As regulatory expectations evolve, financial institutions are under increasing pressure to demonstrate integrity, transparency, and effective control. One framework gaining international recognition is SIRA (Systematic Integrity Risk Assessment), a methodology developed in the Netherlands to proactively identify and manage integrity risks. While not mandated outside the Dutch regulatory landscape, SIRA’s structured, enterprise-wide approach is attracting growing interest across Europe. 

At Projective Group, we’ve drawn on our Dutch colleagues’ expertise to embed SIRA into our broader risk and compliance practices, helping clients strengthen their control frameworks and align with emerging best practices. UK-based Clarisse Mallem and Netherlands-based Gaby van den Berkmortel and Ernst-Jan Mante discuss how adapting the SIRA model can help other jurisdictions achieve Financial Crime best practices.

What is SIRA?

SIRA is a methodology mandated by Dutch regulators such as De Nederlandsche Bank (DNB) under national laws like the Wft (Financial Supervision Act) and Wwft (Anti-Money Laundering and Anti-Terrorist Financing Act). It requires financial institutions to systematically identify, assess, and manage integrity risks, which range from money laundering and fraud to conflicts of interest and sanctions breaches. The regulator defines integrity risk as: “threat to the reputation of, or the current or future threat to the capital or the results of a financial institution due to insufficient compliance with the rules that are in force under or pursuant to the law”[1]. These are risks specifically arising from potential violations of ethical standards.

Unlike traditional compliance checklists, SIRA is a cyclical and enterprise-wide process. 

Why SIRA, and why is it relevant to non-Dutch entities?

SIRA emerged in the 2010s to strengthen ethical business conduct and prevent financial-economic crime. It has continued to evolve owing to, among other things, a changing risk landscape (geopolitics, ESG, digitalisation/cybercrime, etc.) and the need for customisation. Many institutions had inadequate risk assessments and governance controls, prompting the regulator to formalise expectations through the SIRA framework.

The push helped organisations move beyond reactive compliance and embed integrity risk management into the DNA of financial institutions.

While other jurisdictions have similar requirements to conduct regular risk assessments, the SIRA model is increasingly being adopted by financial institutions outside the Netherlands as an industry best practice.

What are some of SIRA’s key principles?

SIRA provides a structured, cyclical framework for financial institutions to identify, assess, and manage integrity risks. The regulator’s guidance is pragmatic[2], recognising the limitations of processes and procedures that only create the “illusion of control”. In essence, it reiterates adequate risk management best practices and ensures that the assessment is conducted less as an academic exercise and more as an effective, evidence-based, proportionate analysis that is then integrated into daily operations and provides an opportunity for continuous improvement. 

What have been the key challenges in the Netherlands?

Performing an adequate SIRA has its challenges, and Projective Group has played a role in supporting our clients in implementing and maturing their SIRA frameworks. The key challenges faced by our clients were:

1. Complexity of integration - SIRA requires a deep, shared understanding of the organisation’s business model, risk profile and risk appetite.

2. Data and technology gaps - Effective risk assessment depends on high-quality data.

3. Embedding risk thinking - SIRA outcomes must not just be documented but actively used to inform business strategy, product design, and customer onboarding.

4. Cultural resistance - Shifting from a compliance-driven mindset to a risk-based culture required significant internal change. Some organisations viewed SIRA as a regulatory burden rather than a strategic tool, limiting its impact.

Lessons Learned and … Shared

Our journey with our clients to implement SIRA has reinforced several key principles that now underpin our Group-wide approach to risk and control:

  • Proactivity over reactivity: SIRA has helped us improve our accelerators to support a proactive, forward-looking risk culture.
  • Enterprise-wide visibility: By mapping risks across business lines and geographies, we’ve empowered our clients to have a clearer view of their integrity risk profile and where to focus their efforts.
  • Data-driven decisions: Leveraging analytics has enabled our clients to prioritise a data-driven, risk-based approach.
  • Continuous improvement: Our diverse experience in risk assessment across geographic locations and clients means that we’ve built in mechanisms for regular review and recalibration, ensuring our accelerators are living documents that evolve with the risk landscape and industry best practices.

A strategic advantage

A successful SIRA depends on an organisation’s focus on its specific “integrity risk belief” (i.e. its perceived inherent risk exposure) and appetite, its culture and behaviour. When leadership sets a clear tone from the top, it creates the right conditions for SIRA to take root.

In such environments, the organisation as a whole takes ownership of controls and drives continuous improvement. SIRA then shifts from a compliance obligation to a tool for self-regulation, embedding integrity into daily decisions and fostering a proactive risk culture.

Conclusion

The Dutch SIRA framework offers a robust model for integrity risk management. Its structured, data-driven, enterprise-wide and risk-based approach addresses many of the gaps in traditional compliance methods. While not mandatory (yet?) outside the Netherlands, applying SIRA principles can enhance resilience, regulatory alignment, ethical standards and a continuously involved workforce.

Though adoption can be complex, it’s a strategic investment: mitigating compliance risk, strengthening defences against financial crime, and enabling informed, forward-looking decisions can be very effective and efficient in the end. 

Looking to build in-house capabilities to perform a SIRA? Check out the training "Successfully Conducting a SIRA" offered by Ministry of Compliance. This training is a practical and hands-on course based on the latest regulatory expectations and industry best practices.

If you need support with your financial crime risk assessment, through the lens of systematic integrity risk, contact us to explore how our accelerators and pan-European experience can help.


[1] This quote was extracted from the good-practices-integrity-risk-analysis.pdf accessed on the 16th July 2025. Note that the good practices are under consultation and may change in the future.

[2] On 19 November 2024, DNB published the SIRA Good Practices for consultation.