Financial regulators have emphasised the importance of the quality of the Systematic Integrity Risk Assessment (SIRA) as the starting point for effective risk management. An important component of this is the integrity risk appetite. Here you can learn more about what an integrity risk appetite entails and how to determine it. This article also describes the pitfalls of developing one.
An integrity risk appetite answers two questions: which integrity risks the institution finds acceptable after control measures have been applied, and which risks the company does not want to take under any circumstances.
With an integrity risk appetite statement, the institution explicitly indicates which integrity risks it is willing to accept. Ideally, the integrity risk appetite is established before drafting the SIRA. The supervisor DNB notes that in practice, it is also often an interactive process.
You set the risk appetite for the integrity risks you identified for your organisation. Examples of integrity risks include: internal and external fraud, money laundering and cybercrime.
Two examples of an integrity risk appetite statement:
A risk appetite is by definition dynamic. After all, developments in the company and in the outside world can lead to adjustments of your risk appetite.
When creating an integrity risk appetite, there are various pitfalls. Projective Group describes what to watch out for.
Many entrepreneurs see a risk appetite as an impediment to achieving objectives. We see that contemplating risk appetite also means considering which risks can be appropriately taken to achieve organizational goals.
Too often, a risk appetite is drafted by an individual without considering whether this can be effectively conveyed and endorsed by management. As a result, a risk appetite loses its value. A good risk appetite is by definition a shared, person-independent view. All employees should be able to connect with it in their daily work. The tone at the top is decisive here.
Having an integrity risk appetite stems from the legal provisions in the context of sound and controlled business operation, and supports you in complying with the Wwft and Sanctions legislation. When it comes to customer integrity, it is not just about what is or is not legally allowed, but rather about principles you consciously stand for as an organisation. These principles are not always black and white, or static. For instance, we see that tax evasion is becoming less accepted, even though it may not necessarily be an illegal activity.
There are daily situations where it’s necessary to refer back to your risk appetite. A simple example: a project to implement a new CRM system has been delayed. This may lead to a situation where you need to consider whether the security of your current system still fits within your risk appetite of ‘not allowing any internal fraud’ and/or if this exceeds your risk tolerance. In that case, you may need to implement additional control measures.
A clear risk appetite can be a compass for your employees in how to deal with, for example, the situation where a loyal customer passes on a new direct debit account number under a different account holder’s name. After all, this increases the risk of facilitating money laundering.
An organisation that only states that it does not want to run any integrity risk, without specifying this further, gives no direction on the risks it actually runs. A good risk appetite is based on a thorough analysis of the inherent risks at the level of its products and services, distribution channels and partnerships, customers and employees. This will also help you avoid unnecessary costs and missed benefits.
Could you use some assistance in conducting an integrity risk analysis or determining your risk appetite? Our consultants are happy to support you. Feel free to contact us.