S.

N Audit Result RCMD Response on the Rectificat

findings ion Time
framewor
k

Credit risk management

The audit team conducted a comprehensive review of the bank-wide credit risk management practices and evaluated the
effectiveness of the Risk and Compliance Management Department (RCMD) in this domain. The assessment focused on
compliance with the National Bank of Ethiopia (NBE) risk management guidelines and the overarching risk management
framework. The following key points were found to be in alignment with these standards:
1. Approved Policies: The bank has established and approved policies that effectively govern and influence credit
risk management, ensuring a structured approach to risk mitigation.

2. Credit Risk Tolerance Limits: The presence of defined tolerance limits for credit risk is evident, considering
various factors such as types of credit, economic sectors, geographical locations, currencies, and maturities. This
framework facilitates informed decision-making in lending practices.

3. Quarterly Risk Assessment: The RCMD identifies, evaluates, measures, controls, and monitors credit risk on a
quarterly basis through comprehensive risk assessment reports, thereby reinforcing a proactive risk management
strategy.

4. Portfolio-Level Risk Limits: The bank has developed portfolio-level risk limits that align with regulatory
requirements and the bank’s risk appetite, encompassing both on-balance sheet and off-balance sheet exposures.
This holistic approach helps in managing overall credit risk effectively.

5. Ratio Analysis Techniques: The RCMD employs ratio analysis techniques to measure and assess credit risks,
providing quantitative insights into the bank's credit exposure.

6. Tailored Reporting: The Risk and Compliance Management Department generates reports tailored to the needs of
various stakeholders, facilitating effective decision-making and review processes.

Despite these strengths, the audit identified several areas for improvement, which will be detailed in the following
sections.

1.1 Criteria: The bank's risk management framework (2.5.7) outlines the
establishment of a five-class credit risk rating system designed to classify
individual borrowers, ranging from Credit Risk Grade AAA (lowest risk) to
Credit Risk Grade B (highest risk). This system integrates three scenarios  RCMD shall accept qualitative
analysis has dominated its
 related to bankability and collateral strength to evaluate loan risk levels. report and will focus on the
Additionally, the corporate credit management procedure (4.4) specifies that expanding the quantitative
credit risk ratings should be conducted by credit analysts and approved by the analysis on forthcoming risk
credit director, with provisions for revising customer risk ratings based on early assessment reports.
warning signals (Article 4.6). Furthermore, Article 4.12 requires the workout  Recommending the regarding
division to develop action plans for borrowers classified in grades 3 to 8. of the risk grading;
As per NBE risk management guideline2.4 states the importance of
Categorization of the credit portfolio by credit characteristics, risk rating and
regular review of individual and groups of credits within the portfolio and
independent internal credit inspections or audits are integral elements of
effective and prudent portfolio monitoring and control.
Audit Result
 The loan review function employs a five-class credit risk rating system that
evaluates objective parameters such as loan performance, financial
management, business management, customer character, and industry  Centralized data concerning is
risk. However, it appears that the classification of loan advances not RCMD’s concern and loans
into the specified grades of 1 to 8 is not being effectively workout division
implemented. Additionally, the credit rating parameters focus
more on qualitative aspects rather than incorporating a
quantitative credit score.
The audit indicated that there is a lack of centralized data concerning the
bank's credit exposure risk ratings, which could limit accessibility for tracking
active credit exposures alongside customer risk grades. Additionally, it was
noted that the loan workout division has not yet developed action plans for
borrowers in grades 3 to 8, and customer credit re-grading following loan
review outcomes has not been consistently conducted.
1.2 Criteria: as per the NBE directive SBB/69/2018 2.8 and 4.5 and First of all the directive was
SBB/90/2024 4.2.1 require banks to review loans and advances exceeding communicated on June 12,2024 as a
5% of bank capital, considering both on-balance sheet (loans) and off-balance result fourth quarter 2023/24 report
sheet exposures (guarantees, letters of credit). doesn’t abide by the directive No
The large exposure directive SBB/97/2024 specifies that the aggregate sum SBB/90/2024 and SBB/87/2024,
second of all during counting off-
of all exposures to a counterparty or group of connected counterparties must
balance sheet items credit conversion
not exceed certain limits (e.g., 25% of total capital). This includes both on-
factors weren’t deployed by IAD as a
balance sheet and off-balance sheet items. result off-balance sheet items were
as per the NBE directive overstated.
SBB/90/2024 Article 4.6 The loan review function shall regularly, and on an Remark finding not accepted by
on-going basis, review all loans or advances, which are equal to or above five RCMD);
percent (5%) of a bank’s total capital to a single counterparty, calculated in
accordance with the Large Exposures Directive W/ro. Tigist: The Management has not
Audit result: The loan review function failed to comply with NBE directives accepted guarantee claim paid no
SBB/69/2018 and SBB/90/2024 regarding the review of loans and advances relation to affect outstanding loans
exceeding 5% of bank capital. Specifically: and advances
  The loan review function didn’t review all loans or advances, which are
equal to or above five percent (5%) of a bank’s total capital to a single
counterparty, for instance as of 4th quarter 2023/24 and 1st quarter 2024/25
the loan review conducted on 19 and 26 loans and advances however 13
and 16 loan and advances were not reviewed (omitted) respectively for the
quarters, this is because of the exclusion of letter of guarantee and other
off balance credit sheet exposures. (see annex 1)
 The review did not consider off-balance sheet exposures( for grading,
classifying, and monitoring), such as guarantees, in the assessment of
borrower exposures exceeding the 5% and 10% threshold, and are not
considering for risk rating parameters for loans and advances።
1.3 Audit result: While RCMD states on the loan review their review of current Current obligation identified shall affect and
obligations includes guarantee claims paid, commission receivable, and un- the loan review conclusion and it is not
cleared checks (referencing loan review periodic reports and Risk and
based any Directive and the Bank’s risk
Compliance assessment reports), our inspection revealed significant
omissions. Specifically, the current obligations section lacks key risk indicators
Program.
such as guarantee claims paid, uncollected overdue guarantee commission,
and un-cleared checks paid (see Annex 1) Un-cleared check shall be provided when
# name RCMDS Omitted remark the need arise;
statements as current
per 4th quarter obligation
loan review identified as
report per audit
Access to the GL needs by RCMD
1 Aleta land • Currently the loan has birr
coffee plc with Enat Bank is 39,281,235 un-
(Comprises Pass status; cleared
12.15%) of • Updated financial cheques paid
the Bank’s statement is elapsed more
Capital) required. than 1 year

2 Two F Capital Currently pass has birr has counterparty credit risk
plc. status in our bank 11,400,000 un- with Samrawit Fikru and Tirita
Updated financial cleared trading
statement is cheques paid
required; elapsed more
than 1 year

3 Afrotsion Updated financial has birr

construction statement is 90,326,297.56
required; guarantee
claim paid

4 Mulatu A current financial has birr has counterparty credit risk

Mengesha statement is 26,887,684.72
Wabe (Rich necessary; however, un-cleared
land the credit cheques paid
biochemical relationship with elapsed more
 production Enat Bank is than 1 year
Plc.) currently in the
pass status.

5 Nesanet Updated financial guarantee

solomon statement is claim 1 million
required.

Cause:
 Exclusion of Guarantees: RCMD’s collateral coverage metric omits
guarantees, violating the principle of comprehensive risk aggregation.
Weak Data Governance: No integration of off-balance sheet exposures into
collateral reporting tools.
1.4 Criteria: as per the risk management framework article 2.3.5 RCMD is Outstanding loans and advance with
responsible to Identify, evaluate/measure, control and monitor credit risk, collateral coverage ratio as per CMD was
required to ensure accurate and comprehensive collateral risk assessments,
intact, however, guarantees collateral
including all credit exposures (loans, advances, and off-balance sheet items
like guarantees). Collateral coverage calculations shall reflect the true risk
coverage risk isn’t assessed. In this regard
profile of the portfolio, incorporating all secured, partially secured, and RCMD will request CMD to provide periodic
unsecured exposures. data on collateral coverage of guarantees.
Audit result: even though with the internal audit questionnaire RCMD has
confirmed that the reported collateral limit measurement include letter of
guarantee credit exposure RCMD reported 99.06% collateral coverage for
loans and advances as of December 31, 2024. However, this figure excludes
letter of guarantee (LG) exposures (ETB 10.156 billion), which constitute a
material portion of the bank’s credit risk.
35% of guarantees (ETB 3.6 billion) are unsecured (“clean base”), exposing the
bank to losses if guarantees are called.
42% of guarantees (ETB 3.21 billion) are partially collateralized (<100%
coverage), increasing recovery risks.
Table 1: Collateral Risk Exposure in Guarantees (December 2024)
Outstandin
g % of
Description Risk Level
Guarantee Total
s (ETB)
3,602,927,
Clean Base (Unsecured) 35% High (No collateral)
179.76
3,210,864, Moderate (<100%
Partially Collateralized 42%
902.40 cover)
Fully Collateralized 3,342,652,
33% Low
(≥100%) 659.67

Total Guarantees 10,156,444 100%

 ,741.83
Cause:
Exclusion of Guarantees: RCMD’s collateral coverage metric omits
guarantees, violating the principle of comprehensive risk
aggregation.
Weak Data Governance: No integration of off-balance sheet exposures
into collateral reporting tools.
1.5 Audit result: While RCMD confirmed they consider overdue uncollected RCMD already identified and assessed the
guarantee claims and guarantee commission receivable for greater than one risks however the limitation rests on not
year as a credit risk on the internal audit questionnaire, our inspection
sufficient coverage. RCMD credit review
revealed these risks are not identified, measured, analyzed, reported and
communicated in risk assessment reports as a credit risk.
officers doesn’t have access right and lack
of availability of computer while performing
their task on head office premises. RCMD
shall write a memo to get accesses write for
the GL
1.6 Audit result: The audit revealed some weaknesses in the bank's handling of RCMD was not involved in the write-off
write-off loans, specifically in identification, measurement, and reporting. Key loans process and furthermore the
results include:- department was communicated on the last
 The Risk and Compliance Department (RCMD) has not sufficiently hours of the fourth quarter report
analyzed the risks associated with write-off loans.
 The impact of write-offs on critical financial ratios, such as the capital
(July,2024).
adequacy ratio and return on assets, has not been adequately assessed
or reported. We have accepted as an observation the
 The RCMD did not review or provide feedback on the revised write-off finding
policy and failed to examine the implementation process for loans written
off in the 4th quarter.
 The underlying reasons for loan write-offs are not formally documented
or analyzed as risks.
1.7 Criteria: as per NBE risk management guideline 2.3.5 Banks should have A Bank wide automated system limitation
credit granting procedures in place that identify connected counterparties as a to exhaustively identify connected
single obligor which means aggregating exposures to groups of counterparties
counterparties, moreover the directive has
(corporate or non-corporate) that exhibit financial interdependence by way of
common ownership, common control, or other connecting links (for example,
been introduced on June 12, 2024. Through
common Management, familiar ties). Identification of connected learning and growth and the development
counterparties requires a careful analysis of the impact of the above factors of automated system will solve the
(e.g. common ownership and control) on the financial interdependence of the problem.
parties involved.
Audit result: the absence of an adequate system for identifying, measuring,
and monitoring connected counterparty credit risk1, RCMD failed to
measure and report the following potential risk associated with
 connected counter party on its credit risk and compliance assessment
report.
Key risk indicator identified by audit team:
Aggregate exposure of connected counterparty credit exposure surpassed the
NBE limit of 35%.
# Connected Total credit Total capital % remark
counter exposures (on as of
parties and off balance June30,2024
sheet
exposure)as of
June30,2024
1 Rich land 543,150,191.49 36% Have a Same
biochemical 3,680,490,000 ownership,
production pl and had a
Rich land collateral
biochemical 294,085,503.34 counterparty
production pl credit risk
because of
Mulatu 484,939,374.99 the Mulatu
mengesha Mengesha
wabie also is
personal
guarantee of
the Richland
biochemical
Total
1,322,175,069.
82

2 Samrawit Fikru 79,651,195.38 10.33% Have a

Tirita trading 22,840,145.40 common
TwoF capital 278,028,256 ownership
Total 380,519,596
1.8 Criteria: National Bank of Ethiopia (NBE) Directive SBB/69/2018, Article 10.5, Not accepted by the Management
and SBB/90/2024, Article 15.5, stipulate that "any uncollectible claims,
other than loans and advances, shall be classified and provided for in
the same manner and method laid down in the asset classification
and provisioning directive for term loans with a monthly repayment
program or otherwise written off as an operating expense of the bank
as they are identified." These directives further define loans and advances
as financial assets arising from direct or indirect advances or commitments to
advance funds, conditioned on repayment obligations, usually with interest.
1
Means a group of counterparties with specific relationships of control or economic interdependencies, such that, if one of the counterparties were to fail, all of the
counterparties would very likely fail.
 Examples include unplanned overdrafts, loan syndication participation, loan
purchases, and contractual obligations to advance funds. Essentially, when a
guarantee claim is paid, it transforms into a financial asset representing the
bank's claim against the original obligor, and therefore should be treated
similarly to a loan.
Audit results: The audit revealed that overdue outstanding guarantee claims
paid by the bank are not being treated according to the loan classification and
provisioning requirements outlined in the NBE directives. Specifically, these
claims are not being subjected to the same classification and provisioning
process as term loans with a monthly repayment program. Not accepted dueto the bank’s policy that is
The (RMCD) and BOD is not adequately measuring, monitoring, and reporting guarantee claims paid aren’t automatically
overdue uncollected guarantee claims as a loan. converted to loans and advance. (requires
following guarantee claims paid by the bank were not included in credit Management’s further discussion)
reports, loan reviews, or risk assessments:
# Period Amount of claim paid
1 4th quarter 2024 (June 30 2024) 353,160,000
2 1st quarter 2024 (September 2024) 476,021,874.17
Audit results: these omission(understatement) has the following potential
consequences:
 Understate the level of risk and non-performing assets.
 underestimation of the bank's overall credit risk exposure regarding risk of
default
 Result in insufficient reserves, leaving the bank vulnerable to unexpected
losses.
 Understating risk-weighted assets (which include loans and advances), it
can artificially inflate the capital ratios, creating a false sense of financial
strength.
 Hide underlying financial problems, such as a deteriorating loan portfolio or
inadequate risk management practices.

1.9 Criteria: as per the risk management framework article 2.6.1.1 mandates RCMD accepts the finding and will act
Analyzing and classifying the Bank’s on and off-balance sheet exposures in accordingly in the forthcoming
different risk category (e.g. full risk, medium risk and low risk. This should be period.though there were efforts exerted to
also indicated in the Bank’s Credit management procedure;
acquire data from CMD.
Audit result: RCMD didn’t classify, measure and monitor off-balance sheet
exposures into three broad categories:
• Full risk (credit substitutes) – e.g. standby letters of credit or money
guarantees;
• Medium risk (not direct credit substitutes) – e.g. bid bonds, indemnities and
warranties; and
• Low risk – e.g. cash against document (CAD).
 The audit team identifies the following key risk indicators
Risk indicator 1: from the total issued letter of guarantee 69% of the
portfolio falls under full risk category.

Types of Active amount as of

# guarantee September 30,2024 % Type of risk

1 APG 6,296,687,606.95 63% Full risk

2 PG 2,287,725,328.81 23% Medium

3 BBG 501,796,834.89 5% low

4 CBG 182,877,411.48 2% Medium

5 RBG 96,139,276.83 1% Medium

6 SCG 573,946,986.63 6% Full risk

100
Total 9,939,173,445.59 %

Risk indicator 2 Concentration Risk:

From the Total guarantee concentrated above 70% (7,282,636,053.80) across
24 borrowers.(see annex 2)
1.10 Criteria: According to NBE risk management guideline 2.4.5, credit stress RCMD conducts stress testing in line with
testing must identify potential adverse economic events affecting credit NBE’s standard. However, we shall consider
exposures and assess the bank's resilience. Banks should examine scenarios
lending rate bearing in mind the risk report
related to economic downturns, market risks, and liquidity conditions.
RCMD conducts stress testing using the following scenarios:
should be readable so far it meets NBE’s
1. Scenarios assessing increases in Non-Performing Loans (NPLs) by 10%, risk management guideline reports.
30%, and 50%.
2. Impact of top borrowers falling into the NPL category. Rectified
3. Effects of pre-shipment loans becoming NPLs by 10%, 25%, and 50%.
4. Claims on 10% of issued guarantees.
Audit Findings: Weaknesses Identified:
 Limited Scenario Diversity: the credit stress testing Focus is
primarily on NPLs, lacking consideration for other risk factors like
interest rate changes and currency fluctuations and the methodology
does not incorporate broader economic factors, such as government
policy changes or sector-specific risks.

1.11 Criteria: NBE risk management guideline 4.1.5 requires that new products
 undergo a thorough pre-acquisition review to understand their interest rate
risk characteristics and ensure appropriate risk management processes are in
place. Major initiatives must be approved by the board or a delegated
committee before implementation.
Audit Findings:
Rectified on March 7,2025 by
Malefia digital lending product lacks pre-launch credit risk assessment reports
for new credit products. Instead, it conducts post-implementation communicating the boards approved limit
assessments, as seen with the, which does not comply with the guideline's and digital lending risk management policy,
requirements and risk management framework. procedure which assess associated
potential risks with digital lending.
1.12 Audit result: NBE RCMD doesn’t accept since it
Guideline 2.4.7 requires is Bank wide task.
banks to have a
management information
system (MIS) capable of
measuring credit risk,
considering loan specifics,
market exposure,
collateral, and default
potential. The MIS should
provide timely information
on portfolio composition,
risk concentrations, and
performance within risk
tolerance limits. It should
also aggregate exposures
and report exceptions.
However, the current
MIS lacks several key
functionalities,
including:
 generation of
accurate NPL
ratios,
 collateral
coverage ratio,
 visualization of
key risk
indicators;
 automated
regulatory
reporting;
 flagging of credit
policy
deviations;
notifications for
threshold
breaches;
 automated
categorization of
high-risk
accounts;
 Enforcement of
exposure limits.
 Identify and
analyze
connected
counterparty
credit risks.

Liqu
idit
y
risk
man
age
men
t

Criteria: As per SBB/57/2014 Guidance for Slotting Maturities of Assets,

1.13 Liabilities & Off-Balance Sheet Items 11 borrowing from other bank-local shall
be shown as per the maturity date.

As per risk management framework article 3.3.3. Notwithstanding the fact that
liquidity risk management is an iterative or ongoing phenomenon; monitoring
is the final stage of risk management process. Thus, in order to facilitate
monitoring of liquidity risk, Potential sources of current assets and liabilities
and claims and obligations arising from off-balance sheet business; Assess
overall alternative source of funding requirement and for off-balance sheet
commitment; shall be considered

Criteria (Per Risk Management Framework 3.1.4): The Risk and Compliance
Management Department (RCMD) is required to:

 Review and analyze liquidity risk data (e.g., cash flows, contractual
 obligations) provided by the Finance and Accounts Department.

 Critically evaluate reports submitted to the Asset-Liability Committee

(ALCO) to ensure accuracy, completeness, and alignment with liquidity
risk policies.

Audit result: The audit identified some discrepancies in the liquidity risk
reports, which appear to have been influenced by challenges in the
computation, review, and evaluation processes within the Risk and Compliance
Management Department (RCMD).

Certain key items, including guarantee claims paid and unrecorded contractual
liabilities, were not incorporated into the bank's cash flow projections,
potentially affecting the accuracy of projected inflows and outflows.

 Example 1: The maturity ladders for the 4th and 1st quarters did not
include claims receivable from settled guarantee claims that are
pending recovery, in each time band.(see annex 3)
 Example 2: Installment liabilities arising from agreements, such as
those with the Ethiopian Roads Authority for the repayment of
defaulted guarantee claims, were not factored into the cash outflow
projections.

Cost of Funds Calculation: There appears to be a misunderstanding

regarding the classification of guarantee claims paid, which should be treated
as loans and advances accruing interest at 16.5%, as per Enat Bank's standard
contract. Additionally, the omission of interest-generating installment claim
commitments as liabilities may lead to a miscalculation of the bank's overall
cost of funds.

Loan-to-Deposit Ratio: The computations for the loan-to-deposit ratio by

RCMD and ALCO didn’t not fully reflect the bank's financial position for the 3rd,
4th quarters, and 1st quarter, as they did not account for the guarantee claims
paid during these periods. This oversight could result in an understated
representation of the total loans.
 Regarding guarantee claims paid accounting
treatment needs further discussion with
EMT.

# period Loans deposi Loan to Total As per IAD

ts deposit guarantee
ratio as per claims
ALCO and paid
RCMD

1 3rd quarter 17,362.7 19,721. 88% 440.43 90.27%

2024/25 9 22

2 4th quarter 17,495.5 20,950. 83.51% 353.16 85.19%

2024/25 1 48

3 1st quarter 19,201.2 22,787. 84.26% 476.02 86.35%

2025/26 0 34

Cause: The RCMD's review and evaluation processes are in short supply to
identify and correct material errors in liquidity risk data and ALCO reports.

Criteria: as per risk management framework article 3.3.1.4 states The Risk
and Compliance Management Department shall conduct the following analysis
on quarterly basis and as required: Depending on availability of data relating
to industry and general market share, comparisons shall be made on certain
factors of growth and composition of funds against peer banks, all private
banks, and industry figures; Audit results: the liquidity risk assessment
report lacks any comparisons on certain factors of growth and composition of
funds against peer banks, all private banks, and industry figures
 As depicted in the risk management
program comparison to industry and
general market share against peer bank will
be conducted based on availability of such
data which indicates it is not mandatory
second the timing to acquire such data is
after the report is generated.

Market risk management (FX rate risk and interest rate risk)
1.14 Criteria: According to Risk Management Framework 4.2.3.2(d), the RCMD
must conduct trend analyses of currency revaluation gains/losses, monitor
exchange rates, analyze yields on foreign deposits, assess drivers of FX rate
movements, evaluate contracts, and manage off-balance sheet accounts.
 Audit results: 1.Trend analysis has been conducted in
The audit identified several areas for improvement in RCMD's foreign revaluation gain/loss for instance the 2 nd
currency risk measurement: quarter report was compared with 1 st
quarter report as gain to loss ratio during
1. Trend Analysis: There is potential to conduct detailed analyses of
the 2nd quarter reported to be 1.36 which
revaluation gains/losses for major currencies (e.g., USD, EUR, GBP) to
inform foreign exchange portfolio and hedging strategies. was 1.71 during 1st quarter.

2. Exchange Rate Monitoring: Enhanced tracking of local and interbank

exchange rate fluctuations is needed to assess their impact on foreign
currency assets, particularly to identify unrealized losses in USD 2. Accepted and will incorporate in the
holdings. forthcoming reports.

3. Macroeconomic Factors: Evaluating socio-political and economic

factors (e.g., inflation trends and geopolitical tensions) could provide
insights into foreign exchange volatility drivers.
3. Macro-economic factors in general are
4. Contract and Off-Balance Sheet Risks: Including analyses of
discussed on chapter 8 of the report
outstanding foreign exchange contracts and off-balance sheet accounts
(e.g., derivatives) in risk assessments could strengthen the overall risk moreover, macro-economic analysis is the
management framework. foundation in conducting scenario analysis.

4. Such derivatives are not applicable

nationwide as the FX market is in infant
stage, however L/C shall be covered in
more detail in the forthcoming report.
1.16 Audit results: The interest rate maturity gap for 4th quarter 2023/24 and 1st
quarter 2024/25 presents several critical deficiencies that compromise the
integrity of its assumptions, analyses, and projections. Specifically, the
analysis fails to account for important components that could significantly
affect the accuracy of the results.

Key Issues Identified

1. Exclusion of Guarantee Claims Paid:

o The analysis of net loans and advances does not include guarantee
claims that have been paid. These claims accrue interest at a rate of
16.5% from the date of payment, as stipulated in the bank's
 standard contracts. Additionally long outstanding un-cleared Not accepted by RCMD. However, as per
cheques and guarantee commission receivables are expected to be EMT this needs a system or guideline to be
collected with interests who were omitted. This omission leads to an
developed.
underestimation of potential interest income, thereby skewing the
overall assessment of the bank's interest-sensitive assets.

2. Omission of Loans from DBE and NBE:

o The liability section of the analysis completely omits loans from the
Development Bank of Ethiopia (DBE) and the National Bank of
Ethiopia (NBE), as well as other installment claim commitments that
generate interest expense. This exclusion not only distorts the
liability profile but also undermines the projections concerning the
bank's interest rate exposure.

3. Data Consistency Concerns:

o Notably, the interest-sensitive asset and liability maturity gap

analyses for the fourth quarter of 2023/24 and the first quarter of 2. Covered on the liability section of the
2024/25 are identical. This raises questions about the reliability of balance sheet as other financial institution
the data and the robustness of the analysis. Such consistency deposit, however on the maturity ladder
without any changes over two consecutive quarters is unusual and report loans from the Development Bank of
may indicate a lack of thorough review or data integrity. Ethiopia (DBE) and the National Bank of
4. Potential Impact on Risk Assessment: Ethiopia (NBE) are omitted by FAD, RCMD will
request FAD for the inclusion of such data.
o The aforementioned omissions and inconsistencies can significantly
distort the maturity gap analysis and the overall risk assessment.
The failure to incorporate these critical elements may lead to 3. Not accepted since the data is not
misguided decisions regarding the bank's interest rate risk identical at all.
management strategies.

Summary of Maturity Gap Percentages

Time Band Mismatch %

1 Day 9.73%

2-7 Days -8.01%

8-14 Days -4.01%

15 Days to 1 Month -3.01%

1-3 Months 1.77%

 3-6 Months 1.50%

6-12 Months -4.36%

1-3 Years -5.77%

Over 3 Years 22.49%

Non-Maturity Items 3.01%

 Overall Assessment: The bank's maturity gaps across various time

bands remain within the 30% limit for mismatches. The positive
mismatches observed in the 1 Day, 1-3 Months, 3-6 Months, and Over 3
Years bands indicate a generally favorable position regarding short-
term and long-term interest rate exposure.

 Caution Required: However, the negative mismatches in the 2-7

Days, 8-14 Days, 15 Days to 1 Month, 6-12 Months, and 1-3 Years
bands signify potential vulnerabilities to interest rate increases. These
areas require close monitoring and proactive management to mitigate
risks.

 Compliance with Limits: The analysis suggests that the bank adheres to
the 85% limit for interest-sensitive assets and liabilities, as indicated by
the mismatches, which do not breach this threshold.

Conclusion

The identified discrepancies in the interest rate maturity gap analysis pose
significant risks to Enat Bank's financial stability and decision-making
processes. The failure to adequately account for guarantee claims and the
omission of critical liabilities distort the overall assessment and may lead to
incorrect conclusions regarding the bank’s interest rate exposure. It is
imperative that these issues be addressed promptly to enhance the reliability
of future analyses and ensure effective risk management practices.

1.17 Audit result: On the Not accepted and requires

computation of cost of further discussion with EMT
fund it excludes
Guarantee claims paid
which shall be treated as
loan and advance, which
accrue interest at 16.5%
 from the claim payment
date per Enat Bank's
standard contract.

The bank's loans from DBE

and NBE, as well as other
installment claim
commitments that
generate interest expense
were also excluded from
the liability section

1.18 Criteria: as per NBE risk management guideline 4.1.3 requires banks
to assess the impact of interest rate changes on:

Earnings Perspective: Focuses on the impact of interest rate

changes on reported earnings.

Economic Value Perspective: Focuses on the impact of interest rate

changes on the economic value of assets, liabilities, and off-balance
sheet positions.

Under article 4.1.6.3 states In conducting stress tests, special

consideration should be given to instruments or markets where
concentrations exist as such positions may be more difficult to
liquidate or offset in stressful situations. Banks should consider “worst
case” scenarios in addition to more probable events. Management and
the board of directors should periodically review both the design and
the results of such stress tests, and ensure that appropriate
contingency plans are in place.
In this aspect the value of asset shall be
Audit result: RCMD under stress testing analysis demonstrates a indicated however liability section is
significant decline in net interest income under both the 100 basis covered on the scenario analysis, while
point and 200 basis point increase scenarios for deposit interest rates. off-balance sheet has indirect relation so
Specifically, net interest income decrement. can’t be objectively be quantified.
 However RCMD didn’t asses impact of interest rate changes on
the economic value of assets, liabilities, and off-balance sheet Not accepted the stress test was conduct
positions. as worst case scenario due to the
 The stress test assumption didn’t consider “worst case” assumptions were made on all the Bank’s
scenarios in addition to more probable events. current liabilities despite the fact that
Criteria: As per the risk management framework article 4.1.3.2.4. The interest change will affect saving deposits
Risk and Compliance Management Department shall conduct the only.
respective exercises on all the interest rate measurement tools at least
on quarterly basis to be reported to the Board and Senior Management.
 Audit results: The Risk and Compliance Management Department
didn’t conduct the respective exercises on some interest rate
measurement tools for instance the following ratios, limits and matrix
set for interest rate risk are not presented, analyzed and discussed.

 Interest bearing liability to earning asset

 Interest Sensitive Assets to Total Assets
 Interest Sensitive Liability to Total Liability
 Interest-Sensitive Asset or Interest-Sensitive Liability  Accepted and RCMD will
Gap request data from FAD
 Interest Sensitive Assets to Total Assets
 Interest sensitive Liability to Total Liability
Audit observation: Despite the risk management framework
requiring periodic assessment of net interest income changes to
determine effective interest rate movements for all funds against
investments, the Risk and Compliance Management Department failed
to conduct these analyses on all interest rate measurement tools at
least quarterly for reporting to the Board and Senior Management.
Operational risk management
The internal audit review of the operational risk management process has demonstrated a strong commitment to
mitigating risks associated with internal and external fraud.
The implementation of internal controls is evident, reflecting effective systems and processes designed to foster a risk-
aware culture within the organization.
Furthermore, the operational risk assessment framework is actively engaged in identifying potential vulnerabilities and
addressing them proactively.
Overall, the audit confirms that Enat Bank is well-positioned to manage operational risks, supported by a culture of
continuous improvement and adherence to best practices in risk management. The existing controls and processes are
effective in minimizing operational risk exposure and safeguarding the bank’s interests.

1.19 Audit Findings: The operational risk assessment for the fourth
quarter of 2023/24 and the first quarter of 2024/25 highlights a
commitment to mitigating both internal and external fraud through the
implementation of robust internal controls. These controls are a
combination of effective systems, processes, and a risk-aware culture
that is deeply embedded within the bank's workforce. However, despite
these measures, the internal audit has identified several instances of
fraud during this period, along with outstanding unrecovered cases
from previous quarters that have not been adequately communicated.
 Specific Fraud Incidents Identified

1. Embezzlement and Document Fraud by Internal Staff

o Period: June 2024
o Description: Instances of embezzlement have been
1. Covered on the risk report as
reported, involving internal staff manipulating part of operational risk
documents to misappropriate funds. This highlights assessment based on IAD’s
potential weaknesses in oversight and the need for
data.
W/ro. Genet Fraud risk assessment
improved monitoring of employee activities.
2. Unauthorized Cash Withdrawal through Identity Theft
o Amount: ETB 3,820,000
o Period: July 2024 (1st Quarter)
o Description: A significant case of external fraud was
noted, where unauthorized cash withdrawals were made 2. Covered on the risk report as
part of operational risk
through identity theft. This incident underscores
assessment based on IAD’s
vulnerabilities in customer verification processes and the data
need for enhanced security measures to protect against
external threats.
3. Existence of Forged Educational Certificates and
Experience
o Periods: 4th Quarter and 1st Quarter
o Description: The investigation uncovered instances of
forged educational certificates and falsified work
experience among internal staff. This raises concerns
about the hiring processes and the efficacy of 3. Covered on the risk report as
background checks in place. part of operational risk
assessment based on HCMD’s
data
1.20
 Criteria: According to the banks risk management framework,
specifically section 5.3, it is outlined that, in addition to existing
guidelines and procedures, the bank is required to develop and
establish comprehensive policies and procedures regarding
Outsourcing and Third-Party (Service Provider) Partnerships. This is
critical for managing the risks associated with engaging external
service providers.
Audit Result: The audit has identified a gap in the bank's operational
RCMD through global risk assessment
framework: there is currently no established Outsourcing and
since outsourcing is one of the top 10
Third-Party (Service Provider) Partnership Guidelines, global risks it has been assessed in line
procedure, or policy in place. This absence raises concerns with Enat Bank’s perspective. Regarding
regarding the bank's ability to effectively manage and mitigate risks the development of policy, procedures
PFMD is the responsible organ.
that may arise from outsourcing arrangements.

1.21 Criteria: As outlined in the bank's risk management framework:

 Article 6.1.5 assigns the Marketing Department the
responsibility of developing a public relations plan aimed at
mitigating the bank's reputational risk. This includes ensuring
effective implementation, monitoring, and reporting.
 Additionally, the Marketing Department is tasked with creating
and executing a social media strategy, along with monitoring
and reporting on the bank's social media activities.
 Article 6.4.1 designates the Risk and Compliance Department
(RCMD) as responsible for the regular review of policies and
procedures across all bank divisions regarding reputational risk
management, including measuring and reporting the level of
reputational risk.
Audit Result: The audit has revealed significant deficiencies in the
management of reputational risks as highlighted in internal audit
reports. Specifically, the Risk and Compliance Management
 Department has not effectively overseen the assessment and
management of these risks. Key issues identified include:
1. Absence of a Social Media Plan:
The bank does not have an established social media plan, which
undermines its ability to monitor and report on relevant social media
activities. This gap could expose the bank to reputational risks
stemming from negative social media interactions or the mishandling
of public responses.
2. Lack of a Public Relations Plan:
There is no formal public relations plan in place, nor have there been
efforts to implement, monitor, or report on activities designed to
manage the bank's reputational risks. This absence raises concerns
about the bank's preparedness to respond to potential reputational
challenges. 2. RCMD through its risk management
3. Inadequate Oversight by RCMD: framework has indicated for
The Risk and Compliance Management Department has not sufficiently
communication plan by MCCSD

fulfilled its role in overseeing the assessment of reputational risks. This

lack of oversight may lead to unaddressed vulnerabilities that could
adversely affect the bank's reputation and stakeholder trust

3.. Not accepted

Reputational risk is periodically
assessed by RCMD based on MCCSD
data
1.22 Criteria: According to the bank's risk management framework, Article
5.4.1(e) mandates that the bank must identify and utilize operational
key risk indicators (KRIs). These KRIs should encompass critical metrics
such as:
  The prevalence of fraud
 The number of legal cases lost
 The number of failed transactions
 The number of customer complaints
 The number of customer compensation events
 The number of observations by supervisory authorities
 The number of gaps in internal policies and procedures
requiring amendments
Audit Result: The audit has identified significant deficiencies in the
operational risk assessment process:
1. Omission of Critical Indicators:
The audit found that the number of customer complaints and
observations from supervisory authorities, including the NBE CAMEL
ratings, were neither identified nor communicated in the operational
risk assessments for all quarters.
2. Inaccuracies in Legal Risk Reporting:
As of the 3rd quarter of 2023/24, the Risk and Compliance
Management Department (RCMD) reported that the Legal Services
Department was managing 50 legal cases as of March 31, 2024. Of
these, 32 cases were related to credit matters, while 18 cases were
classified as non-credit. Notably, 17 cases were pending in federal and
regional zonal courts, with a total potential liability of Birr 375.63
million.

The bank successfully resolved one case with a favorable outcome

amounting to Birr 141,600.00. However, it is imperative for the Legal 1. Introduction part of the
Services Department to actively protect the bank's interests by risk assessment report
has clearly indicated
pursuing outcomes that favor the bank.
that the report considers
The audit investigation revealed inaccuracies in the RCMD’s
CAMEL rating
conclusions and assessments. A significant key risk indicator—
2. The problem stems
 the number of legal cases lost during the quarter—was omitted from the data source
from the report. Specifically, the bank lost three legal cases which is LSD.
totaling Birr 7,818,082.62, all related to letters of guarantee.
This oversight underscores the necessity for a more thorough
evaluation of legal risks.( see annex 4)

1.23 Criteria: According to the bank’s risk management framework,

specifically Section VII, the strategic plan must be closely aligned with
the bank’s long-term vision and mission. It serves as a comprehensive
roadmap to achieve the bank's goals and objectives in varying
environments. This strategic plan is essential for establishing a
competitive advantage and defining the bank's unique market position.
Additionally, the bank is required to identify critical success factors for
entering competitive markets and to implement key performance
indicators (KPIs) to effectively assess the execution of the strategic
plan.
Audit Result: The audit has revealed a concerning gap in strategic
planning and risk management:
1. Delayed Revision of the Strategic Plan:
The bank failed to revise its strategic plan in a timely manner after the
expiration of the previous plan on June 30, 2024. As a result, the bank 1. Not accepted since
has been operating for nearly seven months without an approved and strategy formulation is
updated strategic plan. This gap has introduced significant strategic
the task of the full
board and CEO
risk, as the bank lacks a clear roadmap for achieving its goals and
navigating competitive challenges.

2. Insufficient Risk Attention:

During this period without a strategic plan, the risk assessment reports
have not adequately addressed the major risks associated with
 operating without a defined strategy. This oversight suggests a lack of
proactive risk management and highlights potential vulnerabilities in
the bank’s operational and competitive positioning. 2..Not accepted since strategy
formulation is the task of the
full board and CEO

Risk register
In accordance with the National Bank of Ethiopia (NBE) directive SBB/76/2021, banks are mandated to establish a risk
register that identifies inherent risks along with the corresponding internal controls and risk mitigations. This risk register
must be reported to the internal audit, risk management, and compliance departments regularly. As of 2023, Enat Bank
has taken significant steps to develop its risk register system and has achieved the following:
 Automated Risk Register System: Enat Bank has successfully prepared an automated risk register system that
streamlines the process of risk identification and documentation.

 Active Risk Recording by Business Units: All business units are actively recording identified risks within the
system, ensuring comprehensive coverage across the organization.

 Quarterly Risk Reporting: The Risk and Compliance Department is preparing quarterly risk reports to
communicate findings and updates related to the risk register.

Despite these accomplishments, the current risk register has several deficiencies that need to be addressed:

1.24 Audit result: Inconsistent and Incomplete Data Entry in Risk Register:
Accepted, but requires all functional
 Incomplete Information: Numerous risk entries lack essential Departments due attention during
details such as dates, descriptions, and proposed mitigations; identifying, recording, updating and
this violates guideline 5.4, which mandates complete and timely
recording of risk events.
reporting of risks for the effectiveness of
 Ambiguous Risk Descriptions: Many risk incidents lack the risk register system.
clarity regarding when, where, and by whom they occurred. This
ambiguity casts doubt on the validity of the entries and
impedes proper incident tracking.

1.25 Audit result: Overemphasis on Operational Risks and

Misclassification:
 Disproportionate Focus: The risk register is heavily skewed As depicted in the above description
towards operational risks, with over 70% of entries falling into
there is gap in identifying, recording,
 this category (out of 150+ risks). This overrepresentation may updating and reporting of risks despite
indicate a systemic issue with risk classification. frequent trainings and memorandums has
 Misclassification of Risk Types: Several examples
been issued at various periods.
demonstrate inaccurate risk type identification. For instance,
compliance and reputational risks are often incorrectly
classified as operational risks. This misclassification,
exemplified by instances in IFBD, IBD, LSD, RCMD, and SID,
reflects a lack of awareness and training on proper risk
categorization. This further undermines the accuracy and utility
of the risk register.

1.26 Audit result: Confusion Between Incidents and Potential Risks:

 Lack of Differentiation: The risk register fails to clearly As depicted in the above description the
distinguish between actual incidents and potential risks,
gap mainly relies in identifying, recording,
blurring the lines between proactive risk management and
reactive incident response.
updating and reporting of risks despite
 Insufficient Evidence for Incidents: Departments frequently frequent trainings and memorandums has
record potential risks as actual incidents without providing been issued at various periods.
supporting evidence (e.g., emails, logs, and screenshots). This
lack of documentation compromises the integrity of the risk
data.
1.27 Audit result: Non-Compliance with Risk Reporting and KPI
Integration (Guideline 11):
 Unreported Risks: Significant risks identified by Internal Audit Department’s failure to properly report
(IAD) across various departments (Marketing, Human Capital,
Procurement, Legal, and SID) are not recorded in the risk
incidents and potential risks within the
register. This directly contravenes guideline 11. reporting period.
 Lack of KPI Integration: These unreported risks are not
factored into the performance appraisals (KPIs) of the Accepted and RCMD shall make follow-up
respective risk owners, as stipulated by guideline 11. This on the implementation status
failure to hold risk owners accountable weakens the risk
management framework.
1.28 Audit result: Failure to Address Emerging Risks:
 Inadequate Consideration of External Factors: The risk
register does not adequately address significant risks arising
Not accepted RCMD’s global risk
from global and macro-level political, economic, social,
technological, and legal (PESTLE) changes. Examples include
assessment has covered emerging risks as
 revisions to asset classification and provisioning NBE directive integral part of its function including risk
 instances of fraudulent credentials in Human Capital, register system.
 Macroeconomic devaluation, credit limits, and operational
frauds.