From Mandatory Task to Steering Instrument

Following the 2024 consultation paper, DNB finalised the Good Practices SIRA 2025 on 1 July 2025 and published it on 26 August. This new version replaces the 2015 edition. The most significant change is that institutions are given more freedom in their approach: a move away from a rigid regime and the tyranny of Excel towards a dynamic, institution-specific implementation.

As a result, the SIRA no longer needs to feel like a tick-box exercise or a mandatory chore but can evolve into a powerful steering instrument that helps set the right priorities and implement appropriate control measures.

Four Key Focus Areas

1. Governance and Involvement

What does DNB say?
The role of the executive board, supervisory board, and second line has been strengthened. Board members must demonstrate that they actively use the outcomes of the SIRA when setting priorities and making decisions.

How should this be organised?
An effective structure requires clear roles and responsibilities, with reporting lines based on accurate data. This ensures the SIRA becomes an integral part of decision-making and management.

2. Organisational Risk Profile, Scenarios and Data Analysis

What does DNB say?
A solid organisational risk profile forms the foundation. DNB explicitly calls for attention to qualitative factors such as cultural assessments, complaints, and media coverage, in addition to quantitative data. Scenarios should be concrete, realistic, and institution-specific rather than generic sets. Data analysis and Key Risk Indicators (KRIs) help identify risks in a timely manner.

How should this be organised?
Ensure a comprehensive and up-to-date risk profile that goes beyond a checklist. Link scenarios to processes and indicators, and substantiate these with, for example, test findings, to create a clear audit trail.

This emphasis on qualitative factors also aligns with the discussion at the recent VCO IRM seminar. In DNB’s keynote, it was stressed that institutions should not only focus on processes and data, but also on the underlying risk culture. As Frank Schröder explained there: soft controls, such as behaviour, communication and leading by example, together with hard data and professional judgement, form the foundation for a sound SIRA.

3. Proportionality and a Broad Risk Perspective

What does DNB say?
Measures, actions, and decisions must be proportionate to the level of risk. Institutions may also explicitly avoid or reject certain risks rather than merely mitigating them. DNB additionally emphasises socially acceptable and unacceptable conduct, pointing to aspects such as geopolitical developments, ESG, culture, and whistleblowing. Sector-specific examples have been added for trust offices, pension funds, and insurers.

How should this be organised?
Refine the risk appetite and ensure measures are proportionate to the greatest risks and the organisation’s characteristics. Topics such as ESG, cybercrime, and outsourcing are increasingly part of this, including behavioural aspects.

4. Cyclical Approach and Monitoring

What does DNB say?
The SIRA is a dynamic process. Institutions must periodically update risks, test the effectiveness of measures, and adjust where necessary. DNB also calls for attention to negative side effects, such as unintentionally excluding customer groups or perceived discrimination.

How should this be organised?
A cyclical approach requires review dates, feedback loops, and central documentation. This enables institutions to refer back to previous cycles—whether scheduled or triggered by incidents—and demonstrate the process to the executive board and the regulator.

Alignment with Our Approach

With the Good Practices SIRA 2025, DNB provides institutions with clear direction: more dynamism, more customisation, and greater emphasis on governance. This creates scope to focus on the real risks and the corresponding control measures.

In recent years, we have already supported many institutions in using the SIRA as a steering instrument rather than a mandatory exercise—precisely the development DNB is now emphasising. The principles outlined in the Good Practices also align seamlessly with the design of our Risk Assessment tool.

The discussion at the recent VCO IRM seminar showed that this is not only a matter of processes and data, but also of risk culture and soft controls. The consensus there was clear: an effective SIRA requires the right balance between the hard and soft aspects of internal control. This makes the SIRA not just an assessment, but an instrument that contributes to better governance and sustainable integrity in practice.

Want to know more? Get in touch with us.