A new SEC requirement can actually be good for your business.
The SEC is beginning to look at "best practices," said Linda Shirkey, president of Shirkey Consulting in Houston, a 13-year-old company in the business of helping advisors meet compliance requirements and accomplish other regulatory tasks. "The SEC wants advisors to run better businesses," she said, and it's in this spirit that Shirkey's firm helps advisors prepare their "risk assessment documents."
It seems the SEC is slipping more and more into its audits. As soon as we think we've got a set of policies and procedures to keep the agency happy, it comes along and expands its list of documents that it will request during your next audit. So, if you're behind on your "compliance reading," the risk assessment document is a result of the SEC's requirement that you maintain (and test annually) a disaster recovery/business continuity plan.
Essentially, this document demonstrates to the agency that you've reviewed your investment advisory business and identified areas of high risk that, in turn, should be tied into your firm's policy and procedures manual, Shirkey said. Topics that should be in your policy and procedures manual and, correspondingly, in your risk assessment document, include advertising, advisory agreements, affiliated entities, agency cross transactions, anti-money-laundering, annual review, best execution, books and records, business continuity, client intake and termination, code of ethics, complaints, conflicts of interest, corporate records, custody, directed brokerage, disaster recovery, disclosures, due diligence, electronic data safety, employee hiring and firing, e-mail, ERISA funds, fees, fiduciary duty, financial stability, insider trading, internal controls, investment processes, performance, portfolio management, principal trades, privacy, proxy voting, reconciliation of accounts, registration, regulatory filings, soft dollars, solicitors, supervision, trading, valuation, and wrap accounts.
So, to help an advisor create his company's risk assessment document, Shirkey starts with the policy and procedures manual and gears the document--an Excel spreadsheet she has created--to the above topics. Why an Excel spreadsheet? Typical of many government regulations, an advisor is told he must do something but isn't given a format with which to do it. "The SEC has given suggestions for how the document should be put together and showed a few samples at the chief compliance officer outreach meetings it conducted around the country in 2006, but doesn't provide a template, per se," Shirkey said.
The spreadsheet Shirkey has created is a five-column affair, with the first column listing the topics in the policy and procedures manual. "The second column is a definition of the risk posed by each topic," Shirkey said. "The third is a weighting column indicating the risk is low, medium, high or not applicable. The fourth is where we explain how the firm is addressing the topic if the risk is rated medium or high. And the fifth column refers to the place in the PPM where the reader will find a discussion of how the risks are being mitigated." Shirkey sometimes includes an extra column, depending upon the client, in which she lists the staff person responsible for monitoring a particular risk item.
Looking back at the list of topics, how does one assess the risk inherent in, say, soft dollars? "For something like that, the advisor might state in his PPM that his firm is following the safe harbor rule 28(e) [i.e., Section 28(e) of the Exchange Act of 1934]. Further, they would discuss in their manual how they are monitoring adherence to the safe harbor and who's responsible for doing it. The manual might say, for instance, 'We're only going to purchase items with soft dollars that fall under Section 28(e)' or, to be more specific, 'We will only buy research with our soft dollars and our chief compliance officer must preapprove any soft dollar purchases as well as semi-annually review invoices for soft dollar purchases to ensure only research is being bought,'" Shirkey said.
The beauty of this process of reviewing the policy and procedures manual and coordinating it with a risk assessment document, Shirkey said, is that advisors stop and look at their businesses from a higher level. "Everybody thinks they're doing the right thing when it comes to compliance, but this exercise forces them to see what they're doing from an outsider's perspective," Shirkey said.
Other high-risk areas? Business continuity might be perceived by an outsider as a high-risk area, Shirkey said, particularly if the firm just has one or two principals. And outsiders are more than just regulators... they're clients, too. "When you address all your risks in a risk assessment document, you are also formulating answers to questions clients will inevitably ask that usually start with, 'What happens if...' "