To safeguard the integrity of the financial sector, the law requires financial institutions to have adequate policies in place to ensure sound business practices. Without a Systematic Integrity Risk Analysis (SIRA), an institution cannot properly comply with integrity legislation.
The SIRA methodology also serves the mandatory risk assessment under the Wwft. Whereas a risk assessment under the Wwft is limited to the integrity risks of money laundering, terrorist financing and circumvention of sanctions regulations, the SIRA covers all forms of integrity risk. In practice, the Wwft risk assessment is therefore often carried out during, and as part of, the SIRA.
Regulations permit a risk-based approach, but proactive thinking about integrity risks and a well-considered risk analysis are indispensable. The risk analysis thus also forms the basis for an integrity risk management vision and strategy.
Regulators pay special attention to the SIRA. In that context, DNB has drawn up, among other things, a User Guide and has published additional guidance on its website. This guidance shows that DNB looks in particular at the following seven points when assessing a SIRA. A SIRA should:
Conducting a risk assessment yourself? The following steps are important:
The law and the regulator require a systematic approach to managing these risks. Systematic also means cyclical: the inventory, the analysis and the control measures (including a review of their effectiveness) must be revisited periodically.
The SIRA should be independently monitored by the compliance function.
For the proper execution of the SIRA, the organisational outline and the risk profile (including the risk appetite) are important starting points. They guide both the performance of the risk analyses and the qualification of their outcomes. Risks must also be tailored to the nature and size of your specific company; this is a mandatory requirement.
Determining the organisational outline and risk profile primarily provides insight into:
The above information must be supported numerically in order to show the relative importance of particular distribution channels, products or customer groups.
The organisational outline therefore includes a (qualitative and quantitative) analysis of the risk factors. The DNB Good Practices set out how institutions should first identify the areas in which they face integrity risks. For each integrity risk, the contributing factors should then be identified.
The outline should also describe the company's risk appetite. For this purpose, an Integrity Risk Appetite has to be determined, indicating the extent to which the institution is willing to accept certain risks. In the SIRA, the integrity risks discussed in the organisational outline are measured against this integrity risk appetite in order to determine whether they fall within the appetite or whether control measures are needed to reduce the risk to an acceptable level.
The institution then uses the risk factors to identify the relevant inherent integrity risks. These are also referred to as gross risks: they assume a situation in which the company has not yet implemented any control measures.
Examples of integrity risks:
The institution identifies relevant integrity risks using scenarios. In other words, it describes the ways in which a risk can materialise. It is important here to consider both the possible causes and the possible consequences of a risk event.
Using the scenarios, the following is determined for each integrity risk:
The result is the gross risk. The scale used to classify risks is chosen by the company itself and may therefore differ from one company to another. The gross risk is then measured against the integrity risk appetite.
The above should therefore lead to a risk analysis containing one or more scenarios for each risk factor. For each scenario, the inherent risk and the risk appetite must be determined.
After the gross risk has been determined for each scenario, the control measures for each scenario are identified. By then estimating the effectiveness of these control measures, the organisation obtains a picture of the net (residual) risk per scenario. Comparing this net risk with the organisation's risk appetite determines what action is needed to mitigate it further. This could include:
The company informs all relevant business units of the policy, procedures and measures. Care should also be taken that the policy, procedures and (improvement) measures are actually implemented and systematically reviewed.
The company has procedures in place to ensure that any shortcomings or flaws that are identified are reported, usually to the compliance function. It should also have procedures in place to ensure that identified shortcomings or deficiencies relating to the company's integrity lead to appropriate adjustments, under the supervision of the compliance function.
Would you like to learn how to conduct a SIRA independently that meets the regulators' requirements? Then follow our training course, which takes you step by step through the process of creating a SIRA within your own organisation. Read more about the SIRA training.
Besides helping you with the implementation, we can also support you with a quality check of your SIRA, drawing on our sector insights and on new scenarios based on developments in the market and in supervision. Read more about our services or contact us for a consultation without obligation.