Risk is inherent in daily life. We all constantly wade through varying degrees of risk, from weather, pollution, plastics, neighborhood dogs, even the sandwich you had for lunch. But what about risk at a larger scale? How do companies identify, manage and monitor risk, known as enterprise risk or enterprise risk management (ERM)?
The American Institute of Certified Public Accountants (AICPA) knows a lot about risk and the management of risk. Its 2023 State of Risk Oversight Report includes specific information on financial service firms and the risks they face. The report identifies 5 major themes in enterprise risk management:
- Risk management processes may not be keeping pace with realities in the global business environment.
- Stakeholders are expecting business leaders to “up their game” regarding how they anticipate and manage risks.
- Entities struggle to integrate risk management and strategic oversight.
- Fundamental risk management elements are in place, but there is room for enhancing risk metrics to monitor emerging risks from both internal and external drivers.
- Risk governance is an important responsibility for the full board of directors; however, most delegate that to a subcommittee.
The report also highlights that Financial Services firms exhibit the highest level of enterprise risk management maturity. Financial Services firms are particularly focused on enhancing their ERM program, partly driven by regulatory expectations and the complex risk environment of the financial sector.
Making strategic decisions at your firm often involves weighing one risk against another – should we hire another adviser to manage more clients and assets, or wait? Should we integrate the latest technology to help us get ahead, or will it drain the firm’s capital? Do we have the policies, procedures and supervision in place to ensure we are limiting exposure during our daily operations? The answers to risk-related questions are often not binary, but exist on a spectrum of possibilities. Successful businesses manage their firm’s risk profile by:
- understanding the business impact of risk;
- defining risk and the parameters of the firm’s tolerance;
- monitoring for these risks;
- conducting regular risk analysis;
- providing risk reporting; and
- understanding the effects of changing parameters.
Building a Strategic Approach to Risk Management
Conduct a Risk Assessment
It is vital to conduct a firm-wide risk assessment to fully understand the various risks your firm is exposed to, and then decide how you are going to manage them. This includes understanding your firm’s risk appetite. How much risk in any given area are you willing to take?
Once your firm’s risks are identified, you must classify each risk based on the likelihood it will occur, the severity of the risk, and the tools available to manage it.
Key Risk Categories in Wealth Management
Regulatory Compliance
One of the primary risks to broker-dealers, investment advisers and other wealth management firms is the behavior of their employees. When financial advisers or registered representatives do not follow regulatory and firm rules, the result can be fines and reputational damage. Ensuring your firm has a robust compliance program, with tailored policies, procedures and testing in place, is a vital component of protecting against this risk.
Operational Risk: Operational risks generally include failures in a firm’s internal processes, people and systems, or in the third-party vendor systems your firm relies on. Outdated systems or manual processes increase the likelihood of costly mistakes. Effective enterprise risk management (ERM) involves identifying these operational risks and implementing robust control measures to mitigate them.
Data Protection and Cybersecurity Risk: Data vulnerabilities can lead to cyberattacks and breaches or can occur internally through employee actions. Conducting thorough risk analysis of your firm’s cybersecurity practices ensures that sensitive client data remains protected.
Market Risk: Changes in market conditions and geopolitical conditions can impact client portfolios and drive new behaviors. A comprehensive ERM program should consider how these strategic risks affect both short- and long-term business objectives.
Environmental Risk: Environmental disasters or localized environmental disruptions can affect how your firm performs vital functions, potentially disrupting service to your clients. Identifying risks related to environmental factors and incorporating them into your strategic plans is essential for resilience.
Additional Resources:
- Cybersecurity: Tactics for Mitigating Internal and External Threats
- SEC Amendments to Regulation S-P
- Communication Strategies To Improve Vendor Management
- Generative AI: FINRA Vendor and Communication Rules Still Apply
Risk Management – An Ongoing Process
The Risk Oversight Report points out the importance of continuous improvement in risk management practices to keep pace with the evolving risk landscape, which includes economic volatility, technological advancements, and geopolitical tensions. Risk identification and management should be an ongoing process ensuring that firms are always prepared to address both anticipated and emerging risks.
Enterprise Risk Management Moving Forward
Wealth management firms face a more challenging risk environment today than ever before. Regulators are expecting firms to do more to monitor and reduce risk, protect the markets and protect their clients. Clients are expecting firms to do more to mitigate risk, particularly around cybersecurity and personal data protection. New risks are appearing, and the criminals are getting more sophisticated in their schemes to manipulate the system. Firms not properly monitoring risk may face significant fines from the regulators, reputational damage and inhibited growth.
Implementing a well-structured ERM program is a strategic move that ensures long-term success. By identifying risks, defining risk appetite, and implementing robust risk analysis practices, firms can make informed decisions that promote stability and growth.
Specialized Risk Management for Financial Service Firms
Every business has risks, but financial services firms have unique risks that apply only to them, and they need professional attention and monitoring. Oyster Consulting’s risk management experts can help your firm identify risks, conduct risk analysis, and develop control measures to mitigate risk effectively. Our consultants gained their expertise by serving in leadership positions in financial service firms and as former regulators overseeing the industry.