Rule 206(4)-7 under the Investment Advisers Act of 1940 requires registered investment advisers to implement a compliance program that is reasonably designed to prevent violations of the securities rules and regulations. A risk assessment can help you evaluate your existing compliance program's effectiveness and confirm that it is designed appropriately, given the way you run your RIA.
Identify all risk areas
Begin by reviewing all of the business activities across your firm. Think about your firm's business model, who your clients are, the roles of your employees, and the products and services you offer. Expand your review to include conflicts of interest, potential regulatory violations, and potential breaches of contract or client mandates. Review the findings from recent SEC or state inspections and include any deficiencies that were identified.
Assign a rating to potential risks
Once you have gathered all of your business activities and potential risk areas, assign a rating to each. Many advisors use a simple scale, such as low, medium, and high. When assigning a rating, consider the regulatory, financial, and operational risks of each item: both the probability of an issue arising in that business activity and the impact such an issue would have on your organization.
Map each risk to your policies and procedures
For each risk identified above, confirm that the proper policy and procedure have been implemented. Higher-risk areas often require additional internal controls and more extensive policies and procedures.
Perform annual review
Your policies and procedures are meant to be updated on an ongoing basis as needed. At least annually, the advisor should review all business activities and update both the risk assessment and the policies and procedures.
Each week I will post a risk assessment on a specific business area and discuss some of the specific applicable risks.