News February 27, 2012 Issue

A Look Inside OCIE’s Risk Assessment Process

Ever wonder how OCIE conducts its risk assessments to determine which registered investment advisers it will examine?

On a panel discussing various aspects of OCIE’s agenda and operation at the Practicing Law Institute’s annual SEC Speaks program, OCIE assistant director Andrew Bowden described the SEC’s methodology of risk assessment. The panel also answered a few questions about facilitating exams and avoiding referrals to the Division of Enforcement.

OCIE’s risk assessment methodology generally can be divided into three phases, said Bowden:

  • Gathering inputs;
  • Identifying and prioritizing risks; and
  • Examination planning.

Phase one – gathering inputs.

Inputs for risk assessment can include examination findings from other agencies, filings by the registrants themselves, communications with other divisions and offices within the SEC (Office of the Whistleblower, Tips/Complaints/Referrals system, Divisions of Enforcement, Investment Management, Risk, Strategy, and Financial Innovation, etc.), media and news stories, third party performance databases, other industry databases, and the industry itself.

OCIE has launched a risk governance initiative, said Bowden. OCIE staff has been meeting with the senior leadership in larger organizations to discuss risk management and to gain a better understanding of the risks industry members perceive as significant to their organizations.

We are trying to gather the best thinking in the industry and use it to draw thoughtful conclusions, said Bowden. It is not an exact science, and a good deal of humility is part of the process, he said. "I don’t want to give a sense of precision about it."

Phase two – identifying and prioritizing risks.

OCIE’s process of identifying and prioritizing risk involves both quantitative and qualitative components, he said. As part of the quantitative analysis, the staff leverages the expertise of financial engineers to evaluate data and "separate the signal from the noise."

Such experts understand the complexity of certain businesses, can evaluate outliers with respect to peers, compare current data with past performance trends, and detect other changes and limits to technology.

The qualitative analysis relies more on the human factor, building relationships that inform the risk assessment process and promoting good decision-making from within. To further its qualitative analysis, OCIE communicates with colleagues in Enforcement, Investment Management, and other divisions and offices within the SEC for a better understanding of the information OCIE reviews, and to learn what issues are ‘top of mind’ in other areas of the SEC, said Bowden.

Phase three – examination planning.

The third phase of risk assessment in OCIE is the examination planning itself. The allocation of resources is a dynamic process, said Bowden. OCIE creates a six-month examination plan that is specific as to the registrants the staff will examine and the issues to review related to those entities. The plan is always subject to change depending on the information coming into OCIE – from tips, complaints and referrals, for example. Every six months though, OCIE reviews and recalibrates its examination plan.

Panel commentator and former SEC chairman Harvey Pitt asked what registrants can do to facilitate the examination process.

The number one best thing, said OCIE director Carlo di Florio, when we do risk assessments, we’re looking for firms to have a robust process to identify risks. We also want to see a control structure in place to mitigate and manage those risks. How engaged is senior management in the process? Does the front line business have good incentives for compliance? Does the internal audit function provide good independent verifications?

We’re also looking for basic examination facilitation, he said. A firm should have its documentation ready and make firm personnel at all levels available, for example.

It does help the exam move more quickly if a firm is ready with documentation, said OCIE deputy director Norm Champ. Our request lists are out there. Ask yourself, "where do I go to get these documents?"

Anything a firm can do to help us understand its particular business is appreciated as well, said Champ. It is a comment that we get, he said, and the staff is sensitive to that concern.

Former SEC commissioner Roel Campos asked when something turns from a "fix it please" in a deficiency letter into a referral to the SEC’s Division of Enforcement.

We do look for a proactive good culture, self-identification of issues, and internal escalation, said di Florio. Invariably, there are better outcomes under those circumstances. Where a firm doesn’t identify an issue, or identifies it but doesn’t escalate it appropriately, or the firm is not forthcoming with the regulators, those are circumstances that can lead to a referral. The decision to refer is always a facts-and-circumstances analysis, he said.

Other facts and circumstances that can lead to a referral are recidivist behavior, repeated warnings by the SEC that go unheeded, the culture at the firm, and the level of cooperation, said Champ. Champ noted that a former colleague of his once said, "one way to guarantee a referral to Enforcement is to treat the examination like an Enforcement action from the start."