SEC Highlights Importance of Risk Assessments

The SEC stated in their 2015 Examination Priorities that, as was the case in prior years’ priorities, the Commission will conduct “focused, risk-based examinations”. This guidance confirms that investment advisers should be engaged in identifying risk areas and working to correct any deficiencies prior to the SEC conducting an examination. We have also recently seen a number of our client firms being requested by prospective investors to show them their risk assessments.

All investment advisers owe fiduciary duties to their clients. This means that advisers have an obligation to act and provide investment advice in their clients’ best interest. The SEC says advisers owe their clients a “duty of undivided loyalty and utmost good faith” and describes this as not engaging “in any activity in conflict with the interest of any client” and taking “steps reasonably necessary to fulfill your obligations” as well as taking “reasonable care to avoid misleading clients”. The Commission expects you to provide “full and fair disclosure of all material facts to your clients and prospective clients” under this obligation. The idea of a fiduciary duty is the foundation of the rules set forth in the Investment Advisers Act of 1940 and should be taken seriously by all investment advisers. Below we have outlined some concepts that will refresh your memory and help you get “back to basics” when it comes to risk assessment and mitigation.

There are several ways an investment adviser can approach an analysis of their risks and conflicts of interest, and each adviser should identify those risks and conflicts of interest that are relevant to their particular business. The identification of risks and conflicts should be easily repeatable and should be firm-wide. Such a process may include any one, or a combination, of the approaches below, as described in a 2009 SEC CCO Outreach Seminar.

  • Top-down: a simple approach to risk assessment in which management identifies the conflicts of interest and other risks the firm confronts.
  • Layered: committees are used to identify the conflicts of interest and other risks present within each area of expertise (e.g., portfolio management committee, brokerage committee, pricing committee, IT oversight committee, internal controls committee and corporate governance committee). Such committee input is compiled and summarized into a firm-wide program.
  • Bottom-up: each employee or group of employees provides input regarding the potential conflicts of interest and other risks that the firm confronts in the employees’ respective areas of expertise.
  • Dedicated risk staff: a group of individuals is responsible for managing the risk assessment process and ensuring risks are properly assessed, inventoried and managed.

Identification of potential risks will then lead to an inventory of risks that reflects the firm’s current environment. These identified risks should not be static; they should evolve and change as the firm changes. By performing this type of risk identification process, a firm can demonstrate that it is cognizant of its risks and that it is taking steps to diminish them on an ongoing basis. A large percentage of recent SEC examination request lists have included a request for documentation pertaining to the standard operating procedures for risk mitigation.

The questions advisers should be asking themselves when reviewing their policies and procedures to ensure proper assessment of risks should include:

  • Have you conducted an effective “risk assessment” (i.e., evaluated how your activities, arrangements, affiliations, client base, service providers, conflicts of interest, and other business factors may cause violations of the Advisers Act or the appearance of impropriety)?
  • Did this risk assessment serve as the basis for developing your compliance policies and procedures?
  • Do you periodically re-evaluate your risk assessment to determine that new, evolving, or resurgent risks are adequately addressed?
  • Are your compliance policies and procedures designed to manage and control the compliance risks identified in your risk assessment?
  • Does the implementation of your compliance policies and procedures reflect good principles of management and control?
  • Do you regularly conduct transactional or quality control tests to determine whether your activities are consistent with your compliance policies and procedures?
  • Do you conduct periodic tests to detect instances in which your policies and procedures may be circumvented or where there may have been attempts to take advantage of the gaps in your policies and procedures?
  • Do these tests produce exceptions or other reports? Does knowledgeable staff review these reports, follow up on any exceptions, and resolve problematic items found in a timely manner?

An easy way to keep all of these procedures in a centralized place is to create and maintain a Compliance Calendar. Such a calendar would include reminders to perform testing and analysis of current firm policies and procedures as outlined in the firm’s Compliance Manual. When conducting their annual review, firms should remember to reference the risk inventory they created, documenting the processes implemented and the findings from any forensic testing conducted.

SEC3 can assist your firm in assessing and improving your risk policies and controls. We can also assist specifically with conducting risk assessments, providing a customized compliance calendar and an annual review. For further information, please contact your SEC3 representative or contact us at

Lastly, please make sure to check out our upcoming events here. Email announcements to follow shortly.