Compliance Solutions for Investment Advisers

FAQs — Risk Assessment


What is a risk assessment?

A risk assessment involves identifying those aspects of an investment adviser’s operations that pose meaningful risk of regulatory violation and then quantifying the level of risk based on the likelihood of occurrence and the severity of the violation if there were an occurrence.

What is the purpose of a risk assessment?

An initial risk assessment helps advisory firms properly design their compliance programs. Periodic risk assessments help investment advisers make sure that their existing policies and procedures are sufficiently comprehensive and robust to address all areas in which the adviser is at risk of violating the Advisers Act.

Are investment advisers required to conduct a risk assessment?

While there is no specific rule or regulation that requires investment advisers to conduct a risk assessment, it is strongly suggested that each adviser, prior to developing and implementing its compliance policies and procedures, undertake a thorough assessment of its conflicts of interest and compliance risks. SEC officials have stated in numerous speeches that no compliance program can accurately reflect an adviser’s business without such a prior risk assessment.

What is the process for conducting a risk assessment?

Although the exact methodology may vary from adviser to adviser, the risk assessment process generally consists of the following steps:

Step 1:       Preparing an Inventory of Risks and Conflicts of Interest

Step 2:       Measuring the Risks Identified

Step 3:       Mapping Risks and Conflicts to Policies and Procedures

Step 4:       Periodically Reviewing and Updating the Risk Assessment

How does an investment adviser prepare an inventory of applicable risks and conflicts of interest?

An investment adviser should identify potential compliance, operational, financial, reputational and strategic risks associated with the adviser’s particular business model, advisory practices and ongoing compliance responsibilities. In addition, an investment adviser must consider conflicts of interest that may create risk to the advisory firm or its clients.

What are some specific areas of “potential” risk that should be reviewed?

A good starting point is the list of specific areas of concern cited in the adopting release for Rule 206(4)-7 under the Advisers Act (i.e., the Compliance Rule):

  • Portfolio Management Processes;
  • Trading Practices;
  • Proprietary Trading;
  • Accuracy of Disclosures;
  • Safeguarding of Client Assets;
  • Books and Records;
  • Marketing;
  • Valuation of Client Holdings and Advisory Fees;
  • Privacy; and
  • Business Continuity.

In addition, a thorough review should include recent regulatory developments, industry best practices, firm disclosure documents, recent SEC deficiency letters, SEC “hot topics” of the moment (e.g., social media) and any other areas that are pertinent to that particular investment adviser (e.g., performance-based fees).

Once an investment adviser has identified all the relevant areas of risk, then what?

The SEC suggests that an adviser ask a series of questions to help identify any risks present. For example, in the area of portfolio management, an adviser should ask whether the firm maintains current and complete information regarding each client’s financial and family circumstances, investment objectives and restrictions, and risk tolerance.

How does an investment adviser measure the risks that have been identified?

While there are certainly many ways to measure risk, one way is for the adviser to consider (i) likelihood (i.e., the probability that a given event will occur); (ii) impact (i.e., the effect the event would have on clients or potential clients, disclosures, finances, reputation and regulatory obligations should it occur); and (iii) the probability of a risk event in the absence of controls (i.e., the anticipated frequency of a risk event given the regularity of the activity or process associated with the risk).

Should an investment adviser treat all risks as equal?

No. Once an adviser has measured the firm’s inherent risks (i.e., likelihood, impact and probability in the absence of controls), the adviser should prioritize the risks by first addressing those areas that have the greatest exposure.

What kind of rating system should an investment adviser use?

It really does not matter, as long as the adviser can distinguish one risk category from another. Some advisers use “high,” “medium” and “low,” while others use a numerical rating (e.g., 1 to 5). The goal is to identify those risks that are significant enough to merit adopting written policies and procedures.

What is the process for mapping the inventory of risks to the investment adviser’s policies and procedures?

Each risk that has been identified as significant enough to merit being addressed by a written policy and procedure should be mapped to that specific policy and procedure. For example, if the investment adviser has determined that a lack of consistency between client portfolios and investment objectives is a significant compliance risk, the adviser would map that risk to the firm’s portfolio management policies and procedures.

What should an investment adviser do if a significant risk is not addressed by a corresponding policy and procedure?

As the lack of controls creates a risk to the firm and/or its clients, the adviser must develop a new policy and procedure to address that risk, and then add the new policy and procedure to the risk map so the gap is documented as closed.

How often should the risk assessment be updated?

At least annually, but more frequently if circumstances require it. For example, adding a new type of advisory service, regulatory changes or changes in the structure of an adviser’s business and/or operations would certainly merit an interim risk assessment.

What records is an investment adviser required to keep with regard to the risk assessment process?

Advisers Act Rule 204-2 requires investment advisers to keep copies of their compliance policies and procedures and any records documenting the annual review of those policies and procedures. The following material pertaining to the risk assessment process should be retained as part of that record:

  • Inventory of risks posed by the investment adviser’s business.
  • Initial and annual risk assessment.
  • Risk management matrix.

What risk assessment records does the SEC usually request prior to a regulatory examination?

The Staff of the SEC may request some or all of the following documents and information pertaining to the risk assessment process:

  • A current inventory of compliance risks that forms the basis for your firm’s policies and procedures. If changes were made to this inventory of risks during the examination period, indicate what those changes were and the date of each change.
  • Any document your firm has, such as a matrix or a spreadsheet, that maps the inventory of risks identified above to its written policies and procedures.
  • Any written guidance that your firm has provided to its employees regarding its compliance risk assessment process and the process of creating policies and procedures to mitigate and manage its compliance risks.
  • Information regarding the means by which your firm’s personnel have ready and continuing access to risk assessment policies and procedures.


Important Information

The information contained in these Frequently Asked Questions is only a summary and is not intended to be a comprehensive analysis of the rules and regulations applicable to registered investment advisers. It is not intended to constitute legal or compliance consulting advice or to apply to any one investment adviser’s particular situation. For more information, please see our Terms of Use.