By Buddy Doyle, Mary Catherine Wilck-Pond, Bill Reilly and Mark Norman
We’ve Been Using Risk Assessments for Years – Here’s What We Have Learned
Regulators have been approaching their exams and regulatory requirements from a risk-based perspective, and use those assessments to evaluate how firms are controlling for the risks they have.
Transcript provided by TEMI
Libby Hall: Welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. Regulators have been approaching their exams and regulatory requirements from a risk-based perspective. To this end, regulators use risk assessments to evaluate how firms are controlling for the risks that they have. In today’s podcast, Part 1 of 2, about using risk assessments as a tool in your compliance program, Oyster’s experts, some of whom are former regulators themselves, share why they use risk assessments, and you should too. Let’s get started, Buddy.
Buddy Doyle: Thank you, Libby. I’m Buddy Doyle. I’m really pleased to be joined today by Bill Reilly, Mary Catherine Wilck-Pond, and Mark Norman. And today we’re going to be talking about risk assessments. You hear an awful lot about risk-based compliance and doing risk assessments for cybersecurity, for AML, but Mark, maybe you could start us off today by telling us a little bit about why firms do risk assessments.
Mark Norman: Sure, yeah. It’s not a matter of, you know, whether or not you’ll face risks. It’s a matter of whether or not you’ve proactively identified risks that your firm is going to face, and then have you put controls in place to mitigate those risks. And then in practice, do those controls actually work to mitigate the risks you’ve identified? So as a good business practice, it’s a good thing to do. And then secondarily, or maybe primarily, a reason would be that your regulators are also looking at the risks that your firm faces and then evaluating your firm based on how well you identify and mitigate the risks of your firm.
Buddy Doyle: Yeah, and that’s actually a good point. I know regulators do their own risk assessments of organizations. And Mark, you used to work at FINRA, which is one of the primary regulators for our clients, which are broker dealers and investment advisors. They don’t regulate investment advisors. They know where they are because they host all of their licensing information and registrations. But at FINRA, I know, they looked at risk in different categories and buckets. Can you give us a little sense of how FINRA looks at risk?
Mark Norman: Yeah, of course. FINRA has nine risk categories that they’ve identified that their member firms face. And they’ve got six categories on the financial and operational side. And then three identified risks on the sales practice and business conduct. On the risk side, the FOP risks that they’ve identified are credit market risk, net capital, segregation of customer assets, liquidity, and operational risk. And then on the sales practice and business conduct side, they’ve identified fraud and deception, money laundering, and sales practice risks. Your firm may actually identify more because some of those categories could be subdivided into more specific categories. Those are the big risks that FINRA has identified. And they take each of those nine risks and they say, Does the firm have good controls?
Do they have moderate controls, or do they have poor controls for each of those risks? And they create a grid, and they rank your firm and say, Yeah, you’re good, or, Yeah, you’re bad. And they actually make those assessments by virtue of the exams they could conduct. And then even by the phone calls that you might have with your risk monitoring analysts to talk about focus filings or to talk about a cause exam, they’re internally saying to themselves, does my firm understand the net capital implication of A and B and C? Does my firm understand the risks of the products that they’re selling, and do they understand what kind of trouble they could possibly get into? And then of course, hopefully your risk monitoring analyst is following up with you and saying, well, what are you going to do about A and B and C? And hopefully you have good answers. And FINRA is satisfied and says, Yeah, these guys are on the ball. They’re really sharp and we don’t need to come visit them as often as I thought.
Buddy Doyle: And Bill, you’re a former state regulator and, of course, there’s 50 states that act in 50 different ways, if you don’t count the state of confusion that often comes from that. But <laugh>, state regulators look at risk assessments, or do they look at risk assessments?
Bill Reilly: Well, thank you, Buddy. As you indicated, I’m a former state regulator and used to run the State of Florida Examination Program. One of the things that we did is, there are two focuses, three focuses. Two of them occur a lot more often than the others. State regulators are responsible for state covered advisors. They will also look at broker dealers, primarily those that may be domiciled in their states, and they also look at branch offices. So, as Mark indicated, there’s a lot of systems out there for handling risks that are on the broker dealer side. When you’re talking about the states and the SEC, they’re generally the sole regulators of investment advisors. The states have state covered advisors; the SEC has federally covered advisors. The states do have jurisdiction for both state and federally covered investment advisor representatives.
But one of the things that we did in Florida, and some other states also adopted this, is we did a rudimentary risk assessment by downloading information contained in the IAPD. A lot of information, such as products, services and so forth, looking at number of reps, number of branch offices, products and so forth. And what we would do is run a program very similar to what FINRA does, and I’m sure the SEC does. And based upon that, we would come up with a hierarchy of which investment advisors have the highest risk. And then based upon that, we would make a determination as to which firms to focus on. And then, as Mark said, one of the things the regulators utilize is the risk assessment. It is anticipated and expected. It’s in the best interest of a firm, not only for regulation, but also for customer service. Remember, you’ve got your clients out there that you want to make sure they believe in you. They look at the information and the way you operate, and they want to be aligned with the firm that they know has a real focus on regulation.
Buddy Doyle: Bill, again, regulators sometimes help us look at risk a little bit differently. I know you kind of come around to us routinely and say, we should be looking at these kinds of risk. Where do you get that kind of information from, Bill?
Bill Reilly: I think it’s a good point, Buddy. Of course, as everyone knows, risk assessments are not stagnant. And again, you mentioned about internal matters, but you’re right, there’s a lot of things that occur outside of the firm. And one of the things that we always look at – the SEC and FINRA always come out at the beginning of each calendar year with examination priorities indicating what areas of concern they’re going to look at. What are they finding in their examinations, client complaints and other information that firms may not have good expertise in, or even know that this is something that they should be checking. So I think those annual calendar year priorities; also, you look at FINRA, which comes out with notices and guidance. The SEC comes out with certain information and guidance during the year. We also look at administrative actions that are brought by the regulators from the state perspective.
One of the things that happens every year, and it happens about this time every year, is NASAA issues an enforcement report, which talks about enforcement issues and actions brought against both registered and unregistered individuals. A lot of good information is contained in those documents. And I also think one thing that’s also important is that from time to time, NASAA will issue a document of investor threats, where they may look at the top 10 investor threats, again from both the unregistered and the registered side. So all good documents, all good information, it may not be applicable to you, but if it is applicable, you need to go back through the process of recognizing it, implementing it, training and testing.
Buddy Doyle: Speaking of training, Mary Catherine, I know you’ve done an awful lot of training to firms. I think these annual priorities are great to work into your needs assessment for annual training. How does your risk assessment inform your needs assessment for training?
Mary Catherine Wilck-Pond: Well, I think that just like you should be looking at policies and procedures on a regular basis, as Bill mentioned, your risk assessment isn’t a one and done. And you need to be looking at that. You need to be paying attention to what’s going on in the industry, and you need to be regularly training your folks, bringing to their attention some of these issues that maybe the SEC, state regulators, and FINRA are finding. And make sure that your staff is very aware of what’s going on out there. And don’t think that training should occur annually and only annually. As things arise, make sure that your staff is aware of what’s happening, and they are very much in tune to what’s going on in the industry.
Buddy Doyle: Yeah. And I think every week here at Oyster, we have our Weekly Huddle where the whole firm gets together and we do sort of the ripped from the headlines section where we talk about the things that are either regulatory hot topics, findings, system outages, market crashes, things like that. And I think you can learn from that process how to get into your risk assessments relatively quickly. And it’s just taking those things and developing that discipline around that. And I know it is part of an ongoing process of both managing your risk, maybe avoiding some risk, and looking at how you’re controlling that risk.
Mark Norman: You know, one thing we’ve talked about is all these risks, and the regulators have identified these risks and there’s a lot of information out there. It can seem overwhelming because <laugh>, it’s a lot, but these plans need to be tailored to your firm. FINRA has the nine risks. And you might read through ’em and say, Well, the credit risk, well, we don’t loan any money, we don’t owe anybody money, nobody owes us any money, right? So you might think to yourself, Well, that’s a risk we’ve identified or not identified, and then you can move on, right? So it’s important to tailor it to your firm and not become overwhelmed with the sheer volume of what the regulators are asking, because ultimately, you know your business better than the regulators, and the regulators come out and they paint with such a broad brush, right?
The rules and regulations they come up with are meant to deal with the largest and most complex firms that we have. So I feel that a lot of times the smaller broker dealers, and there’s a lot more smaller broker dealers than there are big ones, they get caught up in the minutiae and the details that would be really applicable to a huge firm, a firm with 10,000, 20,000 reps. And that’s a place where a consultant can come in to help you separate the wheat from the chaff – Here are the important things to your firm. You don’t need to worry about everything here because that’s for the big boys to deal with. And here are the important points for a firm like yours.
Mary Catherine Wilck-Pond: To add to that, it goes back to policies and procedures. You don’t necessarily have to have a 100-page policy around something. You also don’t need to have a single paragraph around something. So ensuring that you are tailoring your risk assessment, your policies and procedures to your firm’s business model is just so very important.
Bill Reilly: Yeah. If I can follow up on what Mary Catherine just said, one of the things, and it’s been almost 10 years since I was a regulator, is that when people would have issues, they would come in to talk and we would try to resolve an issue. People would say, Mr. Reilly, all I have as a registered rep or for my broker dealer is my reputation. Reputations are very important to your business. Firms that don’t have great reputations, people know about it. There’s a lot of information, a lot of talk, and so forth.
Buddy Doyle: You will experience risk, you will assess your risk. You will say, I might get this. It’s got a high inherent risk, I got a good control around this thing. But you will experience risk. We have BCP plans for a reason. And that’s because you will experience risk if you are a successful business. And you may not need to focus on every area of what other firms have in their BCP. As a small firm, you may rely on your clearing firm for their back-office technology. You may not be cutting checks to your clients. They may be cutting checks to your clients, and you can look at how you’re structured and how you operate. And you don’t have to completely get rid of every single kind of risk. There’s, Bill’s in Florida, there might be a hurricane in Florida.
That would be a risk that is probably a lot more significant than in Iowa. But, you know, Iowa has risks as well. They might have snowstorms. And of course nobody’s going to get a pandemic, but we still have to have them in our plans. Or at least that’s what everybody said during the bird flu. So I think it really is, when regulators are talking about things, sometimes it feels like they’re making you do something for no reason. Sometimes you feel that way for years and years, but I do think that you’ve got to make sure that you understand you will have risks. What do you do when those occur? And if there is a cyber breach, do you have a plan to respond to that? Do you know that you’re supposed to contact your primary regulator? Do you know what the reporting requirements are?
Do you have a team ready to go to get those things resolved? I think those are all things that you need to work through as you’re doing your assessment. And you don’t have to get it perfect the first time. You can’t get it perfect. It, to Mary Catherine’s point, never ends. I am a huge fan of blunt disclosures. Put it in there, talk about it overtly, because it is the way to protect your organization. The people that read those blunt disclosures tend to be plaintiff’s counsel and regulators. You don’t get a lot of questions from your customers about your disclosures. They don’t read them. They’re too big. They take too long. But I think that you want to make sure you have really, really good disclosures. If you can mitigate that risk and you feel comfortable that you can do things, and then there will be times where you just avoid the risk while things play out. A lot of firms have taken that approach with crypto, with digital assets. I’m not going to trade any digital assets because it’s too risky. And I think you let the market settle out until that becomes a normal thing of trading crypto, or more normal, closer to normal. And again, you can’t avoid risk. But I do think you can manage through that, and I think it’s just impossible to have a risk-based approach to compliance without a risk assessment.
Libby Hall: Thanks, everyone, for listening. If you’d like to learn more about our experts, our Oyster Solutions Governance, Risk and Compliance Software, or how Oyster can help your firm, visit our website at oysterllc.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find us.