Risk Management Panel at the NRS Compliance Conference

These are my notes from the NRS Fall Compliance Conference.

Robert B. Hirth, Chairman, Committee of Sponsoring Organizations of the Treadway Commission
Fred Shane, Chief Risk Officer, Commonwealth Financial Network

Should CCOs be Taking on the Additional Role of a Chief Risk Officer?

It Depends, of Course
• Compliance requirements, degree of regulation, risk
• Objectives
• Complexity
• Size
• Ability to source talent
• Peer companies
• Regulatory constraints
• NO single right answer, NO one size fits all

The SEC is starting to use concepts of risk measurement in its inspection program.

SEC’s “Core Initial Information Examiners Request of Investment Advisers” includes the following:

  • “On-going Risk Identification and Assessment Inventory of compliance risks that forms the basis for policies and procedures and notations regarding changes made to the inventory.
  • Documents mapping the inventory of risks to written policies and procedures.
  • Written guidance provided to employees regarding compliance risk assessment process and procedures to mitigate and manage compliance risks.”

The SEC has published an “Investment Adviser Scenario Analysis/Risk Matrix” on its web site: http://www.sec.gov/info/cco/cco_matrixguide.pdf

The SEC has also published a “Risk Inventory Guide” on its web site: http://www.sec.gov/info/cco/red_flag_legend_2007.pdf. The Guide lists twelve categories of risks for an investment adviser. According to the SEC,

“[a]s a CCO responsible for your firm’s compliance, you should determine what risks are present and how they might affect your firm and its operations, assess whether the controls in place to manage or mitigate these risks are adequate, and make or recommend modifications to the compliance policies and procedures as necessary.”

Risk management has a bigger scope than compliance.

Risk Reporting and Tracking

Use a Risk Management Database

  • Impact – how severe is the risk?
  • Likelihood – how probable is the risk?
  • Vulnerability – how exposed is the firm to the risk?
  • Priority – how does the risk rank against others?
  • Velocity – how fast does it happen?
  • Persistence – how long does the impact last?

Internal controls – go beyond brute-force automated systems and think of them as control activities. A meeting can be a control.

The COSO update articulates the following principles of effective internal control:

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Author: Doug Cornelius