Systematic Integrity Risk Assessment (SIRA)

To safeguard the integrity of the financial sector, the law requires financial institutions to have adequate policies in place to ensure sound business practices. Without a Systematic Integrity Risk Analysis (SIRA), an institution cannot properly comply with integrity legislation.

The SIRA methodology is applicable for the mandatory risk assessment under the Wwft. Whereas a risk assessment under the Wwft is limited to the integrity risks of money laundering, terrorist financing and circumvention of sanction regulations, the SIRA deals with all forms of integrity risks. A risk assessment under the Wwft is therefore often done in practice during the implementation (and as part of) the SIRA.

Risk assessment

Regulations permit a risk-based approach, but proactive thinking about integrity risks and a well-considered risk analysis are indispensable. The risk analysis therefore also forms the basis for an integrity risk management vision and strategy.

Regulators pay special attention to the SIRA. In that context, DNB has drawn up, among other things, a User Guide and published additional guidance on its website. This shows that DNB pays particular attention to the following seven points when assessing a SIRA. A SIRA should:

  1. be recent and conducted periodically;
  2. cover multiple business units;
  3. pay attention to multiple integrity risks;
  4. provide insight into various gross risk scenarios and multiple risk factors (see below);
  5. provide an overview of the probability and impact; these scores should be clear and plausible;
  6. identify and assess control measures for each scenario according to a clear and plausible methodology. In addition, the company should indicate whether control measures are also effective and what demonstrates this;
  7. describe the net risks.

Conducting a risk assessment 

Conducting a risk assessment yourself? The following steps are important:

  1. Preparation (organisation chart)
  2. Risk identification
  3. Risk assessment (probability and impact)
  4. Analysing control measures
  5. Monitoring and follow-up

The law and the regulator require a systematic approach to managing risks in this way. Systematic also means that it is a cyclical process: the inventory, the analysis and the (review of the effectiveness of the) controls have to be gone through periodically.

The SIRA should be independently monitored by the compliance function.

SIRA organisation outline and risk profile

For the proper execution of the SIRA, the organisation outline and risk profile (including risk appetite) are important starting points. They guide the performance of the risk analyses and the qualification of their outcomes, and they ensure that risks are tailored, as the law requires, to the nature and size of your specific company.

Determining the organisational outline and risk profile primarily provides insight into:

  • the company’s activities and the location of its operations (country or geographical risk);
  • the product, transaction and service risk;
  • the client risk and delivery channels risk;
  • the employees and internal culture;
  • the relationships with ‘third parties’ (such as suppliers and outsourcing partners).

The above information will need to be numerically supported to highlight the importance of certain distribution channels, products or customer groups.

This organisational overview therefore includes a (qualitative and quantitative) analysis of the risk factors. The DNB Good Practices set out how an institution should first identify the areas in which it faces integrity risks. For each integrity risk, the contributing factors should be identified.

It should also describe the company’s risk appetite. For this purpose, an Integrity Risk Appetite will have to be determined. This risk appetite indicates the extent to which the institution is willing to run certain risks. The integrity risks discussed in the organisational chart will be measured against the integrity risk appetite in the SIRA in order to determine whether risks fall within the appetite and/or whether control measures need to be in place to mitigate the risk.

1. Identify and analyse integrity risks (gross risk)

The institution will then use the risk factors to identify the relevant inherent integrity risk. These risks are also referred to as gross risks and assume a situation where the company has not yet implemented any control measures.

Examples of integrity risks:

  • money laundering;
  • terrorism financing;
  • circumvention of sanctions regulations;
  • corruption (bribery);
  • conflict of interest;
  • internal and external fraud;
  • evasion or avoidance of tax regulations;
  • market manipulation;
  • cybercrime; and
  • socially improper conduct.

The institution identifies relevant integrity risks using relevant scenarios. In other words, it defines the ways in which a risk can occur. It is important here to consider the possible causes and consequences of a risk event.

Using the scenarios, the following is determined for each integrity risk:

  • the probability of the risk occurring;
  • the impact of the risk: the costs or damage once the risk has occurred.

The result is the gross risk. The scale used to classify the risks is determined by the company itself and can therefore be different for each company. The gross risk is then measured against the integrity risk appetite.

The above should therefore lead to a risk analysis that includes one or more scenarios for each risk factor. For each scenario, the inherent risk and the risk appetite must be determined.

2. Conducting a SIRA in your organisation

After determining the gross risk per scenario, the control measures for each scenario are also determined. By subsequently estimating the effectiveness of these control measures, the organisation gets a picture of the net risk per scenario. By setting this net risk against the risk appetite of the organisation, the action to be taken to mitigate the net risk is then determined. This could include:

  • Improving control by taking additional measures
  • Possibly insuring risk (this does not include outsourcing)
  • Changing or discontinuing certain activities, services and/or products
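The gross-risk, control-effectiveness and net-risk steps of sections 1 and 2 above, and the first three of DNB's seven review points, are easy to lose track of in a spreadsheet. The following is an added worked example, not code from the page or from any regulator's toolkit: it models a small risk register, scores gross risk as probability times impact on an assumed 1 to 5 scale (the page leaves the scale to each company), lets only evidenced controls reduce the gross risk (DNB point 6 asks what demonstrates effectiveness), sets the net risk against an assumed appetite and flags registers that are stale or cover a single business unit or risk. All names, scales, thresholds and sample scenarios are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumed scoring conventions (the page leaves the scale to each company):
# probability and impact on 1..5, gross risk = probability x impact (1..25),
# control effectiveness as a fraction 0..1, risk appetite as a net-risk ceiling.


@dataclass
class Control:
    name: str
    effectiveness: float   # assumed share of the gross risk the control removes
    evidenced: bool        # True when effectiveness is demonstrated (test, audit)


@dataclass
class Scenario:
    risk: str              # integrity risk category from the page's list
    business_unit: str
    description: str
    probability: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def gross_risk(self) -> int:
        """Inherent risk before any control measures are taken into account."""
        return self.probability * self.impact

    def control_effectiveness(self) -> float:
        """Combined effect of evidenced controls; unevidenced ones count for nothing."""
        residual = 1.0
        for c in self.controls:
            if c.evidenced:
                residual *= 1.0 - c.effectiveness
        return 1.0 - residual

    def net_risk(self) -> float:
        """Gross risk that remains after the evidenced controls."""
        return self.gross_risk() * (1.0 - self.control_effectiveness())

    def unevidenced_controls(self) -> List[str]:
        return [c.name for c in self.controls if not c.evidenced]


def assess(scenario: Scenario, appetite: float) -> Dict[str, object]:
    """Set gross and net risk against the appetite and derive the follow-up action."""
    net = scenario.net_risk()
    if net <= appetite:
        action = "within appetite: monitor"
    else:
        action = "above appetite: add controls, insure, or change/discontinue the activity"
    return {
        "scenario": scenario.description,
        "gross": scenario.gross_risk(),
        "net": round(net, 2),
        "action": action,
        "evidence_gaps": scenario.unevidenced_controls(),
    }


def register_findings(register: List[Scenario], assessed_on: date, today: date,
                      max_age_days: int = 365) -> List[str]:
    """Checks modelled on DNB's first three review points: recent, multiple units, multiple risks.
    The 365-day cycle is an assumption."""
    findings = []
    if (today - assessed_on).days > max_age_days:
        findings.append("SIRA is older than the assumed review cycle")
    if len({s.business_unit for s in register}) < 2:
        findings.append("register covers only one business unit")
    if len({s.risk for s in register}) < 2:
        findings.append("register covers only one integrity risk")
    return findings


# Constructed sample register; values are illustrative, not from any real institution.
SAMPLE_REGISTER = [
    Scenario("money laundering", "private banking",
             "cash-intensive client layers funds through multiple accounts",
             probability=4, impact=5,
             controls=[Control("transaction monitoring", 0.6, True),
                       Control("enhanced due diligence", 0.5, True)]),
    Scenario("corruption (bribery)", "commercial lending",
             "relationship manager accepts gifts to approve a facility",
             probability=2, impact=4,
             controls=[Control("gifts register", 0.4, False)]),
]
APPETITE = 5.0                  # assumed net-risk ceiling
ASSESSED_ON = date(2024, 1, 15)  # constructed dates for the recency check
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for s in SAMPLE_REGISTER:
        print(assess(s, APPETITE))
    print(register_findings(SAMPLE_REGISTER, ASSESSED_ON, TODAY))
```

The first scenario has a gross risk of 20, and its two evidenced controls leave 0.4 x 0.5 = 20% of it, so the net risk of 4 is within the assumed appetite of 5. The second scenario has a lower gross risk of 8, but its only control is not evidenced, so nothing reduces the gross risk and the scenario lands above appetite with an evidence gap to close first; this is the situation DNB's sixth point is aimed at.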

The company notifies all relevant business units of the policy, procedures and measures. In addition, care should be taken to implement and systematically review the policy, the procedures and the (improvement) measures.

3. Risk analysis and follow-up

The company has procedures in place to ensure that any shortcomings or flaws that are identified are reported. Usually, reporting is done to the compliance function. The company should also have procedures in place to ensure that identified shortcomings or deficiencies relating to the integrity of the company (under the supervision of the compliance function) lead to appropriate adjustments.

SIRA training

Would you like to learn how to independently conduct a SIRA that meets the requirements of regulators? Then follow our training course, which takes you step-by-step through the process of creating a SIRA within your own organisation. Read more about the SIRA training.

Want to know more?

Besides helping you with the implementation, we can also support you with a quality check of your SIRA. Here, we use our sector insights and any new scenarios based on developments in the market and supervision. Read more about our services or contact us for a consultation without obligation.