Most SACCOs experience technology risk as a series of surprises — a channel outage, a fraud loss, a regulator’s finding. Mature institutions experience it as a managed portfolio: identified, scored, owned, treated and reported. This guide sets out how a deposit-taking SACCO builds that discipline, step by step, in a way a board elected from the membership can genuinely govern.

Technology Risk Governance: Who Owns What

Technology risk management fails most often not for lack of tools but for lack of ownership. A workable SACCO governance model uses three lines of defense: management and ICT own and operate controls (first line); a risk or compliance function maintains the framework, challenges scoring and aggregates reporting (second line); and internal audit provides independent assurance (third line). The board’s risk committee approves the risk appetite, receives quarterly technology risk reports and holds management accountable for treatment actions.

In smaller SACCOs where one officer wears several hats, the principle still holds: whoever scores a risk should not be the only person who reviews that score, and the person operating a control should not be the one attesting to its effectiveness. Boards should also invest in their own technology literacy i.e directors elected from the membership cannot challenge what they do not understand.

Technology Risk Identification

Identification should be systematic, not anecdotal. Practical sources for a SACCO include:

Asset & Process Inventory

Map core banking, mobile/USSD channels, payment integrations, databases, network, endpoints and the vendors behind each asset.

Incident & Loss History

Past outages, fraud events, audit findings and near misses are the strongest evidence of where risk actually materialises.

Threat & Sector Intelligence

Fraud patterns reported across the Kenyan SACCO and banking sector, regulator circulars, and vendor advisories.

Workshops & Interviews

Structured sessions with ICT, operations, finance and branch staff surface risks that never appear in system logs — especially process and people risks.

Express each risk as a cause-event-consequence statement: “vendor remote access is permanently enabled and not monitored (cause) which may lead to an attacker accessing the core banking system (event), resulting in fraudulent transactions and member fund loss (consequence).” Vague entries like “cybersecurity risk” cannot be scored, owned or treated.

Risk Assessment Methodology

A consistent methodology turns a list of worries into comparable, decision-ready scores. The sequence every SACCO should follow:

1
Score Inherent Risk

Assess likelihood and impact assuming no controls (or controls failed). This shows the raw exposure the SACCO is carrying.

2
Assess Control Design & Effectiveness

Identify the controls that address the risk, then test whether they are well designed and operating as intended.

3
Calculate Residual Risk

Re-score likelihood and impact given the demonstrated control effectiveness. This is the SACCO’s true current exposure.

4
Compare Against Appetite

Measure the residual score against the board-approved appetite. Breaches trigger treatment actions with owners and dates.

Inherent Risk Calculation

Use a 5×5 scale: Inherent Risk = Likelihood (1–5) × Impact (1–5), giving scores of 1–25. Impact should be assessed across financial (KES loss relative to core capital), regulatory (SASRA/ODPC consequence), operational (hours of member-facing downtime), customer (number of members impacted) and reputational (Internal awareness only vs external visibility by media and members of public) dimensions — You should select the highest. Define each rating in a written scale so two assessors reach the same score: for example, Impact 4 (Major) might mean “loss above 1% of core capital, or member-facing outage exceeding 24 hours, or a reportable regulatory breach.”

Control Design and Effectiveness Assessment

For each key control, assess two questions separately. Design: If the control were performed as specified, by competent personnel, with the stated frequency and inputs, would it prevent or detect the risk on a timely basis? Operating effectiveness: Was the control performed consistently and completely over the defined period? Rate the combined result on a simple scale such as Effective, Partially Effective, Ineffective and record the evidence. A control that exists on paper but has never been tested must be rated Ineffective until proven otherwise.

Residual Risk Calculation

Residual risk is the inherent score adjusted to demonstrate control effectiveness. A practical convention: Effective controls may reduce likelihood by up to two rating points and/or impact by one; Partially Effective controls reduce likelihood by one point; Ineffective controls give no reduction i.e residual equals inherent. Document the rationale for every reduction. Two disciplines matter most: controls must be evidenced, not assumed; and appetite breach status must always be measured against the residual score, never the inherent score i.e comparing appetite to inherent risk overstates exposure and forces boards to “accept” breaches that don’t exist, eroding the credibility of the whole framework.

Risk Appetite, Tolerance and Capacity

These three terms anchor the framework and are frequently confused:

Risk Capacity

The maximum loss the SACCO can absorb before breaching capital adequacy or threatening viability i.e an objective financial ceiling.

Risk Appetite

The amount of risk the board is willing to accept in pursuit of objectives i.e set well inside capacity, e.g. “no technology risk with residual score above 12.”

Risk Tolerance

The acceptable deviation from the risk appetite before corrective action is required. The measurable boundaries around appetite per risk or KRI, e.g. “digital channel fraud losses below 0.05% of deposits per quarter.”

Escalation Triggers

Defined thresholds at which breaches escalate i.e amber to management risk committee, red to the board immediately, not at the next quarterly cycle.

A practical example: An investment firm may have a capacity to lose KES 1 billion without threatening solvency, a risk appetite to invest up to KES 500 million in high-risk assets, and a tolerance allowing minor deviations of (risk appetite) ±KES 50 million due to market fluctuations. The board approves the appetite statement annually and management translates it into tolerances and thresholds embedded in the risk register and KRI framework.

Developing KRIs and KPIs

Key Risk Indicators provide early warning signals of increasing risk exposure before it materializes into a loss event i.e they are leading measures of rising exposure; Key Performance Indicators in terms of risk management evaluate how well internal controls are performing in achieving their intended objectives, such as risk mitigation, compliance, and operational efficiency. Good indicators are measurable from existing systems, trending over time, and tied to a tolerance threshold. A starter set for a SACCO:

IndicatorTypeToleranceEscalation
Digital channel fraud losses (% of deposits, quarterly)KRI< 0.05%Red: board, immediate
Critical vulnerabilities open > 30 daysKRI0Amber at 1; Red at 3
Core banking / channel uptimeKPI≥ 99.5%Amber < 99.5%; Red < 99%
Privileged access reviews completedKPI100% quarterlyAmber if late
Backup restore tests passedKPI100% of scheduleRed on any failure
Phishing simulation failure rateKRI< 10%Amber 10–20%; Red > 20%
High-rated audit findings overdueKRI0Red: board, immediate
Critical vendors with current security assessmentKPI100%Amber < 100%

Technology Risk Register Design

The risk register is the single source of truth. Each entry should carry, at minimum: a unique ID; risk statement (cause-event-consequence); category and affected assets; named risk owner; inherent likelihood, impact and score; key controls with design and effectiveness ratings and evidence references; residual likelihood, impact and score; appetite threshold and breach status (against residual); linked KRIs; treatment actions with owners and due dates; and review date. Keep it to the 15–30 risks that matter. A 200-line register that nobody reads is worse than a focused one the board actually discusses. Review scores quarterly and after every material incident or system change.

Board Reporting and Dashboards

Quarterly board reporting should be one page of signal, backed by detail on request: a heat map of residual risks against appetite; the KRI dashboard, RAG-rated and trended; appetite breaches with treatment actions, owners and dates; top movements since last quarter and why; and incident summary with lessons applied. An illustrative snapshot:

2
Risks Above Appetite
▲ from 1 last Q
6/8
KRIs Within Tolerance
Stable
92%
Treatment Actions On Track
▲ from 78%
1
Material Incidents in Q
Lessons applied

Every red or amber item arrives with a named owner, an action and a date — the dashboard is a management tool, not a scoreboard.

Risk Treatment Planning

For each residual risk outside the risk appetite, the board has four options: Treat (implement or strengthen controls i.e the default), Transfer (cyber insurance, contractual liability shifts to vendors i.e noting insurance transfers financial impact only, never regulatory accountability), Tolerate (formally accept, documented with rationale and review date, only where within appetite or treatment cost clearly exceeds benefit), or Terminate (exit the activity — e.g. suspending a channel until controls mature). Treatment plans need an owner, budget, milestone dates, and a projected post-treatment residual score, tracked to completion in the quarterly report.

Incident Management and Lessons Learned

Incidents are the risk framework’s reality check. Every material technology incident should follow a defined lifecycle — detect, contain, eradicate, recover, notify (SASRA and, for personal data breaches, the ODPC within statutory timelines), and review. The post-incident review asks three framework questions: Was this risk on the register? Were its scores realistic? Which control failed, and what does that mean for its effectiveness rating? Feeding answers back into the register — re-scoring, re-rating controls, adding treatment actions — is what makes the framework a living system rather than an annual document.

Technology Risk Maturity Assessment

SACCOs should honestly locate themselves on a five-level maturity scale and set a realistic target — most DT-SACCOs today sit at Level 1–2; Level 3 is an achievable 12–18 month goal:

LevelCharacteristics
1 — InitialAd hoc; risks surface through incidents; no register or appetite.
2 — DevelopingBasic register exists; scoring inconsistent; reporting sporadic; no defined appetite.
3 — DefinedDocumented methodology; board-approved appetite; quarterly reporting; named owners; residual-based measurement.
4 — ManagedKRIs actively monitored with thresholds; treatment tracked; incidents feed re-scoring; second-line challenge operating.
5 — OptimisedNear-real-time indicators; risk informs strategy and investment; continuous improvement embedded.

SASRA Regulatory Alignment

SASRA’s risk management and IT expectations for deposit-taking SACCOs map directly onto this framework: a board-approved risk management framework covering IT risk; documented IT policies and governance structures; business continuity and disaster recovery arrangements that are tested; information security and member data protection controls (reinforced by the Data Protection Act, 2019); and board-level oversight evidenced through minutes and reports. A SACCO operating the framework in this guide does not need a separate compliance exercise — the risk register, appetite statement, KRI reports and board minutes are the evidence SASRA inspectors ask for. The same artefacts also serve annual external audit and licensing renewal processes.

Practical SACCO Case Studies and Worked Examples

Worked Example · Scoring End-to-End

Mobile Channel Fraud: From Inherent to Residual

Risk statement: Because mobile banking lacks real-time transaction monitoring (cause), fraudsters using SIM-swap could drain member accounts (event), causing member fund loss and SASRA findings (consequence).

Inherent: Likelihood 4 (Likely) × Impact 4 (Major) = 16 — High. Controls: daily limits (Effective), device binding (Partially Effective — 60% of users enrolled), anomaly alerts (Ineffective — not yet implemented). Residual: Likelihood reduced 4→3, Impact 4→3 = 9 — Medium. Appetite threshold: 12. Status: within appetite, with a treatment action to complete device-binding enrolment and implement anomaly alerts, projected residual 6.

Note: Measured against inherent (16), this risk would falsely appear as an appetite breach — demonstrating why breach status must use residual scores.

Case Study · Framework in Action

Register Review Catches a Backup Failure Before Ransomware Does

During a quarterly control-effectiveness review, a SACCO’s risk officer downgraded the “backup and recovery” control from Effective to Ineffective after discovering restore tests had been skipped for two quarters. The residual score for the ransomware risk rose above appetite, triggering board escalation and an urgent treatment plan: restore testing resumed, an offline backup copy was implemented within 60 days. Eight months later a malware infection encrypted a file server — recovery took hours, not weeks, because the control had been fixed while it was still a register entry rather than a crisis.

Lesson: The framework’s value is realised in the boring quarterly discipline — evidence-based control ratings and honest re-scoring — long before any incident occurs.

Case Study · Governance Failure

A Register That Nobody Owned

A SACCO maintained an impressive 180-line technology risk register built by a consultant — with no named owners, no appetite statement and no link to board reporting. When SASRA inspectors asked management to explain the top five technology risks and their treatment status, nobody could. The register was rebuilt around 22 material risks, each with an owner, residual score and appetite status, reported quarterly. The following inspection cited the framework as a strength.

Lesson: A focused register with real ownership and board engagement outperforms an exhaustive document that exists only to be shown to auditors.

Conclusion: From Surprises to a Managed Portfolio

Technology risk management is not a document — it is a quarterly rhythm: identify systematically, score inherent exposure, test controls honestly, calculate residual risk, measure it against a board-approved appetite, treat what breaches, and report it all on one page the board can act on. SACCOs that build this rhythm satisfy SASRA, protect member funds, and make better technology investment decisions.

For Kenya’s co-operative movement, the question is no longer whether technology risk will materialise — it is whether the SACCO will meet it as a surprise or as a managed, measured and governed portfolio.