An optimized and holistic SIRA | Regulatory Risk | Deloitte Netherlands


An optimized and holistic SIRA

The next leap in systematic integrity risk analysis

This blog works towards an optimized and holistic SIRA that helps safeguard the systematic character of the SIRA as it is meant to be. With the right approach, SIRA can be an effective strategic tool instead of an administrative burden. In this blog we describe what an optimized and holistic SIRA may look like.

By Manon van Bakel and Sebastiaan van der Weide

A SIRA is not a yearly box-ticking exercise

Having a strong and effective SIRA is an explicit focus of the Dutch regulator DNB. If organizations only see the integrity risk assessment as a box-ticking exercise, they fail to use the SIRA for its intended purpose. If approached properly, SIRA is a strategic tool that helps to:

  • Effectively identify, assess, mitigate and manage integrity risks
  • Properly monitor the effectiveness of the risk appetite
  • Strengthen compliance risk management activities, processes and procedures
  • Optimize first and second line monitoring and control testing in a risk-based manner
  • Gain a better insight into the organization’s risk profile

The above-mentioned benefits of a well-performed SIRA lead to long-term advantages such as efficiency and a lower cost of compliance. Ultimately it puts the organization in control of its integrity risks.

The wide scope of SIRA

An optimized SIRA starts with considering or thoroughly defining the organization’s risk appetite. We wrote about this in the second blog of this series 'Your integrity risk appetite dissected'. Which risks are you willing to take and which risks are not acceptable for your organization?

In our experience there is sometimes still a discrepancy between the general SIRA scenarios organizations use and their actual business model and strategy. SIRA scenarios must therefore reflect the actual risks the organization is exposed to as a consequence of its strategy, business objectives and risk appetite. The holistic goal is continuous alignment, which improves the quality of the scenarios and thus better prepares your organization for any (latent) integrity risks you might encounter. Besides that, the SIRA could also lead to an adjustment of the organization’s strategy or business objectives in terms of de-risking and cost efficiency.

As an example, the SIRA may identify that a certain target group exposes the organization to an integrity risk that is too high because effective controls are absent. The organization may then decide either to stop servicing that target group because the cost of compliance is too high, or to allocate it to another segment with stricter monitoring.

The data-driven character of the SIRA

In an optimized SIRA, business and compliance experts should use internal and external data to assess the integrity risks, as we wrote in the third blog of this series 'A data driven approach to SIRA'. For each SIRA scenario, relevant data should be extracted and external developments identified to arrive at a more quantitative assessment. That requires high-quality data, proper data management and well-managed processes that ensure the data is used systematically.

By making the SIRA data-driven, the outcomes become more objective and less susceptible to bias. Many organizations are working towards or have already established a data-driven SIRA execution. They all acknowledge the strength of data, which allows them to gain a better insight into their actual risk profile and related integrity risks.

The SIRA is a team effort of both compliance and business

Business and compliance departments should both be involved in an integrity risk assessment. Where the business is mostly in the lead in performing the SIRA, compliance can act as an advisor and challenger. Facilitating a discussion between first and second line experts increases awareness of integrity risks within the organization. The outcome of the SIRA helps to identify the risk areas in need of stronger or new controls, and the second line can support the business in designing and implementing these stronger controls.

By following this process of close cooperation, the organization as a whole will become more resilient to integrity risks.

A strong improvement loop is essential

As we said before: a perfect SIRA is not a yearly box-ticking exercise for DNB. To utilize the benefits of SIRA properly, a feedback loop is needed to ensure follow-up on SIRA outcomes and to keep strengthening the SIRA process as a whole. Part of the feedback loop may be updating the risk appetite based on SIRA outcomes. Next to that, the SIRA identifies integrity risk areas in need of extra attention, which can lead to the adjustment of controls where necessary. Furthermore, the feedback loop gives insight into the updates needed in policies and procedures.

Integrity risks should be continuously monitored so that the results can be used for strategic decision making. If organizations have a monitoring system in place, as described in the previous blog 'Real-time insight into your integrity risks', they will get an alert if there is a significant change in their data or in one of their integrity risks and can then act upon it immediately.

In this blog series, we have given you the blueprint of a more holistic and optimized SIRA. The next step for you is to utilize these insights to start improving your own SIRA. SIRA will then become the effective strategic tool that will give you the edge in dealing with integrity risks.

More information?

Deloitte developed a SIRA methodology that can help your organization use SIRA as an effective strategic tool. Want to know more? Please contact Harold, Christiaan or Joes via their contact details below.