Every registered investment adviser (RIA) firm registered with the SEC is required to establish and maintain a written policies and procedures manual designed to enable the firm to prevent and detect potential regulatory violations. While all RIA firms may share some similar policies and procedures, it’s crucial that the Chief Compliance Officer (CCO) of an investment advisory firm ensure that the firm’s policies and procedures have been customized to address the unique risks of that firm’s particular business model.
The Purpose of the Risk Assessment
In order for a compliance program to be properly designed, it’s important for the CCO to first take a step back and conduct at least an annual risk assessment designed to accomplish the following:
- Determine what types of risks may be present at the firm
- Assess whether adequate controls are in place to manage or mitigate such risks
- Make modifications to update the firm’s current policies and procedures to address new identified risks
The importance of conducting regular risk assessments cannot be emphasized enough. It’s quite difficult to know if a firm’s compliance policies and procedures are sufficient if the firm has not first identified what particular risks need to be addressed in such policies and procedures. During a regulatory examination, the CCO should not be surprised when the SEC wants to learn more about the firm’s risk assessment process.
When conducting a risk assessment, an adviser should identify a detailed list of operational and compliance risks associated with the business. A thorough assessment not only addresses the firm’s business model and its affiliate relationships, but also everyday business transactions between the firm, its clients, and key service providers. Firms must continually revise and reevaluate their risk profile. A periodic risk assessment helps ensure that the policies and procedures of the firm are up to date in all areas which could result in potential regulatory compliance deficiencies or violations.
Guidance on Conducting a Risk Assessment from the SEC Staff
While a bit dated, a pair of risk assessment documents published by SEC staff in 2007, a risk assessment flow chart and a risk inventory guide, remains useful. Paired together, these two documents can be a good starting point for SEC-registered firms to begin to create an inventory of potential firm risks which need to be evaluated.
In the SEC staff’s sample risk inventory guide, the SEC identifies 12 potential risk categories:
- Marketing / performance
- Form ADV / disclosures
- Invoices / fees
- IPO offerings
- Soft dollars / kickbacks
- Compensation
- Objectives / restrictions
- Trade ticket
- Trade execution
- Non-public information
- Personal and proprietary trading account
- Money / securities to / from broker / custodian
Other Risk Assessment Considerations
The above categories should not be viewed by any means as an exhaustive list of risk categories but may serve as a good starting point for newly-registered SEC firms that are beginning to implement a risk assessment process. In addition to the above categories, some new emerging areas of risk that should be evaluated by the CCO during a firm’s risk assessment include:
- Books and records maintenance
- Proxy voting
- Branch office supervision
- Disaster recovery / business continuity plan (BCP)
- Cybersecurity
As RIA compliance consultants, we strongly recommend that the CCO of all SEC-registered RIA firms ensure that the risk assessment process is properly designed and conducted frequently enough to identify and address new areas of risk as the firm’s business model evolves.