Home > News & Insights > Insights & Publications

2/4/19 - Compliance-Risk Assessments for Asset Managers: Part One

Thorough assessments of business and operational risks are core to an effective compliance program. This article discusses how asset managers regulated by the Securities and Exchange Commission might incorporate risk assessments into their compliance programs. In a second article, we will walk through an example that illustrates how to do this.

What Is a Risk Assessment?

A risk assessment is a formal and rigorous process to evaluate the level of risk for a firm undertaking a particular business activity or process. A compliance-risk assessment focuses on the risks that arise when laws, rules, and regulations trigger an obligation that, if not met, could expose the firm to potential enforcement actions, examination deficiencies, monetary fines, and/or reputational damage. A basic example of such an obligation is that investment advisers required to register with the SEC under the Investment Advisers Act of 1940 (commonly known as the “Advisers Act”) must implement codes of ethics pursuant to Rule 204A-1. A more specific example, which we discussed in a recent Currents article, is that the use of electronic communications by an investment adviser’s representatives triggers obligations to monitor, retain, and protect such communications pursuant to various rules under the Advisers Act.1

Are Investment Advisers Required to Conduct Risk Assessments?

There is a clear expectation that registered investment advisers (RIAs) employ an effective process to assess risks regularly. The adopting release to the compliance rule (Rule 206(4)-7 under the Advisers Act) states: “Each adviser, in designing its policies and procedures, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm's particular operations, and then design policies and procedures that address those risks [emphasis added].”2 Identifying risk exposures is the necessary first step in designing — and, by extension, periodically assessing the adequacy and effectiveness of — a compliance program.

How Is This Different from a Risk Matrix? 

Many advisers develop what they might refer to as a “risk matrix” around the time their firm registers with the SEC. While these serve the same purpose as a risk assessment, and examples of thorough and useful risk matrices do exist, practices vary widely, and risk matrices often take the form of static inventories rather than dynamic, rigorous assessments. They have a number of other common shortcomings as well, including that they are often:

  • Unwieldy and/or risk-agnostic. The list of risks is sometimes so extensive that the matrix becomes difficult to maintain and effectively focus on the most important risks. Also, many risk matrices do not include an objective assessment of the corresponding levels of risk (e.g., “low,” “medium,” or “high”) for each identified risk, which is necessary to ensure that compliance resources are allocated accordingly.  
  • Lacking in context. The list of risks and conflicts are often not associated with specific regulatory obligations, policies or procedures, or controls.
  • Not integral to the compliance program. Developing and maintaining the risk matrix is treated as an exercise, rather than a useful tool to drive the compliance-management process.
  • Out of date. The risk matrices are reviewed only during the firm’s annual review, or they have not been updated since they were developed. 

What Are Best Practices for Compliance-Risk Assessments?

If the above list sounds familiar, it is worth considering leading practices adopted by some of the largest and most complex organizations — including those outside the asset-management industry. For example, large banking organizations invest considerable resources, including dedicated staff, to develop and implement processes for assessing compliance risk that are metrics-driven, highly automated, and that roll up into enterprise-wide risk management programs. While SEC staff may not expect that level of sophistication for most investment advisers, the following concepts and practices can be instructive:

  1. Make the results matter. Risk assessments are more meaningful when the results drive the allocation of testing, training, staffing, and technology resources to the areas of greatest risk. This ensures, by definition, that the firm takes a risk-based approach to compliance.
  2. Be objective. Risk is inherently subjective, but leading practitioners quantify available information on risk factors to minimize subjectivity and focus assessors’ attention on areas that require judgment. For example, tracking compliance breaches and customer complaints and associating those breaches and complaints with specific risk areas can enable a more objective assessment of inherent risk.
  3. Establish a straightforward methodology. The particulars, such as risk scales and risk taxonomies, matter far less than actionable and repeatable results. Documenting a methodology encourages consistency and makes results more accessible to management and regulators alike, but an overly complex methodology is counterproductive.
  4. Incorporate first-line assessments. Business-line managers play an important role in leading organizations’ compliance-risk assessments, including by completing self-assessments in which they weigh in on risk levels and control issues. First-line assessments also serve as an effective vehicle for collaboration between compliance and business managers.
  5. Perform regular and ad-hoc assessments. As mentioned above, risk assessments should be performed annually, at a minimum, and when significant changes to the business or regulations occur. A policy or other governance document should describe factors that trigger an ad-hoc risk assessment, including external factors (e.g., OCIE risk alerts) and internal events (e.g., testing findings).

Regular and robust risk assessments are essential to compliance programs. Promontory’s asset-management group has deep experience with assisting or reviewing RIAs’ risk-assessment processes and can help ensure that advisers of varying size and complexity have effective risk-assessment processes.

Contact Us

Jane Jarcho
Special Adviser
jjarcho@promontory.com
+1 202 384 1200 

Conway Dodge 
Managing Director
cdodge@promontory.com
+1 202 370 0461

Michael Sullivan 
Managing Director
msullivan@promontory.com
+1 202 370 0507

Michael Vorhis 
Principal
mvorhis@promontory.com
+1 202 384 1182


FOOTNOTES

  1. These obligations arise from three separate rules: the books and records rule (Section 204 of the Advisers Act and Rule 204-2 thereunder), the compliance rule (Rule 206(4)-7 under the Advisers Act), and Rule 204A under the Advisers Act, which requires firms to have strong written policies and procedures in place to prevent the misuse of material nonpublic information.
  2. Final Rule: Compliance Programs of Investment Companies and Investment Advisers,” The Securities and Exchange Commission (Dec. 17, 2003).