Approaching risk as a compliance management strategy can help balance the day-to-day work within a compliance department for the greater good of the compliance program. When successful, the rewards can include risk mitigation, better exam results, technology and staffing efficiencies, and broader engagement within the compliance department.
The process begins with a risk assessment and involves identifying the sources of risk, assessing and quantifying the risk, and then implementing a strategy designed to manage the risk. Over time, the value of risk management can be realized as the company monitors the impact on its overall risk profile as a proactive recurring exercise.
Risk assessments present an opportunity to conduct an “if only” exercise: if only we could better manage our workloads and reduce fatigue among our personnel; if only we could apply technology effectively without compromise to risk; if only we could address complex issues with the time and attention they deserve, get more from our exam program, improve our regulatory exam results…if only.
Most compliance programs have established routines for addressing day-to-day risks within the firm. For instance, components of communications risk are addressed through surveillance engines; aspects of trade risk are addressed through exception reports; risks presented in branch offices are addressed in part through onsite exams; and so on. Such are the foundations of the compliance program.
Risk management is meant to challenge the boundaries of the day-to-day. It requires a broad perspective to assess what risk does exist, and what risk might exist. A risk assessment begins with the development of an inventory of risks.
Two approaches come to mind as effective for initiating a risk inventory, or for expanding the inventory that already exists: internal and external.
Using internal resources
One simple but effective means of gathering data is to ask personnel to list the top ten risks they believe present threats to the enterprise. Contributors should come from all ranks and diverse roles and responsibilities. There should be no limitation to the magnitude or complexity so that near- and long-term goals can be taken into account. While some consistency is probable, it is unlikely that all lists will be identical, considering that each employee has a unique vision relevant to their role. It is also possible that the most common risk cited is not one that has been top of mind at the management level. Consistency across the lists provides foundational data and illustrates consensus. Differences provide opportunities to consider unique risks that may not be readily visible from all perspectives but which may merit risk mitigation.
A second, complementary approach is to ask personnel what risk they would address if there were no limits on time or resources. This approach gives staff a chance to contribute their vision and insight to the management process while yielding additional insight into risk that might otherwise be overlooked.
Using external resources
External resources are equally valuable in gathering data for a risk inventory. Numerous external resources exist that provide meaningful content. Among them are the SEC’s Examination Priorities, FINRA’s Annual Regulatory and Exam Priorities Letter, and NASAA’s IA and BD Annual Section Reports, each a valuable if not essential tool. Also valuable are trade association and vendor reports such as SIFMA’s Capital Markets Outlook and the Verizon Data Breach Investigations Report. These resources provide meaningful context related to financial services and capital markets from a relevant perspective. Importantly, some of these resources are updated annually, providing feedback on legacy topics and introducing new considerations year on year.
FINRA has provided an example of an approach to risk assessment that offers a potential roadmap. Several years ago, FINRA solicited responses to its Risk and Control Assessment (RCA), seeking participation by BDs of all sizes. Firms were asked to complete a lengthy questionnaire that addressed categories of risk attributable to all types of firms: risk governance, cyber security, anti-money laundering, and some additional categories depending on the nature of the firm’s business: commission-based brokerage, IA asset management, trading, execution and clearing, investment banking/research-specific products, and conflicts of interest. Any or all of these categories could be used by a compliance department as a reasonable framework for cataloguing a risk inventory.
The lessons learned from FINRA’s exercise merit consideration. The RCA addressed areas of compliance and risk along the common ground of then-current rulemaking. But the RCA also ventured into lines of questioning that FINRA acknowledged were not tied to a rule or requirement. This approach illustrates an important component of how risk should be identified: not just the risk that is known, but also the risk that may be worth knowing.
It is notable that some of the areas of inquiry pursued by FINRA years ago subsequently emerged as hot topics. For instance, as early as 2015, the RCA asked about firms’ engagement with “virtual currencies.” Other versions of the RCA inquired about hiring practices related to RRs with disclosure events, and succession planning. Each of these areas has since emerged as an area of potential risk and has been the subject of guidance or rulemaking. In this respect, FINRA’s RCA exercise sheds light on how the process of identifying risk can be both evaluative and forward looking.
To summarize, when identifying risk within the firm, consideration of both internal and external input and consideration of both known and potential risks provides a broad foundation that can be built upon year after year for effective risk assessment.
For more, see part II of this blog.
The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates.
Links to external resources referenced in this blog:
FINRA Risk and Control Assessment: https://www.finra.org/sites/default/files/2017_RCA_PDF.pdf
FINRA’s Annual Regulatory and Exam Priorities Letter: https://www.finra.org/rules-guidance/guidance/reports/2023-finras-examination-and-risk-monitoring-program
NASAA’s IA and BD Annual Section Reports: https://www.nasaa.org/regulatory-resources/annual-reports/
SIFMA’s Capital Markets Outlook: https://www.sifma.org/resources/general/2023-capital-markets-outlook/
Verizon Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/