Governance, Risk & Compliance
A world-class governance framework protecting our members’ assets, ensuring regulatory compliance, and building long-term institutional trust.
Enterprise Risk Matrix
All identified risks are rated by likelihood and impact. The board reviews this matrix quarterly. All critical risks have active mitigation plans.
| Risk Category | Likelihood | Impact | Risk Level | Mitigation Strategy | Owner |
|---|---|---|---|---|---|
| Credit Default Risk | Medium | High | HIGH | AI credit scoring, diversified portfolio, NPL monitoring | Credit Committee |
| Cybersecurity Breach | Low | Critical | HIGH | ISO 27001, pen testing, 2FA, 24/7 SOC monitoring | IT Security Team |
| Liquidity Risk | Low | High | MEDIUM | Liquidity buffer at 24.8% (min 15%), diversified funding | Treasurer |
| Regulatory Non-Compliance | Low | Critical | MEDIUM | Dedicated compliance officer, SASRA liaison, annual audit | Compliance Officer |
| Fraud & Internal Misappropriation | Low | High | MEDIUM | Maker-checker controls, dual approval for transactions, audit logs | Audit Committee |
| Digital Transformation Failure | Medium | Medium | MEDIUM | Phased approach, pilot testing, member change management | Technology Director |
| Key Person Dependency | Medium | Medium | LOW | Succession planning, cross-training, documented procedures | Board Secretary |
| Reputational Risk | Low | High | LOW | Transparent communications, rapid complaint resolution, NPS monitoring | CEO |
Compliance Framework
Njepe Welfare Group operates within a robust multi-layer compliance framework covering SASRA regulations, Kenya’s Data Protection Act, anti-money laundering requirements, and emerging digital banking standards.
- SASRA License & Annual ReturnsFully licensed SACCO with clean annual returns filed. Last audit: Q4 2025 — No material findings.
- Data Protection Act 2019 (Kenya)DPA-compliant data collection, storage, and processing policies. Privacy notice published and member consent obtained.
- Anti-Money Laundering (AML)KYC procedures for all members. Suspicious transaction reporting protocols in place. Staff trained annually.
- CBK / National Payment SystemM-Pesa integration fully compliant with CBK payment system regulations and Safaricom API terms.
- ISO 27001 Information SecurityCertification process underway. Gap analysis completed. Expected certification: Q4 2026.
- Open Banking / PSD2-equivalentMonitoring CBK proposed open banking regulations. API framework being prepared for Phase 3 compliance.
🤖 AI Governance Policy
All AI systems used by Njepe Welfare operate under a formal AI Governance Policy approved by the Board. Key principles:
- •Explainability: Every AI credit decision can be explained to the member.
- •Fairness: Models are audited quarterly for bias against protected categories.
- •Human Oversight: All AI decisions above KES 500,000 require human review.
- •Member Rights: Members can request human review of any AI-driven decision.
🔄 Business Continuity Plan
Our BCP ensures critical operations continue during disruptions — system outages, natural disasters, or security incidents.
Our Security Architecture
Five layers of defence protecting every member transaction and piece of data.
- Web Application Firewall (WAF)
- DDoS protection
- Intrusion Detection System
- Network segmentation
- VPN for internal staff
- Multi-factor authentication
- Role-based access control
- Privileged access management
- Session timeout policies
- Biometric verification
- 256-bit AES encryption at rest
- TLS 1.3 for data in transit
- Database encryption
- PII data masking
- Secure key management
- 24/7 anomaly detection
- Behavioral biometrics
- Real-time fraud scoring
- Automated threat response
- Security incident & event management