Risk Assessments are Essential To Healthy Compliance Programs


Does Your Firm Perform an Annual Risk Assessment?

Knowing and addressing risks is a key requisite for investment advisers in maintaining a strong compliance program.  In May 2006, the Securities & Exchange Commission (“SEC”) issued guidance on establishing and reviewing compliance programs[1], which outlined the following:

“The compliance policies and procedures should address the practices and risks present at each adviser. No one standard set of policies and procedures will address the requirements established by the Compliance Rule for all advisers because each adviser is different, has different business relationships and affiliations, and, therefore, has different conflicts of interest. Because the facts and circumstances (i.e., risks) that can give rise to violations of the Advisers Act are unique for each adviser, each adviser should identify its unique set of risks, both as the starting point for developing its compliance policies and procedures and as part of its periodic assessment of the continued effectiveness of these policies and procedures.”

Performing risk assessments at least annually can prove invaluable in identifying your firm’s unique risks. If done correctly, a risk assessment not only identifies risks that a firm faces, but also helps to determine if the firm has properly addressed each risk by mapping the risks to the firm’s policies, procedures, and controls.


What Are Your Requirements?

Rule 206(4) -7[2] under the Investment Advisers Act of 1940 requires investment advisers registered with the SEC to maintain a compliance program, which includes but is not limited to: (i) adopting and implementing written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (ii) reviewing those policies and procedures at least annually to determine their adequacy and effectiveness.

While risk assessments are not specifically required, they are a very important part of a firm’s compliance program and play a vital role in identifying areas where the firm faces risk.  This allows an advisory firm to create appropriate policies and procedures to address the risks.

What Are the Main Components of a Risk Assessment?

To begin the risk assessment, the Firm should identify the distinct risks for their organization. This can be accomplished by assessing each area of the business with the applicable managers and identifying the risks within their assigned areas of responsibility.  Once the firm has identified its particular risks, an analysis of the firm’s policies and procedures should be conducted to determine what processes and controls are currently in place to address these risks and which person and/or department within the firm is responsible for the subject area. These findings can then be memorialized in a risk matrix, which should list each identified risk and assign a rating as to the level of risk (i.e., High-Medium- Low). Next, the matrix should detail the current controls and procedures in place that address the risk, along with the responsible party(ies).  Lastly, the matrix should include recommendations on any steps needed to further mitigate the risks and a timeline for completion.

While this process may be performed by the Chief Compliance Officer (“CCO”), many firms utilize an independent third party to perform this assessment to get a more unbiased view of existing firm practices.  Regardless of who performs the risk assessment, it is imperative that any recommendations on further addressing the risks get implemented promptly.

What Types of Risks Should Be Considered?

When trying to determine a Firm’s risks, consider the following types of risks:

  • Regulatory Risks: changes in applicable regulations or rules would have an impact on the firm. For example, a new regulation is adopted that prohibits or curtails certain activities upon a firm includes in its service offerings.
  • Compliance Risks: the robustness of the firm’s compliance program in ensuring adherence to required securities regulations. For example, during a regulatory examination, a firm is found to be in violation of applicable regulations and receives a heavy fine.
  • Enterprise Risks: those risks that may seriously hamper a firm’s operations and business practices.  For example, the loss of a key member of a firm’s organization.
  • Operational Risks: the stability and strength of the firm’s operational systems, overall processes, and firm personnel. For example, not having adequate staff to administer and oversee the new account opening process.
  • Financial Risks: the firm’s ability to meet financial obligations. For example, a severe and lengthy drop in the stock market results in a large drop in the number of advisory fees collected.

Important Risk Management Steps:

  • Keep CCO informed of modifications to the firm’s business practices or processes:  This will help to ensure that previously identified risks are not exacerbated by these modifications, and also whether new risks should be considered and addressed.
  • Schedule follow-up meetings to review action items based on the risk assessment: This helps ensure that the steps needed to address the identified risks are completed and fully implemented.
  • Build risk assessment findings into your annual review testing regime:  This step helps the Firm ensure actions taken to deal with the identified risks are effective.
  • Build risk assessment findings into your Firm’s compliance training program:  This step can help enhance your culture of compliance and make your employees know and part of the risk identification and management process.
  • Consider risk assessment findings when reviewing and revising your Policies and Procedures:  This helps to ensure that your Firm maintains strong and effective procedures that address all the firm’s applicable risks.


A risk assessment can be an invaluable tool for firms to create and maintain a worthwhile and effective compliance program that addresses the unique risks a particular firm faces.  Firms should consider building this invaluable tool into their compliance review processes and, if practical, consider utilizing the services of an independent compliance professional to help identify and address your firm’s distinctive risk profile.

For more information on the above, or if you have questions regarding the Custody Rule and how it applies to your Firm, please contact us at (619) 278-0020. Thank you.


Author:  Core Compliance & Legal Services, Inc.; Editor: Tina Mitchell, Managing Director, Consultations Services; Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity Firms and banks on regulatory compliance issues. This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] Questions Advisers Should Ask While Establishing or Reviewing Their Compliance Programs https://www.sec.gov/info/cco/adviser_compliance_questions.htm

[2] Investment Advisers Act of 1940 http://legcounsel.house.gov/Comps/Investment%20Advisers%20Act%20Of%201940.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *