Systematic Integrity Risk Assessment (SIRA) Practical case-study. Amsterdam, November 17th, 2015


Objectives
The key objective is to provide insight into how to operationalize the regulator's expectations with regard to a SIRA.
01/ Provide an introduction to SIRA
02/ Share a proven approach for conducting a SIRA
03/ Share lessons learned

Introduction to SIRA
The Dutch Central Bank (DNB) has shown increased attention for a documented approach to integrity risk identification that is owned by the business.
Besluit prudentiële regels Wft, Article 10: "A bank ensures a systematic analysis of integrity risks" [translated from Dutch]
Position of DNB - SIRA
The rationale for a systematic integrity risk analysis (SIRA) is to ensure that banks are aware of their inherent integrity risk and take adequate corresponding controls.
Points of attention for DNB:
- A documented identification and weighing of inherent risks
- An explicitly defined risk appetite
- A documented link between inherent risks, the risk appetite and controls
- Documented acceptance of residual risks and follow-up actions
Illustration on the slide: Inherent risk (the risk that a client misuses the bank to launder funds) -> Appetite -> Controls (Control 1, Control 2)

SIRA Approach - High level approach
SIRA should facilitate the business (risk owners) in efficiently executing and documenting the decision process regarding risk identification and mitigation.
Defining a SIRA approach
- Governance
- SIRA process:
  o Determine the scope: themes to be addressed by a SIRA; assessment units (business units, client portfolio segments, countries); level of detail of the assessment
  o Define risk appetite: qualitative and quantitative
  o Define risks and underlying risk indicators and quantify them (risk profile)
  o Identify and optimize existing controls and determine residual risks
  o Align with the existing risk management taxonomy and documentation requirements
Generic SIRA approach
- Foundation: Scoping; Appetite
- Process per assessment unit: Inherent risk profile (quantitative); Define & select applicable inherent risks; Identify existing controls; Complement controls; Determine residual risk & remedial actions
- Output: Consolidation and reporting; Embedding in organization

SIRA Approach - Scoping of themes
It is best practice to draft a SIRA roadmap describing the assessment of relevant themes, as exemplified below, in line with the organization's profile and size.
Areas (rows of the example matrix):
- Organization Conduct Related: reputation and integrity of the Bank is hampered by conduct of the Bank
- Personal Conduct Related: reputation and integrity of the Bank is hampered by conduct of Employees
- Client Conduct Related: reputation and integrity of Rabobank is hampered by conduct of Clients
- Compliance
Themes (columns of the example matrix) with the example items listed on the slide:
- Anti-Corruption: Active Bribery (organization); Passive Bribery (employees); Bribes of clients facilitated by Bank systems (clients)
- Financial Economic Crime: Failure to maintain books & records to required standards; External fraud; Internal fraud; Anti-Money Laundering (incl. KYC/CDD); Sanctions; Tax evasion
- Conflict of Interests: Conflict of interest between staff and clients and/or Rabobank; Between interests of the Bank and the duty of the Bank owed to its clients; Between interests of relationships of the Bank with two or more clients
- Market Abuse: Insider dealing/trading; Improper disclosure of data; Market manipulation; Collision
- Privacy: Employee/client data protection
- Treating Customers Fairly: Transparency of product offerings; Complaint handling; Inducements
- Also listed: Personal Account Dealing

SIRA Approach - Appetite
Defining a Risk Appetite Statement and Limits
A first step in defining a risk appetite is the definition of a Risk Appetite Statement (RAS) in cooperation with business management. The RAS should be aligned with the organizational goals of the bank.
1. Current strategic goals: understand current strategic goals; desk research on relevant existing material; interview with key stakeholders
2. Evaluating existing RAS statements: assessment of current risk tolerance and risk limits; define current position as starting point
3. Definition of RAS for integrity risk: statement of commitment; qualitative statements; quantitative statements; governance

SIRA Approach - Exemplary inherent risk profile
Per assessment unit, an overview of the inherent risk profile based on key characteristics is quantified. Each indicator is rated L, M or H across the dimensions Client, Geography, Channel, Industry, Product and Transaction.
- Client risk: Maturity of client portfolio (% clients < 1 year); Complexity of client structure (% clients with > 10 entities in structure); PEP status (% clients with PEP flag); Assets (% clients with assets > 1 mln.)
- Geographical risk: Geographical footprint of transactions (% clients with transactions to high risk countries); Country of incorporation / residence (% clients with residency in high risk countries)
- Distribution channel risk: Relationship model (Y/N); Direct model (Y/N)
- Industry / sector risk: Client industry (% clients in high risk industry); Client activity (% clients dealing with high risk industries)
- Product risk: High risk product usage, e.g. Trade Finance (% clients with high risk products)
- Transaction risk: Cash (% clients with regular cash deposits); Cross-border (% clients with cross-border transactions)

SIRA Approach - Exemplary risk & control register
Defining a clear risk culture is a key requirement for realizing a solid quantitative risk analysis and also serves as the basis for future risk control logs.
Register columns: Inherent risk (Frequency, Impact) | Controls | Residual risk (Frequency, Impact)
Money Laundering
1. The risk of facilitating money laundering due to misuse of products
2. The risk of facilitating money laundering through misuse of new technologies
Sanctions
3. The risk of breaking sanctions by providing services to clients in specific countries
4. The risk of unintentionally breaking sanctions due to a customer not disclosing key information
Terrorism financing
5. The risk of facilitating terrorism financing by providing services to clients which could be suspected to be related to terrorism

SIRA Approach - Exemplary heat map
Plotting risks on a heat map in relation to the risk appetite helps in visualizing risk prioritization. The heat map plots Frequency (1-5, vertical axis) against Impact (1-5, horizontal axis), with the appetite drawn as a boundary on the grid.
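As an added example that is not part of the Deloitte deck, the following Python quantifies an inherent risk profile from the client-portfolio indicators of the exemplary profile slide and scores register risks on the frequency x impact grid of the heat map against an appetite limit. The client records, the L/M/H thresholds and the appetite limit are constructed assumptions, not DNB or Deloitte values.

```python
# Added example (not from the Deloitte deck): inherent risk profile from the
# page's client indicators, plus heat-map scoring against a risk appetite.
# Client records, L/M/H thresholds and the appetite limit are assumptions.

# Constructed sample portfolio for one assessment unit (five clients).
CLIENTS = [
    {"years": 0.5, "entities": 12, "pep": False, "assets": 2.0e6, "high_risk_country": True, "cash": True, "cross_border": True},
    {"years": 3.0, "entities": 1, "pep": True, "assets": 5.0e5, "high_risk_country": False, "cash": False, "cross_border": False},
    {"years": 10.0, "entities": 2, "pep": False, "assets": 1.5e6, "high_risk_country": False, "cash": False, "cross_border": True},
    {"years": 2.0, "entities": 3, "pep": False, "assets": 2.0e5, "high_risk_country": False, "cash": False, "cross_border": False},
    {"years": 0.8, "entities": 1, "pep": False, "assets": 3.0e5, "high_risk_country": False, "cash": True, "cross_border": True},
]

# Indicators taken from the page: share of clients meeting each predicate.
INDICATORS = {
    "client_maturity_lt_1y": lambda c: c["years"] < 1,
    "client_structure_gt_10_entities": lambda c: c["entities"] > 10,
    "client_pep": lambda c: c["pep"],
    "client_assets_gt_1mln": lambda c: c["assets"] > 1_000_000,
    "geo_high_risk_country": lambda c: c["high_risk_country"],
    "txn_regular_cash": lambda c: c["cash"],
    "txn_cross_border": lambda c: c["cross_border"],
}

def indicator_pct(clients, predicate):
    """Percentage of clients for which the indicator predicate holds."""
    return 100.0 * sum(1 for c in clients if predicate(c)) / len(clients)

def band(pct, low=10.0, high=30.0):
    """Map a percentage to L/M/H; the 10% and 30% cut-offs are assumed."""
    return "L" if pct < low else ("M" if pct < high else "H")

def inherent_risk_profile(clients):
    """Quantified profile: indicator name -> (percentage, L/M/H band)."""
    return {name: (indicator_pct(clients, p), band(indicator_pct(clients, p)))
            for name, p in INDICATORS.items()}

def heat_map_score(frequency, impact, appetite_limit=12):
    """Score a register risk on the 1-5 frequency x impact grid.
    The appetite is assumed to be a maximum product score (12 of 25)."""
    if not (1 <= frequency <= 5 and 1 <= impact <= 5):
        raise ValueError("frequency and impact must be on the 1-5 scale")
    score = frequency * impact
    return {"score": score, "within_appetite": score <= appetite_limit}

if __name__ == "__main__":
    for name, (pct, b) in inherent_risk_profile(CLIENTS).items():
        print(f"{name:35s} {pct:5.1f}% {b}")
    print(heat_map_score(4, 4), heat_map_score(2, 3))
```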

Embedding
SIRA should be embedded in the standing organization and business processes as part of a continuous risk management process. The cycle shown on the slide consists of:
- Sign off on integrity
- SIRA trigger (periodic / event)
- Execute SIRA
- Collect continuous monitoring results
- Process results
- Execute second line monitoring
- Determine controls
- Report first line monitoring results
- Determine gaps & remedial actions
- Implement generic controls

Lessons learned
What did we learn while executing SIRA at our clients?
- Proper execution of SIRA at a large FI requires at least 3 months, especially for executing the data analytics for the inherent risk profile
- Manage the content and timelines of the SIRA based on the FI's own (compliance) risk management strategy and vision (instead of timelines committed to the regulator)
- Execution of SIRA requires a multidisciplinary team with the business (1st line) in the lead, supported by Compliance, ORM and IT (data analytics)
- SIRA should evolve and improve over time as part of the continuous risk management process; in our experience, the risk appetite and the inherent risk profile in particular can be further improved

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's more than 210,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.