In the final rule release for Rule 206(4)-7 of the Investment Advisers Act of 1940 (“Investment Advisers Act”), which requires investment advisers registered with the Securities and Exchange Commission (“SEC”) to adopt and implement written policies and procedures, the SEC indicated that when designing investment advisory policies and procedures each investment adviser “should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations and then design policies and procedures that address those risks.” This process of an investment adviser identifying these risks is commonly referred to as a risk assessment. As RIA Compliance Consultants previously discussed, a risk assessment should serve as a mechanism for an investment adviser to identify its unique set of risks and evaluate what risks are present and how such risks affect the investment adviser and its business operations. A risk assessment should be a critical step used when developing strong written policies and procedures.
Although Rule 206(4)-7 under the Investment Advisers Act does not specifically indicate that investment advisers must conduct a risk assessment, in numerous speeches since the implementation of Rule 206(4)-7 SEC officials have emphasized the importance of the risk assessment and have indicated that an investment adviser’s compliance program cannot accurately reflect the investment adviser’s business without the investment adviser first conducting a risk assessment. Additionally, an investment adviser can expect that during an SEC examination the examiner will request information regarding the investment adviser’s risk assessment process.
The following is an excerpt from a recent letter received by an investment adviser notifying them of an SEC examination:
“The initial phase of a routine examination generally includes a review of the firm’s business and investment activities and its corresponding compliance policies and procedure. The examination staff will request information and documents and speak with the firm’s employees to ensure an understanding of the firm’s business and investment activities and the operation of its compliance program. Using the information obtained, the staff will assess whether the firm’s policies and procedures appear to effectively address the firm’s compliance program in particular areas. The information requested and the purpose for request the information is described below.
…Information about the firm’s compliance risks is requested, and the written policies and procedures that the firm has established and implemented to address those risk — to provide an understanding of the firm’s compliance risks and its corresponding controls. This information would include, for example, any inventory performed of the firm’s compliance risks and its compliance manuals or policies and procedures.”
In addition to the general information indicated above, more specific information is requested under the “Examination Information Request List.” The following are some of the items specifically requested under the “Information Regarding the Adviser’s Compliance Program, Risk Management and Internal Controls” section of this list:
“-A current inventory of the Adviser’s compliance risks that forms the basis for their policies and procedures, including any changes made to the inventory and the dates of the changes.
-Any documents maintained that map the Adviser’s inventory of risks to their written policies and procedures.
-Any written guidance that the Adviser have provided to their employees regarding their compliance risk assessment process and the process for creating policies and procedures to mitigate and manage compliance risks.”
The examination letter quoted above should be a strong indication to SEC registered investment advisers of the importance of the risk assessment process when an investment adviser is developing and implementing its compliance program. An investment adviser should develop a method for documenting the risk assessment process so that the investment adviser is prepared to provide this information to an examiner during an SEC examination. Documenting the risk assessment process is crucial in order for the investment adviser to prove during an SEC examination that it understands the process for developing and maintaining a strong compliance program. It is also important to keep in mind that the risk assessment process is not something that simply needs to be done at the time the policies and procedures are initially developed. An investment adviser should review and update the risk assessment as necessary, but no less than annually when the investment adviser performs its annual assessment. Although this article addresses the specific SEC requirements and requests, state registered investment advisers can learn from this information as well since may state securities regulators have similar requirements and expectations.
For more information concerning the risk assessments, RIA Compliance Consultants is hosting a webinar on July 25, 2013, at 12:00 PM CDT. This webinar, “Conducting a Risk Assessment/Risk Inventory” is designed to provided additional information about the risk assessment process, including the need for and the value of conducting a risk assessment. For more information or to register for this event, click here.