
New York Office: 1140 Avenue of the Americas, 9th Floor, New York, NY 10036, (212) 706-4029

THE IMPORTANCE OF RISK ASSESSMENT AND FORENSIC TESTING FOR INVESTMENT ADVISERS

By: SEC Compliance Consultants, Inc.

The National Examination Program (NEP) of the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) currently stresses a risk-based approach to examinations. NEP is committed to focusing its examinations on higher-risk registrants and/or selected higher-risk areas of a registrant's business, which allows OCIE to manage its limited resources more effectively. In a February 2012 publication titled "Examinations by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations"[1], the SEC stated that the following factors would determine how it defines the scope of an examination:

1. Examinations generally focus on risks presented by the registrant. In some examinations, the staff focuses on the particular risk or risks that led to the examination. In other examinations, the staff seeks to identify risks requiring attention, and also seeks to obtain a more general understanding of the entity's compliance and internal control environment.

2. In most cases, the staff considers the quality of the registrant's compliance systems and its internal control environment when determining the scope of the examination and the areas to be reviewed.

Risk assessment performed by the adviser itself is key to establishing (and proving) a quality compliance system and a solid internal control environment, which may limit the scope and duration of an SEC examination. The SEC expects an adviser to have analyzed the risks of its business and adopted procedures and controls to mitigate those risks.

In fact, the SEC routinely asks in its document requests for a current inventory of the risks identified by the adviser that forms the basis for its policies and procedures, including any changes made to the inventory and the dates of those changes, as well as any written guidance the adviser has provided to its employees regarding its risk assessment process and the process for creating policies and procedures to mitigate and manage compliance risks. The more thorough the process, the more likely the SEC will see that the registrant is striving to be compliant.

[1] www.sec.gov/about/offices/ocie/ocieoverview.pdf


Understanding the Risk Assessment Process

The Relevance of Risk Assessment for Investment Advisors

Risk assessment is a phrase used to describe the process of identifying and estimating the exposure to real and potential risks. Forensic testing is colorful shorthand for the periodic tests used to evaluate the effectiveness of controls. Risk assessment and forensic testing are pillars of a sound compliance program. Risk assessment is arguably the most vital activity that a Chief Compliance Officer (CCO) should oversee in the development of an adequate compliance program. In adopting Investment Adviser Rule 206(4)-7 and Investment Company Rule 38a-1 (the Compliance Rules), the Securities and Exchange Commission (SEC) stated that each adviser, in designing its policies and procedures, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm's particular operations, and then design policies and procedures that address those risks.[2] The intention is for each advisor to create a customized compliance program based on a risk assessment that is appropriate given the nature and scope of the advisor's business. Compliance expectations for investment advisors continue to escalate as the industry swells in terms of assets.

Risk Assessment Options

When determining how to approach risk assessment, an advisor should consider its size and the depth of its business. There are various theories and approaches to risk assessment and management, including, but not limited to, those enumerated in the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control-Integrated Framework,[3] Enterprise Risk Management,[4] Key Risk Indicators,[5] and Statement on Auditing Standards (SAS) No. 109,[6] to name a few. Many financial firms rely on a variety of methodologies. However, there is no one-size-fits-all solution; a large publicly traded institution may require a much more technical process than a typical investment advisor. In the context of an advisor's compliance program, the rationale is to prevent, detect, and when necessary correct any areas where there may be violations. A violation is often the result of a risk event. When formulating a risk assessment process, there are several types of risk that an advisor should keep in mind; these can be classified by their potential consequence: financial risk, informational risk, reputational risk, and regulatory risk. Some of these risks have more obvious implications than others; however, the less obvious ones can be just as severe.
[2] Compliance Programs of Investment Companies and Investment Advisers, Release Nos. IC-26299 and IA-2204 (December 17, 2003).
[3] http://www.coso.org/publications/executive_summary_integrated_framework.htm
[4] http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
[5] http://www.continuitycentral.com/BusinessSpecificKeyRiskIndicatorspartone.pdf and http://www.continuitycentral.com/BusinessSpecificKeyRiskIndicatorsPart2.pdf
[6] https://www.aicpa.org/download/members/div/auditstd/SAS109.PDF


The risk assessment process should be comprehensive, factoring in all relevant and potential risks. Aside from the benefits to an advisor's compliance program, conducting a risk assessment of your firm can add value by forcing an advisor to take new perspectives on operations, affiliations, relationships, and even outside industry practices. The desired outcome of every business decision should be to add value. When weighing the risk of certain decisions against the potential reward, advisors consider not only the benefits presented to clients, but also those to the shareholders of the entity itself.

A Team Effort

While the CCO should oversee or manage the process, an effective risk assessment cannot be carried out by one person alone, regardless of the size of the firm. Risk assessment requires insight into the essential functions within the firm, and this is often only available through input from operational personnel. Operational expertise and varied perspectives add value to the process. It is very important that supervisors buy into the risk assessment process, not only for the financial and reputational benefits but as part of the firm's culture of compliance.

Documentation Tools

Documenting the risk assessment process has two primary benefits. First, documentation is one of the hallmarks of an adequate compliance program; evidencing the risk assessment process adds credibility and confidence to the compliance program. Second, documentation can serve as a tool to navigate the risk assessment process. Risk assessments can be documented in various ways. A grid or matrix can be used to show the various areas of compliance, where each risk corresponds to its controls. Lists or inventories are another alternative, but they tend to be less detailed and may be too simplistic for many firms. Charts, graphs, and heat maps can be used and are often preferred as visual summaries. These tools can also communicate the results of the risk assessment to parties that were not involved in the process, which makes them ideal for high-level reporting, such as to a firm's or fund's Board of Directors.

A Practical Approach to Risk Assessment

Regardless of the theories an advisor wishes to incorporate and the personnel involved, the purpose of the risk assessment is five-fold: (1) identifying the potential regulatory and operational risks associated with the activities conducted within each area of the compliance program; (2) measuring those risks with a standard set of terms or metrics; (3) prioritizing any gaps associated with those risks; (4) formulating a timely action plan to manage the risks; and (5) monitoring those risks on an ongoing basis.

Identifying the Risks

Identifying risks is the initial phase of the risk assessment process. There are two major categories of risk that advisors should consider: risks inherent to the industry (such as soft dollars, performance marketing, direct debiting of fees, and the code of ethics) and business-specific risks (such as affiliations, business lines or products, and client profile). Risks can be efficiently identified through the following four-step process.

Step One: Start with the Compliance Rule. The adopting release for the Compliance Rule identifies certain areas that each advisor should address in its policies and procedures to the extent they are relevant. To initiate the risk identification process, the advisor can brainstorm some of the risks in these same areas by asking basic questions:

- Portfolio management processes: How are investment opportunities identified and allocated? How are client restrictions or mandates monitored?
- Trading practices: Are trades bunched or blocked for multiple clients? How are trades allocated? Are disclosures about trading practices accurate and understandable?
- Proprietary trading: Does the advisor allow personal trading in the same securities that are traded for client accounts? How are conflicts managed to ensure that clients' interests always come first?
- Accuracy of disclosures: Has the advisor adequately disclosed its business, affiliations and activities to clients? How often are disclosures reviewed and updated?
- Safeguarding of client assets: How are client assets protected from unauthorized access or transfer? If clients ever send checks directly to the advisor rather than the custodian, how is this handled?
- Books and records: How are e-mails retained? How are books and records secured from unauthorized alteration or use and protected from untimely destruction?
- Marketing: Are marketing materials reviewed for misleading statements and applicable disclosures? How are solicitor arrangements documented, disclosed, and supervised?
- Valuation of client holdings and advisory fees: Does the advisor use the custodians to value client portfolios? Does the advisor fair-value positions or override third-party valuations? What valuations are used as the basis for advisory fees?
- Privacy: How is access to confidential client records controlled? How does the firm dispose of confidential information?
- Business continuity plans: How effective is the disaster recovery or business continuity plan? Does the firm have loss of key man/woman provisions?

Step Two: Review Form ADV Part 1 and Part 2A. Read through Form ADV Part 1 (as filed on IARD) as if you were evaluating the firm from an outsider's perspective, that of a potential client or a regulator. Where are the potential risks? For example, if your advisor has affiliated companies, the related risks should be included in your risk assessment. Does the advisor recommend that clients purchase insurance through a related entity? Is the advisor receiving compensation for doing so? Disclosures regarding discretion, brokerage, solicitors, and affiliations are easy places to begin. While the disclosures in Part 2A of Form ADV may be narrative and specific, they generally involve inherent risks. Form ADV responses not only provide relevant, material information about a firm's operations; the SEC also uses them to build a risk profile for each firm.

Step Three: Walk through the major operational and regulatory areas of the firm. Which areas present more risk, and what has not been identified yet? Is there a proper delineation of responsibility and oversight within the organization to prevent and deter unethical behavior? Brainstorm with operational-level personnel, leveraging the expertise and knowledge base of all staff. Be creative about the less obvious risks and create scenarios for how certain risks might manifest themselves.

Step Four: Industry information. The advisor needs to stay current on the rules and regulations. Best practices and industry buzz can help the advisor know where to focus. The advisor can find guidance in industry publications, SEC releases and speeches, and service provider knowledge bases. The adviser should also always monitor SEC pronouncements on perceived high-risk and focus areas and adjust its risk assessment process accordingly. Advisors should not overlook the value of using peers or competitors as a benchmark: assess how they are approaching compliance risks and how their operations and business lines are evolving.

This identification process should yield a comprehensive inventory of relevant risks. Depending on the documentation tool used, an advisor may take this opportunity to drill down and link each risk to a procedure. It is also useful to link policies and procedures to the staff members responsible for executing the policies and supervising their effectiveness. It is beneficial to conduct interviews to ensure individuals take responsibility, and to memorialize that responsibility in writing.


Measuring the Risks Identified

At this stage, the advisor should measure the risks identified by considering the impact and probability (or likelihood) of a risk event in the absence of controls (these are often referred to as inherent risks). Likelihood represents the possibility that a given event will occur, while impact represents its effect should it occur. When evaluating impact, the advisor should look at the impact on clients or potential clients, the impact on disclosure, financial impact, impact on reputation, and regulatory impact. The advisor should also consider materiality when assessing impact. Probability is the anticipated frequency of a risk event given the regularity of the activity or process associated with the risk. For example, the risk of incorrectly assessing quarterly advisory fees could occur on a quarterly basis. Adequate controls will decrease the probability. The measurement should provide a baseline for an advisor to assess how well its policies and procedures control or manage the inherent risk, i.e., decrease the probability or impact. Projecting and estimating these measurements should be based on the nature of the risk. Estimates of risk likelihood and impact are often determined using data from past observable events and forensic testing. This provides a more objective basis than purely subjective estimates. Caution should be used when using past events to make predictions about the future, as the factors influencing events may change over time. In addition, internally generated data based on an advisor's own experience may reflect subjective bias. Advisors may want to consider having an independent third party assist with the risk assessment or some other piece of the compliance program.

There are various methodologies that can be used to measure the impact and probability of risks, such as quantitative (1, 2, 3, 4, 5, etc.), qualitative (low, medium, high), and relative (average, below average, above average). Qualitative assessment techniques alone may be used for multiple reasons. For example, the results of qualitative assessments can capture subjective elements and be easily interpreted. Additionally, it may not make sense to quantify risks when consistent data is not available. Quantitative techniques are typically associated with more complex risk assessments and are generally used in conjunction with qualitative assessments. Although an entity need not use common assessment techniques across all areas of its business, an advisor will find it advantageous to use a consistent process and to simplify the process to the extent possible.

The following is an illustration of applying a methodology to the risks associated with obtaining best execution. ABC firm identifies a potential risk in that execution is being done through an affiliated broker. Qualitatively, the firm opines that this is a significant risk because the firm could use an electronic communication network (ECN), but chooses to use the affiliated broker for 90% of all transactions executed. The firm could be perceived as putting its own best interest ahead of its clients' best interest if it is not comparing execution alternatives and documenting its due diligence review. Quantitatively, the firm could use a 1-5 scale and rate this risk as a 5, or use algorithms to determine an estimated monetary measure. Alternatively, the firm could measure this risk in relative terms: if executing the majority of trades through an affiliated broker could present high regulatory, financial, and informational risk, the advisor may rate the risk simply as "high" or "above average" when compared to other potential risks.

Another alternative measurement approach may be to apply the performance measurements used by management in determining the extent to which objectives are being achieved. It may be useful to use the same unit of measure when considering the potential impact of a risk on the achievement of a specified objective. Management may assess how events correlate, where sequences of events combine and interact to create significantly different probabilities or impacts. While the impact of a single event might be slight, a sequence of events might have a more significant impact. Where potential events are not directly related, management assesses them individually; where risks are likely to occur within multiple business units, management may assess and group identified events into common categories. There is usually a range of possible results associated with a potential event, and management considers these potential results as a basis for developing a risk response.

Prioritizing the Risks Based on Measurements

Once an advisor has measured its inherent risks, that is, the impact and likelihood of a risk event in the absence of controls, it is time to create an action plan and prioritize the risks by first addressing the areas that have the greatest exposure in terms of their measurement. A practical technique for prioritizing risks is assessing how well existing controls address those risks. By evaluating the adequacy and effectiveness of controls, an advisor can gauge the amount of inherent risk that is not mitigated by existing controls, often referred to as residual risk. Revisiting the best execution example, the inherent risk is the risk that the firm could be obtaining better execution by using an unaffiliated broker to execute transactions. However, if the advisor reviews transactions, compares them against market executions, and finds that the transactions executed by the affiliated broker are generally better than those executed elsewhere, the advisor has likely reduced its risk. The control is the review and comparison of trades executed in the market versus those executed by the affiliated broker. The residual risk is therefore the instances in which the affiliated broker might not execute at a better price than another broker. Management should recognize that some level of residual risk might exist even after the application of controls. Areas with higher residual risk should receive priority in an action plan. Just as risk can be measured in relative terms, priorities can be classified in relative terms (high, medium, and low) or on a timeline with target dates or timeframes. An action plan should call for the development or improvement of policies, procedures, and control activities to address these risk areas, with the intent to mitigate the impact and/or probability of these risks occurring.

Managing the Risks

In executing the action plan, the advisor should take into account its risk tolerance and each risk's cost relative to the benefit of the activity that creates the risk. The advisor should identify controls that are expected to bring risk likelihood and impact within the advisor's risk tolerance. Controls may be implemented to avoid risk, reduce it, share it, and, when appropriate, accept it. For example, one advisor may determine that the risk related to potential or perceived conflicts associated with employees trading in their personal investment accounts is not worth accepting; that advisor could adopt a policy prohibiting personal trading. Another advisor may not want to be so restrictive with employees. This second advisor may be willing to accept the potential risk that an employee trade could present a perceived conflict, despite implementing policies and procedures intended to mitigate this risk. Such an arrangement would not only be a potential regulatory risk, but could also be a potential concern to clients. The advisor may be willing to accept the risk, taking into consideration that employees shouldn't be unduly constrained with regard to their personal finances as a result of their affiliation with the advisor.

Monitoring the Risks

Risk assessment, and the management of those risks, is not a one-day or one-time project. Both should be viewed as an ongoing activity. An advisor's risk assessment should be revisited during the annual review of the compliance program. We advocate that the annual review of the compliance program be conducted as a rolling review, include documented forensic testing, and tie back to the most recent risk assessment. As an advisor's business and applicable regulations change, the advisor's overall compliance program will need to evolve. Thus, an advisor should keep the risk assessment process evergreen by ensuring that it is relevant and reflective of the current operational and regulatory environment. The action plan itself should be periodically monitored and revisited.

Designing and Applying Realistic Forensic Tests

Forensic testing provides the best approach to monitoring risks and testing compliance functions.
The SEC staff has stated repeatedly, during the 2006 CCOutreach Seminars[7] and in numerous speeches and articles, that advisors should conduct various types of forensic testing as part of their annual (and interim) reviews of their compliance program. The term "forensic testing" is generally associated with technical sleuthing, such as linking evidence to criminal behavior as glamorized in popular television programs. The actual practice is far less intimidating or exciting. When the SEC references forensic testing, the agency means the testing that advisors should be conducting of their compliance programs in order to identify areas of weakness.[8] This style of testing involves gathering operational data or information and analyzing it (either directly or through various manipulations) in order to draw conclusions about particular compliance functions and controls. If the concept still seems enigmatic, a good place to start for examples of forensic testing is the SEC Examination Request List. Not only will the request list give you a good idea of where you should be conducting forensic testing, it will also offer some insight into what the SEC will be doing when they visit you to conduct an examination.

[7] http://www.sec.gov/info/ccoutreach.htm
[8] http://www.sec.gov/info/cco/adviser_compliance_questions.htm

Examples of Types of Forensic Tests

Certain forensic tests are rather straightforward.

Example 1: Advisory Fees. This can be accomplished by sampling and recalculating fees, trending instances of refunds, comparing advisory fee revenues from quarter to quarter, and cross-referencing advisory fee receivables with amounts collected from clients. If a CCO or his or her designee tests advisory fee calculations and finds inaccuracies, it would be sensible to conclude that the risk of inaccurately assessing fees is not mitigated to an appropriate level and that the compliance program in this area is weak.

Example 2: Reporting of Personal Trades. Likewise, if a CCO or his or her designee reviews the reports submitted by access persons under the personal securities transaction requirements and finds that the reports are incomplete or late, it could be an indication of weak controls. If one particular employee or the members of a particular department are consistently submitting insufficient reports, it could be an indication that risks within that department are not fully addressed. Additionally, analytical testing could include cross-referencing personal trading activity with client transactions (or pre-approval documentation) or comparing the profitability of employee transactions to client transactions. The results of these reviews indicate whether gaps remain in the compliance program, leaving exposure to certain risks already identified and assessed.

Example 3: Accurate Pricing. Why does the SEC request a list of client portfolio holdings as of certain dates? The SEC may use the holdings reports to review for window dressing or for accurate pricing.
Many firms use exchange quotes and broker quotes to value their securities, but firms also should use multiple sources and cross-check them to ensure they are accurate. If a broker is used, the advisor should conduct due diligence on that broker by inquiring whether the broker is a market maker and whether the broker back-tests its prices. One approach to testing the dependability of security valuation is an "acid test," in which the selling price of the security in the open market is compared to the most recent price obtained for that security from the pricing service. As an illustration, if a security is priced at $50/share on the 30th of the prior month and the advisor sells the security in the open market on the following trading day for $35/share, then, in the absence of material market or company-specific developments or news, the advisor should take additional steps to evaluate whether pricing risks are adequately mitigated by using that particular pricing source.

Other areas of compliance testing can be considered a bit more onerous or technical. For example, the analysis of a trade blotter can produce a wealth of information if an advisor is willing to become comfortable with the breadth of the data. It is not surprising that we find this to be an area where many firms fall short in their forensic testing. A CCO does not have to be a scientist to conduct these reviews, although a basic understanding of programs such as Excel or Access is helpful. Forensic testing of a firm's trade blotter should include searching for patterns that occur over time and that may violate the firm's internal controls or the law. A typical SEC request list provided during an examination almost always asks for the advisor's transactions. The request generally follows this format:

Please provide the following fields of data: (a) trade date, (b) settle date, (c) type of transaction (buy, sell, etc.), (d) security name, (e) CUSIP, (f) ticker symbol, (g) quantity of shares or principal amount, (h) price, (i) total commissions, (j) commission per share, (k) accrued interest, (l) other fees, (m) net amount for client, (n) client name, (o) client account number or code, (p) name of executing broker-dealer, and (q) an indication of whether the trade is stepped-out.

Why does the SEC request this information? There are multiple reasons, the most notable of which is that a trade blotter contains a vast amount of flexible data that can be manipulated to assess several different operational areas. There are a number of forensic tests that the SEC can perform on the trade blotter, and an advisor should perform these same tests internally. Here are a few tests that an advisor can conduct:

- Review transactions to detect any unreported agency or internal cross transactions. For example, review transactions where there are opposite sides of a transaction in a security on the same day, at the same price, through the same broker, and generally, but not necessarily, for the same number of shares. Review whether any clients were consistently the buyer or seller in cross transactions, and calculate the profitability of the buys and sells to see if the firm is dumping securities into certain client accounts.
- Review the total commissions (and average commission rate) paid to each broker-dealer, the particular client accounts that generated those commissions, and the average commission per share. This could indicate various issues such as undisclosed soft dollar arrangements and directed brokerage in exchange for client referrals.
- Review for patterns of short-term trading in client accounts. Ensure that this is consistent with client mandates, the client's desired level of risk, and the firm's trading philosophy as disclosed to clients.
- Review the allocation of IPOs and their profitability to determine whether any clients were favored in IPO allocations.
- Review bunched transactions to ensure that clients included in the bunch received comparable prices and paid comparable transaction costs. Further, investigate any instance where certain accounts are consistently excluded from bunched transactions.
- Review transactions involving thinly traded securities to look for indications of market manipulation. Also review transactions that could be large enough to move the market.
- Review portfolio turnover for indications of churning (or reverse churning) in client accounts.
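The first two blotter tests above, the cross-transaction search and the commission-per-broker review, written out as a script. This is an added example and is not part of the SEC3 paper: it runs over a small constructed blotter (the account codes, CUSIPs, broker names, dates and amounts are all hypothetical) using the field names from the SEC request list, pairs opposite-side trades in the same security on the same day through the same broker at the same price, tallies which account sat on which side of each pairing, and computes total commission and average commission per share by executing broker. A matching share quantity is reported but not required, since partial crosses occur.

```python
# Added example, not from the SEC3 paper. Forensic tests over a trade blotter:
# potential unreported cross transactions and commission concentration by broker.
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from itertools import product


@dataclass(frozen=True)
class Trade:
    trade_date: str      # field (a), ISO date
    side: str            # field (c): "BUY" or "SELL"
    cusip: str           # field (e)
    quantity: int        # field (g)
    price: Decimal       # field (h)
    commission: Decimal  # field (i), total commission for the trade
    account: str         # field (o), client account code
    broker: str          # field (p), executing broker-dealer


# Constructed sample blotter; every identifier and amount here is hypothetical.
SAMPLE_BLOTTER = [
    Trade("2006-11-03", "SELL", "123456AA1", 1000, Decimal("42.10"), Decimal("50.00"), "ACCT-A", "AFFIL-BD"),
    Trade("2006-11-03", "BUY",  "123456AA1", 1000, Decimal("42.10"), Decimal("50.00"), "ACCT-B", "AFFIL-BD"),
    Trade("2006-11-03", "BUY",  "123456AA1",  500, Decimal("42.15"), Decimal("25.00"), "ACCT-C", "STREET-BD"),
    Trade("2006-11-07", "SELL", "987654ZZ9",  200, Decimal("18.00"), Decimal("16.00"), "ACCT-A", "AFFIL-BD"),
    Trade("2006-11-07", "BUY",  "987654ZZ9",  250, Decimal("18.00"), Decimal("20.00"), "ACCT-B", "AFFIL-BD"),
    Trade("2006-11-08", "BUY",  "987654ZZ9",  300, Decimal("18.20"), Decimal("7.00"),  "ACCT-C", "STREET-BD"),
]


def find_potential_crosses(blotter):
    """Pair sells and buys in the same CUSIP, on the same trade date, through the
    same broker and at the same price, across different client accounts.
    Returns (sell, buy, same_quantity) tuples; the quantity match is reported,
    not required, because a cross may fill only part of the larger order."""
    buckets = defaultdict(lambda: {"BUY": [], "SELL": []})
    for t in blotter:
        buckets[(t.trade_date, t.cusip, t.broker, t.price)][t.side].append(t)
    crosses = []
    for sides in buckets.values():
        for sell, buy in product(sides["SELL"], sides["BUY"]):
            if sell.account != buy.account:
                crosses.append((sell, buy, sell.quantity == buy.quantity))
    return crosses


def cross_side_counts(crosses):
    """How often each account was the seller or the buyer in a flagged cross.
    An account that is always on the receiving side is the 'dumping' pattern
    the blotter tests look for."""
    counts = defaultdict(lambda: {"BUY": 0, "SELL": 0})
    for sell, buy, _ in crosses:
        counts[sell.account]["SELL"] += 1
        counts[buy.account]["BUY"] += 1
    return dict(counts)


def commission_summary(blotter):
    """Total commission, total shares and average commission per share, by broker."""
    totals = defaultdict(lambda: {"commission": Decimal(0), "shares": 0})
    for t in blotter:
        totals[t.broker]["commission"] += t.commission
        totals[t.broker]["shares"] += t.quantity
    return {
        broker: {**v, "per_share": (v["commission"] / v["shares"]).quantize(Decimal("0.0001"))}
        for broker, v in totals.items()
    }


if __name__ == "__main__":
    flagged = find_potential_crosses(SAMPLE_BLOTTER)
    for sell, buy, exact in flagged:
        print(f"{sell.trade_date} {sell.cusip}: {sell.account} -> {buy.account} "
              f"{sell.quantity}/{buy.quantity} @ {sell.price} via {sell.broker}"
              f"{' (exact size match)' if exact else ''}")
    print(cross_side_counts(flagged))
    print(commission_summary(SAMPLE_BLOTTER))
```

On the sample data the script flags both AFFIL-BD pairings (one exact-size, one partial), shows ACCT-A as the seller and ACCT-B as the buyer every time, and reports AFFIL-BD's average commission per share at roughly $0.0555 against $0.0400 for STREET-BD. In practice the blotter would be read from the firm's order management system export rather than typed in, and a flagged pairing is a lead to check against the cross-transaction consents and disclosures, not a finding by itself.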

As with a risk assessment and other compliance-related activities, forensic tests should result in documented conclusions (e.g., "no unreported cross transactions in Q4-2006"). While there may be some apprehension that documentation could create a roadmap for the SEC when they stop by for a visit, this documentation can demonstrate how the firm proactively addresses and follows up on compliance issues.

Capitalizing on Knowledge

Understanding the meaning of risk assessment and forensic testing, and realizing that both activities have practical and useful solutions, places an advisor in a position to get the most compliance mileage out of limited resources. A compliance program built on a thoughtful risk assessment that incorporates consistent forensic testing will give an advisor confidence that it is satisfying regulatory expectations.

About SEC Compliance Consultants, Inc.

SEC Compliance Consultants, Inc. (SEC3) provides compliance consulting services to financial institutions globally, including hedge fund and private equity fund managers and other investment advisers, investment companies, broker-dealers and transfer agents. SEC3 can assist with regulatory compliance needs and bridge the gap between a firm's operations and current regulations. For details, please visit www.seccc.com or contact Janaya Moscony at 1-212-706-4029, ext. 214.
