One of the tenets of Modern Portfolio Theory is that risk and return are related; that is, a higher degree of risk in a client’s investment portfolio is expected to generate a higher return. Conversely, less risk is expected to generate a lower return. More risk in a compliance program, however, will only generate the return of regulatory examiners on a more frequent basis. This is not what Dr. Markowitz had in mind.
Financial regulators take risk management very seriously, particularly the SEC. RIAs should expect at least a handful of questions on a regulatory examination regarding the firm’s risk management practices. More specifically, be prepared to produce and explain:
- An inventory of risks
- How such risks informed the firm’s policies and procedures, and documents mapping each risk to the policies and procedures that address it
- When new risks were added or removed
- Risk mitigation efforts
Let’s break this down into some concrete but simple examples to illustrate how a small RIA can establish a strong risk management program.
Getting a Handle on the Unknown
There’s no uniform definition of risk, but I particularly like the one from Black’s Law Dictionary, Eighth Edition: “the uncertainty of a result, happening, or loss.” Risk is essentially the unknown.
Risks can vary immensely for different firms in terms of severity, likelihood of occurrence, applicability and ability to mitigate. Analyzing and categorizing each risk according to these assessment points is the foundation upon which policies and procedures can be constructed and informed decisions can be made.
A simple way to document and maintain such an assessment is an Excel spreadsheet with each risk listed in a different row, and each assessment point listed in a different column.
When assessing the likelihood of occurrence, answer the following question: What is the likelihood that Risk X actually occurs? Query the triggers of Risk X, how frequently such triggers have occurred in the past, and the likelihood that such triggers (or new triggers) could happen again in the future. A firm that engages in more frequent trading, for example, may be more likely to experience a trade error than a buy-and-hold firm that rebalances to a model portfolio on an annual basis.
When assessing severity, answer the following question: If Risk X were to actually occur, how much would it negatively impact my clients, my business, my reputation and my finances? Query the potential fallout from Risk X, and the corrective actions needed to right the ship. A three-hour power outage and a Hurricane Sandy-like event are both risks that could impact a firm’s business continuity plan, but the severity levels are obviously different between the two.
When assessing applicability, answer the following question: How applicable is Risk X to my firm? Query the extent to which the firm performs activities that would cause Risk X to occur, and any regulatory requirements that bring the firm within the scope of a particular rule. For example, there is a risk that a firm may publish an advertisement that violates SEC advertising rules. This risk is clearly more applicable to a firm that, for example, uses social media, distributes weekly newsletters and updates its website daily.
When assessing ability to mitigate, answer the following question: To what extent can I mitigate or eliminate this risk? Query what mitigation efforts are already in place, and what additional steps should be undertaken to bring the risk down to an acceptable level. To mitigate the risk of insider trading, for example, a firm could institute lexicon-based email review software, curtail use of expert networks or require quarterly certifications of compliance from employees. A corollary question, answered separately, highlights one of the many benefits of performing a risk assessment: If I cannot eliminate or mitigate the risk, is this a risk worth taking?
For all assessment points, choose a uniform scale and apply it consistently, so that scores for different risks can actually be compared. Scales can take the form of descriptors (low, medium, or high), colors (green, yellow, red), or numbers (1 to 5). Whatever scale a firm chooses, include a brief legend to describe the logic behind it.
Each policy and procedure of the firm should be tailored to address a specific risk identified in the risk assessment. Thus, as a firm’s risk assessment changes, so too should the firm’s policies and procedures.
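The spreadsheet described above, modelled in Python as an added example (this is not code from the original article). Each risk is a row with the four assessment points on a uniform 1-5 scale, each policy records the risk IDs it was written to address, and two checks follow from the text: a ranking by exposure, and a two-way cross-check that every risk has a policy and every policy still points at a risk in the register. The risk IDs, descriptions, scores and policy titles are constructed, and the exposure formula (likelihood × severity × applicability) and the "decision required" thresholds are assumptions, not something the article prescribes.

```python
from dataclasses import dataclass

# Uniform 1-5 scale used for every assessment point, kept beside the legend
# the article recommends (1 = low, 5 = high). Scale choice is an assumption.
SCALE_MIN, SCALE_MAX = 1, 5
LEGEND = {1: "low", 2: "low-medium", 3: "medium", 4: "medium-high", 5: "high"}


@dataclass(frozen=True)
class Risk:
    """One row of the risk assessment spreadsheet."""
    risk_id: str
    description: str
    likelihood: int      # how likely Risk X is to occur
    severity: int        # how bad it is if it does
    applicability: int   # how much of our activity puts us in scope
    mitigability: int    # how far we can reduce it (5 = fully, 1 = hardly at all)

    def __post_init__(self) -> None:
        # Reject scores outside the legend so one sloppy cell cannot skew the ranking.
        for name in ("likelihood", "severity", "applicability", "mitigability"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}.{name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def exposure(self) -> int:
        """Inherent exposure before mitigation (max 125). The product is an assumed formula."""
        return self.likelihood * self.severity * self.applicability


@dataclass(frozen=True)
class Policy:
    """One policy or procedure and the risk IDs it was written to address."""
    policy_id: str
    title: str
    addresses: tuple[str, ...]


def ranked(risks: list[Risk]) -> list[str]:
    """Risk IDs from highest to lowest exposure; ties broken by ID for stable output."""
    return [r.risk_id for r in sorted(risks, key=lambda r: (-r.exposure, r.risk_id))]


def decision_required(risks: list[Risk], min_severity: int = 4, max_mitigability: int = 2) -> list[str]:
    """Severe risks the firm cannot meaningfully mitigate: 'is this a risk worth taking?'
    The thresholds are assumed defaults, not taken from the article."""
    return [r.risk_id for r in risks if r.severity >= min_severity and r.mitigability <= max_mitigability]


def coverage_gaps(risks: list[Risk], policies: list[Policy]) -> dict[str, list[str]]:
    """Cross-check the register against the policy map in both directions."""
    risk_ids = {r.risk_id for r in risks}
    referenced = {rid for p in policies for rid in p.addresses}
    return {
        # risks with no policy: the examiner's "how did this risk inform your policies?"
        "unaddressed_risks": sorted(risk_ids - referenced),
        # policies tied to no current risk: documents that exist for their own sake
        "orphan_policies": sorted(p.policy_id for p in policies if not set(p.addresses) & risk_ids),
        # references to risks since removed from the register: the policy needs updating
        "dangling_references": sorted(referenced - risk_ids),
    }


# Constructed sample register using the article's own illustrations.
# Columns: id, description, likelihood, severity, applicability, mitigability
RISKS = [
    Risk("R1", "Trade error", 4, 3, 5, 4),
    Risk("R2", "Hurricane Sandy-like regional event", 1, 5, 3, 2),
    Risk("R3", "Advertisement violates SEC advertising rules", 3, 4, 5, 4),
    Risk("R4", "Insider trading by an employee", 2, 5, 3, 3),
    Risk("R5", "Three-hour power outage", 3, 2, 4, 4),
]

POLICIES = [
    Policy("P1", "Trade error correction procedure", ("R1",)),
    Policy("P2", "Business continuity plan", ("R2", "R5")),
    Policy("P3", "Code of ethics / personal trading", ("R4", "R9")),  # R9 was removed last review
    Policy("P4", "Legacy fax transmission policy", ()),              # addresses nothing current
]

if __name__ == "__main__":
    print("priority order:", ranked(RISKS))
    print("accept-or-avoid decision needed:", decision_required(RISKS))
    for gap, ids in coverage_gaps(RISKS, POLICIES).items():
        print(f"{gap}: {ids}")
```

Run against the constructed data, the cross-check flags the advertising risk (R3) as having no policy behind it, the legacy fax policy (P4) as addressing no current risk, and the code of ethics (P3) as still citing a risk (R9) that was removed from the register. That last case is the one that usually slips through: removing a row from the assessment without revisiting the policies that cite it leaves a document an examiner can hold against you.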
Both are dynamic and should not simply sit on the shelf collecting dust; review both the risk assessment and the corresponding policies and procedures at least annually, and whenever new risks arise. Not having a risk assessment process is not a risk worth taking.