Dear Compliance Professional,
As a result of the many SEC audits we have participated in over the past few months, we have begun to get a clearer picture of what concerns the SEC most these days. While it is safe to say that everything concerns the SEC most, we have been able to pick out a few particular trends that may help you decide where to focus your (limited) compliance resources. This Compliance Alert! will discuss the all-important, but oft misunderstood, risk assessment process.
The SEC View
It is axiomatic that an effective compliance program must be built on a foundation of effective risk management. Anyone doubtful of the importance the SEC places on risk management need only look as far as the SEC’s core initial document request for investment adviser examinations. This request typically includes “information about the compliance risks that the firm has identified (e.g., an inventory of compliance risks) and the written policies and procedures the firm has established and implemented to address each of those risks.”
The SEC is adamant that no compliance program can ever be sufficient unless the adviser has incorporated some type of risk identification process. A recent deficiency letter makes the SEC’s position on this issue abundantly clear:
“Registrant’s failure to formally assess and document all potential compliance risks and conflicts of interest may create significant risk exposure for Registrant and its clients. The staff reminds Registrant that its risk identification process should include procedures to ensure that risks to the firm are identified on an ongoing basis.”
The Risk Assessment Process
While there are many methods for conducting the risk assessment process, we favor a four-step method. We also favor the use of a risk management matrix to help organize and document each of these steps.
Step 1: Prepare a Comprehensive Risk Inventory
Begin the process by creating a list of risks posed by your advisory business. At a minimum, consider the areas referenced in the SEC Compliance Rule (e.g., portfolio management, trading practices, custody, personal trading, disclosures, marketing, valuation, privacy, books and records, business continuity). Pay particular attention to the specific compliance risks in areas repeatedly highlighted by the SEC (e.g., cross-trades, directed brokerage, soft dollars, gifts, outside business activities, private funds, best execution, solicitation arrangements, pay-to-play). Then address the risks posed by any other pertinent areas (e.g., ERISA, tax, deficiencies cited in prior SEC inspections, competition, client relations). Finally, consider any conflicts of interest which could lead to violations if not mitigated or fully disclosed.
Helpful Tip: While you should consider a wide variety of risks, only include those risks in your risk matrix that actually pertain to your advisory business.
Step 2: Measure the Risks Identified
Consider both the likelihood of the risk occurring and how harmful it would be to your business and your clients if the risk were to actually occur. Assign a rating to each risk (e.g., high-medium-low or 1-5). This allows you to prioritize the risks by addressing the areas that have the greatest exposure.
Helpful Tip: Determine what the consequences will be if a risk is assigned to one rating category versus another. Does one risk rating warrant the creation of new procedures while another, lesser rating, does not?
Step 3: Map the Risks to Policies and Procedures
Map each risk listed to the specific policy and procedure that is intended to either eliminate the risk or, if eliminating the risk is not possible, mitigate the risk. Where this step reveals gaps (e.g., no policy or procedure exists to address a particular risk), develop appropriate procedures.
Helpful Tip: Not all risks may be significant enough to warrant written procedures. Informal procedures or firm practices may be sufficient.
Step 4: Review and Update
Because the risk assessment process should be ongoing, you need to periodically, but no less than annually, update your inventory of risks and risk management matrix. Issues that should trigger an immediate review include a change in your advisory business (e.g., new services, new affiliations, changes in key personnel), regulatory changes (e.g., new SEC rules, No-Action Letters, speeches of SEC staff) and/or any internal compliance matters (e.g., compliance violations, customer complaints).
Helpful Tip: Any circumstance that suggests that your risk assessment is out-of-date or inadequate should trigger an interim review process.
Policies and Procedures
The risk assessment process should be memorialized in your firm’s compliance policies and procedures manual.
While many advisers may describe this process as “overkill”, you will find that engaging in the risk assessment process will give you greater confidence in the adequacy of your compliance program and, perhaps just as importantly, in your dealings with the SEC.