Integrity Risk Appetite

Financial regulators have emphasised the importance of the quality of the Systematic Integrity Risk Assessment (SIRA) as the starting point for effective risk management. An important component of this is the integrity risk appetite. Here you can learn more about what an integrity risk appetite entails and how to determine it. This page also describes the pitfalls of developing one.

What does an integrity risk appetite entail?

An integrity risk appetite answers two questions: which integrity risks the institution finds acceptable after control measures have been applied, and which risks it does not want to take under any circumstances.

With an integrity risk appetite statement, the institution explicitly indicates which integrity risks it is willing to accept. Ideally, the integrity risk appetite is established before drafting the SIRA. The supervisor DNB notes that in practice, it is also often an interactive process.

How do I establish an integrity risk appetite?

You set the risk appetite for the integrity risks you identified for your organisation. Examples of integrity risks include: internal and external fraud, money laundering and cybercrime.

Two examples of an integrity risk appetite statement:

  1. We do not participate in facilitating money laundering and terrorist financing by our clients. We therefore have no to low risk appetite for deviations from the Wwft and the Sanctions Act. Some deviation is possible in the situation where the client and/or UBO is prosecuted for financial-economic activities but where the verdict is not yet final. A deviation is only possible if the decision-making is presented to senior management and if sufficient measures are in place to follow the process until the verdict becomes final.
  2. Our main core value is reliability. Therefore, we do not engage in fraudulent activities, and we do not accept them from our employees, our suppliers or other partners. Our risk appetite for internal fraud is nil. All signals of non-integrity are taken seriously. Detected fraud is investigated and dealt with within the deadlines set for this purpose, and measures are taken to prevent new cases.

A risk appetite is by definition dynamic. After all, developments in the company and in the outside world can lead to adjustments of your risk appetite.

Pitfalls when drafting an integrity risk appetite

When creating an integrity risk appetite, there are various pitfalls. Projective Group describes what to watch out for.

  1. Integrity risk appetite is separate from the organisation’s objectives

Many entrepreneurs see a risk appetite as an impediment to achieving objectives. We see that contemplating risk appetite also means considering which risks can be appropriately taken to achieve organisational goals.

  2. Integrity risk appetite belongs to a department or an individual

Too often, a risk appetite is drafted by an individual without considering whether this can be effectively conveyed and endorsed by management. As a result, a risk appetite loses its value. A good risk appetite is by definition a shared, person-independent view. All employees should be able to connect with it in their daily work. The tone at the top is decisive here.

  3. An integrity risk appetite is a legal obligation

Having an integrity risk appetite stems from the legal provisions in the context of sound and controlled business operation, and supports you in complying with the Wwft and Sanctions legislation. When it comes to customer integrity, it is not just about what is or is not legally allowed, but rather about principles you consciously stand for as an organisation. These principles are not always black and white, or static. For instance, we see that tax evasion is becoming less accepted, even though it may not necessarily be an illegal activity.

  4. Integrity risk appetite is not a priority

There are daily situations where it is necessary to refer back to your risk appetite. A simple example: a project to implement a new CRM system has been delayed. This may lead to a situation where you need to consider whether the security of your current system still fits within your risk appetite of ‘not allowing any internal fraud’ and/or if this exceeds your risk tolerance. In that case, you may need to implement additional control measures.

A clear risk appetite can be a compass for your employees in how to deal with, for example, the situation where a loyal customer passes on a new direct debit account number under a different account holder’s name. After all, this increases the risk of facilitating money laundering.

  5. Integrity risk appetite is too general

An organisation that only states that it does not want to run any integrity risk, without specifying this further, gives no direction on the risks it actually runs. A good risk appetite is based on a thorough analysis of the inherent risks at the level of its products and services, distribution channels and partnerships, customers and employees. This will also help you avoid unnecessary costs and missed benefits.
