In November 2024, DNB published the consultation version of its long-awaited Good Practice for Systematic Integrity Risk Analysis (SIRA, hereinafter referred to as ‘Good Practice’). The Good Practice replaces DNB’s SIRA Good Practices document and poster from 2015 (hereinafter referred to as ‘Guideline’). The Guideline contained a format for the SIRA and identified eleven specific integrity risks. The format was quickly adopted as ‘the right way’ to conduct a SIRA. The prevailing sentiment was that following the format prescribed by DNB would be less risky from an enforcement perspective than following one’s own path. The question whether a different approach to implementation might be better was left unasked. Institutions are now encouraged to think for themselves and choose a risk management approach that fits them. But how should they approach the SIRA? And how do they pass the scrutiny of the regulator?
With the Good Practice, supervised institutions are encouraged to take the initiative in establishing and maintaining a risk management process tailored to the institution. In addition, emphasis is placed on an adequate feedback loop and on the importance of continuous monitoring of risks. Based on the Good Practice and our experience as advisors to a wide range of financial institutions, KPMG Forensic offers five tips for a stronger SIRA:
- Follow a method for conducting the SIRA with clearly defined roles and responsibilities. Develop a structured method, but maintain flexibility to adapt to new risks, products, and other developments. Ensure sufficient commitment from various levels of the organization.
- Utilize data – including data on customers, products, services, transactions, and incident reports – to detect trends. Why has customer group type X increased? Why do we have more cash deposits in period X? Can we explain transactions to and from neighboring countries of sanctioned countries? Data does not have to be perfect to start the SIRA: address imperfections as part of the SIRA. Institutions can also use the SIRA to identify which data still needs to be unlocked or which data fields need improvement.
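The three questions in this tip (growth of a customer type, growth of cash deposits per period, and transactions with counterparties in countries neighboring sanctioned jurisdictions) can be turned into a small periodic check over the institution's own transaction data. The script below is an added illustration written for this article, not KPMG tooling or DNB guidance. It runs over a constructed set of records, reports period-over-period growth above a configurable threshold, flags counterparty countries on a watchlist, and, in line with the point that data need not be perfect, reports rows with a missing country field as data-quality gaps instead of silently dropping them. The country codes `XA` and `XB` on the watchlist are placeholders, not a statement about any real jurisdiction; the field layout and the 50% growth threshold are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data). One tuple per transaction:
# (period YYYY-MM, customer_type, kind, amount in EUR, counterparty country or "" if missing)
SAMPLE_ROWS = [
    ("2024-01", "sole_trader", "cash_deposit", 1200, "NL"),
    ("2024-01", "sole_trader", "transfer", 500, "NL"),
    ("2024-01", "corporate", "transfer", 3000, "DE"),
    ("2024-02", "sole_trader", "cash_deposit", 2000, "NL"),
    ("2024-02", "sole_trader", "cash_deposit", 1500, "NL"),
    ("2024-02", "sole_trader", "transfer", 800, "XA"),
    ("2024-02", "sole_trader", "transfer", 300, ""),   # country not captured: data-quality gap
    ("2024-02", "corporate", "cash_deposit", 700, "DE"),
]

# Hypothetical watchlist of "neighbors of sanctioned jurisdictions". The codes are
# placeholders; an institution would maintain this list from its own sanctions analysis.
NEIGHBOUR_WATCHLIST = {"XA", "XB"}


def analyse(rows, watchlist=NEIGHBOUR_WATCHLIST, growth_threshold=0.5):
    """Return period-over-period trends, watchlist hits and data-quality gaps.

    growth_threshold is the relative increase (0.5 = +50%) above which a
    customer-type count or the cash-deposit total is reported as a trend.
    """
    customers_by_period = defaultdict(Counter)  # period -> customer_type -> count
    cash_by_period = Counter()                  # period -> sum of cash deposits
    flagged = []                                # (row index, country, amount)
    gaps = []                                   # (row index, description)

    for idx, (period, ctype, kind, amount, country) in enumerate(rows):
        customers_by_period[period][ctype] += 1
        if kind == "cash_deposit":
            cash_by_period[period] += amount
        if not country:
            # Record the imperfection so it can be addressed as part of the SIRA.
            gaps.append((idx, "missing counterparty country"))
        elif country in watchlist:
            flagged.append((idx, country, amount))

    trends = []
    periods = sorted(customers_by_period)
    for prev, cur in zip(periods, periods[1:]):
        # "Why has customer group type X increased?"
        for ctype, now in customers_by_period[cur].items():
            before = customers_by_period[prev][ctype]
            if before and (now - before) / before > growth_threshold:
                trends.append(f"customer type {ctype} grew {before}->{now} in {cur}")
        # "Why do we have more cash deposits in period X?"
        before_cash, now_cash = cash_by_period[prev], cash_by_period[cur]
        if before_cash and (now_cash - before_cash) / before_cash > growth_threshold:
            trends.append(f"cash deposits grew {before_cash}->{now_cash} in {cur}")

    return {"trends": trends, "flagged": flagged, "gaps": gaps}


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    for key, items in result.items():
        print(key)
        for item in items:
            print("  ", item)
```

Each output line is a question for the workshop, not an answer: a flagged transfer or a jump in cash deposits may have a perfectly legitimate explanation, and the value of the exercise lies in having to articulate it. The `gaps` list doubles as the inventory of data fields that still need to be unlocked or improved.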
- Use the knowledge available within your institution. While credit risk and financial risk management often have well-established processes and are housed in a risk management department, the SIRA has long been seen as a separate process with its own methodology. Optimize and harmonize different risk management processes and utilize the knowledge gained in other processes. Additionally, incident, whistleblower, and fraud reports can be used to identify integrity risks and (the lack of) control measures.
- Utilize external information. Geopolitical and technical developments, as well as developments in financial markets, have an impact on institutions. Do not wait for each new SIRA cycle to analyse this impact, but if necessary, conduct targeted SIRAs to quickly respond to emerging risks. This is not only relevant from a risk management perspective but also from a strategic perspective.
- Make it fun and innovative! Too often, the SIRA is seen as an additional burden on top of all the other work, or the discussion revolves around very abstract risks. Incorporate training or team events and allocate time for a workshop. Consider the future (“What will the world, our institution, and our services look like in 2030? What do our customers need? What are emerging risks? Which technologies will bring us the most benefit and what are the downsides?”). Add elements of gamification to the SIRA workshop and make the process easier by using the right tooling. Instead of scoring risks, you could also rank them. It is easier to identify which risk is greater than another than to assign a score based on the likelihood of the risk materializing per year.
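Ranking instead of scoring, as suggested in the last tip, can be run as a pairwise exercise: each workshop participant is shown two risks at a time and says which is the greater one. The script below, an added example for this article rather than KPMG or DNB material, aggregates such judgments with a simple majority per pair and a Copeland-style count (one point per pair won, half a point per tie), and also lists the pairs nobody has judged yet so the facilitator knows where the ranking is still incomplete. The risk names and the judgments are constructed; the aggregation rule is one reasonable choice, not a prescribed method.

```python
from collections import Counter
from itertools import combinations

# Constructed list of integrity risks under discussion (short labels for the example).
RISKS = ["cash_laundering", "sanctions_evasion", "internal_fraud", "bribery"]

# Constructed workshop input: (greater risk, lesser risk) as judged by one participant.
# The same pair may be judged by several participants; one pair is deliberately left unjudged.
JUDGMENTS = [
    ("cash_laundering", "sanctions_evasion"),
    ("cash_laundering", "sanctions_evasion"),
    ("sanctions_evasion", "cash_laundering"),
    ("cash_laundering", "internal_fraud"),
    ("cash_laundering", "internal_fraud"),
    ("cash_laundering", "bribery"),
    ("cash_laundering", "bribery"),
    ("cash_laundering", "bribery"),
    ("sanctions_evasion", "internal_fraud"),
    ("internal_fraud", "sanctions_evasion"),
    ("sanctions_evasion", "internal_fraud"),
    ("sanctions_evasion", "bribery"),
    ("bribery", "sanctions_evasion"),
]


def rank_risks(risks, judgments):
    """Rank risks from pairwise judgments.

    Returns (ranking, score, unjudged): the ranked list (highest risk first),
    the Copeland-style score per risk, and the pairs with no judgment at all.
    """
    # votes[(a, b)] counts, per unordered pair, how often each member was judged greater.
    votes = {}
    for winner, loser in judgments:
        key = tuple(sorted((winner, loser)))
        votes.setdefault(key, Counter())[winner] += 1

    score = {r: 0.0 for r in risks}
    unjudged = []
    for a, b in combinations(risks, 2):
        key = tuple(sorted((a, b)))
        if key not in votes:
            unjudged.append(key)      # facilitator still needs a judgment on this pair
            continue
        va, vb = votes[key][a], votes[key][b]
        if va > vb:
            score[a] += 1.0
        elif vb > va:
            score[b] += 1.0
        else:
            score[a] += 0.5           # tie: half a point each
            score[b] += 0.5

    ranking = sorted(risks, key=lambda r: (-score[r], r))
    return ranking, score, unjudged


if __name__ == "__main__":
    ranking, score, unjudged = rank_risks(RISKS, JUDGMENTS)
    for position, risk in enumerate(ranking, start=1):
        print(f"{position}. {risk} ({score[risk]} points)")
    print("pairs still to judge:", unjudged)
```

The resulting order is what the workshop then discusses; the point is not the arithmetic but that participants only ever had to answer "which of these two is worse?", which is a far easier question than "how many times per year will this materialize?".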
If you are interested in how KPMG can help you shape and facilitate your SIRA, we are ready to assist you.