A new SEC requirement can actually be good for your business.
The SEC is beginning to look at "best practices," said Linda Shirkey, president of Shirkey Consulting in Houston, a 13-year-old company in the business of helping advisors meet compliance requirements and accomplish other regulatory tasks. "The SEC wants advisors to run better businesses," she said, and it's in this spirit that Shirkey's firm helps advisors prepare their "risk assessment documents."
It seems the SEC is slipping more and more into its audits. As soon as we think we've got a set of policies and procedures to keep the agency happy, it comes along and expands its list of documents that it will request during your next audit. So, if you're behind on your "compliance reading," the risk assessment document is a result of the SEC's requirement that you maintain (and test annually) a disaster recovery/business continuity plan.
Essentially, this document demonstrates to the agency that you've reviewed your investment advisory business and identified areas of high risk that, in turn, should be tied into your firm's policy and procedures manual, Shirkey said. Topics that should be in your policy and procedures manual and, correspondingly, in your risk assessment document, include advertising, advisory agreements, affiliated entities, agency cross transactions, anti-money-laundering, annual review, best execution, books and records, business continuity, client intake and termination, code of ethics, complaints, conflicts of interest, corporate records, custody, directed brokerage, disaster recovery, disclosures, due diligence, electronic data safety, employee hiring and firing, e-mail, ERISA funds, fees, fiduciary duty, financial stability, insider trading, internal controls, investment processes, performance, portfolio management, principal trades, privacy, proxy voting, reconciliation of accounts, registration, regulatory filings, soft dollars, solicitors, supervision, trading, valuation, and wrap accounts.
So, to help an advisor create his company's risk assessment document, Shirkey starts with the policy and procedures manual and gears the document--an Excel spreadsheet she has created--to the above topics. Why an Excel spreadsheet? Typical of many government regulations, an advisor is told he must do something but isn't given a format with which to do it. "The SEC has given suggestions for how the document should be put together and showed a few samples at the chief compliance officer outreach meetings it conducted around the country in 2006, but doesn't provide a template, per se," Shirkey said.
The spreadsheet Shirkey has created is a five-column affair, with the first column listing the topics in the policy and procedures manual. "The second column is a definition of the risk posed by each topic," Shirkey said. "The third is a weighting column indicating the risk is low, medium, high or not applicable. The fourth is where we explain how the firm is addressing the topic if the risk is rated medium or high. And the fifth column refers to the place in the PPM where the reader will find a discussion of how the risks are being mitigated." Shirkey sometimes includes an extra column, depending upon the client, in which she lists the staff person responsible for monitoring a particular risk item.
Looking back at the list of topics, how does one assess the risk inherent in, say, soft dollars? "For something like that, the advisor might state in his PPM that his firm is following the safe harbor rule 28(e) [i.e., Section 28(e) of the Exchange Act of 1934]. Further, they would discuss in their manual how they are monitoring adherence to the safe harbor and who's responsible for doing it. The manual might say, for instance, 'We're only going to purchase items with soft dollars that fall under Section 28(e)' or, to be more specific, 'We will only buy research with our soft dollars and our chief compliance officer must preapprove any soft dollar purchases as well as semi-annually review invoices for soft dollar purchases to ensure only research is being bought,'" Shirkey said.
The beauty of this process of reviewing the policy and procedures manual and coordinating it with a risk assessment document, Shirkey said, is that advisors stop and look at their businesses from a higher level. "Everybody thinks they're doing the right thing when it comes to compliance, but this exercise forces them to see what they're doing from an outsider's perspective," Shirkey said.
Other high-risk areas? Business continuity might be perceived by an outsider as a high-risk area, Shirkey said, particularly if the firm just has one or two principals. And outsiders are more than just regulators... they're clients, too. "When you address all your risks in a risk assessment document, you are also formulating answers to questions clients will inevitably ask that usually start with, 'What happens if...' "
Finally, the process benefits employees of the firm, as well. "Our clients find that this final step of creating the risk assessment document puts their entire compliance program into perspective for their employees and becomes the catalyst for recognizing that compliance is not only to protect the clients of the firm, but also the firm itself," Shirkey said.
But do you really want to create a document that tells the SEC there is regulatory risk in certain procedures? "Take proxy voting," Shirkey said. "There's a conflict of interest issue if the firm is voting a proxy for a company where a client sits on that company's board. The risk is insider trading. Or the risk might be that you say you're voting your clients' proxies but the employee responsible for that is just sticking them in his desk drawer." The SEC isn't looking to see that you have a perfect program but that you have an assessment process in place. If the advisor discovers his employee isn't voting his clients' proxies when he should be, Shirkey said, you tell the SEC you fired the employee--exactly what your policy and procedures manual says you will do if the situation arises--and that's to your credit. "What you don't want is a neon arrow pointing to you saying you screwed up but, rather, that you fixed the problem," Shirkey said.
Before you tear your hair out because you never heard of a risk assessment document, realize that states might do things differently if you're only state-regulated. "Some state auditors just want to be able to come in and check off the box on their audit form saying, 'yes, the advisor has a disaster plan,' whereas the SEC wants to know you have a procedure, when you last ran it, whether it worked, etc.," Shirkey said.
How does Shirkey's firm help you? "If the advisor hasn't done a risk assessment before, we draft one based upon what we know of the firm, we walk through and discuss it with the client, and then we change it so they're comfortable with it," Shirkey said. After the first year, she said, the advisor can hire her firm again--or not. "They can tweak it themselves during or at the end of the year and, if they want to run it by us or retain us as part of their annual review process, we'll review it for them," she said.
Shirkey offered plenty of public-domain resources to help advisors learn more about this requirement and/or pursue fulfilling the requirement on their own:
Regulation of Investment Advisors from Lemke, Thomson West publishing -- also known as "the blue book" -- at $535/year, is well worth the expenditure both for SEC- and state-registered firms. It is a well written, complete, and very useful reference tool. See www.thomsonwest.com.
The SEC's Web site is a treasure trove. The box in the upper right corner of the home page has "Funds and Advisors" and "Fund and Advisor CCO" buttons that contain reference and educational information. The material behind each button is well worth exploring.
State Securities Board websites often list their regulations and have FAQs concerning the application of the regulations. State regulators are often available to speak at functions (like local FPA meetings) and answer questions regarding their requirements, examinations and enforcement actions.
The North American Securities Administrators Association is the professional organization of state securities regulators and creates model regulations that often become the basis for state practices. (Texas examines to the NASAA model rather than to Texas rules.)
The National Society of Compliance Professionals is a nonprofit professional organization that holds an annual conference and sends out monthly bulletins. Membership is $400/year.
And of course, the Financial Planning Association's Web site.
So, risks are part of your business, and resources are available to help you manage those risks. Now it's up to you to document them.