Why SIRO?

SIRO is Management Solutions' tool for GRC and business continuity management in regulators, financial institutions and large corporations.


SIRO has all the required GRC, Business Continuity and Audit management functionality to meet the Supervisor's expectations, through the following vertical modules:

  • Core: supports the administration of shared data (organization, processes, risk categories, business lines, etc.) for full system management.
  • Risk Management: integrates all functionality necessary for risk management (advanced self-assessment of risks and controls, indicators and alerts, incident/event management, action plans, specific reporting and dashboards).
  • Compliance: allows registration of degree of compliance with rules and regulations, setting of controls, monitoring of risk levels and application of action plans.
  • Business Continuity: supports BIA analysis to determine critical processes, testing of IT contingency plans and business recovery plans in contingency situations, registering of problems found and setting of action plans.
  • Audit: supports audit plans and management of the work necessary for their implementation, management and monitoring of groups of auditors, and recording of findings, recommendations and action plans necessary to address any shortcomings.
  • Internal model-based capital and insurance portfolio calculation engine: supports more advanced calculation than the basic version of SIRO.





Operational Risk architectures based on integrating separate specialist applications are problematic (coherence, interfaces, extra costs, substantial effort to reconcile information). An integrated and fully configurable solution provides risk managers with a global picture of risk.

SIRO's scope has evolved from Operational Risk management to include governance, internal control, compliance, modeling and optimization of the insurance portfolio in large industrial corporations as well as specific management of IT, legal, reputational and outsourcing risks.

Consolidated tool

Available since 2004; mature and advanced tool.

Proven tool

Has passed supervisory audit and validation processes.


Implemented in a large number of Financial Institutions. Large user base.

Evolving and scalable

Methodological and functional updates.


A common core supports the most advanced Risk and Business Continuity Management methodologies, but is flexible to adapt to the individual needs of organizations.


The SIRO-ARE mathematical-statistical engine incorporates the most advanced techniques on the market, the widest range of distributions for severity modeling, the ability to work with scenarios, and maximum flexibility thanks to R language interpretation.

Sophisticated reporting

Dashboards, interactive graphics, data export to Excel, production of regular reports for management and business areas. Large number of predefined and customized reports. Production of documents (Word, PowerPoint) in the client’s format.

Other areas

Specific versions for areas outside GRC such as Insurable risk (Insurance policy optimization) and Business Continuity.




Common data management

Processes, Risks, Controls, Organizational Structure, Users and Roles, Risk Categories, Business Lines, etc.


  • Can be integrated into the corporate intranet.
  • Allows automatic data capture from enterprise master data sources.
  • Allows data transfer to external systems.
  • Focus on risk users. Minimum workload.
  • Full traceability of changes.
  • Possibility to attach documents and links.

Risk Control - Self Assessment (RCSA)

  • Work organization through campaigns.
  • Customizable assessment workflow.
  • Continuous assessment.
  • Quantifiable assessment methodology.
  • Assessment auditability.
  • Online VaR calculation through Monte Carlo.
  • User help.
  • Specific assessments:
      • Outsourcing risk.
      • Legal risk.
      • IT risk.
      • Reputational risk.
  • Independent control assessment.

Action Plans

  • Direct relationship with risks and controls. Action plans can be linked to incidents/losses and indicators in addition to risks and controls.
  • Possibility to attach documents and links to plans.
  • Alert generation.
  • Action plans as a result of high risk assessment scores, input of significant events, outlier indicators or deficient controls.
  • Integration of action plans with audit recommendations.

(Advanced Risk Engine)

  • Data analysis and cleansing, hypothesis verification and identification and setup of Operational Risk categories.
  • Frequency and severity distribution fitting.
  • Integration of sources:
      • Internal loss database.
      • Qualitative data (scenarios).
      • External events.
  • VaR calculation.
  • Back testing.
  • Stress Testing.
  • Sensitivity and stability analysis.
  • Regulatory reporting.
  • Integration with R language.

Operational Risk - Loss Database

  • Registration of events.
  • Capture:
      • Individual, screen-based.
      • Bulk, screen-based (Excel).
      • Automated capture interface.
  • Capture workflow.
  • N:1 relationship with risks.
  • Possibility to attach documents and links to events.
  • Integration with Action Plans.


  • KRI, KCI and KPI support.
  • Indicator register with rating scale definition.
  • Capture:
      • Individual, screen-based.
      • Bulk, screen-based (Excel).
      • Automated capture interface.
  • N:1 relationship with risks and with risk categories.
  • Single and composite multivariate indicators providing a detailed/aggregated picture.
  • Alert generation.
  • Integration with Action Plans.

Insurable Risk/Insurance Portfolio Optimization

  • Management and valuation of physical assets.
  • Insurance portfolio management.
  • Loss capture.
  • Frequency and severity distribution modeling.
  • “What-if” analysis.
  • Franchise and reinsured risk optimization.
  • Captive insurer management.

Business continuity/BIA analysis

  • Process criticality rating (BIA) focused on establishing Continuity Plans.
  • Discontinuity impact assessment.
  • Continuity plan management.
  • Evaluation of continuity plans through continuity testing.

Cross-functional features

  • Integrated statistical calculation engine.
  • Interactive graphics.
  • Regular, integrated reports.
  • Document management on the system’s database or on a corporate document manager.
  • Element comparison backed by database.
  • Profiling and authentication can be delegated.
  • Online history and data queries.
  • Traceability and auditability of changes.
  • Two-factor authentication (2FA).
  • Access log.
  • Chat workflows.

Technical architecture

SIRO is offered in two forms: Software as a Service (cloud), guaranteeing maximum security and service levels, and on-premises, with a customizable architecture designed to adapt to the organization's specific technology.

Three-layer architecture

  • A Java server that implements a servlet container and a JavaServer Pages (JSP) engine (WebSphere, Tomcat, WebLogic, etc.); versions exist for almost all current operating systems.
  • A Relational Database Management System (RDBMS): Oracle, SQL Server, etc.
  • A web server (optional), usually part of the intranet infrastructure, to which user authentication is delegated.
  • Client: user PC with a web browser.

Technical features

  • Developed independently of the operating system, Java Application Server and Relational Database Management System used.
  • Security can be delegated to the existing corporate Single Sign On/Intranet architecture.
  • Protection of URLs and against malicious access.
  • Corrective maintenance and support with flexible Service Levels tailored to each individual organization.

The different SIRO modules are widely implemented in organizations of various kinds and endorsed by Regulatory Authorities.

Notable among the types of entities in which SIRO is installed are central banks and regulatory and supervisory bodies, large international financial groups, local financial entities, insurance companies, corporations in industrial sectors, etc.


Regulatory and supervisory bodies

Financial institutions with an international presence

Financial institutions with a local presence

Insurance companies and other corporations

Management Solutions

Management Solutions is an international consulting Firm whose core mission is to deliver business, risk, financial, organization and process-related advisory services, targeted at both functional aspects and the implementation of related technologies.

Management Solutions currently has a multidisciplinary team (functional, mathematical, technical and systems integration) of 2,500 professionals, and operates through 31 offices (15 in Europe, 15 in the Americas and 1 in Asia) from where we serve customers operating in over 40 countries in Europe, the Americas, Asia and Africa (Senegal, Equatorial Guinea, etc.).

Management Solutions' differentiating factor lies in its in-depth knowledge of the businesses in which its clients operate and in its high degree of sector-specific and functional specialization.

For further information: www.managementsolutions.com

For further information

Eduardo Pérez-Hickman
Partner at Management Solutions

Jorge Sánchez Rojas
Manager at Management Solutions