One of the tenets of Modern Portfolio Theory is that risk and return are related; that is, a higher degree of risk in a client’s investment portfolio is expected to generate a higher return. Conversely, less risk is expected to generate a lower return. More risk in a compliance program, however, will only generate the return of regulatory examiners on a more frequent basis. This is not what Dr. Markowitz had in mind.
Financial regulators take risk management very seriously, particularly the SEC. RIAs should expect at least a handful of questions on a regulatory examination regarding the firm’s risk management practices. More specifically, be prepared to produce and explain:
- An inventory of risks
- How such risks formed the firm’s policies and procedures, and documents mapping risks to policies and procedures
- When new risks were added or removed
- Risk mitigation efforts
Let’s break this down into some concrete but simple examples to illustrate how a small RIA can establish a strong risk management program.
Getting a Handle on the Unknown
There’s no uniform definition of risk, but I particularly like the one from Black’s Law Dictionary, Eighth Edition: “the uncertainty of a result, happening, or loss.” Risk is essentially the unknown.
Risks can vary immensely for different firms in terms of severity, likelihood of occurrence, applicability and ability to mitigate. Analyzing and categorizing each risk according to these assessment points is the foundation upon which policies and procedures can be constructed and informed decisions can be made.
A simple way to document and maintain such an assessment is an Excel spreadsheet with each risk listed in a different row, and each assessment point listed in a different column.