Systematic Integrity Risk Assessment (SIRA)

To ensure the integrity of the financial sector, the law requires financial institutions to have adequate policies to ensure sound business practices. Without a Systematic Integrity Risk Analysis (SIRA), an institution cannot properly comply with integrity legislation.

The SIRA methodology is applicable for the mandatory risk assessment under the Wwft. While a risk assessment under the Wwft is limited to the integrity risks of money laundering, terrorist financing and circumvention of sanction regulations, the SIRA covers all forms of integrity risks. In practice, a risk assessment under the Wwft is therefore often conducted during the implementation (and as part of) the SIRA.

Risk assessment

Regulations allow for a risk-based approach, but what is essential is a proactive consideration of integrity risks and a thorough risk analysis. Risk analysis also provides the basis for an integrity risk management vision and strategy.

Regulators pay special attention to the SIRA. In that context, DNB has drafted, among other things, a User Guide and provided additional guidance on its website. This indicates DNB’s particular focus on the following seven points when assessing a SIRA. A SIRA should:

  1. be recent and conducted periodically;
  2. cover multiple business units;
  3. pay attention to multiple integrity risks;
  4. provide insight into various gross risk scenarios and multiple risk factors (see below);
  5. provide an overview of the probability and impact; these scores should be clear and plausible;
  6. identify and assess control measures for each scenario according to a clear and plausible methodology. In addition, the company should indicate whether control measures are also effective and what demonstrates this;
  7. describe the net risks.

Conducting a risk assessment

Conducting a risk assessment yourself? The following steps are important:

  1. Preparation (organisation chart)
  2. Risk identification
  3. Risk assessment (probability and impact)
  4. Analysing control measures
  5. Monitoring and follow-up

The law and the regulator demand a systematic approach to managing these risks. Systematic also means that it is a cyclical process: the inventory, the analysis and the control measures (including the review of their effectiveness) must be gone through periodically.

In the SIRA, independent oversight by the compliance function should be maintained.

SIRA organisation outline and risk profile

For the proper execution of the SIRA, the organisation outline and risk profile (including risk appetite) are important principles. These are guiding principles for conducting risk analyses and qualifying their outcomes. They ensure that risks are (mandatorily) tailored to the nature and scope of your specific company.

Determining the organisational outline and risk profile primarily provides insight into:

  • the company’s activities and the location of its operations (country or geographical risk);
  • the product, transaction and service risk;
  • the client risk and delivery channels risk;
  • the employees and internal culture;
  • the relationships with ‘third parties’ (such as suppliers and outsourcing partners).

The above information needs to be supported numerically to clarify the importance of certain distribution channels, products or customer groups.

This organisational overview therefore includes a (qualitative and quantitative) analysis of the risk factors. The DNB Good Practices outline how institutions should first identify the areas where integrity risks exist. For each integrity risk, the factors involved must be identified.

The risk appetite of the company must also be described. For this, an Integrity Risk Appetite needs to be determined. This risk appetite indicates the extent to which the institution is willing to take certain risks. The integrity risks discussed in the organisational chart will be compared against the integrity risk appetite in the SIRA in order to determine whether risks fall within the appetite and/or if control measures need to be present to mitigate the risk.

1. Identify and analyse integrity risks (gross risk)

The institution then uses the risk factors to identify the relevant inherent integrity risks. These risks, also known as gross risks, assume a situation in which the company has not yet implemented any control measures.

Examples of integrity risks:

  • money laundering;
  • terrorism financing;
  • circumvention of sanctions regulations;
  • corruption (bribery);
  • conflict of interest;
  • internal and external fraud;
  • evasion or avoidance of tax regulations;
  • market manipulation;
  • cybercrime; and
  • socially improper conduct.

The institution identifies relevant integrity risks using relevant scenarios. In other words, it describes the ways in which a risk can occur. It is important to consider the possible causes and consequences of a risk event.

Using the scenarios, the following is determined for each integrity risk:

  • the likelihood of the risk occurring;
  • the impact of the risk: the costs or damage incurred when the risk materialises.

The result is the gross risk. The scale used to classify the risks is determined by the company itself and can therefore vary from one company to another. The gross risk is then compared against the integrity risk appetite.

The above should therefore result in a risk analysis in which one or more scenarios are included for each risk factor. For each scenario, the inherent (gross) risk and the risk appetite must be determined.

2. Conducting a SIRA in your organisation

After determining the gross risk for each scenario, the control measures are also determined for each scenario. By then assessing the effectiveness of these control measures, the organisation gains an understanding of the net risk for each scenario. By comparing this net risk against the organisation’s risk appetite, it is then determined which actions should be taken to mitigate the net risk. This may include:

  • Improving control by taking additional measures
  • Possibly insuring risk (this does not include outsourcing)
  • Changing or discontinuing certain activities, services and/or products
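The gross-risk, control-effectiveness and net-risk steps described in sections 1 and 2 can be made concrete in a small risk register. The following Python is an added illustration, not code from DNB or from the page's authors. As the text notes, every company sets its own scale, so the scales here are assumptions: likelihood and impact are scored 1 to 5, gross risk is their product, each control's effectiveness is an assessed fraction between 0 and 1 with the evidence for it recorded alongside (DNB's sixth point), and the appetite is an assumed maximum net score per integrity risk. The scenarios, controls and appetite values are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed scoring scales (the page says each company chooses its own):
#   likelihood and impact: integers 1 (low) .. 5 (high)
#   control effectiveness: 0.0 (no effect) .. 1.0 (fully mitigates)
SCORE_MIN, SCORE_MAX = 1, 5


@dataclass
class Control:
    name: str
    effectiveness: float   # assessed share of the gross risk this control removes
    evidence: str          # what demonstrates that effectiveness (DNB point 6)

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness out of range for control '{self.name}'")


@dataclass
class Scenario:
    integrity_risk: str                 # e.g. "money laundering"
    risk_factor: str                    # e.g. "client risk", "country risk"
    description: str                    # the way in which the risk can occur
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCORE_MIN <= value <= SCORE_MAX:
                raise ValueError(f"{name} must be between {SCORE_MIN} and {SCORE_MAX}")

    def gross_risk(self) -> int:
        """Inherent risk before any control: likelihood x impact (assumed formula)."""
        return self.likelihood * self.impact

    def control_effectiveness(self) -> float:
        """Combined effect of all controls, assuming each one reduces the risk
        left over by the others (the residual fractions multiply)."""
        residual = 1.0
        for control in self.controls:
            residual *= 1.0 - control.effectiveness
        return 1.0 - residual

    def net_risk(self) -> float:
        """Risk remaining after the assessed controls."""
        return round(self.gross_risk() * (1.0 - self.control_effectiveness()), 2)


def recommend(scenario: Scenario, appetite: dict[str, float]) -> dict:
    """Compare the net risk with the appetite for that integrity risk and name
    the follow-up the page lists (more measures, insurance, or changing the activity)."""
    limit = appetite[scenario.integrity_risk]
    net = scenario.net_risk()
    if net <= limit:
        action = "within appetite: keep controls, review periodically"
    elif not scenario.controls:
        action = "exceeds appetite with no controls: design control measures or reconsider the activity"
    else:
        action = "exceeds appetite: add measures, consider insurance, or change/discontinue the activity"
    return {
        "integrity_risk": scenario.integrity_risk,
        "scenario": scenario.description,
        "gross_risk": scenario.gross_risk(),
        "net_risk": net,
        "appetite": limit,
        "within_appetite": net <= limit,
        "action": action,
    }


def assess_register(scenarios: list[Scenario], appetite: dict[str, float]) -> list[dict]:
    """Produce one assessment row per scenario, the core of a SIRA register."""
    return [recommend(s, appetite) for s in scenarios]


# Constructed sample appetite and register (illustrative values only).
SAMPLE_APPETITE = {"money laundering": 5.0, "sanctions circumvention": 3.0, "internal fraud": 4.0}

SAMPLE_SCENARIOS = [
    Scenario("money laundering", "client risk",
             "cash-intensive corporate client layers funds through business accounts",
             likelihood=4, impact=5,
             controls=[Control("enhanced due diligence", 0.5, "quarterly sample review of client files"),
                       Control("transaction monitoring", 0.6, "alert-to-report statistics and model validation")]),
    Scenario("sanctions circumvention", "country risk",
             "payment routed via an intermediary bank in a sanctioned jurisdiction",
             likelihood=3, impact=5,
             controls=[Control("sanctions screening", 0.7, "screening tool tested against a sample list")]),
    Scenario("internal fraud", "employees and internal culture",
             "employee alters beneficiary details on a payment instruction",
             likelihood=2, impact=3),   # no controls yet: net risk equals gross risk
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_SCENARIOS, SAMPLE_APPETITE):
        print(f"{row['integrity_risk']:<24} gross={row['gross_risk']:>3} net={row['net_risk']:>5} "
              f"appetite={row['appetite']:>4} -> {row['action']}")
```

Running the script prints one line per scenario; in the sample data the money-laundering scenario lands within appetite after its two controls (net 4.0 against an appetite of 5.0), while the sanctions scenario (net 4.5 against 3.0) and the uncontrolled internal-fraud scenario (net 6.0 against 4.0) are flagged for follow-up. The multiplicative combination of controls is one modelling choice; a company that scores effectiveness on its own ordinal scale would replace `control_effectiveness` accordingly, which is exactly the "clear and plausible methodology" the regulator asks to see documented.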

The company informs all relevant business units about the policy, procedures and measures. Additionally, care must be taken to ensure the implementation and systematic review of the policies, procedures, and (improvement) measures.

3. Risk analysis and follow-up

The company has procedures in place to ensure that any shortcomings or flaws that are identified are reported. Typically, these are reported to the compliance function. Additionally, the company should also have procedures in place to ensure that identified shortcomings or deficiencies regarding the integrity of the business operations (under the supervision of the compliance function) lead to appropriate adjustments.

SIRA training

If you want to learn how to independently conduct a SIRA that meets regulatory requirements, our SIRA course could be just what you need. During the training we will guide you through the process of conducting a SIRA within your own organisation.

Want to know more?

In addition to helping you with implementation, we can also assist you with quality control of your SIRA. We use our industry knowledge and any new scenarios based on market developments and regulatory requirements. Read more about our services or contact us for a no-obligation consultation.