Most advisers take time in March to attend to compliance matters, including the annual update of their disclosures in Form ADV Parts 1 and 2. Another compliance matter, often overlooked, is the performance of the advisory firm’s annual risk review. One might think that with all the time spent on compliance matters this is just another burdensome task. However, the annual risk review can be a very positive experience for the firm and its members.
The risk review typically is an internal document that is not required to be filed with the IARD, SEC or other regulator. It should identify real risks to the firm – such as the obvious disaster recovery planning we all must do – and ways in which the firm’s processes and personnel can act to reduce the likelihood of a risk manifesting or the impact of that risk on the firm when it occurs. Like many tasks, this is easier said than done.
You are probably thinking something along the lines of “and just how isn’t this burdensome” or “how can I make this easy”. Here are some thoughts on how you can make that annual risk review a positive experience. Think of the process as a chance to evaluate your business from a different standpoint than you usually employ. Consider items such as:
· What is inherently risky about the processes you use? This looks at items such as frequency and manner of trading, discretion over client funds, custody, the role of cash in the business, products recommended or sold, and the like.
· What might be risky about your personnel and their roles? Here we consider potential issues such as insider trading and personal accounts, embezzlement, failure to keep records, social media usage, stealing client information, and so on.
· Finally, what are the general business risks you face? These might include the aforementioned disaster recovery planning, as well as issues with third-party vendors of goods and services, the markets and the economy (yes, we all have to keep that in focus), changes in the laws and regulations applicable to you, and a long list of similar concepts.
Where I see the blessing in all this is the ability to see where your firm, its personnel and processes are in good shape and how minimal the actual risks may be. Taking the time for the risk review sends a signal to your employees, clients and yourself (not to mention regulators) that you take the business seriously and will continue to employ, serve and protect them all.