More On Legal & Compliancefrom The Advisor's Professional Library
- Privacy Policies and Rules Whether an RIA is SEC or state-registered, the firm must have policies and procedures in effect to protect clients privacy. Policies and procedures should explicitly require an RIA to send out its privacy notice each year.
- Agency and Principal Transactions In passing Section 206(3) of the Investment Advisers Act, Congress recognized that principal and agency transactions can be harmful to clients. Such transactions create the opportunity for RIAs to engage in self-dealing.
In this industry, when you mention risk, the first thing that probably comes to mind is compliance. Increasing regulations and the resulting scrutiny requires advisors to expend countless time and energy protecting their businesses against compliance-related risks. Advisors must ensure that sufficient documentation is in place, disclosures are prominent, and that the best solutions to address clients' needs have been put in place.
Advisors are mistaken, however, if they consider compliance their only risk area. Independent advisors face many areas of risk. This article presents a few salient but often overlooked examples.
You Model the Behavior
Take a look at how you and your employees behave. Do words or actions ever make someone in your office feel uncomfortable? That is the definition of harassment. Color, creed, gender, age, sexual orientation--you should be alert to all of these areas, to what you and your employees say and do.
Remember a principle of leadership: you set the tone for the office, and that tone is instrumental in creating office culture. There is absolutely no room for nasty jokes, swearing, or belittling someone. That type of action is risky and offensive.
Employees can misconstrue your words and actions, even if you meant nothing by them. A discrimination suit brought on by an employee is a time-consuming and emotionally depleting experience. Such cases, even if they are ultimately dismissed, are expensive for small business owners.
Seemingly innocuous comments sometimes produce more pain than ever imagined. In one example I know of, the lighthearted interplay between two spouses working in the same office caused another employee to resign. Make sure you are modeling the type of behavior you want your employees to adopt. Granted, legal cases of harassment are less common in the small business workplace, but don't think that just because your business is small, you are exempt from good behavior.
Once you have done a check of your own behavior, bring the issue of sensitivity to your staff's attention both through the employee handbook and through annual staff meetings (more frequently, if you deem it necessary). Use both avenues to emphasize how words and actions in the workplace must be exemplary.
Cooking Your Books
Compliance oversight is designed to ensure that fraudulent activities don't occur and that clients' monies are safe. But what about your money?
Small business owners often overlook the risk of embezzlement of the firm's funds through unscrupulous bookkeeping. Although you seldom hear about these war stories, they do occur.
The owner of a small business advisory firm is typically busy and looks to delegate as much as possible. It is not uncommon for the firm's bookkeeping to be one such assignment. Sometimes, a trusted employee is given the responsibility. Gone unchecked, that person can occasionally feel tempted.
At a minimum, it is a best practice to audit the books regularly so that you know where your hard-earned money is going. Think twice about having an employee keep the firm's books. Perhaps subcontracting bookkeeping to a third party would be a better idea. In either case, auditing your financial records is a best practice.
On Insurance, Practice What You Preach
Financial planners are used to looking at their clients' financial health from a risk management perspective and checking for adequate life, health, disability, and property insurance. When it comes to their own financial health, however, planners may not be so attentive--and are particularly shortsighted regarding the potential for their own disability. Consider these facts from the Society of Actuaries, the Council for Disability Awareness, and the health policy journal Health Affairs:
- Disability tables show that the likelihood of someone who is 25 years old becoming totally disabled for 90 days or more before age 65 is 44%.
- One in seven working Americans will be disabled for five or more years before age 65.
- Over 90% of disabling accidents and illnesses are not work-related.
In one informal industry survey of financial planners, 45% of the respondents acknowledged they had no disability insurance, and 31% said they had some but not enough. When asked why they took such a risk, one mid-career planner said, "I know I will die, so I need life insurance. But I don't know for sure that I will have a disability." True, but is this a risk you would recommend your clients take?
As we know, it will never happen to you--until it does.
The type and extent of business insurance required for a financial planning practice is as diverse as your own risk tolerance. Just as clients often overlook insurance in their financial lives, business owners also overlook business insurance needs. The need for protection undoubtedly grows as the sophistication, size, and reputation of a firm grows (see Learn and Buy sidebar for specific types of business insurance).
And if Disaster Strikes?
Aside from being properly insured, advisors need to have a plan for office disasters.
A disaster need not be as drastic as fire, flood, or pestilence. More common events, such as local blackouts, computer overloads, and even rodents eating through wires can send a business owner into a tailspin. These events can happen to any of us, and it's best to be prepared.
One key element is to have regularly scheduled precautionary backup measures. Such measures include making sure backup files are kept off-site, along with a directory of all client contact information--both in print and on disk. Many offices maintain an off-site laptop or office setup with all programs installed and ready to become a temporary office, if needed.
You should focus on recovery. How would your organization ensure that business continues or resumes as promptly and smoothly as possible in the event of a disaster? Here are some factors to consider:
- A way to contact key personnel, including next of kin, during off hours
- Responsibilities and limits of authority with clients and vendors
- Floor plan and evacuation designs and procedures
- A to-do list for the priorities during a disaster, and procedures for completing these tasks
- A directory of vendors and suppliers of emergency equipment and supplies
- The location of the alternative work site
Regulators request copies of your disaster recovery plan if you are an RIA. But structure aside, everyone should be prepared to recover from a major disaster or even a minor disruption.
And if You Get Hit by a Bus?
Have any of your clients ever asked you this question? Succession is one of the biggest risks you face if you haven't planned for it. Given the death or disability of an advisor, the typical client given no specific information will shortly take his or her money and leave the firm.
How do you prevent this? Have a clear and specific answer for your clients when they ask, "What happens if you get hit by a bus?" Don't just respond, "I'm working on it." For the protection of your family--if not your clients--being clear and specific allows you to select your successor and create a value for your practice in advance so that you do not leave your loved ones vulnerable to a fire sale if something happens to you.
Advisors routinely talk about how they care for their clients. They genuinely listen to them like no one else does. They know their dreams and aspirations. They improve their clients' lives both over the short and long term. But can you really justify that you care so much about your clients if you don't bother to put a documented legal succession plan in place?
And if Your data is Stolen?
Awareness of the importance of data security increased as a result of recent headlines. Take, for instance, the stolen laptop of a worker at the Department of Veterans Affairs or the security breach of customer data at TJX Corporations. The good news is that these security issues led many business owners to ask a lot of questions, such as, "Who has access to my data?" or "How does the organization that has the data keep it safe?"
The media hype caused many organizations to clean up their data security acts, which is, of course, critical. Here are a few quick tips to enhance employee vigilance with client data. As presented earlier, one way to communicate the importance of enhanced data security is to model the behavior yourself. All of the tips below apply to you, too.
- Talk with employees about confidentiality and privacy.
Don't assume that employees "get it." When you hire an employee, spend time discussing confidentiality as one of the company's key issues. Follow up and reinforce the importance of confidentiality and privacy on a regular basis at staff meetings.
- Have new employees sign confidentiality agreements.
These agreements should articulate that client data is company-owned. Stipulate that employees are not allowed to take client data out of the office unless approved by the planner and that the data can never be used for an employee's personal use.
- Make passwords a big deal.
Having to remember several passwords is a 21st-century problem. Yet establishing secure passwords is key to protecting data. We're beyond the days when easily remembered passwords like birthdays and names are safe. Common recommendations to make passwords more difficult to hack and yet more easily remembered include both of the following.
First, string several words together, misspell a word, or create a memorable word by using the first letter of each word in the title of a favorite song or book.
Then, add upper- and lower-case letters and a combination of numbers and special characters so a password is at least eight characters long.
- Take extra care with laptops.
Make sure all company laptops have encryption software installed. In addition, provide employees with a solid laptop lock. If employees use portable computers in the office, they should keep them locked at all times.
- Make sure everyone is prepared with recovery steps.
Obviously, the key is to prevent a problem. But ensure that employees know what to do and who to call if a theft occurs.
- Shut down the computer.
Reinforce the dictum that employees should log off systems used and turn off the computer at the end of the workday. Disasters can occur when computers are left on.
Evaluate Your Assumptions
This certainly is not an exhaustive list of risks a business owner faces. Rather, it discusses risks that may be less commonly addressed, or overshadowed, by compliance. As small practices grow into bona fide enterprises, business owners will need to pay greater attention to risk management. The various approaches to risk management--avoidance, retention, control, noninsurance transfers, and insurance--can address each risk.
One place to start your own risk assessment is to step back and evaluate the assumptions you make every day. For example, what do you assume about your country, industry, market, business, employees, and yourself?
Our assumptions lure us to believe that these problems will never happen to us, which can leave us unprepared if and when they do occur. Confronting our assumptions helps us address risk for ourselves, our loved ones, and our clients. Chances are it will never happen to you. But for peace of mind, it's smart to be prepared--just in case.