By Buddy Doyle
Risk Assessments – Keeping Your Firm Focused
Oyster CEO Buddy Doyle and Polly Cordle discuss the importance of risk assessments, especially in today’s volatile financial situation. Included are best practices for creating and maintaining risk assessments, regulatory reporting around risk, and how Oyster Solutions Software makes maintaining and reporting risk assessments easy.
Understanding the risk of your organization is the key prioritizing your controls. A comprehensive risk assessment will help determine how and when to implement the processes that prevent or detect risk. The current regulatory environment places significant emphasis on customizing certain aspects of your compliance program based on the risks associated with your business model. For example, FINRA has given guidance that Risk-based Exams are the expected protocol for their member organizations. A formal risk assessment allows for the compliance and supervision efforts to be more targeted to the higher-risk issues, protecting the firm as well as the investors.
Oyster’s depth and breadth of industry experience provides significant insight when assessing risk. Oyster consultants combine their knowledge to provide a unique point of view of operations, trading, technology, finance and regulation. In addition to identifying and ranking the risks associated with the types of business at your firm, Oyster will provide recommendations for policy and procedural enhancements to achieve industry best practices for efficiently controlling those risks.
For more information about Risk Assessments or how Oyster can help your firm, call (804) 965-5400 or click here to request a complimentary consultation.
Welcome to this week’s serving of Oyster Stew, a mix of financial services, commentary and insights. Each week we’ll discuss what is happening in the industry based on what we see as we work with regulators and clients. We hope you come away with the knowledge and tools to help you make the best decisions for your firm’s future.
Polly Cordle: 0:24
So Buddy, I think we are here to talk about risk assessments today.
Buddy Doyle: 0:28
Yes, I think risk assessments are a really important component of managing an organization, and it’s interesting how many times we go into well-established firms and start looking at the enterprise wide risk assessment, and realize there isn’t one.
Polly Cordle: 0:51
I was just getting ready to say, “Wait, you find one when you get there?” It is amazing to me how many of our clients don’t have an actual risk assessment, and I recognize that, at least. I don’t know that there’s a direct rule that requires it, but it’s always asked about by a regulator, and so we always recommend that they have one. But there are a lot of firms that still don’t. So, I think it’s a great conversation to have. Where do you even start when you put together this grand risk assessment?
Buddy Doyle: 1:26
Well, where I usually start with the risk assessment is an inventory of risks, and that generally is just sort of a free form, kind of write down as many things as you can think of. Don’t over-analyze it. Don’t get into why it’s a risk or anything like that. Just start with a list, and you can get other team members in your organization around you, and just ask them, “What’s your biggest risk as an organization? What are the things that you’re worried about?” And instead of trying to get too over-engineered in it, just write down the topic, just a name, and get your inventory squared away. That is step one. Once you’ve gotten your inventory together, then you start asking yourself how you would prioritize that risk. And this is one of the beauties of having a well-established risk assessment – it really does help you prioritize everything else that comes with this. It’s amazing how much firms can spend to mitigate a very small risk, and leave large risks unattended. And so a nice risk assessment will have a severity of the risk as sort of an inherent risk that happens as a result of just being in the business, operating in a product or regulatory scheme that just comes with the territory, and how big is that risk? And that risk can fall into certain components. It could be a financial risk, which is really, really important to understand. And ultimately, most of these risks indirectly lead back to a financial risk, if not directly back to a financial risk. Is it an operational risk, where you could potentially have a series of errors? Where you have to go back and spend a lot of time cleaning things up? Even if it’s not big money, or a waste from an operational expense, it could cost you a lot of time and, in some cases, operational risks can have a great big price tag on them.
If you think about the potential magnitude of an error in your corporate actions department where you missed a stock split and make a trade or something in the last, you know, couple of weeks here with the volatility in the markets, how bad could that have potentially become with the 30% market swing? There are reputational risks. We can debate sort of the pros and cons of reputational risk. Every major organization out there that’s ever been successful, that has any history to it, has probably had some sort of regulatory finding to it. But they continue to thrive and grow because of the way they make mistakes and how they recover from them. So there’s a bunch of different ways to look at risk and to categorize those. And then it’s just agreeing on how you’re going to measure it: what’s high, what’s medium, what’s low, or how you want to quantify the severity of that risk.
Polly Cordle: 5:10
Yeah. And it seems like that risk list is constantly changing. For example, here we are in March of 2020 and I don’t think any of us had spelled out a pandemic on our risk assessments in the past, but I think it’s probably going to be a line item going forward.
Buddy Doyle: 5:28
Well, there are a lot of firms that have not. And there are some firms that certainly have. I remember updating risk assessments during the SARS outbreak, for example. Then regulators were sort of talking about pandemics, and then things go quiet. So there is a cycle to your risk assessment, and there are times when things will be high-risk that weren’t high. Certainly pandemics come to mind these days. And depending on sort of your perspective, I’ve seen people as recently as last week calling this a low-risk item who, as of this date, consider it completely high risk. So, minds can change, things can evolve very quickly. It should be a recurring process to go back and review your inventory, but also second guess your opinion now that you have new information.
Polly Cordle: 6:34
Yeah, absolutely. And you know, the regulations change, the environment changes. So it makes sense that those lists are going to change too. And it’s certainly not a one size fits all risk assessment. Those are going to differ firm to firm as well.
Buddy Doyle: 6:50
They do. And there are some good places to go on a routine basis. When I look at the annual letters from FINRA and the SEC talking about their examination priorities, I always line those up to the current risk assessment to ask myself from a regulatory risk perspective, “Am I still in sync with the regulators or have they come up with something new and novel that I haven’t considered before that I now need to come in and document and assess?” But that part is not the assessment part. That part is the “What are the risks?” part.
Polly Cordle: 7:34
Sure. That goes back to the inventory and reassessing your inventory every year, and then reassessing your assessment.
Buddy Doyle: 7:42
Yeah. So assessing risk is a little bit different in terms of what you want to make sure that you do. One question that we ask in our risk assessments, and we document that, is “Do you have a procedure that helps mitigate that risk? Do you have a system that mitigates that risk? Do you have both? And how good is that mitigation?” I think within systems there are certain things where, if you have a workflow system, that’s the only way you do it, and it makes you do it consistently every single time. Even a high-risk inherent risk can be controlled so sufficiently, then you can feel very confident that your residual risk after that control is very, very low, and you may not come back and test that risk as frequently as you would if you had a procedure that is more the honor system or that doesn’t have a systematic workflow.
Polly Cordle: 8:57
Sure. And that’s kind of in the Solutions system. That’s kind of the way we approach it. So, in the Solutions system, we have a built-out risk assessment that we implement with our clients, and we have an inventory of risks we go through with them. We’ve scored them based on our experience. Anything that touches a regulator, anything that the regulators have identified as a hot topic or that has to do with a regulatory violation, we score that really high, and the only way that we’ll score a control on the high level is if there is a system involved. If there’s absolutely no ability for human error to get in there, then I’ll give them a high score. Now, I’ll let them argue the point and ultimately it’s their system, and if they want to score something high, we’ll let them score it high, but that’s kind of how I explain it to them. It’s just like you said, unless there’s a system in place to keep there from being a break somewhere along the line, you can’t really call it completely high unless, you know, for example, like a registration in the state, there are trading systems that won’t let a trade go through unless that registered rep is registered in the state of the client’s residence. That to me is a perfect control. It’s as near a perfect control as I can get. So I’m going to score that really high. But there are other systems that don’t have that kind of trading halt in it, and that makes me uncomfortable. And so I might come down more to a medium, and that’s the way I usually approach it.
Buddy Doyle: 10:36
And what happens is, and I would encourage you if you haven’t done a risk assessment at your organization, to start simple: High, Medium, Low is a fine way to start a risk assessment. As you mature as an organization, you’ll come up with a lot of other ways to respond and be out in front of risk, and you can get more sophisticated in your scoring methods and get to Medium-High, Medium-Low, or even a quantitative type of approach to risk assessments. But, begin at the beginning. Make it as easy as you can to get started and then grow it from there. But to Polly’s point, there are really perfect systems of controls, and so when I get to a system control, one of the things I want to make sure I understand is how well-tested was that system before it went in. How frequently are we looking at the controls in there and the parameters? But the things that don’t have a systematic control, that’s where you want to ask yourself, “What is the residual risk?” You know, when you compare it to the inherent, and that should help you document how frequently you want to come back and test that control to help you assess that control. Whether it’s monthly, quarterly, annually, every two years, every three years, you get to decide that. But there’s a methodology that you want to apply to focus on the gaps between your high inherent risks and your high inherent controls.
Polly Cordle: 12:20
Sure. And I tell clients all the time, there are some things you can’t control away, like client complaints. You know, in a bad market, in a tough market and a volatile market, you can’t control it, the clients are going to get emotional. I mean, that’s going to happen. This is their life savings that you’re dealing with, and there are going to be clients that get concerned, and someone might complain along the way. So, it’s not necessarily that you can control away every risk that you come across. And I don’t think that the regulators, and you weigh in here Buddy, but my opinion is the regulators aren’t expecting you to control away every risk. They’re expecting you to be aware of the risks that you have, and that’s important to them, that you understand the risk your business carries.
Buddy Doyle: 13:11
I agree with that. And I do think that client complaints are a great way to remind yourself to go back and look at the particular underlying risks that may have come from that complaint, and how well your controls are established. “Could you have avoided that complaint?” And sometimes the answer is yes, and sometimes the answer is no. But it is true that in most environments, regulators do not expect you to have a perfect system of controls. They expect you to have a reasonable system of controls or a robust system of controls. And, over time, those things kind of move around. It does feel like at some point in our history here, we have expected perfection out of regulation and there’s been no quarter given. I think back to the broken windows theory, the small infractions are massive infractions kind of thing. And I may be overstating it a little bit from a regulatory perspective, but that’s certainly what it felt like from being on the industry side of things, and working with our clients, is that the expectation of perfection was there for a while. I think right now we’re in an expectation of reasonable and robust controls, depending on the level of risk you’re taking.
Polly Cordle: 14:45
So, Buddy, I know that in Solutions we have a really nice way that we detail the entire risk assessment. We define the risk, we give you a summary of the risk, and then we detail your control. And if there’s a workflow that goes along with that control, we’ll link it right in there with the control. And we have a detailed list of that. But what we ultimately recommend that they turn over to a regulator, if asked, is really more of a visual representation where it’s really kind of comparing the risk and controls without giving them all of that background detail. What do you recommend that clients, if asked for their risk assessment, how do you recommend that they document that? And what do you recommend when asked about what to give to regulators and how to document it and keep that record?
Buddy Doyle: 15:44
Well, I certainly like the visual look of the charts and graphs in the approach that you’ve taken, Polly, with Solutions. I think that is helpful for your executive leadership team. And it also helps regulators understand sort of how you’ve approached the risk assessment. They will ask potentially more detailed questions. And I’m a pretty transparent guy with regulators. If they ask me a direct question, I’m going to give them a direct answer and they can go as far down into your books and records as they want to. FINRA has a rule 82-10 that says we can ask you for stuff. You’ve got to give it to us. And if you create a document that is a firm record, you need to be thoughtful about it. But I do think that the graphical representation is absolutely the best starting point for a risk assessment with the client because it talks about the topic, it shows your assessment of the inherent risk and the mitigating controls. And they don’t typically, when you’ve done a thorough job, try to second guess your judgment in a harsh way. They really do, from my perspective, appreciate the thought that goes into a risk assessment because that usually drives the priorities for everything else. To show that your program is robust, it’s a thoughtful program and it’s a great starting point to deal with the regulatory exam.
Polly Cordle: 17:41
Yeah. The visual representation I think is really helpful, like you said, for Senior Management to be able to say, “Well, why is this out of whack? What could we do better in this category? You know, why is this risk higher than this control?” And I think it does the same for the regulators. So when you turn that over, they can say, “Well, okay, well, client complaints, I get that one, that one’s always going to be more risk than you can control. But why over here is your registration risk so much greater than your control?” To go to our example from earlier, it’s helpful for Senior Management and for the regulators when you present it in that visual way. But yeah, to your point, I actually had someone ask me the other day about what they could request and my answer was, “Well, what will you say to them if they ask you for something and you didn’t want to give it to them? Are you going to tell them?” No. I just can’t imagine sitting across the table and saying to a regulator, “I’m not going to give you that.” So yeah, I tend to pretty much give them what they ask for. I can’t imagine the response I would get if I said “No.”
Buddy Doyle: 18:53
I do think there are expectations of risk assessments with certain topics within an organization. The enterprise risk assessments are desired and certainly something that regulators have talked about the benefits of, the need for, and I think in larger organizations it has become the standard and an expectation. And if you don’t have one, you’re likely going to have one after your exam is over. Not immediately, but shortly thereafter. But within the anti-money laundering programs, risk assessments have long been expected, and understanding client risk and how to risk score clients and things like that. That is something that I think the large firms have certainly figured out and been moving towards. A lot of smaller firms are still coming around on that. The other topic where there is an absolute expectation that you would have a risk assessment is for your cybersecurity or information security programs.
Polly Cordle: 20:06
Very good point.
Buddy Doyle: 20:08
The NIST framework for that is a great go-to resource to help you understand what are the topics you want to cover in a cybersecurity risk assessment. In the AML program, the FFIC AML Testing Manual gets into that risk assessment process as well. These are relatively big things to take on. They take a lot of time and effort to get all the way through and, if you ever look at that FFIC Manual, it’s pretty long and it’s got a lot of content to it, but it is a valuable resource, if you can stand to get through the 800 pages or so of content.
Polly Cordle: 21:05
I’m sure that’s fun reading. Yeah, I would dare say that we are going to be seeing business continuity plans showing up as a definite line item on these things in the future. Just like cybersecurity. I think there’s going to be a bigger push now in our current environment to see how people are able to respond in this situation and kind of start scoring themselves on that item.
Polly Cordle: 21:33
Well Buddy, I think we may be out of time, so hopefully we’ve provided at least a glimmer of insight into risk assessments.
Buddy Doyle: 21:35
Yeah, I think we’ve covered the high-level approach to risk assessments and it’s important to remember though, you’ll never have a perfect risk assessment, which is why you always need to come back and reassess on a routine basis and why it always helps to get the business units involved and making sure that you’ve done a good and thorough job.
Polly Cordle: 22:18
Yeah, absolutely. Just like anything else in a compliance program or in any business, I think it’s an ever-evolving process. It never stays the same. It’s always going to be changing. That’s the way of the world. So it definitely needs to be something that’s taken into consideration at least annually.
Thanks again for listening to the Oyster Stew podcast. Don’t forget to subscribe so we can continue to bring you resources to help you make the best decisions for your firm. If you’re struggling with a topic and you’d like us to do a podcast on it, or you’d like a free consultation, feel free to reach out to us at (804) 965-5400 or by visiting our website at oysterllc.com.