Practical Steps for Assessing Risks
PRACTICAL STEPS FOR ASSESSING RISKS
In recent years, more and more financial institutions are electing to conduct a risk assessment as part of an annual compliance program check. Not only does a risk assessment help in the development of policies and procedures, but also can serve as a mitigation tool to help identify and proactively address potential threats to lower risk exposure. In this month's Legal Risk Management Tip, we will explore the starting points for creating a risk inventory, provide tips and factors for evaluating risks, discuss tools and systems to use as risk management controls and summarize actions to help support your compliance program.
A. Starting Points for Creating a Risk Inventory
The goal of a risk assessment is to establish quantifiable data points that can serve as a qualitative analysis of existing controls to determine residual risk. Prior to undertaking this task, however, you will need to understand what you are trying to accomplish. Large organizations tend to have a risk department that analyzes risks at an enterprise level - taking into consideration market risks, operational risks, regulatory risks, compliance risks and financial risks. Smaller firms generally do not have the resources or infrastructure to accomplish this, but instead, will focus on the enterprise's compliance risks. To conduct a compliance risk review, consider taking the following steps:
- Step 1: Inventory your compliance obligations under both the federal securities laws and pursuant to your disclosures to clients and investors.
- Step 2: Identify areas of conflicts of interest. As you approach this, think about, in very realistic terms, what could go wrong? How could clients be harmed? Write these possible problems down. Consider the types of abusive conduct that has already been identified by the SEC in enforcement actions - but be more expansive in your analysis. Think about your service providers, too, and how their conduct - or misconduct - might harm your clients. Your goal here is to identify conflicts of interest that, if unmitigated, could lead to violations of any type.
- Step 3: Match existing compliance practices to your inventory of obligations and conflicts of interest, and find any gaps.
- Step 4: Assess the effectiveness of existing compliance functions. In this stage, determine whether a particular compliance function makes violations less likely, and results in the prompt identification of violations.
- Step 5: Identify additional compliance procedures that are warranted based on changes to the firm's business model and products or services, and consider new regulatory requirements.
Similar approaches should be taken for the evaluation of market, credit and operational risks, which are typically conducted by line managers, portfolio managers, operations personnel and/or a risk management officer. For smaller firms, this analysis could also be overseen by the Chief Compliance Officer.
To capture these data points, consider developing a risk inventory spreadsheet and determine the metrics for measurement. For example, many firms opt to use a high, medium and low risk measurement or a numeric system (such as 1-5). Generally, a focus area is assigned a "high" risk assessment level if the reviewer believes that an area is not in full compliance with the regulatory requirements or if a deficiency was noted in a prior regulatory exam or annual review report and was not corrected or addressed. A focus area is assigned a "medium" risk assessment level if the reviewer believes that an area is one which will likely draw attention to the SEC due to a lack of some internal control. A focus areas is assigned a "low" risk assessment if the reviewer believes that the internal controls appear adequate.
Firm Priority (1-5, 1 being top priority)
Use of social media for prospecting
Low (just audited; only uses one account - LinkedIn)
Will limit content to announcing firm events and new hires
Rolled out new offering
Mitigate through training
Failed to conduct 2016 Annual Review
Engaged compliance counsel this month
B. Evaluating Risks
Once the risk inventory is complete, it is important to take steps to assess the risk management framework. If the firm has a Chief Risk Officer, then the findings should be compiled by the line managers and delivered to that individual; in smaller firms, typically the Chief Compliance Officer assumes that role and escalates to senior management.
When assessing risks, several subject matters should be considered, including:
- Whether the firm's policies and procedures address the risk area;
- Findings from past SEC / regulatory examinations and annual reviews;
- Gaps identified by area managers throughout the year;
- Exception reports generated from risk management and monitoring systems;
- Customer complaints / litigation;
- Conflicts of interest (including dual roles of supervisors);
- Compensation arrangements;
- Use of key service providers;
- Insurance coverage;
- Internal controls for privacy, cybersecurity, Code of Ethics and Code of Conduct;
- Books and records retention; and
- Supervisory structure.
Once a risk is identified and prioritized, several outcomes can occur.
The outcome decision is based on the information available and must be responsive to change. The decision should also be based on the firm's goals, processes, systems, resources, capabilities and skills. It is all about having a process that helps eliminate, or at least lessen the impact of a risk. One size does not fit all.
C. Tools and Systems: Developing Risk Management Controls
As risks are assessed, discussions should ensue about what controls, tools and technology should be leveraged to assist in addressing risk management concerns. Often these controls involve technology solutions, which may require additional funding from the business. To this end, Senior Management may request that Compliance conduct an evaluation as to why one control is better than another and may request for alternatives to be considered for a variety of reasons, including costs. Consequently, in this role, Compliance is tasked with collecting data and mapping that to the internal control and potential risks associated with the product or activity in order for the risk managers to make a strategic business decision.
Other tools which frequently are used by Compliance in their risk management efforts include:
- Internal audits and forensic testing
- Participation in Committee Meetings (Risk Management, Operations, Best Execution and Ethics Committee discussions)
- Training on risk management and compliance obligations
Take action by starting with the highest risks first and discuss with line managers how the firm can drive something down from a high to a low risk. Develop protocols and test whether those internal controls are working; if gaps remain, address and try again. As appropriate, report progress to the Board of Directors (or equivalent) and/or Senior Management.
For the risk assessment process to be successful, Senior Management and the Board of Directors must be fully engaged. Policies, systems and processes must be dynamic and customized to support the firm's risk culture. The risk appetite of the organization must be clearly defined with respect to the risk tolerances and business boundaries. There should be a method to evaluate the risks and summarize the results in a measurement that is easily communicated and understood. To be effective, risk management should be incorporated into strategic planning, business processes, performance measurement and incentive compensation, with the overall process reviewed annually. Ideally, a compliance risk assessment should be conducted each year to help advance the compliance program agenda and prioritize efforts. Documenting results will help senior management to understand what is needed in terms of resources - from personnel to technology and training. Through forward thinking and timely recognition, many risks can be effectively mitigated.
For more information on these and other considerations, please contact us at firstname.lastname@example.org, or (619) 298-2880. Also, please visit our website for additional Legal Risk Management Tips.
Author: Michelle L. Jacko, Esq., Managing Partner, Jacko Law Group, PC. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.
This article is for information purposes and does not contain or convey tax or legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer or tax adviser.