In recent years, financial regulators have called a lot of attention to the quality of the systematic Integrity Risk Assessment (SIRA) as a starting point for proper risk management. An important part of this is the integrity risk appetite. Here you can read more about what an integrity risk appetite entails and how to determine it yourself. It also describes the pitfalls when drawing it up.
What does an integrity risk appetite entail?
An integrity risk appetite answers the questions which integrity risks the institution finds acceptable after control measures have been applied. But also which risks the company does not want to run anyway.
An integrity risk appetite statement explicitly indicates which integrity risks the institution is prepared to accept. Ideally, the integrity risk appetite should be prepared before the SIRA is drawn up. Supervisor DNB notes that in practice, it is also often an interactive process.
How do I establish an integrity risk appetite?
You set the risk appetite on the integrity risks you identify for your organisation. Examples of integrity risks include: internal and external fraud, money laundering and cybercrime.
Two examples of an integrity risk appetite statement:
- We do not participate in facilitating money laundering and terrorist financing by our clients. We therefore have no to low risk appetite for deviations from the Wwft and the Sanctions Act. Some deviation is possible in the situation where the client and/or UBO is prosecuted for financial-economic activities but whose judgment is not yet final. A deviation is only possible when submitting decisions to senior management and in case there are sufficient measures in place to follow the process until the verdict is final.
- Our most important core value is reliability. We therefore also do not engage in fraudulent activities. Not by our employees and not by our suppliers and other cooperation partners. Our risk appetite for internal fraud is zero. All signals of non-integrity are taken seriously. Detected fraud is investigated and dealt with within the deadlines set for this purpose and measures are taken to prevent new cases.
A risk appetite is dynamic by definition. After all, developments in the company and in the outside world can lead to adjustment of your risk appetite.
Pitfalls when preparing an integrity risk appetite
When preparing an integrity risk appetite, there are several pitfalls. Projective Group describes what to watch out for.
- Integrity risk appetite is separate from organisational objectives.
Many entrepreneurs see a risk appetite as hindering the achievement of objectives. We see that thinking about risk appetite also means thinking about what risks can be taken precisely to achieve organisational objectives.
- Integrity risk appetite belongs to a department or an individual
Too often, a risk appetite is drawn up by an individual, without checking whether you can and want to propagate this as management. As a result, a risk appetite loses value. A good risk appetite is by definition a shared, person-independent view. All employees must be able to connect to it in their daily work. The tone at the top is decisive here.
- An integrity risk appetite is a legal obligation
Having an integrity risk appetite stems from the legal provisions in the context of sound and controlled operations, and supports you in complying with the Wwft and Sanctions legislation. When it comes to customer integrity, it is not just about what is or is not legally allowed, but rather about principles you consciously stand for as an organisation. These principles are not always black and white, or static. For instance, we see that tax evasion is less and less accepted, even though in principle it does not have to be an illegal activity.
- Integrity risk appetite is not a priority
There are daily situations imaginable where it is necessary to revert to your risk appetite. A simple example: a project to implement a new CRM system has been delayed. This may lead to a situation where you have to consider whether the security of your current system still fits within your risk appetite to ‘not allow any internal fraud’ and/or this leads to an exceeding of this risk appetite. If so, you may need to take additional control measures.
A clear risk appetite can be a compass for your employees in how to deal with, for example, the situation where a loyal customer passes on a new direct debit account number in the name of another account holder. After all, this increases the risk of facilitating money laundering.
- Integrity risk appetite is too general
An organisation that only states that it does not want to run any integrity risk and does not specify this, does not give direction to the risks it actually runs. A good risk appetite is based on a thorough analysis of the inherent risks at the level of its products and services, distribution channels and partnerships, customers and employees. This will also help you avoid unnecessary costs and missed benefits.
Want to know more?
Could you use some help in conducting an integrity risk analysis or determining your risk appetite? Our consultants will be happy to support you. Feel free to contact us.