Our client, a Dutch insurance company, asked us to help them with their Systematic Integrity Risk Analysis (SIRA). We identified the integrity risks facing the organisation, facilitated workshops to formulate recommendations, validated these with management, and closed the loop by reporting C-level decisions back to the workshop participants. The result: a greater willingness to change within the organisation, a list of actionable improvement points and increased efficiency.
Buy-in at the top
Our client, a Dutch insurance company, came to us for help with their Systematic Integrity Risk Analysis (SIRA): partly for the actual assessment, but also to ensure that the SIRA would be adopted by senior management. “The SIRA is meant to be a risk assessment of the integrity risks you face as an organisation,” explains Johan Septer, an expert in the field. “For this assessment, you define the risks and come up with scenarios where the integrity of your organisation can be compromised. This can be internal, such as inappropriate behaviour, discrimination or bullying, or external, such as money laundering and terrorist financing. To really know what’s going on in an organisation, or what possible scenarios could pose integrity risks, you need the input of the business.”
Unfortunately, due to the high demands of regulators, SIRA is often so complex and technical that the first line loses control, leaving the second line and the risk line to fend for themselves. The result? A SIRA that sits in a drawer until the regulator asks for it, and is otherwise not used as a tool to implement worthwhile changes in the organisation. What’s more, the increasing complexity of this risk assessment is making it harder and harder to carry out internally, increasing the demand for external experts.
Keep it manageable
It’s important to emphasise that the content of the SIRA should be a first-line responsibility. However, we recognise that you need to guide management through this process. So the first question was: how do we make SIRA more accessible to management?
By taking a thematic approach, we could make SIRA more tangible and manageable. While you need to validate the entire risk profile at least once a year, it’s a good idea to focus on just a few themes for a deeper evaluation. So, when building the SIRA, look at things that have changed in the organisation – these aspects obviously need to be looked at more closely. And look at initiatives in other departments that can be used as springboards. For example, if HR is conducting a survey on employee satisfaction, you could use the results as input for the integrity risk assessment, or even include some questions on integrity risks in the questionnaire.
“Ultimately, SIRA is nothing more than a collection of individual risk assessments. You don’t have to do a thorough analysis of every single aspect every year. You can pick a few topics to work on and then rotate those topics year after year,” says Johan Septer. “I would say you need to look at a topic thoroughly at least once every three years, and if there are changes in the organisation that could affect integrity risks, you need to look at those topics as well. But you can keep it manageable by breaking it down into smaller parts.”
Ask the experts: SIRA workshops
Another thing we’ve done is to organise workshops with first-line managers and other people in the organisation who are not compliance professionals. Having different perspectives can lead to much better insights than compliance professionals alone looking at these things. “We presented the cases from the previous SIRA to management and discussed them. Are these really the most important cases? Or do you see other risks in the organisation that could be at play here?” Johan Septer explains. “We had invited different people from different departments to look at the risk of external fraud. It’s interesting to see how some people have worked together for 10 years, but they don’t know exactly what each other does. They all see part of the process, but not the whole thing. Bringing all that knowledge and experience together gives much better insight than leaving it all to the risk and compliance department,” says Septer.
What we didn’t do was spend time rating the risks. “The regulator requires you to quantify the gross and net risks, but instead of wasting time discussing whether a particular risk is a 4 or a 5, we focused on more meaningful questions,” explains Johan Septer. “What are the risks we face? Are there new risks or risks that have been eliminated? Do we have sufficient control over them? Are the management measures we’re taking effective? These are the questions management is interested in.”
By taking this different approach to SIRA, we get an actionable list of things we need to improve and do differently. In this way, this mandatory risk analysis has real value for the organisation.
Bringing knowledge and experience from all departments together provides far better insights than leaving the entire analysis up to only Risk & Compliance.
To-the-point reporting
After involving management in SIRA, we also presented the results to them in a different way. Not with the usual mega spreadsheet: complex, full of colour and completely unreadable. If you make the report that confusing, it becomes useless. “We kept the report concise, providing insight and depth where needed. Questions like ‘what’s our risk profile’ make for interesting discussions, because one person might think a risk is small, while another might say it’s the biggest risk the company faces. We also offer recommendations from within the company, gathered during the workshops. What do the people who work with these products and experience these risks every day think? Management then decides on the improvements suggested by the workshops. And, just as importantly, we communicate these decisions back to the people on the frontline so that they are kept in the loop. People like to know that their efforts have produced results. And if they are the ones who suggested the changes, they will be much more receptive to them. It’s a question of raising awareness and at the same time valuing their knowledge and expertise,” concludes Johan Septer.
It’s a question of raising awareness in the organisation, and at the same time valuing the knowledge and expertise of employees.
The power of interaction
We formulated recommendations based on the results of the workshops. We then shared these recommendations with the people who attended the workshops to validate their content. After validation, we presented each of these recommendations to management and asked them whether or not they wanted to act on the advice. “They said yes to many of them. Sometimes we found that action had already been taken, but the people on the floor weren’t aware of it. This also sent a clear signal to management to communicate these decisions better,” says Johan Septer. “This interaction within the company is very powerful and makes for a better organisation overall.”
Once the SIRA is complete, we can help the organisation implement these action items if they wish. “With this particular client, we agreed to take them through the next 3-year cycle. Because it is a cycle. If you only think about SIRA in the 4th quarter, when you’re already so busy with year-end tasks, it’s not going to go so well. Instead, think about planning the SIRA workshops in the summer, when there’s more time, and keep it in mind throughout the year,” suggests Johan Septer. “If IT is planning a cybercrime risk analysis, why not include the behavioural and integrity component in that right from the start? It’s a super-efficient way of working, and it already gives you a basis for your SIRA. Of course, this way of working requires some planning; you have to think ahead to manage this efficiently.”
With another client, we’re involved in weekly project meetings to advise on SIRA. So we can offer tailored solutions to each client: whether you want to do the implementation yourself, have us involved in high-level advice, or want us to get down to the nitty-gritty and work with you on these actions weekly. Anything is possible!
About Projective Group
Established in 2006, Projective Group is a leading Financial Services change specialist, with deep expertise across practices in Data, Payments, Transformation and Risk & Compliance.
We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic. We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.