Governance & Risk

Governance, Risk & Compliance

A world-class governance framework protecting our members’ assets, ensuring regulatory compliance, and building long-term institutional trust.

Enterprise Risk Matrix

All identified risks are rated by likelihood and impact. The board reviews this matrix quarterly. All critical risks have active mitigation plans.

Risk Category Likelihood Impact Risk Level Mitigation Strategy Owner
Credit Default Risk
Medium
High
HIGH
AI credit scoring, diversified portfolio, NPL monitoringCredit Committee
Cybersecurity Breach
Low
Critical
HIGH
ISO 27001, pen testing, 2FA, 24/7 SOC monitoringIT Security Team
Liquidity Risk
Low
High
MEDIUM
Liquidity buffer at 24.8% (min 15%), diversified fundingTreasurer
Regulatory Non-Compliance
Low
Critical
MEDIUM
Dedicated compliance officer, SASRA liaison, annual auditCompliance Officer
Fraud & Internal Misappropriation
Low
High
MEDIUM
Maker-checker controls, dual approval for transactions, audit logsAudit Committee
Digital Transformation Failure
Medium
Medium
MEDIUM
Phased approach, pilot testing, member change managementTechnology Director
Key Person Dependency
Medium
Medium
LOW
Succession planning, cross-training, documented proceduresBoard Secretary
Reputational Risk
Low
High
LOW
Transparent communications, rapid complaint resolution, NPS monitoringCEO

Compliance Framework

Njepe Welfare Group operates within a robust multi-layer compliance framework covering SASRA regulations, Kenya’s Data Protection Act, anti-money laundering requirements, and emerging digital banking standards.

  • SASRA License & Annual Returns
    Fully licensed SACCO with clean annual returns filed. Last audit: Q4 2025 — No material findings.
  • Data Protection Act 2019 (Kenya)
    DPA-compliant data collection, storage, and processing policies. Privacy notice published and member consent obtained.
  • Anti-Money Laundering (AML)
    KYC procedures for all members. Suspicious transaction reporting protocols in place. Staff trained annually.
  • CBK / National Payment System
    M-Pesa integration fully compliant with CBK payment system regulations and Safaricom API terms.
  • ISO 27001 Information Security
    Certification process underway. Gap analysis completed. Expected certification: Q4 2026.
  • Open Banking / PSD2-equivalent
    Monitoring CBK proposed open banking regulations. API framework being prepared for Phase 3 compliance.

🤖 AI Governance Policy

All AI systems used by Njepe Welfare operate under a formal AI Governance Policy approved by the Board. Key principles:

  • Explainability: Every AI credit decision can be explained to the member.
  • Fairness: Models are audited quarterly for bias against protected categories.
  • Human Oversight: All AI decisions above KES 500,000 require human review.
  • Member Rights: Members can request human review of any AI-driven decision.

🔄 Business Continuity Plan

Our BCP ensures critical operations continue during disruptions — system outages, natural disasters, or security incidents.

Recovery Time Objective (RTO) 4 hours
Recovery Point Objective (RPO) 1 hour
Data Backup Frequency Every 15 min
Off-site Backup Location AWS Kenya (AZ2)
Last BCP Test ✓ March 2026

Our Security Architecture

Five layers of defence protecting every member transaction and piece of data.

🛡️
Perimeter Security
Network-level protection
  • Web Application Firewall (WAF)
  • DDoS protection
  • Intrusion Detection System
  • Network segmentation
  • VPN for internal staff
🔐
Identity & Access
Who can access what
  • Multi-factor authentication
  • Role-based access control
  • Privileged access management
  • Session timeout policies
  • Biometric verification
🔒
Data Protection
Encryption & privacy
  • 256-bit AES encryption at rest
  • TLS 1.3 for data in transit
  • Database encryption
  • PII data masking
  • Secure key management
🤖
AI Threat Detection
Intelligent monitoring
  • 24/7 anomaly detection
  • Behavioral biometrics
  • Real-time fraud scoring
  • Automated threat response
  • Security incident & event management
Njepe Welfare

Governed with integrity. Protected with technology.

Scroll to Top