, les fournisseurs de services de
transferts de fonds, les institutions de microfinance (IMF) et les opérateurs de réseaux mobiles peuvent
avoir l’autorisation de fournir certains services financiers.

Services financiers informels (ou non-conventionnels)

Désignent les services financiers fournis par les entités non réglementées, comme par exemple les
encaisseurs du réseau Susu au Ghana, et les associations d’épargne, etc.

Solde

Voir « float »

Virement d’argent mobile

Transfert de valeur réalisé à partir d’un porte-monnaie mobile, au crédit d’un porte-monnaie mobile et/ou
initié à partir d’un téléphone mobile.

RAPPORT ANNUEL SUR LES SERVICES FINANCIER NUMERIQUES DE L’UEMOA 2019

ANNEXE 1 : ETABLISSEMENTS EMETTEURS DE MONNAIE ELECTRONIQUE A FIN

DECEMBRE 2019

Sensitivity: MTN Group - Internal

 ETABLISSEMENTS SYSTEMES FINANCIERS PARTENARIATS NOUES ENTRE LES BANQUES ET LES OPERATEURS DE NOMBR
DE MONNAIE DECENTRALISES TELECOMMUNICATION OU PRESTATAIRES TECHNIQUES POUR L'EMISSION DE MONNAIE D’INI
ELECTRONIQUE AUTORISES A EMETTRE LA ELECTRONIQUE
MONNAIE ELECTRONIQUE ETABLISSEMENTS OPERATEURS DE PRESTATAIRES NOM DU
TELECOMMUNICATION TECHNIQUES PRODUIT
MTN MOBILE ASMAB (Association pour la BANQUE ATLANTIQUE ETISALAT BENIN MOOV MONEY
MONEY SA Solidarité des Marchés du Bénin- BENIN
SFD)
ECOBANK

A ORANGE MONEY UBA BURKINA TELMOB MOBICASH -

BURKINA FASO VENEGA
SOCIETE GENERALE TAGPAY YUP-BURKINA
DE BANQUE AU
BURKINA
CORIS BANK TAGPAY CORIS-MONEY
INTERNATIONAL

ORANGE MONEY CELPAID SGBC TAGPAY SGBCI-YUP

E CÔTE D'IVOIRE
MTN MOBILE UBA CI WAVE WAVE
FINANCIAL
SERVICES COTE
D'IVOIRE
QASH SERVICES BACI WIZALL WIZALL
MOOV MONEY BDA KASH KASH KASH KASH
COMPAGNIE BRM XIKKA XIKKA
FINANCIÈRE DE MONEY
PAIEMENT

BANCO DA AFRICA MTN MOBILE

OCIDENTAL MONEY
ECOBANK ORANGE BISSAU ORANGE
MONEY

ORANGE FINANCES BDM SOTELMA-MALITEL MOBICASH

MOBILES MALI

BOA NIGER ORANGE NIGER ORANGE

MONEY
ECOBANK NIGER CELTEL NIGER AIRTEL
MONEY
BANQUE ATLANTIQUE ATLANTIQUE TELECOM MOOV FLOOZ
NIGER NIGER

L ORANGE FINANCE BANQUE DE DAKAR KASH KASH KASH KASH

MOBILES SENEGAL SENEGAL
MOBILE CASH S.A BSIC SN EXPRESSO E-MONEY
ECOBANK SENEGAL WIZALL
SGBS TAGPAY SGBS-YUP
UNITED BANK FOR ZUULU PAY /
AFRICA WAVE / WARI

BANQUE ATLANTIQUE ATLANTIC TELECOM / FLOOZ

ORABANK MOOV ETISALAT

Sensitivity: MTN Group - Internal

 ECOBANK
DIAMOND BANK
BANQUE TOGOLAISE TOGO CELLULAIRE TMONEY
POUR LE COMMERCE
ET L'INDUSTRIE

E 10 2 26

VE

RAPPORT ANNUEL SITUATION INCLSION FINANCIERE

INDICATEURS D’UTILISATION DES SERVICES FINANCIERS

Tableau n°3 : Taux de bancarisation strict (TBS) en %
2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020
Benin 21,6 22,6 23,2 25,4 26,3 26,4 26,7 20,9 23,8 24,0 31,2
Burkina 13,0 12,8 14,7 15,4 16,9 19,8 21,0 21,0 22,3 20,4 20,6
Cote 11,5 19.5 16,5 16,5 15,6 15,8 17,2 17,2 17,8 19,1 20,5
d’ivoire
Guinée- 3,8 3,7 4,6 5,8 6,9 8,6 10,9 10,8 11,21 16,8 17,6
Bissau
Mali 8,1 8,5 9,0 9,5 9,5 10,6 11,1 12,6 13,4 14,2 15,6
Niger 1,8 2,2 2,8 3,4 4,4 5,5 5,8 5,6 6,8 8,2 9,1
Senegal 10,6 11,8 13,0 15,9 18,3 17,0 17,7 19,6 19,0 18,6 19,6
Togo 17,1 17,3 17,2 18,6 20,4 21,0 21,4 24,3 24,7 25,1 27,0
UEMOA 10,8 13,0 12,9 4,0 14,7 15,5 16,3 16,4 17,2 17,6 19,3
Tableau n°4 : Taux de bancarisation élargi (TBE) en %
2010 2011 2012 2013 2014 2015 2016 2017 2018
Benin 52,9 52,3 50,0 62,2 64,6 65,1 63,2 63,2 70,0
Burkina 27,4 27,0 30,7 32,0 34,1 37,9 39,1 39,9 43,3
Cote d’ivoire 21,7 27,0 24,1 22,3 21,6 23,0 25,1 25,5 28,8
Guinée-Bissau 4,8 4,8 5,8 6,8 8,0 9 9,8 12,1 12,0 12,3
Mali 21,7 21,9 22,3 22,8 21,7 23,2 23,9 25,6 26,7
Niger 7,9 7,8 11,0 12,6 14,1 16,7 16,8 15,8 15,3
Senegal 31,0 33,8 36,5 40,8 45,1 43,4 45,8 47,9 51,5
Togo 41,9 45,5 50,2 61,1 65,2 68,1 70,8 68,6 73,3
UEMOA 25,7 27,3 28,4 30,9 32,2 33,8 35,0 35,5 38,4

Sensitivity: MTN Group - Internal

 Tableau n°5 : Taux global d'utilisation des services financiers, corrigé de la multibancarité (TGUSF) en
%
2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020
Benin 45,4 44,9 44,7 53,5 57,7 62,0 69,0 71,7 74,5 75,4 82,4
Burkina 23,7 24,1 27,8 35,1 32,0 41,1 45,7 67,8 69,3 70,9 75,4
Cote 18,6 32,3 33,4 38,9 39,2 41,6 49,9 61,3 67,1 78,9 79,1
d’ivoire
Guinée- 4,1 4,1 4,9 5,9 8,1 10,3 12,9 14,4 20,6 36,8 57,0
Bissau
Mali 19,2 20,5 21,9 24,0 32,1 37,4 38,7 37,8 37,9 38,3 48,6
Niger 6,8 7,4 10,2 11,9 14,5 17,1 17,1 16,3 15,6 17,8 15,6
Senegal 26,9 30,2 35,1 40,1 50,3 52,4 61,9 65,9 67,0 70,0 75,6
Togo 35,7 38,7 42,7 53,0 57,7 66,2 72,5 72,2 79,0 79,0 81,5
UEMOA 22,2 26,2 28,6 33,9 37,2 41,7 47,0 53,6 56,0 60,0 63,8

Résultats et observations
La figure 3 présente les valeurs de l’indice de la réglementation de l’argent mobile pour les 81 pays
examinés. Bien que l’indice produise une valeur chiffrée, les différences entre pays sont souvent minimes.
Il convient par conséquent de ne pas accorder une importance excessive au classement précis ou à la note
exacte de chaque pays. L’intérêt majeur de l’indice se trouve plutôt dans l’évaluation des différentes
dimensions et de leurs indicateurs dans le but de mieux cerner les aspects spécifiques de la réglementation
qu’il serait souhaitable d’améliorer pour favoriser l’inclusion financière. Figure 3

Valeurs de l’indice de la réglementation de l’argent mobile

Guinée-Bissau 79.74

Burkina Faso 79.98

Sensitivity: MTN Group - Internal

 Mali 79.98

Niger 79.96

Bénin 79.93

Togo 79.83

Côte d'Ivoire 79.82

Sénégal 79.82

Risk management — Guidelines

ISO 31000:2018(E)

3.5 Event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several
consequences (3.6).
Note 2 to entry: An event can also be something that is expected which does not happen, or something
that is not
expected which does happen.
Note 3 to entry: An event can be a risk source.

3.6 Consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or
indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.

Sensitivity: MTN Group - Internal

 Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.

3.7 likelihood
chance of something happening
Note 1 to entry: In risk management (3.2) terminology, the word “likelihood” is used to refer to the
chance of
something happening, whether defined, measured or determined objectively or subjectively, qualitatively
or
quantitatively, and described using general terms or mathematically (such as a probability or a frequency
over a
given time period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages;
instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly
interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent
that it
should have the same broad interpretation as the term “probability” has in many languages other than
English.

3.8 Control
measure that maintains and/or modifies risk (3.1)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other
conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.

4 Principles
The purpose of risk management is the creation and protection of value. It improves performance,
encourages innovation and supports the achievement of objectives.
The principles outlined in Figure 2 provide guidance on the characteristics of effective and efficient
risk management, communicating its value and explaining its intention and purpose. The principles are
the foundation for managing risk and should be considered when establishing the organization’s risk
management framework and processes. These principles should enable an organization to manage the
effects of uncertainty on its objectives.

Sensitivity: MTN Group - Internal

 Copyrighted material licensed to University of Toronto by Clarivate Analytics (US) LLC,
subscriptions.techstreet.com, downloaded on 2018-03-11 14:38:32 -0500 by University of Toronto User.
No further reproduction or distribution is permitted.
d
Figure 2 — Principles
Effective risk management requires the elements of Figure 2 and can be further explained as follows.
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and
comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the organization’s
external and internal context related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions
to be considered. This results in improved awareness and informed risk management.
e) Dynamic
Risks can emerge, change or disappear as an organization’s external and internal context changes.
Risk management anticipates, detects, acknowledges and responds to those changes and events in an
appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future
expectations. Risk management explicitly takes into account any limitations and uncertainties associated
with such information and expectations. Information should be timely, clear and available to relevant
stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and
stage.
h) Continual improvement
Risk management is continually improved through learning and experience.

5 Framework
5.1 General
The purpose of the risk management framework is to assist the organization in integrating risk
management into significant activities and functions. The effectiveness of risk management will depend

Sensitivity: MTN Group - Internal

 on its integration into the governance of the organization, including decision-making. This requires
support from stakeholders, particularly top management. Framework development encompasses
integrating, designing, implementing, evaluating and improving risk management across the organization.
Figure 3 illustrates the components of a framework.
Figure 3 — Framework
The organization should evaluate its existing risk management practices and processes, evaluate any gaps
and address those gaps within the framework.
The components of the framework and the way in which they work together should be customized to the
needs of the organization.

5.2 Leadership and commitment

Top management and oversight bodies, where applicable, should ensure that risk management is
integrated into all organizational activities and should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help the organization to:
— align risk management with its objectives, strategy and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken to guide the development of risk
criteria, ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk while oversight bodies are accountable for overseeing
risk management. Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization’s objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization’s objectives;
— ensure that information about such risks and their management is properly communicated.

5.3 Integration
Integrating risk management relies on an understanding of organizational structures and context.

Sensitivity: MTN Group - Internal

 Structures differ depending on the organization’s purpose, goals and complexity. Risk is managed in
every part of the organization’s structure. Everyone in an organization has responsibility for managing
risk.
Governance guides the course of the organization, its external and internal relationships, and the rules,
processes and practices needed to achieve its purpose. Management structures translate governance
direction into the strategy and associated objectives required to achieve desired levels of sustainable
performance and long-term viability. Determining risk management accountability and oversight roles
within an organization are integral parts of the organization’s governance.
Integrating risk management into an organization is a dynamic and iterative process, and should be
customized to the organization’s needs and culture. Risk management should be a part of, and not
separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives
and operations.

5.4 Design
5.4.1 Understanding the organization and its context
When designing the framework for managing risk, the organization should examine and understand its
external and internal context. Examining the organization’s external context may include, but is not
limited to:
— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental
factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
Examining the organization’s internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual
property, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments;
— interdependencies and interconnections.

Sensitivity: MTN Group - Internal

 5.4.2 Articulating risk management commitment
Top management and oversight bodies, where applicable, should demonstrate and articulate their
continual commitment to risk management through a policy, a statement or other forms that clearly
convey an organization’s objectives and commitment to risk management. The commitment should
include, but is not limited to:
— the organization’s purpose for managing risk and links to its objectives and other policies;
— reinforcing the need to integrate risk management into the overall culture of the organization;
— leading the integration of risk management into core business activities and decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization’s performance indicators;
— review and improvement.
The risk management commitment should be communicated within an organization and to stakeholders,
as appropriate.
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities,
responsibilities and accountabilities for relevant roles with respect to risk management are assigned and
communicated at all levels of the organization, and should:
— emphasize that risk management is a core responsibility;
— identify individuals who have the accountability and authority to manage risk (risk owners).
5.4.4 Allocating resources
Top management and oversight bodies, where applicable, should ensure allocation of appropriate
resources for risk management, which can include, but are not limited to:
— people, skills, experience and competence;
— the organization’s processes, methods and tools to be used for managing risk;
— documented processes and procedures;
— information and knowledge management systems;
— professional development and training needs.
The organization should consider the capabilities of, and constraints on, existing resources.
5.4.5 Establishing communication and consultation
The organization should establish an approved approach to communication and consultation in order to
support the framework and facilitate the effective application of risk management. Communication
involves sharing information with targeted audiences. Consultation also involves participants providing
feedback with the expectation that it will contribute to and shape decisions or other activities.
Communication and consultation methods and content should reflect the expectations of stakeholders,

Sensitivity: MTN Group - Internal

 where relevant. Communication and consultation should be timely and ensure that relevant information is
collected, collated, synthesised and shared, as appropriate, and that feedback is provided and
improvements are made.

5.5 Implementation
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are made across the organization, and
by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood and practised.
Successful implementation of the framework requires the engagement and awareness of stakeholders.
This enables organizations to explicitly address uncertainty in decision-making, while also ensuring that
any new or subsequent uncertainty can be taken into account as it arises.
Properly designed and implemented, the risk management framework will ensure that the risk
management process is a part of all activities throughout the organization, including decision-making, and
that changes in external and internal contexts will be adequately captured.

5.6 Evaluation
In order to evaluate the effectiveness of the risk management framework, the organization should:
— periodically measure risk management framework performance against its purpose, implementation
plans, indicators and expected behaviour;
— determine whether it remains suitable to support achieving the objectives of the organization.

5.7 Improvement
5.7.1 Adapting
The organization should continually monitor and adapt the risk management framework to address
external and internal changes. In doing so, the organization can improve its value.
5.7.2 Continually improving
The organization should continually improve the suitability, adequacy and effectiveness of the risk
management framework and the way the risk management process is integrated.
As relevant gaps or improvement opportunities are identified, the organization should develop plans and
tasks and assign them to those accountable for implementation. Once implemented, these improvements
should contribute to the enhancement of risk management.

6 Process
6.1 General

Sensitivity: MTN Group - Internal

 The risk management process involves the systematic application of policies, procedures and practices to
the activities of communicating and consulting, establishing the context and assessing, treating,
monitoring, reviewing, recording and reporting risk. This process is illustrated in Figure 4.
Figure 4 — Process
The risk management process should be an integral part of management and decision-making and
integrated into the structure, operations and processes of the organization. It can be applied at strategic,
operational, programme or project levels.
There can be many applications of the risk management process within an organization, customized to
achieve objectives and to suit the external and internal context in which they are applied.
The dynamic and variable nature of human behaviour and culture should be considered throughout the
risk management process. Although the risk management process is often presented as sequential, in
practice it is iterative.

6.2 Communication and consultation

The purpose of communication and consultation is to assist relevant stakeholders in understanding risk,
the basis on which decisions are made and the reasons why particular actions are required.
Communication seeks to promote awareness and understanding of risk, whereas consultation involves
obtaining feedback and information to support decision-making. Close coordination between the two
should facilitate factual, timely, relevant, accurate and understandable exchange of information, taking
into account the confidentiality and integrity of information as well as the privacy rights of individuals.
Communication and consultation with appropriate external and internal stakeholders should take place
within and throughout all steps of the risk management process. Communication and consultation aims to:
— bring different areas of expertise together for each step of the risk management process;
— ensure that different views are appropriately considered when defining risk criteria and when
evaluating risks;
— provide sufficient information to facilitate risk oversight and decision-making;
— build a sense of inclusiveness and ownership among those affected by risk.

6.3 Scope, context and criteria

6.3.1 General
The purpose of establishing the scope, the context and criteria is to customize the risk management
process, enabling effective risk assessment and appropriate risk treatment. Scope, context and criteria
involve defining the scope of the process, and understanding the external and internal context.
6.3.2 Defining the scope
The organization should define the scope of its risk management activities.
As the risk management process may be applied at different levels (e.g. strategic, operational, program,
project, or other activities), it is important to be clear about the scope under consideration, the relevant
objectives to be considered and their alignment with organizational objectives.
When planning the approach, considerations include:
— objectives and decisions that need to be made;

Sensitivity: MTN Group - Internal

 — outcomes expected from the steps to be taken in the process;
— time, location, specific inclusions and exclusions;
— appropriate risk assessment tools and techniques;
— resources required, responsibilities and records to be kept;
— relationships with other projects, processes and activities.
6.3.3 External and internal context
The external and internal context is the environment in which the organization seeks to define and
achieve its objectives.
The context of the risk management process should be established from the understanding of the external
and internal environment in which the organization operates and should reflect the specific environment
of the activity to which the risk management process is to be applied.
Understanding the context is important because:
— risk management takes place in the context of the objectives and activities of the organization;
— organizational factors can be a source of risk;
— the purpose and scope of the risk management process may be interrelated with the objectives of the
organization as a whole.The organization should establish the external and internal context of the risk
management process by considering the factors mentioned in 5.4.1.
6.3.4 Defining risk criteria
The organization should specify the amount and type of risk that it may or may not take, relative to
objectives. It should also define criteria to evaluate the significance of risk and to support decisionmaking
processes. Risk criteria should be aligned with the risk management framework and customized to the
specific purpose and scope of the activity under consideration. Risk criteria should reflect the
organization’s values,objectives and resources and be consistent with policies and statements. About risk
management. The criteria should be defined taking into consideration the organization’s obligations and
the views of stakeholders.While risk criteria should be established at the beginning of the risk assessment
process, they are dynamic and should be continually reviewed and amended, if necessary.
To set risk criteria, the following should be considered:
— the nature and type of uncertainties that can affect outcomes and objectives (both tangible and
intangible);
— how consequences (both positive and negative) and likelihood will be defined and measured;
— time-related factors;
— consistency in the use of measurements;
— how the level of risk is to be determined;
— how combinations and sequences of multiple risks will be taken into account;
— the organization’s capacity.

6.4 Risk assessment

Sensitivity: MTN Group - Internal

 6.4.1 General
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Risk
assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge
and views of stakeholders. It should use the best available information, supplemented by further enquiry
as necessary.
6.4.2 Risk identification
The purpose of risk identification is to find, recognize and describe risks that might help or prevent an
organization achieving its objectives. Relevant, appropriate and up-to-date information is important in
identifying risks.
The organization can use a range of techniques for identifying uncertainties that may affect one or more
objectives. The following factors, and the relationship between these factors, should be considered:
— tangible and intangible sources of risk;
— causes and events;
— threats and opportunities;
— vulnerabilities and capabilities;
— changes in the external and internal context;
— indicators of emerging risks;
— the nature and value of assets and resources;
— consequences and their impact on objectives;
— limitations of knowledge and reliability of information;
— time-related factors;
— biases, assumptions and beliefs of those involved.

Sensitivity: MTN Group - Internal

Sensitivity: MTN Group - Internal