Aligning Risk with Policies and Procedures
With risk being an integral part of the business cycle, advisory firms must confront and deal with investment, operational, business continuity, enterprise and compliance risks. If not identified promptly and managed effectively, such risks can lead to loss of clients, inability to carry on day-to-day portfolio management functions, reputational deficit, increased exposure to civil or criminal litigation and regulatory sanctions.
The Adopting Release of the Compliance Programs Rule urges each adviser, when designing policies and procedures, to identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations and then to design policies and procedures that address those risks. The SEC expects firms to revisit and reassess, at least annually, new risks that may have arisen as a result of changes to the firm’s practice, affiliations, clients or the regulatory environment. Firms can then determine if newly identified risks call for the development of new procedures or the revision of existing ones.
There is no regulatory requirement or even expectation that all identified risks be entirely eliminated. Some risks are inherent to certain business models and need to be monitored and mitigated effectively. Although types and degrees of risk depend on each firm’s particular structure and business model, some common areas to monitor are:
- New employees and contractors
- New services offered to clients
- Business affiliates and related conflicts
- Accuracy of disclosure documents and marketing materials
- Compensation arrangements and related incentives
- Allocation of investment opportunities among clients
- Brokerage arrangements and related conflicts and disclosures
- Arrangements resulting in access to client funds
- Business continuity and succession planning
- Privacy and safety of client data and identity
The firm’s risk assessment is closely connected with the annual review process. The benchmark for the annual review is to determine the adequacy and effectiveness of the firm’s policies and procedures by cross-referencing each risk area identified by the firm with one or more policies and procedures to ensure that the firm:
1) Has policies and procedures that address the risk area.
2) Adequately addresses each risk area through its existing policies and procedures.