A healthy compliance program seeks to contribute to the continuous improvement of the enterprise. A risk management program can provide a foundation for monitoring progress toward risk mitigation.
In my last blog, I discussed the first step of a risk management strategy: assessing and developing an inventory of risks both known and worth knowing. By the time the assessment is complete, you should have identified the areas where risk mitigation is indicated. Some participants may be incentivized to seek improved regulatory exams, efficiencies in technology and staffing, and broader engagement within the enterprise as a whole. Others may envision opportunities to reduce the impact of workload logjams, apply more of their time to complex projects, or proactively address gaps between compliance and other business units.
This blog addresses the second step: implementing a risk management program based on the assessment. This step harnesses momentum from the inventory process to design a structured approach for addressing and monitoring identified risks. The approach involves prioritization that leads into mitigation strategies.
Quantifying the risks inventoried in the assessment paves the way for prioritization. The formula for quantifying risk is often represented in this equation:
risk = likelihood x severity
This formula is straightforward and concise, even in the context of broadly varying underlying circumstances, and can be methodically applied to known risks (past exam results, past enforcement, customer complaints, and so on) and potential risks (a new business line, staffing turnover, budgetary matters, regulatory uncertainties, and the like) to provide a meaningful basis for prioritization.
To the equation components, a firm can apply numerical values (1 to 5), colors (white, green, yellow, red), or terms (remote, possible, likely, extremely likely). These results are objective: a number, a color, or a descriptor. However, getting to a result involves significant subjective input from qualified professionals whose experiences with the enterprise and its strategic business direction will ultimately determine the value. This subjective insight from qualified, experienced personnel is key to the process, since a simple equation cannot account for the myriad factors that influence risk.
For example, let’s consider how to quantify the risk associated with hiring new sales personnel. Many would agree this represents moderate risk and might assign it 3 out of 5 on a numeric scale, due to the possible risk associated with new registered representatives and the moderate severity of a compliance issue. However, this objective measure does not take into account the firm’s business strategy for growth of its sales force, so subjective insight is necessary to more accurately quantify risks.
In this example, a firm hiring sales personnel into geographically dispersed locations without onsite principals may have a different level of risk exposure than a firm hiring into an established brick-and-mortar OSJ. Alternatively, a firm with lofty new expansion goals may have a different risk profile than a firm seeking to replicate established hiring trends.
Considering the status of hiring in light of specific circumstances like these requires insight into the overall business. These insights help prioritize risks and design the mitigation strategy.
Ebook download | AI insights survey: Adopters, skeptics, and why it matters.
It must be acknowledged that the fundamental process of assigning a score to a risk factor can make some compliance professionals queasy. What if the firm ranks a risk 5 out of 5, then fails to achieve progress toward mitigating the risk? What if a risk ranks 1 out of 5 but turns out to be the underlying cause of an otherwise unanticipated material risk event? While no risk management program can accurately predict all targets and outcomes, quantifying risk provides a framework to move forward.
Once the risks have been quantified, it is time to develop a risk management program: a straightforward action plan with reasonable goals.
As in the ranking process, development of the program should take into account both the objective valuation and the subjective assessments of each risk factor. Though it may be difficult to gain consensus on the appropriate steps to address any given risk, external resources such as regulatory guidance and rule-making can be useful:
A fundamental concept of the risk management process is that there is no end point; there is only progress. Progress can be measurable by trends that begin at the point of implementation and develop over time. The hypotheses, projections that certain actions will have a certain effect, provide the firm with checkpoints and opportunities to revise expectations. The risk management program should provide a basis for ongoing monitoring that will enable measurement against the hypotheses. Results should be readily understandable, but not promissory.
FINRA provided a usable example of a reasonable objective in describing the role of its Risk Control Assessment (RCA) as a component of its overall examination program, stating, “the goal of [the RCA] is to have our examiners better prepared when they arrive at firms and more focused on those areas that present a real risk” (link). This is clearly understandable, without committing to a specific result, by using “better” and “more” rather than “best” and “most.”
Strategies can range from minor tweaks to broad overhauls. Whatever the plan, it is both reasonable and practical to determine targets in the context of real-life circumstances, available resources, and of course, the constraints of what seems to consistently be a shorter-than-imaginable 12-month compliance year. The firm might make a minor modification to an exception report, it could dedicate additional resources to an existing risk factor, it might determine that resources can be shifted from one individual or department to another for a fresh set of eyes, or it might start from scratch and overhaul a supervisory procedure entirely. Any of these approaches, and many variations in between, are worthy of consideration.
On the continuum of compliance risk management, realized or prospective, less or more: progress is progress.
The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates. Fidelity does not assume any duty to update any of the information. Fidelity and any other third parties are independent entities and not affiliated. Mentioning them does not suggest a recommendation or endorsement by Fidelity.
1083629.1.0