Want to Improve Your Compliance Program? Know What Risk Controls to Test and How Often

Creating a risk assessment lets you know where the risks are and where to focus your compliance efforts. Once you have a compliance risk assessment, knowing which risk controls to test and how often is the next step to strengthening your compliance program. But how do you know which controls and how often you should test them?  In this episode of the Oyster Stew podcast, Oyster’s experts share their expertise on how to successfully design tests around risk controls. 

Risk comes in all shapes and sizes, and risk tolerance varies between firms. With Oyster Solutions compliance management software, “risk” doesn’t have to be a four-letter word. When you use Oyster Solutions, compliance risk is easily managed, categorized, scored and charted.  Easy-to-read dashboards give transparency and definition to your firm’s risk management strategy. Oyster Solutions software documents risk, customizes risk tolerance and scores risk based on your firm’s needs. You then have the information to define and measure your controls through policies, procedures and strategic testing workflows, creating an easily customizable risk mitigation plan.

Transcript

Transcript provided by TEMI

Libby Hall:  Hi, and welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. Creating a risk assessment lets you know where the risks are and where to focus your compliance efforts.  Once you have a risk assessment, knowing which controls to test and how often is the next step to strengthening your compliance program. But how do you know which controls and how often you should test them? In today’s podcast, Oyster CEO Buddy Doyle and two of our outsourced CCOs, Brent Nicks and Dean Pelos share their expertise on successfully designing tests around risk controls. Let’s get started, Buddy.

Buddy Doyle:  Thank you, Libby. I’m pleased today to be joined by Brent Nicks and Brent Nicks of Oyster Consulting. Dean Pelos, Brent, welcome back. It’s good to have you.

Dean Pelos:  Good to be here. Thank you.

Brent Nicks:  Thank you so much.

Buddy Doyle:  Today we are talking about how to design your testing as it relates to your risk assessment.  That discipline of looking at your risk, looking at the strength of the control and evaluating what your assumptions were, that strength through your testing. It’s really the testing that tells you whether that assessment was accurate or not, and where you continue to find residual risk or that residual risk. Maybe originally you thought your controls were better than the testing shows. Don’t be afraid to change that assessment to match the reality. That’s really what you’re trying to do, you want to improve your control environment over time, but you can’t do that without a really factual assessment of your control environment. And as you do things, you will learn. So, to just kind of throw it out to the group, just to get the conversation started of how you look at your risk assessment and how you make some decisions about which risks you’re going to test and how frequently. So why don’t we start with Brent.  You can throw out a few ideas and we’ll have Dean jump in and help us understand all the things that you guys have done in your past.

Brent Nicks:  Sure. Thanks, Buddy. I think the first thing that I would throw out there is an effective testing program.  While part of your annual risk assessment is really an ongoing and throughout the year practice where the risks that you’re identifying may very well fluctuate between how severely you categorize them even into a year.  That could be on the basis of a lot of things. And maybe, just to frame this up, the risk assessment itself that’s going to develop your testing could be the product of a lot of things. Not only the work that you’ve done in the previous year and what you know about your own program, but regulatory changes, entry year, things that are coming, business model shifts by the firm, new business lines, retiring business lines, that could even be affected by new hires into the firm.  Where a risk profile may change based upon the individuals that you brought in, whether it be complaint or regulatory items from the past, or business practices or business lines that are core to the new hire that wasn’t part of the firm’s business model before. So it’s a very fluid situation. And then, as you learn what you know about your own firm, then you start feeding in what you know about what’s coming in through the environment. So whether that be through exams, your own friends exams, through SROs, states, the SEC, and then keeping a good read on notice to members, interpretive guidance from the SEC exam priorities. And then literally, you just throw this all in and it’s a big stew and there’s where you’re evaluating your own risk and how you’re going to assess the items that you need to tag for testing. So there’s your starting point, and I don’t know, Dean, if you have anything maybe to add off of that.

Dean Pelos:  Yeah, thanks, Brent. No, that’s a good point to bring up. You do throw everything together. It kind of organizes you and keeps you understanding what the priorities are at the firm that you are putting a compliance program together for. From my standpoint, I always look at how things have developed over a period of time. If I’m going in and conducting a 3120 review on a broker dealer or some sort of 206(4)-7 report on an investment advisor doing an annual review or a gap analysis of some nature, I always look for firms that have conducted their own risk analysis because it highlights things that you may not necessarily catch when you’re conducting an annual review of an entity. A good risk assessment will detail a lot of things maybe don’t apply to the business itself, but the things that do apply to the business that you’ve identified with, you can bring out things that gap analysis may not necessarily catch and then be able to focus on that and make adjustments to the program so that you have a more effective program.

I think those are extremely important things to consider.  I always make those recommendations to clients at Oyster that they conduct that detailed risk analysis so that they can identify and prioritize things that maybe they haven’t caught in the past. And then develop and implement change by testing those areas that they haven’t really identified, and then be able to put that into their compliance program, into their policies and procedures and have controls around that.  The frequency of the testing might vary based upon how much of a risk it is initially. And then ultimately at some point in time you, you want to see the testing decrease a little bit cuz you’re hoping that changes will be made within the program itself.

Buddy Doyle:  Dean, that’s a good point.  Brent, you had something to add.

Brent Nicks:  Thank you very much. I was going to say that the frequency was going to add to the fluid nature of the testing and the annual review. Where I think frequency could be a shifting spectrum, both increasing and decreasing depending on what you’re finding through your existing testing or how your business model adjusts. But one of the most important things to think about is once you’ve identified the risk, how best do you approach it? What kind of risk is it?  What type of test development does it need? Is it transactional based? Is it something where a risk is evident on a triggering event such as personal trading by your employees or firm trading alongside with clients? Or is it longer term or periodic in nature where you might be looking at say best execution reviews over a period of time?

Are you finding issues with those that are supporting your execution efforts or more in depth, which driving to your program or forensic testing, which is looking for the trends and patterns where you may know the soft spots are, and you’ve got to spend some time really digging into the data. And I think the very first decision is when you’re identifying the risk and past the severity is how best to approach the testing environment. How do you develop the test? What type of test do you need to get to the heart of the matter?

Buddy Doyle:  Yeah, and I think planning out those testing protocols is really important. And then not being so committed to those specific testing protocols that you don’t learn as you’re going to, both the scope of the test and the frequency of the test based off of what you’re finding. I think we’ve had some examples of that this year that across both the broker dealer and investment advisor world.  As you think about the DOL prohibited transaction exemption, for example, that requires retrospective testing at least annually. But you can do it more frequently if you like, when you first put in a policy and you first put in a process, a new form, a new disclosure, it might be important to test that right away so you can correct behavior quickly rather than wait for a year. You may assess the DOL PTE and say, I’ve got to do my retrospective review on an annual basis. When does that start?  What does the rule say about when is the first annual basis up, where you have to be completed? So I think those are all things where you kind of work them into your program because there’s something new that has come along. Dean, have you seen any best practices around new rule implementation or maybe even new focuses of regulators on existing regulations where they have a different interpretation?

Dean Pelos:  I don’t see any kind of real changes in terms of how a regulator would look at it. I always assume that a regulator is going to come in and enforce the new challenges that we’re faced with the OLPT, obviously being the big one this year and the upcoming new marketing rule. I think they’re going to be areas of focus for regulators in the future where, like you mentioned, the retrospective review.  I think it’s imperative that after the first month of filling out your rollover forms and then testing to make sure that they are accurately completed by your access persons and then curbing that, so to speak. So to say that there are certain things within the rule that we’re challenged with here. We need to make sure that these forms are completed in an accurate fashion so that you’re abiding by the rule.  And if you get that done within the first couple of months, your risk obviously goes a lot lower. Any new rules that come into play, I think if you can implement those rules and accurately test for them, increase your frequencies of testing so that it doesn’t become an issue, I think are areas where you want to approach it that way.

Buddy Doyle:  Brent, any additional thoughts? I know you’ve come from a regulatory background, I’m sure y’all’s processes were similar, but somewhat different given that you’re evaluating the risk of a firm from an outside perspective to do an audit versus the inside perspective to do an audit.  Any sort of advice for folks on the new rule implementation process?

I think this year actually gave us a really good opportunity to see how that would play out with the changes in the enhancements in the marketing rule with the SEC is for firms that are obviously the advisors that were affected by this rule, the first thing that really comes to play is you had a known risk under the existing communications, advertising and solicitor rules that were in place before this amalgamated rule that took over. You had a known risk. And the first question is upon the review of the new rule is what’s changed in the risk profile and what is now a risk that the firm is willing to accept or what has changed in that risk? And in particular with the marketing rule, we’ll say with potential use opening up of endorsements and testimonials in a way that’s maybe a little broader in a lot of ways, seeming a little more inviting, but at the same time inviting much more risk into the firm.

Brent Nicks:  So you can’t think about it the same way that you did before. So after you review the rule, and then determine what the level of risk or what you may change, or whether you’re going to change anything. Maybe you’re going to keep your same position, but once you’ve accepted the new risk review, the existing testing protocols for what you were doing before, does it address a new level of risk? Does it address the changes in the existing regulation? And then you, at that point, may very well have to amend your protocols to adjust for what you’re doing. So that’s a really a long-winded way, Buddy, to say assess the rule and then determine what risks you’re looking to accept. And then once you have done that, then you can come in, amend your test to best offset those new risks, if and when you’re willing to accept those risks. And I think you have to do it in that manner.  You’ve got to digest the rule before you really know what the true issue is.

Buddy Doyle:  Yeah, I think when you look at the advertising rule in particular, there’s some lessons to be learned from that, that includes what you were talking about with testimonials, right? There are risks to doing testimonials that go beyond the fact that it’s now not illegal to do a testimonial. Before that risk was pretty straightforward and you had a very brief decision tree, did you do a testimonial? Yes, that’s bad, right?  Whereas now you have the ability to do testimonials within certain boundaries and with certain disclosures. So you have a choice to make. And if you make the yes choice to go down testimonials, then you have sub risks that come along with that around how accurate are your disclosures? How are you tracking compensation or disclosures? What is compensation for a testimonial? Is it a discount on your fee?

If you already had that discount for the last five years, is that still compensation? So you really can open up some questions that until you’ve got good answers about that, either through regulatory guidance or legal counsel or the fact that you won the arbitration. I think that you’ve got some different things to look at about that if you advertise performance. You no longer have to rely on clover capital because that’s gone. The rules are clear what you have to do.  If you don’t advertise performance, make sure you’re not advertising performance.  And that is the way to manage that risk. If you don’t advertise performance yet everyone in your firm is advertising performance, then you’ve probably assessed your risk, and you will find that as you’re testing communications and things. And that should adjust your risk assessment to say, maybe we need a procedure, or maybe we need training, or whatever it is to get those things under control.

And that’s the thing that you can’t always tell out of your testing is what direction you go next. But it’s a very important component of it, and it all works together to keep your policies, your procedures, your risk assessment, and your testing program all in one program.  So I think that’s going to be really important. Great. You mentioned changes and personnel changes in, and maybe the type of business that you’re doing throughout the year that’s sort of a different animal than a new rule where we’re all figuring it out together for the first time. But can you talk a little bit about when you want to take a look at your risk assessment around lines of business or new personnel?

Brent Nicks:  Sure. It’s going to be varied. I know that’s not a great answer, but the firms who are fairly straightforward in their business model and aren’t making a ton of active changes, obviously that would need to be a little less frequent. But as senior compliance in your firms, I think the one thing that I would offer as a suggestion is to at least have access to or be plugged into the committees and the groups that are discussing those, and on the frequency that those meet, whether that be the new hire committee or a new product evaluation committee, a review and oversight committee, whatever is in existence in your firm. And that’s going to give you the most direct and immediate access to be able to determine when you feel a new risk, not a known risk has made its way onto your radar, or maybe it’s an enhancement to an existing risk as the firm’s changing.

So, the frequency may be intermittent during the year is based on how often things are meeting and when things are occurring. But the advice here is you’ve got to be plugged into it. You’ve got to be a regular communicator in those avenues and in those committees so that you have the earliest opportunity to evaluate that risk and to determine how you’re going to plug that into what you do.  And to reinforce something you said just a second ago, Buddy, sometimes the risk to the test is really a two-way street. The risk you’re willing to absorb is sometimes going to be highly dependent upon your technological ability to be able to test for certain things. So if you are using very manual processes and spreadsheets and eyeball tests to certain things, your appetite for grabbing onto additional risks should be a little less, simply because your ability to identify and to timely identify certain things could hurt. So technology is an extremely important part of a testing program.

Buddy Doyle:  Yeah, I agree with that. And, the documentation of that test, the documentation of the results and the decisions that you make to accept risk and to mitigate risk, have to be well documented in a place where you can go back and look at those over time and evaluate your decision making. What else do we want to hit on, guys?

Brent Nicks:  But one of the things that maybe we haven’t touched and is super important is once you accept the risk, you can have a testing item in place that you believe may mitigate the risk, but do you within your organization have the institutional individual expertise in the area to effectively mitigate the risk or could effectively evaluate the test? And then once you’ve done that piece, you have to be able to have a technology piece or some other way to be able to execute the testing, but then to archive the results. But that biggest piece that we haven’t really touched, which you can have a test in place, but if you don’t have internal expertise, actual institutional knowledge in the area that you’ve gotten into, you may have taken on an unacceptable risk and testing to it may be a moot point.

Dean Pelos:  The proprietary technology that firms have is important. The way that we go about assessing risk and testing risk, I think are things, areas of focus too that we should talk about a little bit. You know, talking about Oyster Solutions. We have a program that’s in place. We have the knowledge of the people that created the risk assessments that we use that will help evaluate a firm regardless of the kind of business structure that firm has.

Buddy Doyle:  Yeah, so I think, Dean,taking that in, we certainly do have our platform, our ways of going about identifying tests that we’d like to run in an understanding of the products and services. We’ve had to hire 60 people here to really kind of get a good broad view of the industry from the buy side, the sell side, the transactional side of things, and where those different constituents meet. And sometimes it’s the same firm, where you’ve got a broker dealer and investment advisor. Managing those conflicts of interest can be important. So there can be times where you look at a risk and you’re asking yourself, in what market cycle does this product work well, and in what market cycle does this product suffer. And if you don’t know the answer to that, it is perfectly appropriate to reach out to third parties to get some expertise in a product in a service.

Some of these things are brand new product offerings that haven’t been tested in every market cycle. And so you’re guessing at these things. So you really need to make sure you are comfortable that you’re not going to know everything coming into this about a product, about a type of business, and that you should continue to get yourself educated and informed on that, whether that’s by people in the business that you’re working with, whether it’s your own research, or whether it’s using third parties or ideally some combination of all of it that comes together in your compliance program. As we map risk to procedures, we map risk to products. We match risk to rules to lines of business, and then map the workflows to test and get those scheduled.  We’re always coming back and saying, is their test really good enough.

Are we testing for the things we should be testing for?  But also asking yourself, will this 20-year run of lower interest rates continue forever or will there maybe be a change where interest rates start going up at some point? And what does that mean to the way we’ve tested in the past? Because normal is different today than it was before. So I think those are all really important questions. You may not know digital assets.  You may not be comfortable with cryptocurrencies, but you’ve got clients looking for them, and you’re not sure whether it’s a Ponzi scheme or not. If you’re not sure whether it’s a Ponzi scheme or not, you probably want to assume it’s a Ponzi scheme until such time as you’re comfortable that you understand how this all works and that you’re informing your clients of all the risks if you’re an RIA; that you’re making sure it’s suitable if you’re a broker dealer, and that you’re managing those clients and making investments that are in the best interest of their clients, or the recommendations are in the best interest. So I think all of these things change over time. And if you haven’t updated your risk assessment since Reg BI became a reality, you’re probably about two years behind.  But I would encourage you to think through that. And don’t be embarrassed if you don’t know everything.  That acknowledgement is how you learn. So I would say take that in and keep asking those questions.

Dean Pelos:  One other item too, that just came up for me recently was I had conducted an annual review of one of my clients who’s an investment advisor and they manage private funds. What was happening with them though, was they never conducted a risk assessment in previous years under a different compliance officer. So when I took it over, I went back and I conducted my normal annual review and came across the fact that they had not conducted a risk assessment. When I did conduct that risk assessment, I identified four or five different areas that I’ve got to focus on in the coming months to be able to correct some inefficiencies that were never identified prior.  So for me, having the Oyster Solutions system that we have in place, identified some areas of focus moving forward for me. So I was able to put that in my report, show it to management, and management was in agreement with me that these were areas that we needed to test and improve upon moving forward. So that was very helpful. And I think that there’s a lot of firms out there that should consider using risk assessments in the future if they’re not already using them, because there are things out there that you can identify that would really benefit a firm moving forward.

Buddy Doyle:  Well, the alternative way of managing risk, I guess, is to keep some cash and your passport close by. But that’s a whole different podcast. Brent, any other words of wisdom you want to get in there?

Brent Nicks:  Dean,to take off on what you were saying just a second ago, the benefit of a continuous risk assessment and which is best supported by a technology solution is making the testing evolution that much easier because for every remediation event, every risk identified where tests are showing that risk to not be reducing, you’ve got a quick way to determine which tests you really need to focus in on and determine, am I doing it the best way possible.  Is there a way to tweak it  or do we need a new approach? So there’s really no great way to quickly assess the testing environment that you’ve set up without conducting that risk assessment.

Buddy Doyle:  So thank you, Dean. Thank you Brent, for participating in today’s podcast with us.  And thank you to our listeners who keep coming back over and over again. If you have any questions about this topic or any of the other topics you’ve heard about on Oyster, feel free to reach out to us. Our website is oysterllc.com.

Libby Hall:  Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review.  Reviews make it easier for people to find us. Have a great day.

About The Podcast Speakers
Photo of Buddy Doyle

Buddy Doyle

As the CEO of Oyster Consulting, Buddy Doyle has led the charge to create a successful organization built on the belief that transforming experienced industry practitioners into consultants adds more value to our clients.

Photo of Brent Nicks

Brent Nicks

Brent brings a wealth of experience and expertise in the Chief Compliance Officer (CCO) and Supervision roles, as well as developing sales in wealth management products.

Photo of Dean Pelos

Dean Pelos

With over 30 years of experience as a financial services professional, Dean Pelos has extensive experience helping firms maintain regulatory compliance, grow sales, and control costs. Dean has a strong background in compliance for investment advisers and broker-dealers and additional experience specializing in regulatory compliance for investment companies.

View Our Team