You need a program to be able to assess, account for and mitigate multiple forms of risk—regulatory, legal, business fraud, technology, operations, counterparty, vendor and other forms of risk. The output should be your firm’s overarching inventory of risks.
The SEC doesn’t tell you how you must analyze your firm’s risks, but examiners surely will notice if you don’t do the job at all or don’t do it well enough. The compliance program rule (Advisers Act rule 206(4)-7) states that each adviser, in designing its P&Ps, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations, and then design P&Ps that address those risks.
SEC examiners assuredly will request to see your inventory of risks, risk matrix or similar documents you keep to demonstrate your risk assessment process. Expect a deficiency if you can’t produce these records. Examiners aren’t the only ones looking for your risk assessment—some investors are seeking risk matrices to do deep dives on compliance and operations for a due diligence exercise.
While there is no per se requirement to conduct a risk assessment, it is a “must do,” since all regulators have increased their focus on risk assessments over the last couple of years. The Commission’s National Exam Program has been meeting with senior management of advisory firms to understand firms’ approach to risk management and to initiate a dialogue on key risks.
It is a recommended best practice to conduct a risk assessment annually. Typically, the assessment is conducted in conjunction with your annual review of your firm’s compliance program. The risk assessment will further aid you in determining what ongoing testing you will need to implement and how frequently you will need to test.