Systematic Integrity Risk Analysis (SIRA)

Improving and embedding the SIRA methodology

One of the major Dutch banks faced a challenge with regard to the SIRA. The person who internally facilitated the annual SIRA left the bank. There was a lack of a thorough procedure and therefore the internal organization was not sufficiently able to carry out the SIRA independently within the necessary timelines. It was also found that the SIRA was an enormously time-consuming process that did not yet meet the requirements of the regulator and market standards. Some observations:

  • SIRA was performed at the decentralized level of integral processes, which led to irrelevant scope discussions and also negative sentiment towards SIRA within the bank;
  • The scope was broader than just integrity risks (SIRA also covered prudential risks, for example);
  • Previous SIRAs did not yet contain a proper organizational overview;
  • There was a lack of a thorough list of risk scenarios;
  • Not all relevant stakeholders and many non-relevant stakeholders were involved;
  • The SIRA could not be used as a steering document by senior management.

This bank asked Compliance Champs to facilitate the SIRA for the entire bank and also to set up a thorough procedure (including roles and responsibilities) so that the organization could eventually start working on this independently.

Going beyond compliance

In line with the client’s needs and the gaps identified in the SIRA, Compliance Champs has introduced and implemented a recalibrated procedure within the bank. This procedure was discussed in advance with key stakeholders within the bank from the first, second and third line of defense and finally approved by the competent risk committee. Ultimately, this procedure resulted in a SIRA report that can be used as a steering document by the bank’s senior management and the responsible owners in the first and second line. Compliance Champs focused not only on how SIRA could be aligned with external requirements and market standards, but also on how the SIRA could be implemented more efficiently. Some improvements made:

  • Placing prudential risks out of scope, so that the scope only covered integrity risks;
  • Executing SIRA at the organization-wide level instead of at the process level;
  • Drawing up an organizational overview so that the risk analysis is supported as much as possible with qualitative and quantitative data;
  • Defining granular risk scenarios for each integrity risk area;
  • Risk analysis is carried out in various workshops with relevant stakeholders, which has led to good discussions and a more unambiguous risk view within the organization;
  • Thorough substantiation of the risk scores, so that these scores are reproducible and objectified as much as possible;
  • The facilitating role regarding the SIRA is slowly being transferred from the second line to the first line;
  • The SIRA procedure is described in a formal policy document that also describes the various roles and responsibilities of the first, second and third line. This created more ownership at the first line.
  • Further standardization of SIRA by creating templates which will result in significant time and cost savings.

The final report has been positively assessed by the senior management, Compliance, and the external auditor. The further formalization and standardization of SIRA within the bank has ensured that the next SIRA can be implemented more effectively and efficiently and that the permanent organization can continue independently. Senior management have a detailed picture of the most important integrity risks and shortcomings in control measures, so that appropriate adjustments can be made.

With this, Compliance Champs has made itself redundant. The standardization of SIRA also provides a basis for automating parts of the process.

Would you like to know how we can help you with your SIRA challenges? Please contact us.
