PRACTICAL STEPS FOR ASSESSING RISKS
In recent years, more and more financial institutions are electing to conduct a risk assessment as part of an annual compliance program check. Not only does a risk assessment help in the development of policies and procedures, but it can also serve as a mitigation tool to help identify and proactively address potential threats to lower risk exposure. In this month's Legal Risk Management Tip, we will explore the starting points for creating a risk inventory, provide tips and factors for evaluating risks, discuss tools and systems to use as risk management controls, and summarize actions to help support your compliance program.
A. Starting Points for Creating a Risk Inventory
The goal of a risk assessment is to establish quantifiable data points that can serve as a qualitative analysis of existing controls to determine residual risk. Prior to undertaking this task, however, you will need to understand what you are trying to accomplish. Large organizations tend to have a risk department that analyzes risks at an enterprise level - taking into consideration market risks, operational risks, regulatory risks, compliance risks and financial risks. Smaller firms generally do not have the resources or infrastructure to accomplish this, but instead, will focus on the enterprise's compliance risks. To conduct a compliance risk review, consider taking the following steps:
Similar approaches should be taken for the evaluation of market, credit and operational risks, which are typically conducted by line managers, portfolio managers, operations personnel and/or a risk management officer. For smaller firms, this analysis could also be overseen by the Chief Compliance Officer.
To capture these data points, consider developing a risk inventory spreadsheet and determine the metrics for measurement. For example, many firms opt to use a high, medium and low risk measurement or a numeric system (such as 1-5). Generally, a focus area is assigned a "high" risk assessment level if the reviewer believes that an area is not in full compliance with the regulatory requirements or if a deficiency was noted in a prior regulatory exam or annual review report and was not corrected or addressed. A focus area is assigned a "medium" risk assessment level if the reviewer believes that an area is one which will likely draw attention from the SEC due to a lack of some internal control. A focus area is assigned a "low" risk assessment level if the reviewer believes that the internal controls appear adequate.
SAMPLE:
Focus Area | Line Manager | Identified Risk | Severity Level | Firm Priority (1-5, 1 being top priority) | Notes |
Marketing | Joe | Use of social media for prospecting | Low (just audited; only uses one account - LinkedIn) | 3 | Will limit content to announcing firm events and new hires |
Sales | Susan | Rolled out new offering | Medium | 2 | Mitigate through training |
Compliance | Alex | Failed to conduct 2016 Annual Review | High | 1 | Engaged compliance counsel this month |
B. Evaluating Risks
Once the risk inventory is complete, it is important to take steps to assess the risk management framework. If the firm has a Chief Risk Officer, then the findings should be compiled by the line managers and delivered to that individual; in smaller firms, typically the Chief Compliance Officer assumes that role and escalates to senior management.
When assessing risks, several subject matters should be considered, including:
Once a risk is identified and prioritized, several outcomes can occur.
The outcome decision is based on the information available and must be responsive to change. The decision should also be based on the firm's goals, processes, systems, resources, capabilities and skills. It is all about having a process that helps eliminate, or at least lessen, the impact of a risk. One size does not fit all.
C. Tools and Systems: Developing Risk Management Controls
As risks are assessed, discussions should ensue about what controls, tools and technology should be leveraged to assist in addressing risk management concerns. Often these controls involve technology solutions, which may require additional funding from the business. To this end, Senior Management may request that Compliance conduct an evaluation as to why one control is better than another and may request that alternatives be considered for a variety of reasons, including costs. Consequently, in this role, Compliance is tasked with collecting data and mapping it to the internal controls and potential risks associated with the product or activity so that the risk managers can make a strategic business decision.
Other tools which frequently are used by Compliance in their risk management efforts include:
Take action by starting with the highest risks first and discuss with line managers how the firm can drive something down from a high to a low risk. Develop protocols and test whether those internal controls are working; if gaps remain, address and try again. As appropriate, report progress to the Board of Directors (or equivalent) and/or Senior Management.
D. Conclusion
For the risk assessment process to be successful, Senior Management and the Board of Directors must be fully engaged. Policies, systems and processes must be dynamic and customized to support the firm's risk culture. The risk appetite of the organization must be clearly defined with respect to the risk tolerances and business boundaries. There should be a method to evaluate the risks and summarize the results in a measurement that is easily communicated and understood. To be effective, risk management should be incorporated into strategic planning, business processes, performance measurement and incentive compensation, with the overall process reviewed annually. Ideally, a compliance risk assessment should be conducted each year to help advance the compliance program agenda and prioritize efforts. Documenting results will help senior management to understand what is needed in terms of resources - from personnel to technology and training. Through forward thinking and timely recognition, many risks can be effectively mitigated.
Author: Michelle L. Jacko, Esq., Managing Partner, Jacko Law Group, PC. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.
This article is for information purposes and does not contain or convey tax or legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer or tax adviser.