Financial companies are required to analyse their integrity risks in a systematic and periodic manner. Integrity – in addition to solidity – is a prerequisite for a healthy financial system. To promote the integrity of the financial sector, it is important for a financial institution to have its integrity risks under control. That is why integrity risk management is one of DNB's cross-sectoral supervisory themes for 2015.
"A good integrity risk analysis is essential for being able to comply with the requirements for corporate integrity and the regulations set forth in the Financial Supervision Act (Wft), the Act on the Prevention of Money Laundering and Financing of Terrorism (Wwft), and the 1977 Sanctions Act (SW)."
"In practice, institutions often seem to implement the regulations with a process-based and fragmented approach. As a result, the available capacity is not used effectively and efficiently."
Source: Thema's DNB toezicht 2015 (DNB supervisory themes 2015)
With this investigation, DNB seeks to encourage institutions to think more often and more proactively about (the control of) integrity risks, to increase internal awareness, and to make better use of their capacity. Banks, insurance companies, pension funds, and trust offices, among others, are required to perform such an analysis.
In the meantime, DNB has already written to a number of parties from various sectors (banks, insurers, payment institutions, and trust offices) and has asked them for their most recent systematic analysis of integrity risks for this investigation. We will now discuss the components of the systematic integrity-risk analysis (hereinafter: SIRA). What is meant by 'systematic'? Which integrity risks should be considered in any case? How should the analysis be performed?
Integrity and integrity risks
Integrity – in addition to solidity – is a prerequisite for a healthy financial system. Therefore, integrity has been included as an explicit objective of financial supervision in the financial supervisory legislation. The law states that an enterprise should conduct an adequate policy that ensures corporate integrity. DNB defines integrity as follows:
- the prevention of conflicts of interest;
- the avoidance of involvement in:
  - criminal acts and other offenses;
  - certain clients, and;
  - societally indecent acts.
To promote the integrity of the financial sector, it is important for a financial institution to have its integrity risks under control. Having control over these risks is part of conducting business. The legal objects of supervision are corporate integrity and the reliability of directors and other (co-)policymakers of businesses.
DNB defines the integrity risk as a "threat of damage to reputation or an existing or future threat to equity or results of an institution as a result of inadequate compliance with legal requirements".
In short, the point is that companies must avoid becoming involved in actions that go against the law and/or actions that are societally unseemly.
Managing integrity risks
In order to be able to control these integrity risks, a company should perform a systematic analysis of the integrity risks on a periodic basis. Generally, this cycle of analysis will be completed every year. The analysis should show that the company:
- has identified its relevant integrity risks;
- is organised in a way that the integrity risks are under adequate control, and;
- can take adequate action in the case of possible incidents.
The outcome of the systematic analysis can then result in additional preventive measures (additional policies, procedures, and measures) or detective measures (monitoring).
Systematic analysis of integrity risks
In order to analyse the integrity risks systematically, and then take the necessary measures to limit those risks, the following steps are taken:
- Periodically identifying relevant risks
- Analysing the chance of materialisation and impact of risks
- Having control over operational management/determining appropriate measures
- Monitoring follow-up
These phases correspond to the systematic risk analysis described by DNB in the brochure 'Good practices – fighting corruption'.
Activities per phase
1. Preparation phase
The goal of this phase is to prepare for adequately performing the risk identification and risk analysis steps. This phase should at least give attention to:
- Scope analysis
- Internal and external sources (among which laws and regulations)
- Parties involved
- Period that is covered by the risk analysis
- Determining context
- Determining inherent risk profile
The starting point for carrying out the risk assessment is the organisation's inherent risk profile.
An inherent risk is defined as a risk that is inherently (apart from any existing control) associated with the activities and products of the institution, or with the environment in which the institution operates.
In order to determine the inherent risk, an organisation draws up a note in the context of the risk analysis that describes its inherent risk profile. In summary, this note covers the activities, the location of the activities, the method of distribution, and the customers, and the question of what inherent risk profile these result in.
2. Periodically identifying relevant risks
In this phase, the company identifies which risks may play a role. In this respect, it is important to recognise that the integrity risks a business faces depend on the nature, size, and location of its activities and on its clients and other relations. Therefore, the (extent of the) integrity risks differs per organisation. This phase results in an outline of the identified integrity risks.
According to DNB, examples of risks within the risk category Integrity Risk that many financial companies face include the following risk items:
- money laundering;
- financing of terrorism;
- internal and external fraud;
- fiscally improper actions;
- disadvantaging of third parties, and;
The legislator has provided the following topics to which the financial institution should absolutely pay attention (source: website DNB):
- the setup of a management cycle aimed at the control of integrity risks;
- the prevention of conflicts of interest;
- the way in which incidents that pose a threat to corporate integrity of a financial organisation are dealt with;
- the contact with persons that hold an integrity-sensitive position, and;
- customer due diligence (CDD): determining the identity, the nature, and the background of the clients.
3. Analysing the chance of materialisation and impact of risks
Next, the probability and impact are determined for each risk. Probability and impact are defined as follows:
- Probability concerns the likelihood that a risk occurs.
- Impact concerns the consequences of the occurrence of the risk.
By giving each risk a 'score' for both, the size of the risk can be determined (chance x consequence). Based on this score, the identified risks can be ranked.
4. Having control over operational management/determining appropriate measures
For each risk, the current control measures are identified, together with whether, and which, additional mitigating measures need to be formulated. During this process, the organisation's 'risk appetite' is taken into account.
In order to be able to analyse the integrity risks periodically and systematically, the steps that have been described above will have to be repeated periodically (yearly).
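The scoring and ranking described in phases 3 and 4 can be kept in a simple risk register. The following Python block is an added illustration, not material from DNB or from the original article: it computes the chance x consequence score per risk, ranks the risks, applies the identified control measures to obtain a residual score, and flags which risks still exceed the organisation's risk appetite so that additional measures must be formulated. The 1 to 5 scales, the control-effectiveness reduction model, the appetite threshold, and all sample risks and scores are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed scales: probability and impact are scored 1 (low) to 5 (high).
# The residual-score model (inherent score reduced proportionally by an
# assumed control effectiveness between 0.0 and 1.0) is an assumption of
# this example, not a DNB prescription.


@dataclass
class IntegrityRisk:
    name: str
    probability: int            # chance the risk materialises, 1..5
    impact: int                 # consequences if it materialises, 1..5
    current_controls: List[str]
    control_effectiveness: float  # assumed reduction, 0.0 (none) .. 1.0 (full)

    def __post_init__(self) -> None:
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: probability and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be 0.0..1.0")

    @property
    def inherent_score(self) -> int:
        # Phase 3: size of the risk = chance x consequence.
        return self.probability * self.impact

    @property
    def residual_score(self) -> float:
        # Phase 4: what remains after the current control measures.
        return round(self.inherent_score * (1.0 - self.control_effectiveness), 1)


def rank_by_inherent_score(risks: List[IntegrityRisk]) -> List[str]:
    """Order the identified risks by their chance x consequence score (highest first)."""
    ordered = sorted(risks, key=lambda r: (-r.inherent_score, r.name))
    return [r.name for r in ordered]


def risks_needing_additional_measures(risks: List[IntegrityRisk],
                                      risk_appetite: float) -> List[str]:
    """Risks whose residual score still exceeds the organisation's risk appetite."""
    return [r.name for r in risks if r.residual_score > risk_appetite]


def build_register(risks: List[IntegrityRisk],
                   risk_appetite: float) -> List[Dict[str, object]]:
    """One register row per risk, ready for the periodic (yearly) review."""
    rows = []
    for r in sorted(risks, key=lambda r: (-r.inherent_score, r.name)):
        rows.append({
            "risk": r.name,
            "inherent_score": r.inherent_score,
            "current_controls": list(r.current_controls),
            "residual_score": r.residual_score,
            "additional_measures_required": r.residual_score > risk_appetite,
        })
    return rows


# Constructed sample register using risk items named on the page; the
# scores and controls are illustrative assumptions.
SAMPLE_RISKS = [
    IntegrityRisk("money laundering", 4, 5, ["customer due diligence", "transaction monitoring"], 0.6),
    IntegrityRisk("financing of terrorism", 2, 5, ["sanctions screening"], 0.6),
    IntegrityRisk("conflicts of interest", 3, 3, ["declaration of interests"], 0.3),
    IntegrityRisk("internal and external fraud", 2, 4, ["four-eyes principle"], 0.5),
]
SAMPLE_RISK_APPETITE = 5.0  # assumed: residual scores above this need extra measures


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, SAMPLE_RISK_APPETITE):
        flag = "ADDITIONAL MEASURES" if row["additional_measures_required"] else "within appetite"
        print(f"{row['risk']:<30} inherent={row['inherent_score']:>2} "
              f"residual={row['residual_score']:>4}  {flag}")
```

The ranking uses the inherent score, as the article describes, while the appetite comparison uses the residual score after current controls; keeping both columns in the register makes it visible which risks are high only because they are well controlled, and which ones still need additional preventive or detective measures at the next yearly cycle.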
DNB will provide feedback on the results of the investigation to the parties that took part in it. Furthermore, DNB will develop guidance on conducting the risk analysis in 2015.
In case you would like to find out more about this subject, or in case you need help in conducting your systematic analysis of integrity risks, Charco & Dique is at your service. For more information, you can contact Charco & Dique by telephone at +31 (0) 20 416 5403 or via email at firstname.lastname@example.org.