How to Build a Risk Management Plan

By oysterroot

Graphic representing the steps in selecting a risk management plan.

Risk is inherent in daily life. We all constantly wade through varying degrees of risk, from weather, pollution, plastics, neighborhood dogs, even the sandwich you had for lunch.  But what about risk at a larger scale?  How do companies identify, manage and monitor risk, known as enterprise risk or enterprise risk management (ERM)?

 The American Institute of Certified Public Accountants, AICPA, knows a lot about risk and the management of risk.  The AICPA’s report, 2023 State of Risk Oversight Report by AICPA,  includes specific information on financial service firms and the risks they face.  They have identified 5 major themes in enterprise risk management:

  • Risk management processes may not be keeping pace with realities in the global business environment
  • Stakeholders are expecting business leaders to “up their game” regarding how they anticipate and manage risks.
  • Entities struggle to integrate risk management and strategic oversight.
  • Fundamental risk management elements are in place, but there is room for enhancing risk metrics to monitor emerging risks from both internal and external drivers.
  • Risk governance is an important responsibility for the full board of directors; however, most delegate that to a subcommittee.

The report also highlights that Financial Services firms exhibit the highest level of enterprise risk management maturity.  Financial Services firms are particularly focused on enhancing their ERM program, partly driven by regulatory expectations and the complex risk environment of the financial sector.

Making strategic decisions at your firm often involves weighing one risk against another – should we hire another adviser to manage more clients and assets, or wait? Should we integrate the latest technology to help us get ahead, or will it drain the firm’s capital?  Do we have the policies, procedures and supervision in place to ensure we are limiting exposure during our daily operations? The answers to risk-related questions are often not binary, but exist on a spectrum of possibilities.  Successful businesses manage their firm’s risk profile by: 

  • understanding the business impact of risk;
  • defining risk and the parameters of the firm’s tolerance;
  • monitoring for these risks;  
  • conducting regular risk analysis
  • providing risk reporting; and,
  • understanding the effects of changing parameters.

Building a Strategic Approach to Risk Management

Conduct a Risk Assessment

It is vital to conduct a firm-wide risk assessment to fully understand the various risks your firm is exposed to, and then decide how you are going to manage them. This includes understanding your firm’s risk appetite. How much risk in any given area are you willing to take? 

Once your firm’s risks are identified, you must classify each risk based on the likelihood it will occur, the severity of the risk, and the tools available to manage it.

We’ve Been Using Risk Assessments for Years – Here’s What We Have Learned

Key Risk Categories in Wealth Management

Regulatory Compliance

One of the primary risks to broker-dealers, investment advisors and other wealth management firms is behavior of its employees. When financial advisers or registered reps do not follow regulatory and firm rules, it can result in fines and reputational damage. Ensuring your firm has a robust compliance program with tailored policies, procedures, and testing in place is a vital component to protecting against risk. 

Building a Robust Broker-Dealer Compliance Framework

Strategies for RIA Compliance: A Roadmap for Registered Investment Advisers

Operational Risk: Operational risks generally include failures in firms’ internal processes, people, and systems, or in third-party vendor systems your firm uses. Outdated systems or manual processes can increase the likelihood of costly mistakes. Effective enterprise risk management (ERM) involves identifying these operational risks and implementing robust control measures to mitigate them.

Data Protection and Cybersecurity Risk:  Data vulnerabilities can lead to cyberattacks and breaches or can occur internally through employee actions.  Conducting thorough risk analysis of your firm’s cybersecurity practices ensures that sensitive client data remains protected.

Market Risk:  Changes in market conditions and geopolitical conditions can impact client portfolios and drive new behaviors. A comprehensive ERM program should consider how these strategic risks affect both short- and long-term business objectives. 

Environmental Risk: Environmental disasters or localized environmental disruptions can affect how your firm performs vital functions, potentially disrupting service to your clients. Identifying risks related to environmental factors and incorporating them into your strategic plans is essential for resilience.

Additional Resources: 

Risk Management – An Ongoing Process

The Risk Oversight Report points out the importance of continuous improvement in risk management practices to keep pace with the evolving risk landscape, which includes economic volatility, technological advancements, and geopolitical tensions. Risk identification and management should be an ongoing process ensuring that firms are always prepared to address both anticipated and emerging risks.

Enterprise Risk Management Moving Forward

Wealth management firms face a more challenging risk environment today than ever before. Regulators are expecting firms to do more to monitor and reduce risk, protect the markets and protect their clients. Clients are expecting firms to do more to mitigate risk, particularly around cybersecurity and personal data protection. New risks are appearing, and the criminals are getting more sophisticated in their schemes to manipulate the system. Firms not properly monitoring risk may face significant fines from the regulators, reputational damage and inhibited growth.  

Implementing a well-structured ERM program is a strategic move that ensures long-term success. By identifying risks, defining risk appetite, and implementing robust risk analysis practices, firms can make informed decisions that promote stability and growth.

Specialized Risk Management for Financial Service Firms

Every business has risks, but financial services firms have unique risks that apply only to them, and they need professional attention and monitoring.  Oyster Consulting’s risk management experts can help your firm identify risks, conduct risk analysis, and develop control measures to mitigate risk effectively. Our consultants gained their expertise by serving in leadership positions in financial service firms and as former regulators overseeing the industry.  

Get The RIA Registration Guide Streamline your RIA’s SEC registration with expert-backed strategies.   
Plan Your BD Registration  Avoid delays and missteps—get strategic guidance for your broker-dealer launch.   

Related Content

pink and orange camera lens represents REG SCI compliance

Blog

Reg SCI Compliance: How to Prepare for Your Annual Audit

What is Regulation SCI? In late 2014 the Securities and Exchange Commission (SEC) voted to adopt rules designed to strengthen the technology infrastructure of the US securities markets, requiring entities to have comprehensive policies and procedures in place for market impacting technologies. Regulation Systems Compliance and Integrity, dubbed “Reg SCI” in the financial community, these […]

Learn More

Article

The Complete Guide to Starting Your Wealth Management Firm in 2025

Starting a new Registered Investment Advisor (RIA) or broker-dealer is an exciting choice for a financial professional. However, it is also very complex. Whether you’re planning a RIA startup, exploring broker-dealer setup, or pursuing a hybrid model, navigating registration requirements, building infrastructure, and ensuring compliance from day one takes more than good intentions. At Oyster […]

Learn More
a wealth management team considering starting a firm

Article

Starting a Wealth Management Firm: Steps for Success

If you’re ready to break away and build your own firm, now is the time. Whether you’re pursuing broker-dealer formation or new RIA registration, starting a wealth management firm offers the freedom to design a business model that aligns with your goals, values, and clients’ needs. But launching a firm—particularly one that is required to […]

Learn More
Get In Touch Scroll Up