Episode 24: Steps for Performing a Risk Assessment

Episode 24 features Core Compliance’s Lead Senior Compliance Consultant, Tina Mitchell. Tina’s back to discuss the integral steps to performing a Risk Assessment and informs our audience of core risk areas. She also provides key examples and scenarios that listeners can apply to their own assessments.



CCO Buzz: Hello and welcome back! We hope you had a great candy-filled Halloween, but now it’s time to get back to business. This week, on episode 24 of the CCO Buzz, we have Core Compliance’s Lead Senior Compliance Consultant, Tina Mitchell. Tina’s back to discuss the integral steps to performing a Risk Assessment. She informs our audience of core risk areas, but also provides key examples and scenarios that listeners can apply to their own assessments.

So, Tina, are advisory firms required to perform risk assessments?

Tina Mitchell: While not specifically stated in any rule, advisers are fiduciaries and as such they should be performing risk assessments to identify the risks that are associated with their firms, so they can properly be addressed.

CCO Buzz: Understanding that they should, how does an advisory firm perform a risk assessment?

Tina Mitchell: Well, the first step is actually identifying a firm’s risks, and they actually come in many shapes and sizes. There are different types of risk, such as regulatory risk, operational risk, financial risk, and then there are areas that carry risks.

So just to give you an example of some of them that are core to most advisers…


  • Custody. And that’s because most firms debit fees from client accounts.
  • Privacy. All firms collect non-public information from clients, so it’s important to have safeguarding steps in place.
  • Cybersecurity. This is actually still a hot topic with the SEC and one that affects all firms.
  • Code of Ethics. This is covering employee training and other conflict areas, such as outside business activities.
  • Then there’s Valuation and Advisory Fee Billing. Is a firm’s fee billing being calculated in line with client agreements and disclosures?
  • Regulatory Filings is another one. Has a firm identified all the required filings they need to make? And are they being made in a timely manner?
  • And then Disclosures. They need to be transparent and include all conflicts and how the firm addresses the conflict.

So recently, we published a “Risk Management Update,” which is on our website, on performing risk assessments and in that update, we outlined some of the potential risks. And the sample business model we used is really not uncommon to firms these days. But to put this in a bit of perspective, we listed 20 risks associated with that business model and that was just naming a few of them.

So, after a firm identifies their risks, the next step is going to be to make sure the firm has written policies and procedures covering the risks and appropriate monitoring controls in place. You then want to assign a risk level to each risk because you want to keep in mind that the policies, procedures, and controls are in place, so the risk level is going to help the firm determine which risks need more attention than others.

For example, a common firm risk is not having signed client agreements and suitability documentation on file. A firm should have policies and procedures on how this is collected, and a good control can be a new client list – a new client checklist actually, that must be completed by the employee opening the new account. And that confirms the receipt of the information. So, if a firm has all that in place, then I would say the risk level can be ranked as low.

There are certain risks that are inherent even with controls in place, and those are the ones that should be ranked higher. An example would be cybersecurity, since cybercrimes are ever changing.

The next step is going to be to document the assessment. This is important because the SEC does believe that if you don’t document something, then you probably didn’t do it. So, at a minimum you’ll want to have listed the applicable risk areas you’ve identified, the types of risks, what policies, procedures, and controls are in place to address those, the risk level you assigned, and the date the assessment was performed.

And then lastly, you’re going to want to make sure risk mitigation steps are being monitored. Firms should actually perform risk assessments at least annually, since there could be regulatory changes that could affect the firm.

CCO Buzz: That’s a bit for firms to consider, is there anything else our audience should note about risk assessments?

Tina Mitchell: I would say that it’s important for senior management to oversee the risk assessment process and to also think about potential risks when they’re considering new or changing business practices. Additionally, consider having an outside service provider, such as Core Compliance, perform an assessment periodically to help ensure there is a comprehensive assessment program in place.

For more information, please give us a call at (619) 278-0020. Thanks!

CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn or Twitter @CoreCLS. Thank you and we hope you tune into next week’s episode of the CCO Buzz.
