SACCO Governance Under Pressure: Lessons from Metropolitan and What Boards Must Fix
Metropolitan Sacco's collapse — a Sh50 billion untraceable loan book, 98.99% default rate, and 19 officials charged — reveals what happens when audit findings go untracked and risk governance fails. A forward-looking blueprint for SACCO boards.
The Kenyan co-operative movement holds more than Sh1.3 trillion in member deposits across savings and credit co-operative societies. For millions of teachers, civil servants, health workers, and small business operators, SACCOs are the primary savings and credit institution — more trusted, more accessible, and more personally significant than commercial banks. That trust carries a governance obligation that many SACCO boards have not yet matched with the infrastructure required to fulfil it.
The collapse of Metropolitan National Sacco has made that gap impossible to ignore. Regulatory filings show that Metropolitan closed 2024 with deposits of Sh7.41 billion and a loan book of Sh17.2 billion carrying a default rate of 98.99 percent — meaning virtually the entire portfolio was non-performing. The institution reported negative equity of Sh12 billion and an untraceable Sh50 billion in historical lending. Nineteen former officials have been charged with conspiracy to defraud the sacco of Sh14.49 billion. Members are now suing through the Co-operative Tribunal to recover their deposits, with case records showing a consistent pattern of rulings in their favour — deepening the strain on an already insolvent institution.
Metropolitan is extreme, but the governance failures it exposes are not unique. Recent cases at Kenya Union of Savings and Credit Co-operatives, SIC Investment Co-operative, and Energy Sacco have involved senior officials linked to financial impropriety. These are not isolated incidents of individual misconduct. They are symptoms of systemic weakness in governance infrastructure — boards that fail in fiduciary duties, executives who exploit inadequate internal controls, and oversight mechanisms that react too late. This article examines the specific governance failures that enable SACCO crises and outlines the structured audit, risk, and compliance infrastructure that boards must build to protect member deposits.
The Governance Failure Pattern: Why Audit Findings Go Untracked
The root cause in every major SACCO governance failure follows a consistent pattern: audit findings and supervisory observations are documented but not tracked to closure. Internal auditors or SASRA examiners identify control weaknesses, lending irregularities, or governance deficiencies. Their findings are recorded in reports. Those reports are presented to the board or the supervisory committee. And then the follow-up process breaks down.
In the absence of a structured tracking system, findings migrate to spreadsheets, email chains, or verbal undertakings at board meetings. Due dates pass without escalation. Evidence of remediation is not collected or verified. Repeat findings appear in the next audit cycle, confirming that the original conditions persist. Over successive cycles, a portfolio of unaddressed findings accumulates — each one a documented governance liability that the board has acknowledged but not resolved.
The damage compounds silently. A lending limit breach that goes unaddressed becomes a pattern. A segregation-of-duties failure that remains unremediated becomes the mechanism for fraud. A liquidity ratio below SASRA thresholds that is reported but not corrected becomes the pathway to insolvency. By the time the consequences are visible — in Metropolitan's case, an untraceable Sh50 billion — the governance failure is not the latest incident but the accumulated result of years of findings that were documented and ignored.
What SASRA Expects: The Supervisory Framework SACCOs Must Meet
The SACCO Societies Regulatory Authority provides a clear supervisory framework for deposit-taking SACCOs. SASRA examinations assess capital adequacy, asset quality, management effectiveness, earnings, and liquidity — the CAMEL framework adapted for the co-operative sector. Examination findings are communicated to the SACCO board with expectations for corrective action within specified timelines.
SASRA's prudential guidelines establish minimum standards for loan provisioning, liquidity ratios, capital adequacy, insider lending limits, and governance structures including board composition, term limits, and committee mandates. Compliance is not discretionary. SACCOs that fall below prudential thresholds face supervisory action that can include restrictions on deposit-taking, lending, or branch expansion — and in severe cases, statutory management or liquidation.
The gap is not in the regulatory framework. It is in the governance infrastructure that SACCOs use to track and demonstrate compliance. A SACCO that receives SASRA examination findings and manages the response through a spreadsheet maintained by the internal auditor has no reliable mechanism to ensure that every finding reaches closure, that evidence of remediation is captured, or that the board receives an accurate picture of the institution's compliance posture.
Building the Audit Infrastructure: From Finding to Closure
The foundation of SACCO governance is a structured audit findings lifecycle that tracks every finding — from SASRA examinations, external audits, internal audit reviews, and supervisory committee observations — through assignment, implementation, evidence collection, verification, and closure. This is not a reporting obligation. It is the mechanism through which boards ensure that identified weaknesses are actually fixed.
A structured audit management system assigns each finding to an accountable action owner with a defined due date. Automated reminders escalate findings that approach or exceed their deadlines. Action owners submit evidence of implementation — not verbal assurances, but documented evidence that the corrective action has been completed. A reviewer verifies the evidence before the finding can be closed. And the board receives a real-time dashboard showing open findings by source, priority, and age — replacing the quarterly summary that management compiles retrospectively.
This infrastructure transforms the board's relationship with audit findings from passive receipt to active oversight. Board members can see — at any meeting, at any moment — how many findings are open, how many are overdue, and what management is doing about each one. The audit committee can compare closure rates across examination cycles and identify patterns that indicate systemic control weakness rather than isolated incidents.
Risk Governance: Making the Risk Register Work for SACCOs
Audit findings address what has already been identified. Risk governance addresses what the institution is exposed to before an audit uncovers it. A structured risk register — one that is maintained continuously, not prepared annually for the board offsite — is the instrument through which the SACCO board monitors its exposure to credit risk, operational risk, liquidity risk, and fraud risk in real time.
For SACCOs, credit risk governance is paramount. The loan book is the primary asset, and its quality determines whether member deposits are safe. A risk register that tracks portfolio concentration by sector, by borrower size, by collateral type, and by delinquency stage gives the board early warning of deterioration — long before the default rate reaches levels that threaten solvency. Insider lending — loans to directors, staff, and related parties — must be separately identified, monitored against regulatory limits, and reported to the board with full transparency.
Operational risk governance must address the controls around loan origination, disbursement, collection, and write-off — the points in the lending process where fraud is most likely to occur. Segregation of duties between loan officers, approval authorities, and disbursement functions must be documented, tested, and monitored. Exceptions to established procedures must be captured, escalated, and reviewed. A SACCO where a single official can originate, approve, and disburse a loan without independent verification is a SACCO where the Metropolitan pattern can repeat.
Compliance Infrastructure: SASRA, AML/CFT, and Member Protection
Beyond audit and risk, SACCOs require structured compliance infrastructure to track and demonstrate adherence to SASRA prudential guidelines, AML/CFT obligations under the Proceeds of Crime and Anti-Money Laundering Act, and the data protection requirements of the Kenya Data Protection Act. Each regulatory obligation must be mapped to an owner, scheduled for periodic assessment, and tracked through a documented workflow that produces evidence of compliance — or triggers corrective action when compliance gaps are identified.
The compliance register is especially important for SACCOs approaching SASRA examinations. Rather than assembling compliance evidence in the weeks before an examination — the fire-drill pattern that consumes significant staff time and produces inconsistent results — a structured compliance system maintains examination-ready evidence continuously. When SASRA arrives, the compliance posture is documented and current, not reconstructed from scattered records.
A Governance Blueprint for SACCO Boards
The governance infrastructure that SACCO boards need is not complex in concept. It is an integrated system that tracks audit findings to closure, maintains a living risk register, monitors compliance with prudential and regulatory obligations, and gives the board structured, evidence-based reporting on all three. The challenge for most SACCOs is not understanding what is needed but implementing it with the structured technology and workflows that make it operationally sustainable.
Trigarc provides this infrastructure through three integrated modules: Trigarc Audit for findings lifecycle management from every audit source, Trigarc Risk for enterprise risk registers including credit, operational, and fraud risk with board dashboards, and Trigarc Compliance for regulatory obligation tracking aligned to SASRA, POCAMLA, and KDPA requirements. The platform is configured to the SACCO operating model — with GRC Champions at branch or committee level feeding risks and compliance observations to the central governance function.
The SACCO sector's trust position is earned through decades of service to members. Protecting that trust requires governance infrastructure that matches the scale of the responsibility. Metropolitan has shown what happens when it does not. The question for every SACCO board is whether their institution has the structured audit, risk, and compliance systems to ensure it never follows that path — and whether they can prove it to their members, their regulator, and their auditors.
Frequently Asked Questions
What caused Metropolitan Sacco's collapse?
Metropolitan Sacco reported negative equity of Sh12 billion, an untraceable Sh50 billion in historical lending, and a loan book default rate of 98.99 percent. Nineteen former officials have been charged with conspiracy to defraud. The root causes include inadequate audit follow-up, weak board oversight, and the absence of structured risk and compliance governance.
What governance standards does SASRA require of deposit-taking SACCOs?
SASRA applies a CAMEL-based supervisory framework covering capital adequacy, asset quality, management effectiveness, earnings, and liquidity. Prudential guidelines establish minimum standards for loan provisioning, liquidity ratios, capital adequacy, insider lending limits, board composition, and governance structures.
How does Trigarc Audit help SACCOs manage examination findings?
Trigarc Audit consolidates findings from SASRA examinations, external audits, internal audit reviews, and supervisory committee observations into one system. Each finding is assigned to an owner, tracked against a due date, escalated automatically when overdue, and closed only when evidence of remediation has been verified.
Can a SACCO implement Trigarc in phases?
Yes. Most SACCOs start with Trigarc Audit to address the most immediate governance need — tracking findings to closure — and then expand to Trigarc Risk and Trigarc Compliance as the governance program matures. Each module operates on the same data model, so findings, risks, and obligations connect automatically.
How does structured governance help SACCOs during SASRA examinations?
A structured GRC system maintains examination-ready evidence continuously rather than requiring the compliance team to assemble documentation in the weeks before an examination. When SASRA arrives, audit findings closure status, risk register currency, and compliance evidence are current and documented — reducing preparation effort and demonstrating governance maturity.
About Trigarc
The Trigarc suite, comprising Trigarc Audit, Trigarc Risk, and Trigarc Compliance, helps organisations manage governance, risk, and compliance in one integrated platform. Visit us at trigarc.com to learn more.