Your integrity risk appetite dissected | Regulatory Risk | Deloitte Netherlands


Your integrity risk appetite dissected

The next leap in systematic integrity risk analysis

In this second part of our SIRA blog series, we dive deeper into the subject of risk appetite. A clearly defined integrity risk appetite can lead to the improved use of SIRA as a strategic tool and subsequently power operational performance. Aligning strategy and business objectives is key to a solid risk appetite.

By Manon van Bakel and Sebastiaan van der Weide

Risk appetite as foundation for SIRA as a strategic tool

The effectiveness of SIRA as a strategic tool can benefit from a thoroughly defined integrity risk appetite. Defining precisely what risks you are willing to accept or not will further optimize your integrity risk management. A solid risk appetite powers operational performance.

Over the past years, the Dutch Central Bank (DNB) has repeatedly stressed the need for financial institutions to properly design and implement their integrity risk appetite. DNB stated that many financial institutions are unable to explain how they define their integrity risk appetite (hereafter referred to as “risk appetite”) and how it is applied in their organization.

That conclusion is in line with what we see at many financial institutions: there often is an overarching risk appetite, but most of the time it is outdated, not in line with the company strategy and/or not specified for all types of compliance risks. On top of that, no one in the organization really knows what this vaguely described risk appetite actually means for his or her day-to-day work.

In this second blog episode about using SIRA as a strategic tool we talk about how you should define your risk appetite and dissect it into concrete do’s and don’ts for your organization. By doing that, SIRA can become a tool that strengthens your risk management instead of being an administrative burden. By properly defining the risk appetite and implementing it in the daily practice of your organization, your organization becomes more compliant, you gain control over your compliance risks at lower cost and your operational processes can be simplified.

Alignment between risk appetite and strategy

Key to a solid risk appetite is aligning it with the strategy and business objectives. Clear specifications of value drivers and strategic risks are part of this. The second step is the specification of risk acceptance principles: the limits against which actual risks are compared. This could be a list of client types (e.g. shell banks or trust offices), products, transactions, geographical locations and/or channels that pose an unacceptable risk to the organization.

The organization’s risk capacity should be taken into account when assessing this: do we have the capacity and the required skills to sufficiently mitigate the risks posed by, for instance, these types of clients? In order to achieve a defined risk appetite that is accepted and understood by the entire organization, it is important to go through these steps with all the relevant stakeholders, e.g. the business lines, compliance, legal and compliance program management.

Aligning risk appetite with strategy ultimately sets the benchmark for the integrity risks the organization is facing. A small, Netherlands-oriented retail bank for instance might conclude that it does not want to serve complex clients, such as internationally active trust offices. A trust office is not the type of client the organization is strategically aiming for, and such clients pose an unacceptable risk because there aren’t enough employees with the skills and knowledge required to onboard and monitor them. Serving these clients would therefore be too complex and cost-inefficient.

Translation to operational level

Once the risk acceptance principles have been defined, they need to be operationalized, and actual risk levels should be measured to determine whether they remain within the risk appetite. Compliance policies, processes and controls therefore have to be adjusted accordingly.

For the small bank from the example, this step means that during client onboarding (customer due diligence, CDD) the decision whether or not to accept a client is taken against the limits set by the risk acceptance principles in the risk appetite. These limits enable the business to decide and act upon the set strategy and integrity risk appetite in different situations. For example, if an analyst concludes that a prospective client qualifies as a trust office, the analyst knows that this client cannot be onboarded, as it would lead to an unacceptable risk.

It is in this part of the process that thoroughly defining your risk appetite visibly pays off. At several organizations we saw that a clearly defined integrity risk appetite saved relationship managers a great deal of time, because they could decide at an early stage not to onboard certain clients. They now have a clear checklist or digital tool that helps them decide quickly and consistently.

A key challenge financial institutions struggle with is how to apply a redefined risk appetite to the existing client base. How to handle mature client relationships that fall outside the newly defined risk appetite? Options to consider are adjusting the risk classification, ring-fencing the client (subjecting the relationship to more stringent monitoring and offering no new products), exiting the client relationship, or setting up a waiver that formally records that the financial institution deviates from its compliance risk appetite by continuing the relationship. Each option should be carefully considered, as the legal rights of customers can limit your options (e.g. the right to have a bank account as a European citizen).

Adjusting risk appetite continuously

Breaches of the organization’s risk appetite are commonplace. It is therefore important to generate and report management information that clearly shows the risks the financial institution is actually taking. Any disparity between the risks actually taken and the risks the board believes are being taken should be reduced as much as possible.

A clear view of actual risks and possible breaches enables the organization to evaluate whether it is acting in line with its intended responses to compliance risks. This might mean that the risk appetite needs to be redefined or adjusted. Changes in the environment can also prompt an ad-hoc redefinition of your risk appetite. Examples are clients in countries that suddenly become politically unstable, or in industry sectors that become more prone to corruption or money laundering after recent scandals in the news.
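To make the operational translation concrete, here is an added illustration (not a Deloitte tool and not the authors’ own code) of how the risk acceptance principles from the onboarding example and the existing-client options above can be encoded as data and evaluated mechanically. The principle categories, client records, country codes and product names are constructed for illustration and are assumptions, not a real bank’s policy. The same evaluation, run over the current client base, yields the management information on appetite breaches discussed in this section, and because the principles are data, an environmental change such as a country becoming unacceptable is a one-line policy update followed by a re-run.

```python
"""Added example: risk acceptance principles as a small policy-as-code evaluator.
All principles, codes and client records below are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    client_type: str      # assumed categories: "retail", "sme", "trust_office", "shell_bank"
    country: str          # assumed ISO-3166 alpha-2 style code
    products: set         # product identifiers held or requested
    channel: str          # assumed: "branch" or "non_face_to_face"
    existing: bool = False   # True for a relationship already on the book
    waiver: bool = False     # formally approved deviation from the risk appetite


# Risk acceptance principles. "unacceptable" lies outside the appetite;
# "elevated" is within the appetite but only under enhanced monitoring.
POLICY = {
    "unacceptable_client_types": {"trust_office", "shell_bank"},
    "unacceptable_countries": {"XX"},            # placeholder high-risk jurisdiction (assumed)
    "unacceptable_products": {"correspondent_banking"},
    "elevated_countries": {"YY"},                # placeholder elevated-risk jurisdiction (assumed)
    "elevated_channels": {"non_face_to_face"},
}


def evaluate(client, policy=POLICY):
    """Return (decision, reasons) for one client against the policy.

    Prospective clients outside the appetite are rejected. Existing clients
    outside the appetite are either covered by a waiver or flagged for
    ring-fencing (more stringent monitoring, no new products).
    """
    breaches = []
    if client.client_type in policy["unacceptable_client_types"]:
        breaches.append(f"client type '{client.client_type}' outside appetite")
    if client.country in policy["unacceptable_countries"]:
        breaches.append(f"country '{client.country}' outside appetite")
    blocked = client.products & policy["unacceptable_products"]
    if blocked:
        breaches.append(f"products {sorted(blocked)} outside appetite")

    if breaches:
        if not client.existing:
            return "reject", breaches
        if client.waiver:
            return "waiver", breaches
        return "ringfence", breaches

    elevated = []
    if client.country in policy["elevated_countries"]:
        elevated.append(f"country '{client.country}' requires enhanced monitoring")
    if client.channel in policy["elevated_channels"]:
        elevated.append(f"channel '{client.channel}' requires enhanced monitoring")
    if elevated:
        return "accept_enhanced", elevated
    return "accept", []


def management_report(clients, policy=POLICY):
    """Count clients per decision: what the board sees versus what is on the book."""
    report = {}
    for client in clients:
        decision, _ = evaluate(client, policy)
        report[decision] = report.get(decision, 0) + 1
    return report


def appetite_breaches(clients, policy=POLICY):
    """Existing clients outside the appetite with no approved waiver."""
    return [c.client_id for c in clients if evaluate(c, policy)[0] == "ringfence"]


# Constructed sample portfolio: two prospects and four existing relationships.
SAMPLE_CLIENTS = [
    Client("C-001", "retail", "NL", {"current_account"}, "branch"),
    Client("C-002", "trust_office", "NL", {"current_account"}, "branch"),
    Client("C-003", "sme", "YY", {"current_account"}, "non_face_to_face"),
    Client("C-004", "trust_office", "NL", {"current_account"}, "branch", existing=True),
    Client("C-005", "shell_bank", "XX", {"correspondent_banking"}, "branch",
           existing=True, waiver=True),
    Client("C-006", "sme", "NL", {"current_account"}, "branch", existing=True),
]


def policy_with_unacceptable_country(policy, country):
    """Ad-hoc appetite change, e.g. a country becoming politically unstable."""
    return dict(policy, unacceptable_countries=policy["unacceptable_countries"] | {country})


if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c.client_id, *evaluate(c))
    print("report:", management_report(SAMPLE_CLIENTS))
    print("breaches without waiver:", appetite_breaches(SAMPLE_CLIENTS))
    updated = policy_with_unacceptable_country(POLICY, "YY")
    print("after YY becomes unacceptable:", management_report(SAMPLE_CLIENTS, updated))
```

The point of keeping the principles as data rather than as scattered if-statements in an onboarding form is that the same table drives the onboarding checklist, the periodic review of the existing book and the board report, so the three cannot silently drift apart.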

A properly defined risk appetite improves the assessment of integrity risks, thereby strengthening the execution of a SIRA. To gain clear insight into the integrity risks of the client portfolio, your approach needs to be data-driven. In our next blog about using SIRA as a strategic tool we’ll talk about the key components of this data-driven approach.
