Executing Firm-Wide Risk Assessments and Annual Reviews of Your Compliance Program

Why are firm-wide risk assessments and annual reviews of your compliance program important? The answer is pretty cut and dry.

The Compliance Program Rule (Rule 206(4)-7 of the Advisers Act) requires all registered investment advisers to: 

• Appoint a competent, knowledgeable, & empowered Chief Compliance Officer; 

• Establish a set of written policies and procedures (a Compliance Manual) “reasonably designed to prevent violation of the Advisers Act”; and

• Review, no less than annually, the adequacy of their policies and procedures and the effectiveness of their implementation.

To display competency to regulators, it is crucial that all advisory firms implement a process to effectively evaluate areas of risk that may threaten the firm, the firm’s clients, and the firm’s professional reputation.

The bottom line? Understanding how to evaluate risks will be critical in decision-making processes that may make or break your firm’s profitability.

Who is Responsible?

Let’s revisit the notion of designating a competent, knowledgeable, & empowered Chief Compliance Officer (CCO). The person in the CCO position should be competent and knowledgeable as per the Advisers Act and empowered with full responsibility, authority, and resources to develop and enforce the firm’s policies and procedures.

The CCO needs to maintain a position of sufficient seniority within the firm in order to compel individuals within the firm to remain compliant. In instances where the firm maintains a compliance department comprised of several individuals, the CCO may assign tasks to other individuals as they see fit but should complete the Annual Review independently. (We’ll discuss the Annual Review (Rule 206(4)-7) in more detail a little further down.)

What Can I Do to Comply with the Rule?

Our objective is risk management, the process is a risk assessment, and the risk matrix is a tool we can use to assist us in accomplishing our objective.

Risk assessment is a 4-step process:

1. INVENTORY – Compile a list of risks posed by the firm’s business practices.

2. RATE – Assign a “rating” to each risk using a risk matrix to determine the significance of each inventoried risk. The risk matrix assigns a score to each risk based on the probability that the risk will occur and the severity of the risk, should it occur.

3. MITIGATE – Implement policies and procedures that are designed to mitigate the risks you’ve identified. Prioritize the risks based on their ratings.

4. REVISIT, REVIEW, REVISE – As things change in your business, revisit the risk assessment and make revisions as needed.

Where Are the Risks?

A successful risk assessment will help you determine where the risks reside within your firm, which of those risks take priority in your mitigation tasks, who is responsible for conducting and documenting these tasks, and how frequently the tasks should be completed.

Here are some sample categories of risk as well as some sample associated risks within each category:

Compliance Oversight

• Staff are not aware of rules and regulations
• Staff has disciplinary history that has not been disclosed
• Online behavioral advertising is not properly disclosed
• Electronic communication violates firm policies
• Compliance manual not accurate/updated
• Due diligence of service providers not being performed

Regulatory

• Form ADV is not updated in a timely manner
• Additional state registrations and IAR U4 filings are not accurate and/or filed in a timely manner
• Previous exam/audit deficiencies

Code of Ethics

• Personal trading policies are breached
• Violations are not addressed properly or timely

Portfolio Management

• Actual trades do not match IPS
• Proprietary accounts are favored over client accounts
• Soft dollar benefits are not properly disclosed
• Trade error log is not maintained or errors are not identified and/or corrected immediately

Client Processes

• Changes to advisory contracts not documented 
• Clients’ investment objectives are not properly communicated (missing IPS)
• Fees are not refunded properly after client termination
• Compliant file not maintained

Marketing/Advertising

• Errors or misrepresentations within advertisements
• Missing or incomplete disclosures
• Social media sites contain violations of firm policies

Business Continuity Planning & Data Security

• Procedures for protecting client information are not in place
• Cybersecurity threats have not been properly addressed
• Firm has not tested the business continuity plan

Books & Records

• Not maintained according to rules and regulations
• Unorganized

Don’t forget to use your intuition! If there is something making you uncomfortable and/or keeping you up at night, consider it a high-priority risk (even when you aren’t sure whether or not you’re “breaking the rules”). 

Here is a sample risk assessment table:

When to Assess Risk

Periodic risk assessments help ensure that the policies and procedures of your firm are up-to-date in all areas which could result in potential regulatory compliance deficiencies or violations.

Conducting an Annual Review by the CCO satisfies the requirement to review the firm’s policies and procedures for effectiveness of implementation on at least an annual basis. The Annual Review is a running document that may be updated throughout the year and should contain:

• A summary of the relevant findings discovered during the previous year’s compliance tasks;
• Significant changes to the firm’s service & fee offerings and/or its personnel;
• Recent regulatory developments; and
• An action plan for the upcoming year based on the review designed to mitigate risk identified during the Assessment and Review.

I can’t emphasize enough the importance of conducting regular risk assessments and how much better you’ll sleep at night knowing you have a plan in place to identify and mitigate risks associated with your firm.

Here are some key takeaways to consider:

• Conduct and periodically refresh your risk assessment;
• Establish and implement comprehensive policies and procedures;
• Maintain organized records of all compliance-related activities;
• Conduct an Annual Review of the program to ensure reasonable assurance that policies and procedures are being followed and are effective; and
• Obtain written acknowledgements from staff to ensure understanding and compliance with your program.

About the Author
Shelby Brown joined XY Planning Network as a Compliance Consultant in May 2019. Prior to joining XYPN Shelby gained extensive experience filing initial registration applications for State- and SEC-Registered investment advisors of all sizes as well as assisting in the design and development of a compliance program that can be immediately implemented.

Shelby’s Investment Advisor Certified Compliance Professional^Ò (IACCP^Ò) designation, earned in 2016 through National Regulatory Services (NRS), certifies that she is equipped with the knowledge and tools necessary to implement and manage a successful compliance program at any investment advisory firm.

Growing up in Lake Tahoe, Nevada has instilled a love of the outdoors in Shelby. You can find her on the golf course, at the beach, or in a campsite in the summer and snowshoeing, crafting, or soaking up a good book by the fire in the winter. Home is where the heart is, but Shelby and her husband also love to travel and take photographs to display around their home. They are always planning their next adventure!