RIA Compliance and Practice Management Blog

SEC RIA Compliance: Conducting a Risk Assessment

Posted by RIA in a Box

Mar 28, 2015 11:54:00 AM

Every registered investment adviser (RIA) firm registered with the SEC is required to establish and maintain a written politics and procedures manual designed to equip the firm with the ability to prevent and detect potential regulatory violations. While all RIA firms may share some similar policies and procedures, it’s crucial that the Chief Compliance Officer (CCO) of an investment advisory firm ensure that the firm’s policies and procedures have been customized to address the unique risks of that firm’s particular business model.

The Purpose of the Risk Assessment

In order for a compliance program to be properly designed, it’s important for the CCO to first take a step back and conduct at least an annual risk assessment designed to accomplish the following:

  1. Determine what types of risks may be present at the firm
  2. Assess whether adequate controls are in place to manage or mitigate such risks
  3. Make modifications to update the firm’s current policies and procedures to address new identified risks

The importance of conducting regular risk assessments cannot be emphasized enough. It’s quite difficult to know if a firm’s compliance policies and procedures are sufficient if the firm has not first identified what particular risks need to be addressed in such policies and procedures. During a regulatory examination, the CCO should not be surprised when the SEC wants to learn more about the firm’s risk assessment process.

When conducting a risk assessment, an adviser should identify a detailed list of operational and compliance risks associated with the business.  A thorough assessment not only addresses the firm’s business model and its affiliate relationships, but also everyday business transactions between the firm, its clients, and key service providers. Firms must continually revise and reevaluate their risk profile. A periodic risk assessment helps ensure that the policies and procedures of the firm are up to date in all areas which could result in potential regulatory compliance deficiencies or violations.

The Ten Critical Features of an RIA Technology System

Guidance on Conducting a Risk Assessment from the SEC Staff

While a bit dated, staff from the SEC published a pair of risk assessment documents in 2007: a risk assessment flow chart and a risk inventory guide. Paired together, these two documents can be a good starting point for SEC-registered firms to begin to create an inventory of potential firm risks which need to be evaluated.

In the SEC staff’s sample risk inventory guide, the SEC identifies 12 potential risk categories:

  1. Marketing / performance
  2. Form ADV/ disclosures
  3. Invoices / fees
  4. IPO offerings
  5. Soft dollars / kickbacks
  6. Compensation
  7. Objectives / restrictions
  8. Trade ticket
  9. Trade execution
  10. Non-public information
  11. Personal and proprietary trading account
  12. Money / securities to / from broker / custodian

Other Risk Assessment Considerations

The above categories should not be viewed by any means as an exhaustive list of risk categories but may serve as a good starting point for newly-registered SEC firms that are beginning to implement a risk assessment process. In addition to the above categories, some new emerging areas of risk that should be evaluated by the CCO during a firm’s risk assessment include:

  1. Books and records maintenance
  2. Proxy voting
  3. Branch office supervision
  4. Disaster recovery / business continuity plan (BCP)
  5. Cybersecurity

As RIA compliance consultants, we strongly recommend that the CCO of all SEC-registered RIA firms ensure that the risk assessment process is properly designed and conducted frequently enough to identify and address new areas of risk as the firm’s business model evolves.

Download our Annual Review Checklist


Topics: RIA Operations, RIA Compliance

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

RIA Compliance & Practice Management

Stay up to date on the latest RIA compliance, operations, and technology topics.

Hear from industry experts as they keep you up to date on the latest regulatory developments and practice management topics.

Subscribe to Email Updates

Recent Posts