Investment advisors should pay close attention to the identification, prevention and management of risk. The SEC and some state regulators expect investment advisors to institute a process for identifying compliance risks. The advisor's compliance program should be designed to manage and control each risk area, so clients are protected from harm.
The SEC refers to this process as risk assessment, gap analysis or the compilation of a risk inventory. The SEC examination staff has compiled a number of questions advisors can ask themselves in order to mitigate, manage and control risk. Here are four very important questions that were noted in materials distributed at a recent CCOutreach regional seminar:
- Have you conducted an effective risk assessment? (e.g., evaluated how your activities, arrangements, affiliations, client base, service providers, conflicts of interest, and other business factors may cause violations of the Advisers Act or the appearance of impropriety)
- Did this risk assessment serve as the basis for developing your compliance policies and procedures?
- Do you periodically re-evaluate your risk assessment to determine that new, evolving or resurgent risks are adequately addressed?
- Are your compliance policies and procedures designed to manage and control the compliance risks identified in your risk assessment?
The goal of risk assessment is to prevent violations of the Investment Advisers Act. Furthermore, if violations already have occurred, risk assessment should enable the advisor to detect and correct them.
To ensure that you are engaging in risk assessment, the SEC focuses on the process during an examination. Here are a few of the documents requested that relate to risk assessment:
- A copy of standard operating procedures for the risk identification process that governs how an advisor identifies risks and problems likely to be present at the firm
- A copy of any risk committee meetings held during the inspection period
- A current inventory of compliance risks, including any changes that were made
- Any document, such as a matrix or spreadsheet, that maps the advisor's inventory of risks
These documents show examiners that the advisor is on the lookout for risks that may ultimately result in harm to investors. Regulators expect advisors to identify risks that are unique to their firms, business models and locations. A firm in a major metropolitan area faces different risks than an advisor residing in a small town. If an advisor is taking on more international clients, the risk of money laundering increases. If an advisor invests in IPOs, that's a different kind of risk that must be identified and managed.
There are a number of steps an advisor can take to show regulators he is committed to risk identification and assessment, some of which include:
- Meeting with all employees and associated persons to identify any compliance risks or potential problems facing the firm.
- Soliciting input from employees and associated persons regarding compliance risks and potential problems, with assurances of strict confidentiality or anonymous reporting.
- Scrutinizing complaints to uncover compliance risks and potential problems facing the firm.
- Mapping the current inventory of compliance risks and potential problems to the firm's policies and procedures.
- Conducting an annual audit of policies and procedures to determine if they are thorough and effective in preventing, detecting and correcting violations of the securities laws and the Investment Advisers Act.
- Updating, revising and improving the firm's compliance manual as warranted.
- Educating and sanctioning employees and associated persons who do not comply with the firm's policies and procedures.
- Retaining all documentation related to risk assessment for the period prescribed by Rule 204-2 under the Investment Advisers Act.