Dear Compliance Professional,
Continuing on with our New Year’s compliance resolutions. . .
Conduct a Risk Assessment
It is clear from the recent trend of SEC examinations that regulators are sanctioning advisory firms that do not conduct an annual risk assessment. A risk assessment involves identifying and prioritizing issues pertaining to an advisory firm’s operations that may create risk to the interests of the firm and/or its clients. Accordingly, advisers need to (i) identify areas of risk that may be part of their firm’s everyday operations; (ii) assess whether the controls in place for managing or mitigating these risks are adequate; and (iii) make modifications to their firm’s compliance policies and procedures as necessary. Areas of regulatory interest that should be part of any risk assessment include (as applicable):
- Marketing/Performance;
- Form ADV Disclosures;
- Invoices/Fees;
- IPO Offerings;
- Soft Dollars;
- Compensation;
- Trade Tickets;
- Trade Execution;
- Non-Public Information; and
- Personal and Proprietary Trading.
Conduct Compliance Testing
All advisers are required to conduct transactional or quality control tests that will assist their advisory firm in determining whether its activities are consistent with its compliance policies and procedures. The strategic areas that are often the focus of testing conducted by SEC examiners include all the usual suspects:
- Portfolio Management;
- Trade Allocation;
- Brokerage Arrangements;
- Trade Execution;
- Valuation;
- Personal Trading;
- Safety of Client Assets; and
- Marketing and Performance Advertising.
Compliance testing and risk assessment are really just two sides of the same coin. Whereas the risk assessment is used to identify areas of risk that must be addressed by compliance controls and procedures, compliance testing is the process used to determine whether such controls and procedures are actually working.
Update Your Disaster Recovery Plan
All advisers are expected to have a firm-appropriate disaster recovery and business continuity plan. The core initial SEC examination request letter typically asks for “access to written plans, policies and procedures that provide guidance in preparing for and responding to emergencies, contingencies and disasters.” Your disaster recovery plan should take into account the unique types of disasters and contingencies that could apply to your firm. Such considerations should incorporate your firm’s size, geographic location and mission critical systems. Typically, a disaster recovery plan should address natural threats (e.g., floods, fires, snow and ice storms, tornados, hurricanes, earthquakes and wind damage); technical threats (e.g., power disruptions, heating, ventilation or air conditioning failure, telecommunications failure, hardware/software failure, gas leaks and water damage) and human threats (e.g., bomb threats, disgruntled employees, thefts, riots, terrorism and vandalism). Single-person advisory firms should also incorporate the loss of key personnel into their disaster recovery plan.
If your plan was drafted some time ago, this is an appropriate time for a thorough review. Business needs change, key employees come and go, service providers stop providing expected services and disaster recovery plans can quickly become outdated. In this day and age of super storms like Katrina and Sandy, I suspect that we all take threats to the continuity of our businesses much more seriously. I can assure you that the SEC does.
Test Your Disaster Recovery Plan
Because it is critical to ensuring that your advisory firm can actually respond to a disaster, testing your disaster recovery plan should be a top priority during the coming year (and every year thereafter). It is not enough, however, to tell employees in advance to stay home one morning because the building was “destroyed.” That is akin to telling a student that there is going to be a pop quiz . . . next Tuesday. Though that certainly would have been greatly appreciated by this author during his days as a student, it does tend to defeat the purpose of seeing how well your plan and your advisory firm’s personnel will hold up when confronted by an extraordinary occurrence. We suggest not only conducting the test without prior warning, but also developing a checklist for your personnel to complete during the testing of the plan.