A data driven approach to SIRA

Up until now most integrity risk analyses are based on expert sessions, which make these assessments highly subjective. Both first and second line employees bring their personal work situation to such sessions. We often see that first line employees don’t think of SIRA as something important, and that second line employees are fearing another DNB assessment. This obviously will affect how they asses risks.

If for instance the organization has never encountered a hack, the professional judgement might be that cyber risk is not an important issue for the organization, while in fact cyber threats can have a large negative impact on the organization. And then there is the difference between experts in the same field: some might say a certain risk and its impact are high, while others might assess both as low. Who to believe then?

Data are key when assessing integrity risks

In this blog series we explain how SIRA can become an effective strategic tool instead of just another paper construct. In the first blog SIRA as a strategic tool we talked about what is necessary to bring the maturity of SIRA to a higher level and in the second blog we dove deeper in defining your risk appetite and why that is important for SIRA. In this third blog we explain why a data driven approach is essential if you want to use SIRA as a strategic tool.

Don’t get us wrong. Professional judgement is still necessary for analyzing integrity risks. But instead of relying on a gut feeling, experts should incorporate internal and external data in their assessments to increase the reliability of SIRA. For each of the risk indicators relevant data should be extracted and external developments identified. That requires high-quality data and proper data management that make sure that the data will be used systematically.

Monitoring external data to identify integrity risks in an early stage

External data governance is often a big hurdle for organizations. European financial and banking legislation is changing at an ever-increasing pace, for instance. Timely detection of upcoming legislative and supervisory changes is necessary to be able to remain compliant. This means that it is not enough to let one or two persons keep an eye on regulatory developments; this needs to be done systematically to make sure that you won’t miss essential new legislation.

The same goes for other external data that is relevant for your integrity risks. Social media posts about your organization, reports on news websites and in industry journals, financial news, impactful events in countries where you have a lot of clients; there is too much information for individuals to follow, but with advanced analytics technology it is possible to stay up to date on relevant developments automatically. There are tools that do not only identify current risk signals and anticipate emerging risk events, but that also help you seize the opportunity hidden within them. These tools can help you with a data driven approach of SIRA.

SIRA as an effective strategic tool

A data driven approach will help you to build a SIRA that is also an effective strategic tool. It helps you to gain insight into the likelihood of risks and their impact, control effectiveness and residual integrity risks your institution is exposed to.

In our next blog about using SIRA as a strategic tool we’ll talk about reporting and monitoring. If you manage external data correctly, how do you make sure that alerts end up on the desk of the right person?

Deloitte developed a SIRA methodology that can help your organization to use SIRA as an effective strategic tool. Want to know more? Please download the brochure.

More information?

For more information please contact our experts via their contact details below.