Core Steps For Performing and Documenting a Risk Assessment

As fiduciaries, investment advisory firms have a responsibility to identify and address risks that are applicable to their business practices and service offerings.  Regulators continually remind firms of their responsibility through the issuance of speeches, written guidance, exam deficiency letters, and even enforcement actions.

For small- to mid-size firms, the responsibility of performing a risk assessment and reporting findings and recommendations is usually delegated to the firm’s Chief Compliance Officer (“CCO”) by senior management. Larger firms generally have a risk committee or department that handles this task.

On the surface, performing a risk assessment may seem to be a relatively simple process; however, a lot can be missed if not done properly.  To that end, this month’s Risk Management Update provides step-by-step guidance to help firms ensure they have a robust process in place.


First Step – Identifying Risks

To begin the process, you’ll need to determine the types of risk that apply to your firm.  The main risk types to consider include:

  • Financial risk – How will the risk affect the viability of the firm?
  • Operational risk – What bearing does the risk have on firm operations?
  • Regulatory risk – Are there regulatory requirements surrounding the risk?
  • Reputational risk – Will the risk affect the reputation of the firm and/or its personnel?

Next, think about areas that carry risk. While the financial industry is fraught with risks, not all areas apply to all advisers. However, there are several principal areas that apply to most investment advisers, which are outlined below:

  • Portfolio Management and Trading
  • Investment Due Diligence
  • Allocation of Investment Opportunities
  • Custody of Client Assets and Securities
  • Privacy and Safeguarding of Proprietary and Client Non-Public Information
  • Cybersecurity
  • Valuation
  • Advisory Fee Calculations and Compensation Arrangements
  • Performance Marketing and Promotion of Advisory Services
  • Business Affiliations and Related Conflicts of Interest
  • Business Continuity Planning
  • Regulatory Filings
  • Employee Trading
  • Insider Trading
  • Recordkeeping
  • Client Complaints
  • Anti-Money Laundering
  • Due Diligence of Third-Party Service Providers
  • Compliance Program Controls


Risks associated with the above areas will vary based on a firm’s business practices. As an example, let’s consider the following case study:

XYZ Advisors, Inc. (“XYZ Advisors”) provides discretionary investment management services to individuals, high net worth clients, pensions, and 401k plans. Most clients reside in the U.S., but there are a couple of high net worth clients that live in Europe. XYZ Advisors offers various investment strategies, which are allocated among equities, fixed income, mutual funds and exchange-traded funds, based on a client’s overall objectives and risk tolerance. From time to time, the firm also recommends alternative investments (e.g., private funds) to certain qualified clients. Senior management will generally invest in alternative investments alongside clients to show they have “skin in the game.” Research analysts provide investment recommendations based on fundamental research to the firm’s investment committee, which determines the investments for each strategy and approves alternatives for recommendation to clients.

The firm bills fees quarterly in advance and does not charge performance-based fees. Advisory fees are based on the type of investment strategy selected. XYZ Advisors has the authority to debit advisory fees from individual and high net worth client accounts. Fees are billed directly to the pension and 401k plans.

XYZ Advisors has an affiliated company under common ownership that is a licensed insurance agency. Certain firm personnel are licensed insurance agents, and some are registered with an outside broker-dealer. The firm uses third-party service providers for reconciliation, proxy voting, email retention, and data backup. All required books and records are maintained electronically.

Notably, this firm’s business model is fairly typical for investment advisers, yet it carries several potential risks. Below is just a sampling:

  • Investment decisions and the basis for the decisions are not documented;
  • Recommendations made to clients are not in line with investment objectives;
  • Research analysts received material non-public information during a research call;
  • Clients are not properly qualified before recommending a private fund;
  • Investments in limited offerings are not allocated in a fair manner;
  • Employees received an allocation in an alternative security that should have been offered to a qualified client;
  • Incorrect mutual fund share class is being purchased for clients;
  • Strategy changes are made in discretionary accounts to higher fee strategies without proper documentation of what prompted the change (e.g., change in client risk tolerance);
  • Undisclosed benefits and/or compensation are being received by the firm and/or employees;
  • Clients are subject to third party fees that are not fully disclosed;
  • The firm is providing services in a country without being registered or claiming the applicable exemption;
  • The firm is unaware that a client has been added to the OFAC SDN list;
  • The firm does not have a valuation process in place for privately-held investments;
  • Ongoing review and monitoring of privately-held investments are not being performed;
  • An employee outside business activity is not being supervised;
  • Conflicts surrounding business practices are not being identified, mitigated, and disclosed;
  • Employee personal trading is not being reviewed;
  • The firm does not perform reviews of its cybersecurity protocols;
  • Periodic due diligence is not being performed on third-party service providers; and
  • A business continuity plan is not tested to confirm that backup data can be retrieved in a timely manner.

The above list runs the gamut of risk types, as a number of these have the potential to cause regulatory, financial, operational, and reputational issues if not properly addressed.

When considering risks, it is important to take a holistic approach and think about what could go wrong.  Spend time with employees in operations, trading, portfolio management, and accounting to obtain an in-depth understanding of firm processes.  Also look for possible gaps that could cause problems, and review firm financials to see where the money comes from and where it is going.  Approached this way, the identification step will:

  • Identify critical issues in a timely manner;
  • Identify policies and procedures that have become outdated; and
  • Provide an opportunity for a regular review of business practices and compliance policies.


Second Step – Mapping Identified Risks to Policies, Procedures, and Controls

A vital component of risk management is ensuring that all applicable risks are addressed with policies, procedures and internal controls.  This process is sometimes easier said than done as it will involve firm personnel and, in some cases, technology.

Below is an example using one of the case study’s risks:

  1. Recommendations made to clients are not in line with investment objectives.
    1. Compliance policies and procedures should require:
      1. obtaining written documentation of investment objectives and risk tolerance from new clients;
      2. performing initial suitability reviews; and
      3. having advisory personnel contact clients at least annually to determine whether any changes have occurred.
    2. Control protocols should include:
      1. a new client checklist that confirms receipt and review of client documentation;
      2. parameters and restrictions implemented in the trading system for electronic monitoring;
      3. documentation of client contact by advisory personnel and the results;
      4. ongoing review of account holdings and investments by advisory personnel; and
      5. periodic sample testing by compliance personnel of client investments against the documentation in the client file.


Third Step – Determining Risk Levels

Risk levels are dependent on various considerations, including the types of associated risks and the amount of residual risk that remains once mitigation steps have been implemented.  Risk levels can be based on a high, medium, low determination or a numeric system, such as 1 to 5.

A risk that falls under more than one type of risk and/or carries a material amount of residual risk should be assigned a higher level than one with little to no residual risk.


Fourth Step – Documenting Risk Assessment

Create a risk assessment spreadsheet or matrix that lists the following core information:

  • Business Practices
  • Associated Risks
  • Type of Risks
  • Risk Level (include a summary description of what each level means)
  • Policies, Procedures, and Controls in Place
  • Date Review Performed
  • Additional Mitigation Steps Needed
  • Follow Up Taken (include date)

Ideally, you should have a risk matrix that covers each calendar year. A copy of each matrix should be provided to senior management for review and approval and should be retained as part of the firm’s books and records.
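As an added example (this is not code from the article or from Core Compliance), the following Python register applies the Third and Fourth Steps together: it scores each risk on a 1-to-5 scale, gives credit for the controls in place to arrive at residual risk, raises the level of any risk that spans more than one risk type, and writes out a matrix with the columns listed above, highest level first so the Fifth Step’s monitoring priorities fall out of the same table. The scale, the control-reduction credit, the threshold for “material” residual risk, and the sample risks, dates and control descriptions are all assumptions made for illustration.

```python
"""Added example: a small risk register that scores risks and builds the assessment matrix.

Not from the article; the scoring rules (1-5 scale, control-reduction credit,
the one-level bump for multi-type risks) are this example's own assumptions.
"""
from dataclasses import dataclass
import csv
import io

# The four risk types named in the article's First Step.
RISK_TYPES = {"financial", "operational", "regulatory", "reputational"}

# Summary description of what each level means (the matrix should carry this legend).
LEVEL_LEGEND = {
    "Low": "Little to no residual risk; review at the annual assessment.",
    "Medium": "Some residual risk remains; review more than once a year.",
    "High": "Material residual risk and/or multiple risk types; monitor most frequently.",
}

MATERIAL_RESIDUAL = 3  # assumption: a residual score at or above this is "material"

MATRIX_COLUMNS = [
    "Business Practices", "Associated Risks", "Type of Risks", "Risk Level",
    "Policies, Procedures, and Controls in Place", "Date Review Performed",
    "Additional Mitigation Steps Needed", "Follow Up Taken",
]


@dataclass
class Risk:
    business_practice: str
    associated_risk: str
    risk_types: frozenset       # subset of RISK_TYPES
    inherent_score: int         # 1 (remote) .. 5 (severe), before any controls (assumed scale)
    control_reduction: int      # points removed by the policies/procedures/controls in place
    controls: str
    review_date: str            # date the review was performed
    additional_mitigation: str = ""
    follow_up: str = ""

    def __post_init__(self):
        unknown = set(self.risk_types) - RISK_TYPES
        if unknown:
            raise ValueError(f"unknown risk type(s): {sorted(unknown)}")
        if not 1 <= self.inherent_score <= 5:
            raise ValueError("inherent_score must be 1..5")
        if not 0 <= self.control_reduction <= self.inherent_score:
            raise ValueError("control_reduction must be 0..inherent_score")


def residual_score(risk):
    """Residual risk once mitigation is credited: inherent score minus control credit, floored at 1."""
    return max(1, risk.inherent_score - risk.control_reduction)


def risk_score(risk):
    """Numeric 1-5 level: residual score, plus one level when the risk spans more than one type."""
    score = residual_score(risk)
    if len(risk.risk_types) > 1:
        score = min(5, score + 1)
    return score


def risk_level(risk):
    """Map the 1-5 score onto High/Medium/Low; material residual risk never lands on Low."""
    score = risk_score(risk)
    if score >= 4:
        return "High"
    if score >= MATERIAL_RESIDUAL:
        return "Medium"
    return "Low"


def matrix_rows(risks):
    """Rows for the risk matrix, ordered highest level first for monitoring prioritization."""
    rows = []
    for r in sorted(risks, key=risk_score, reverse=True):
        rows.append({
            "Business Practices": r.business_practice,
            "Associated Risks": r.associated_risk,
            "Type of Risks": ", ".join(sorted(r.risk_types)),
            "Risk Level": f"{risk_level(r)} ({risk_score(r)})",
            "Policies, Procedures, and Controls in Place": r.controls,
            "Date Review Performed": r.review_date,
            "Additional Mitigation Steps Needed": r.additional_mitigation,
            "Follow Up Taken": r.follow_up,
        })
    return rows


def matrix_csv(risks):
    """Render the matrix as CSV text ready to drop into the firm's spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=MATRIX_COLUMNS)
    writer.writeheader()
    writer.writerows(matrix_rows(risks))
    return buf.getvalue()


# Constructed sample drawn from the XYZ Advisors case study; scores and dates are illustrative.
SAMPLE_RISKS = [
    Risk("Alternative investment recommendations",
         "Clients are not properly qualified before recommending a private fund",
         frozenset({"regulatory", "reputational"}), 4, 2,
         "Qualified-client checklist signed off before any recommendation",
         "2024-03-15", "Add compliance sample testing of qualification files"),
    Risk("Business continuity planning",
         "Backup data cannot be retrieved in a timely manner",
         frozenset({"operational"}), 4, 1,
         "Written BCP; vendor performs nightly backups",
         "2024-03-15", "Schedule an annual restore test with the backup vendor"),
    Risk("Cybersecurity",
         "The firm does not perform reviews of its cybersecurity protocols",
         frozenset({"operational", "regulatory", "reputational"}), 5, 0,
         "None documented",
         "2024-03-15", "Engage a third party to assess controls; adopt a review calendar"),
]

if __name__ == "__main__":
    print(matrix_csv(SAMPLE_RISKS))
```

Running the block prints the matrix with the cybersecurity risk first (residual 5, three risk types, High), followed by the two Medium risks; the private-fund qualification risk reaches Medium only because it spans two risk types, which is the article’s point about multi-type risks ranking higher. Swapping the assumed scale for the firm’s own High/Medium/Low definitions only requires changing `risk_level` and `LEVEL_LEGEND`.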


Fifth Step – Monitoring Risk Mitigation Controls

Reviewing current mitigation steps is vital, especially when changes occur to the business and/or applicable regulations. Risks that have been assigned a high risk level should be monitored more frequently. Importantly, performing this function can be part of a firm’s annual review process, but it should not be solely a compliance responsibility.  The departments/personnel performing the mitigation steps should remain alert and inform the CCO when updates should be made.



The ramifications of not performing a risk assessment can be very costly for advisory firms.  Being proactive in this area is essential for senior management to adequately oversee business practices and ensure adherence to applicable regulatory requirements.

For assistance, please contact us at (619) 278-0020 or visit us at for more information.



Author: Tina Mitchell, Managing Director, Consultation Services; Editor: Michelle Jacko, CEO, Core Compliance & Legal Services (“Core Compliance”).  Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

