The Importance of Risk Management for Your Compliance Program

July 30, 2018

Many firm owners find compliance to be one of the more slippery aspects of the business. It’s the one topic they just can’t get a grip on. Between ambiguous regulatory interpretations and the evolution of the industry as a whole, many firms struggle to stay on top of their compliance program. Fortunately, there is one critical concept that, when properly leveraged, provides a clear and concise path to getting a handle on compliance once and for all. That concept is risk management.

Compliance is all about risk management. The idea is easiest to see once the topics regulators focus on are broken out into discrete areas of risk. With that list in hand, the compliance officer has a high-level view of everything that could affect the firm and can rate each area so the firm knows where to concentrate its attention.

So why is this important?

Time Management

Most firm owners do not have the time to read each and every regulatory publication that has ever been issued. Regulatory statutes are often written in legalese, making it difficult to translate them into practical procedures. Many rules are outdated and no longer relevant to the issues facing modern registered investment advisers (RIAs), so regulatory agencies are constantly amending them, and keeping up with every compliance risk the firm faces becomes nearly impossible. That is why it is critical that compliance officers identify, in an organized manner, the areas of risk most likely to pose a threat to the firm. Most firms simply do not have the time to do anything more comprehensive.

Display Competency to Regulators

Much of what regulators want to see in an audit or examination revolves around the competency of the compliance officer. Even if not every item is perfectly addressed in the firm’s policies and procedures, a compliance officer who can speak intelligently about the compliance program gives the examiner confidence that proper supervision is being carried out. Nothing displays a more thorough understanding of the rationale behind compliance concepts than being able to explain to regulators how the program evaluates and addresses risk.


Protecting the Clients and the Firm

Risks that are imposed upon the firm impact the clients, and vice versa. Clients trust advisors with personal, non-public information that includes intimate details of their life and paints a vivid financial picture. With that trust comes the fiduciary obligation to act in the client’s best interest. Identifying areas of risk that could impact a firm’s compliance program results in the identification of risks that could impact the firm’s clients, and ultimately the RIA as a whole.

Strategic Decision-Making

Compliance concepts impact other aspects of an RIA’s operations. For instance, understanding the compliance implications of trading with discretion may impact the firm’s decision as to whether or not it will have discretionary trading access. Perhaps the regulatory jurisdiction has a minimum net capital requirement for discretionary trading. If so, this compliance concept has an immediate impact on the firm’s accounting needs.

Or perhaps the state regulatory agency takes issue with hourly financial planning fees, declaring them to be excessive in certain cases. In this situation, the advisor may instead choose financial planning models that do not include the payment of hourly fees. When it’s time to build the website, the hourly service will not be included. So in this case, the compliance concept of fees and compensation directly impacts marketing through the website.

To summarize, while launching and running your firm, it is imperative that you implement a strategy to effectively evaluate the areas of risk that may threaten your firm, your clients, and even your professional reputation. From a strategic standpoint, knowing how to evaluate risk will be critical in decisions that may make or break your firm’s profitability. This is most effectively accomplished by performing a risk assessment.

What Is a Risk Assessment?

A risk assessment is the process of compiling a list of potential risks and giving each area of risk a score or rating that reflects two things: the probability that a deficiency will occur in that area, and the severity of the consequences if it does.

For example, suppose the area of risk is client advisory contracts. In a firm that has gotten off to a slow start and has executed few contracts, this might be rated a low-probability, medium-severity risk.

The probability of a mistake on a particular document falls as fewer documents are executed. If an error did exist, however, it could be fairly severe, because the same error may have been carried into every contract built from the same template. This is an example thought process and may or may not reflect any one firm’s circumstances.

Once each area of risk has been rated, the compliance officer can decide which areas to investigate further, starting with the most probable and most severe. This narrows the number of compliance items that need to be visited during the review, greatly reducing the time it takes to “review” the compliance program.

Why spend time reviewing trading practices if the firm is financial planning only?

For the high-risk items, the review is completed by documenting how the compliance officer reviewed and updated the relevant documentation, policies and procedures for each area deemed high risk. This information can also be used to make changes to other areas of the firm’s operations.
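The rating-and-prioritization steps above can be written down as a small risk register. The following is an added example, not code from the original article or from XYPN: it assumes a three-level low/medium/high scale for both probability and severity, a score of probability × severity, and a review cut-off of 4 (medium × medium); the risk areas and their ratings are constructed for illustration, including the low-probability, medium-severity advisory-contract case and the out-of-scope trading practices of a planning-only firm.

```python
"""Risk register scorer: an added example, not from the original article.

Assumptions (not stated in the article): probability and severity are rated
low/medium/high and mapped to 1/2/3; score = probability * severity; anything
scoring REVIEW_THRESHOLD or higher goes into the annual review set.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scale
REVIEW_THRESHOLD = 4                           # assumed cut-off: medium x medium


@dataclass
class RiskArea:
    name: str
    probability: str        # "low" | "medium" | "high"
    severity: str           # "low" | "medium" | "high"
    applicable: bool = True # False when the firm does not engage in the activity
    rationale: str = ""     # the documented thought process behind the rating

    def score(self) -> int:
        """Numeric score; raises ValueError on a rating outside the scale."""
        for label in (self.probability, self.severity):
            if label not in LEVELS:
                raise ValueError(f"{self.name}: unknown rating {label!r}")
        return LEVELS[self.probability] * LEVELS[self.severity]


def band(score: int) -> str:
    """Collapse the 1..9 score into the three bands used on a heat map."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_register(register: list[RiskArea]) -> list[RiskArea]:
    """Applicable areas, highest score first; ties broken by name for stable output."""
    return sorted((a for a in register if a.applicable),
                  key=lambda a: (-a.score(), a.name))


def review_set(register: list[RiskArea], threshold: int = REVIEW_THRESHOLD) -> list[str]:
    """Names of the areas that warrant a documented review this cycle."""
    return [a.name for a in rank_register(register) if a.score() >= threshold]


def out_of_scope(register: list[RiskArea]) -> list[str]:
    """Areas skipped because the firm does not perform the activity."""
    return [a.name for a in register if not a.applicable]


# Constructed sample register for a small, planning-focused RIA (illustrative only).
SAMPLE_REGISTER = [
    RiskArea("Client advisory contracts", "low", "medium",
             rationale="Few contracts executed so far; a template error would repeat."),
    RiskArea("Trading practices", "medium", "high", applicable=False,
             rationale="Firm is financial-planning only; no trading authority."),
    RiskArea("Advertising and marketing", "high", "medium",
             rationale="Website and social posts change often; review is ad hoc."),
    RiskArea("Privacy of client information", "medium", "high",
             rationale="Non-public personal information held on several devices."),
    RiskArea("Books and records", "medium", "medium"),
    RiskArea("Fees and compensation", "medium", "medium",
             rationale="Hourly planning fees may be questioned by the state."),
    RiskArea("Code of ethics / personal trading", "low", "low"),
]

if __name__ == "__main__":
    for area in rank_register(SAMPLE_REGISTER):
        s = area.score()
        print(f"{s:>2} {band(s):<6} {area.name}")
    print("review this cycle:", review_set(SAMPLE_REGISTER))
    print("out of scope:", out_of_scope(SAMPLE_REGISTER))
```

Run stand-alone, the script prints the ranked register, the four areas that cross the assumed cut-off, and the single out-of-scope area. The rationale field matters as much as the score: it is the written thought process an examiner will ask about, and it is what you compare against when the register is rebuilt the following year.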

By repeating this process annually, the compliance officer demonstrates ongoing supervision of the compliance program. And the best part of a risk assessment is that it gets markedly less painful each time it is performed, because the prior year’s register and rationale become the starting point for the next.


About the Author
Scott is a licensed Securities Principal with experience in both RIA and broker-dealer compliance. He began his financial services career in 2006 as a Registered Representative with E*Trade Financial in Alpharetta, GA. He has also worked with J.P. Morgan Private Banking in Chicago, IL and with Wells Fargo Advisors in Chapel Hill, NC.

Scott’s most recent role before joining Team XYPN was as Compliance Officer of Carolinas Investment Consulting, in Charlotte NC. He’s a graduate of The University of North Carolina at Chapel Hill and holds FINRA Series 63, 65, 24, 4 and 53 Licenses.

Scott lives in Charlotte, NC with his wife Meredith and their two sons, Tyson and Jackson. In his free time, Scott enjoys watching sports, exercising, and operating the charitable organization he created upon his father’s passing.

You can connect with him on LinkedIn.
