Converting Critical Enterprise Risks into a Usable Risk Matrix

Successful compliance is built on a solid foundation of risk management. Effective compliance programs begin with a thorough assessment to identify areas of risk within the organization. A risk management framework gives the organization the structure it needs to identify, monitor and, where necessary, mitigate those risks. Aside from its practical benefits, a documented risk assessment can also demonstrate to a regulator that the compliance program is “reasonably designed” to prevent violations of the federal securities laws[1]. In this Risk Management Update, we discuss practical ways to develop and implement a risk management program.

What is Risk?

Each firm that sets out to implement a tailored compliance program faces the challenge of designing a governance structure specific to its business model and strategy. To know where to start, a firm must first answer one basic question: what is risk? Merriam-Webster defines it as the “possibility of loss or injury; someone or something that creates or suggests a hazard.”[2] Risks exist at every level of the enterprise, from an individual job function up to the entity as a whole. Identifying those risks and gauging the controls that address them is the substance of an enterprise risk management process.

While the securities laws generally do not require a formal risk assessment or risk matrix, firms need an effective process to identify the risks that could leave them vulnerable to violations. Each risk must then be assessed for its importance so that resources can be allocated to the areas posing the most significant risk.

Identifying risks is best done collaboratively, with management, representatives of each business unit, compliance, and any other stakeholder responsible for the business. Where possible, a standing risk committee that brainstorms, helps evaluate the risks to the firm and weighs in on controls also builds buy-in across the firm.

Risk can be found in rules and regulations, technology, the environment (think pandemic), employees, vendors, contracts, firm relationships and compensation, among other areas. Once risks are identified, categorize them (e.g., compliance or operational). The firm should then establish its appetite for each risk: how much of it the firm is willing to accept in pursuit of its objectives before action is needed to mitigate it. Weigh the resources the firm has against the likelihood of the event occurring.


Implement and Manage

There are many ways to document and maintain a risk matrix. Microsoft Excel or Word can serve for a limited risk assessment, while more elaborate automated systems are available for complex risk structures. Choose a tool that fits the size and complexity of the business being assessed. The risk matrix is meant to be a living framework, adjusted routinely as the business changes, controls are deployed, and new risks are identified. The following steps should be considered when implementing the program.

A. Develop a Risk Inventory

As discussed above, an inventory of the risks associated with the firm helps the firm evaluate whether the necessary policies, procedures and related controls already exist or need to be developed. It also helps determine how often each part of the compliance program should be tested.

Starting this inventory can be daunting. Begin by preparing a comprehensive list of the risks posed by the business. Include risks inherent in the firm’s business model, its contractual obligations, and the types of products and services it offers. Consider the conflicts of interest created by compensation, employee and vendor relationships. Draw on prior regulatory exam deficiencies, regulatory document request lists and publicly available risk assessments[3], and determine which of those requests are likely to come up in the next examination. Regulators often publish guidance and exam priorities outlining focus areas based on the firms they have previously inspected; these documents set out priorities and provide a roadmap to regulatory expectations about risk. Assess the consequences of a regulatory violation occurring and the corresponding need for mitigation.

Gather ideas from colleagues and counterparts at similarly situated firms. Industry networking groups and local compliance roundtables are a good resource when conducting an initial assessment, and they may surface risks not previously considered.

Next, step outside the securities industry and consider the non-securities laws, regulations and relationships that may apply to the firm. Examples include tax, insurance, banking and other financial affiliates and organizations, DOL and ERISA regulations, and client relationships. Finally, consider the firm’s corporate culture: evaluate corporate initiatives, financial strength and reporting, potential reputational risks, and the firm’s competitors. These areas are often overlooked when contemplating the totality of a firm’s risks.

B. Assign a Risk Rating

Once the inventory is complete, assess each inventoried risk, determine its significance and assign a rating. For each risk, make a judgment about the likelihood that it will materialize and the negative impact such an event would have on the firm and its clients. Analyzing each item in this way lets the firm prioritize its initiatives so that appropriate resources go to the activities that present the highest risk.

Use a rating scale that makes sense for the breadth and scope of the risks identified. Larger financial institutions use complex rating systems that calculate risk from a number of factors, including inherent and residual risk. A simpler scale, such as color-coding red (dangerous), yellow (proceed with caution) and green (little or no risk), or a high/moderate/low ranking, works just as effectively. Whatever the scale, make sure each rating aligns with the item being evaluated and is easily distinguishable from the others. For example, on a ten-point scale with no defined meaning for each value, a reader may infer that ten is high, five is medium and one is low, but what does a 4 or a 6 signify? Firms can be assured that a regulator will focus on these details, so define what every point on the scale means.

As part of this step, document why the firm placed each risk in one category rather than another; recollecting those conversations later can be difficult. This is where the firm’s risk appetite, the regulatory landscape and the controls already in place combine to determine whether a rating is elevated. Determine the consequences if the risk materializes and assess its importance. Which risks are significant enough to warrant formal, written procedures, and which less serious ones can be managed by other means?

C. Map Risks to Procedures and Controls

For each risk identified that warrants a written policy, correlate or “map” the risk to the appropriate policy and control.  For the remaining risks, identify and evaluate any informal processes currently in place that address the risk.  If the risk is not applicable, indicate why.

Where there is a gap, that is, a risk with no corresponding policy and control in place, the firm should develop one. Developing and adopting a new policy should not be done in a silo. Involving the management team brings in the perspective of all stakeholders and also avoids crafting a policy that cannot be followed in practice.

When drafting a policy, consider a few things. First, examine the root cause of the risk. For example, the root cause of an identified risk might be a single point of failure, such as a process that only one employee knows or is responsible for, who then gets hit by the proverbial bus. Second, analyze the objective the policy is intended to achieve, evaluate the path forward and estimate the probability that the objective will be met. Even with the best of intentions, most risks cannot be eliminated entirely, which is why good controls must be recognized, put in place and routinely validated. Third, consider the firm’s tolerance for the risk and the strength of controls needed, and test the feasibility of the procedures and controls being contemplated. Is the goal to mitigate the risk or to eliminate it? Controls range from prohibitions and pre-approvals to audits and independent verification; for the single-point-of-failure example, cross-training on job functions may be an appropriate control. Finally, explore technology solutions, either already in place or available for implementation. In almost every facet of compliance there are innovative technology platforms that assist with oversight and control, and they become more affordable as fintech advances. Weighed against the cost of human error, labor, and the financial outlay from a fine or sanction, automated controls and the technology behind them are increasingly cost-efficient.

Within the policy, ensure there is effective oversight, dual controls or functional separation of duties and an appropriate level of detail that ensures clarity regarding the policy.  Ambiguous language makes it difficult for employees to comply and opens the door to inadvertent violations.

D. Review and Revise

An effective risk framework is not static. It should continue to evolve as new risks in the firm are identified. Periodically re-evaluating the firm’s risks is a key component of a successful compliance program. Consider which circumstances should trigger a revision, in whole or in part, of a previously performed risk assessment: compliance issues that have been uncovered, changes in business initiatives, and movement in the regulatory landscape, to name a few. Review the program at least annually to confirm that risks have been identified and are being mitigated or eliminated.
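As an added illustration, not part of the original article or of Core Compliance’s own materials, the following Python sketch shows one way the four steps above (inventory, rating, mapping to controls, review) can be recorded so that every rating has a single, reproducible meaning and gaps are found mechanically rather than by eye. The 1-5 likelihood and impact scales, the band thresholds, the control-effectiveness model and the sample risks are all assumptions constructed for this example; a firm would substitute its own values and rationale.

```python
"""Risk register sketch: inventory, rating with explicit bands, control mapping, gaps.

Added illustration only. The 1-5 scales, band thresholds, control-effectiveness
model and the sample risks below are all assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed ordinal scales. Every label maps to exactly one number so that a
# rating is never left to the reader's interpretation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Explicit thresholds over the 1..25 likelihood x impact product (assumed values).
# This answers the "what does a 4 or a 6 mean" question: each score falls in one band.
BANDS = ((1, 5, "low"), (6, 12, "moderate"), (13, 25, "high"))


def band(score: int) -> str:
    """Translate a numeric score into the firm's three-level rating."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside 1..25")


@dataclass
class Control:
    name: str
    # Assumed 0.0..1.0 scale: fraction of the remaining score the control removes.
    effectiveness: float


@dataclass
class Risk:
    id: str
    description: str
    category: str          # e.g. "compliance" or "operational"
    likelihood: str        # key into LIKELIHOOD
    impact: str            # key into IMPACT
    rationale: str         # why this rating was chosen (step B: document the decision)
    controls: list = field(default_factory=list)
    not_applicable_reason: Optional[str] = None  # step C: if N/A, say why

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Assumed model: each control removes its share of the remaining score;
        # the residual never drops below 1 because most risks cannot be eliminated.
        score = float(self.inherent_score())
        for c in self.controls:
            score *= 1.0 - c.effectiveness
        return max(1, round(score))


def gaps(register: list) -> list:
    """Risks with no mapped control and no documented reason for being N/A."""
    return [r.id for r in register if not r.controls and r.not_applicable_reason is None]


def prioritize(register: list) -> list:
    """Highest residual risk first: candidates for the most frequent testing."""
    return sorted(register, key=lambda r: (-r.residual_score(), r.id))


# Constructed sample register for a hypothetical firm (not taken from the article).
REGISTER = [
    Risk("R1", "Trade reconciliation known to one employee only", "operational",
         "likely", "major", "No documented procedure; single point of failure",
         controls=[Control("Cross-training and written runbook", 0.5)]),
    Risk("R2", "Personal trading not pre-cleared", "compliance",
         "possible", "major", "Prior exam deficiency in this area",
         controls=[Control("Pre-approval in trading system", 0.6)]),
    Risk("R3", "Vendor contract lacks data protection terms", "compliance",
         "unlikely", "moderate", "New vendor onboarded this quarter"),
    Risk("R4", "Municipal advisory activity", "compliance",
         "rare", "negligible", "Firm does not engage in this business",
         not_applicable_reason="No municipal advisory clients or activity"),
]


def report(register: list) -> list:
    """One row per risk, highest residual first: id, inherent band, residual band, controls."""
    return [(r.id, band(r.inherent_score()), band(r.residual_score()), len(r.controls))
            for r in prioritize(register)]


if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
    print("gaps:", gaps(REGISTER))
```

Run as a script, the report lists R1 first (inherent high, residual moderate after cross-training) and flags R3 as the one gap: it has no control and no documented reason for being out of scope, whereas R4 is excluded legitimately because its N/A rationale is recorded. The point of the explicit BANDS table is the one the rating step makes: a regulator reading the matrix should never have to guess what a given score means.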


Using Your Risk Matrix

Once the framework has been established, it should be the cornerstone for managing the compliance program. It can guide conversations with management about new initiatives in the firm, the implementation of policies, procedures and controls, and requests for additional compliance resources. Align the risk assessment with the key risks identified and use it to direct the testing of the compliance program: areas that present the highest risk may need a more frequent testing schedule than those with a lower rating. Use the assessment as well to understand potential conflicts of interest and make appropriate disclosures.

Periodically review and recalculate identified risks. Assess whether the likelihood or impact of the risks has changed.  Add new risks that have emerged since the previous review and decide whether controls exist or need to be developed.

Use the risk matrix to formulate the annual review of the compliance program and report new or systemic risks to executive management.  This will be a useful tool to help them understand the role of compliance, the risks facing the firm, and the controls designed to mitigate the risk.  As resources are often scarce when it comes to compliance, the matrix can drive related conversations.



Developing a risk framework as the basis for the compliance program resonates with regulators. Mitigating risk begins with identifying it, and that identification is a necessary element of implementing and maintaining a strong compliance program. Firms can be assured that at some point a regulator will ask them to produce an analysis of the firm’s risks and how they are mitigated.

To find out about technology solutions and outsourcing services offered by Core Compliance, and how we can further assist with year-end compliance planning and beyond, please contact us at (619) 278-0020.


Author: Core Compliance; Editor: Tina Mitchell, Managing Director, Consultation Services, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and managers to private funds on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.


[1] Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Advisers Act”)

[2] Merriam-Webster. (n.d.). Risk. In dictionary. Retrieved January 24, 2022, from

