To mitigate risks, you first have to know which risks are present. Under the Anti-Money Laundering Directive (AMLD) and the Dutch Wwft, it is vital that the details and scenarios of these sometimes complex risks, and any potential changes to them, are known before appropriate risk mitigation strategies can be implemented to control them. The AMLD states that risk analysis is essential, and the Systematic Integrity Risk Assessment (SIRA) is the process used to this end. This risk assessment requires organisations to assess integrity-related risks effectively. It not only involves mapping the risks, but also requires the involvement of the business and of experts to ensure that a comprehensive overview of the risks is in place.

The SIRA process is a legal obligation. If this risk analysis is not performed, an organisation cannot comply with risk-based integrity legislation. Organisations covered by this obligation are banks, insurers, payment and exchange institutions, notaries, real-estate firms, trust offices and pension funds. Examples of integrity risks are: money laundering, terrorism financing, circumvention of sanctions regulations, corruption (bribery), conflicts of interest, internal and external fraud, breaches of regulations on tax evasion or avoidance, and market manipulation.
Current analyses need improvement to fulfil requirements
After assessing more than 170 integrity risk analyses in 2015, De Nederlandsche Bank (DNB) ascertained that more than 80% of these analyses do not fulfil the requirements and that many organisations have not performed an integrity risk analysis at all. DNB published a document with clear guidelines to assist organisations. Both the law and the regulator require a systematic approach to risk management. ‘Systematic’ also means that this is a cyclic process; in other words, you have to go through the inventory, the analysis, the controls and the assessment of their effectiveness periodically. After all, risks are not static in nature: both internal and external factors will change the risks an organisation faces.
Legal requirements for the SIRA
To ensure that organisations conduct business ethically, the legislator has included a whole range of obligations in financial legislation that an organisation must fulfil. A systematic inventory and analysis of integrity risks plays a central role in this. The output of the risk analysis is primarily a document for the management team. The organisation must take appropriate measures so that any identified risks are actively managed. Management, Compliance, Risk Management and the business conduct the integrity risk analysis together. The first line, i.e. the business, is primarily responsible for its quality and implementation, as this is where the risks become evident. The role of Compliance (the second line) is one of process monitoring, facilitation and testing. Other departments, such as Risk Management or IT Security, can also provide the required input. The directors bear ultimate responsibility for the integrity risk analysis.
BlueMonks provides wisdom
A strong house must have strong foundations. With its experience of performing SIRAs for multiple (financial) institutions, BlueMonks can help you lay these foundations, allowing you to manage your integrity risks effectively and keep them fully under control. Do you require our wisdom? Please ask one of our BlueMonks at wisdom@bluemonks.nl