The weekly news source for investment management legal and compliance professionals

News March 12, 2012 Issue

The Nuts and Bolts of Risk Assessment

No clue how to build a risk matrix?

Wondering where to start and who should help?

Or perhaps you haven’t cozied up to your risk appetite profile in a while, and you want to be sure you’re covering the territory of the latest risks and conflicts.

The risk matrix.

When the topic is risk management, the discussion often begins with development of a risk matrix. Whether it’s a nine-square or a fifty-page Excel spreadsheet, it can be a great "one-stop" tool.

The SEC has posted a sample risk matrix for advisers on its web site. The sample shows how the matrix can change under increasingly complex business models, and due to growth or change in the adviser’s business. The model matrix includes four columns with the following headings (from left to right):

  • Potential Risks;
  • Examples of quality control processes and compliance policies and procedures to mitigate risks;
  • Examples of review procedures and forensic tests performed; and
  • Required disclosures/good practice disclosures.

The model document includes sample risks under each scenario that can be mined for applicability to your own business.

One assistant CCO we spoke with identified risks down the left-hand column of their firm’s matrix first by areas of firm operation, such as trading desk, record keeping, social media/website, etc., listing the risks presented under each area.

The matrix "double-prioritized" risk – first by riskiest areas of operation and then, within each area, from highest to lowest risk. The columns included action headings similar to the SEC’s model, but also columns for "owner of relevant documentation" and "board review."

The CCO would add line items to the matrix as they arose throughout the year, and would review and re-evaluate the priority of each included risk at least annually, or more often in years when circumstances changed.

Other sample matrixes we found included columns identifying the risk level (high/medium/low), personnel responsible for compliance, frequency of monitoring, and a notes column for relevant information that may not fit neatly under one of the other specific column headings.

The SEC’s Division of Investment Management (IM) itself established a risk matrix back in 2004, compiling a chart of both internal and external risks related to investment management oversight. The columns in its matrix included any mitigating or aggravating factors related to the identified risk, recommended responses, and a ranking of the severity of the risk, probability of the risk, and the time-sensitivity of the risk. IM’s first draft was 45 pages long, and identified 170 risks.

The risk matrix is only one method of capturing, evaluating, mitigating and monitoring the risks related to your business, however.

Choosing the best tool for your business.

One CCO for a manager-of-managers said her shop doesn’t use a risk matrix at all. The firm maintains a master memorandum of identified risks, responses, policies and procedures, ownership of recordkeeping, and frequency of monitoring.

"Sometimes people get overwhelmed by a spreadsheet, but with the memo, they can focus on the risks relevant to their own responsibilities," said the CCO. Also, every employee at the firm, all the way up through senior managers and the executive team, has a risk appetite chart on their desk. On a scale of one through four, risks are plotted based on the impact to the firm or a specific department should a risk occur (x axis), versus the likelihood of occurrence (y axis).

"We understand that some people process things visually, and this is a good tool for that," said the CCO. Having it on everyone’s desk is a constant reminder that risk evaluation is a daily part of the business. It also indicates when a matter should be escalated within the firm, she said.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization dedicated to enterprise risk management, offers information on risk appetite frameworks and how to set one up. The Institute of Internal Auditors has taken COSO’s framework and turned it into a step-by-step PowerPoint presentation.

Identifying potential risks.

Any number of sources are available to assist in the identification of risks relevant to your business:

  • Model matrixes;
  • Risk questionnaires;
  • Past deficiency letters;
  • Self review;
  • Employee input; and
  • Conflict of interest inventories.

For example, industry organizations often provide members a risk questionnaire that can help firms identify risks in their business. Protiviti offers a Business Risk Management Process that asks questions such as "when new key business risks are identified, is an ‘owner’ of the risk (with the appropriate skills and experience) promptly determined and charged with the responsibility and accountability to develop, implement, and manage an appropriate business risk management process?" Investment management lawyer Lorna Schnase authored a definitive white paper entitled "A 4-Step Risk Assessment for Investment Advisers," complete with a sample matrix and an inventory of risks.

A conflicts of interest inventory is a great place to start when reviewing the conflicts applicable to your business for inclusion in a risk management document.

Some organizations solicit the identification of risks and potential methods of mitigation from their personnel. "Going to the source" for input from those actually involved in or exposed to the risk-producing activities can be invaluable to the risk assessment process.

Whether the firm uses a matrix, a memo, or another form of risk management tool, the chief value of the tool comes over time. As more of a firm’s actual business practices are memorialized and more of its controls are documented, the tool becomes increasingly useful. Still, said one compliance expert, at the end of the day it is the work of firm personnel together with the compliance and legal folks that controls risk in an organization; no document is a "magic bullet."