Oyster Stew - A Broth of Financial Services Commentary and Insights

Risk Assessments - Keeping Your Firm Focused

March 25, 2020 Season 2 Episode 12
Buddy Doyle, Polly Cordle

This week's episode features Oyster CEO Buddy Doyle and Polly Cordle, Managing Director of Oyster Solutions Software, discussing the importance of risk assessments, especially in today's volatile financial situation.  Included are best practices for creating and maintaining risk assessments, regulatory reporting around risk, and how Oyster Solutions Software makes maintaining and reporting risk assessments easy.  

Transcript

Speaker 1:
0:05
Welcome to this week's serving of Oyster Stew, a mix of financial services commentary and insights. Each week we'll discuss what is happening in the industry based on what we see as we work with regulators and clients. We hope you come away with the knowledge and tools to help you make the best decisions for your firm's future.
Speaker 2:
0:24
So, Buddy, I think we are here to talk about risk assessments today.
Speaker 3:
0:29
Yes, I think risk assessments are a really important component of managing an organization. And it's interesting how many times we go into well-established firms and start looking at the enterprise-wide risk assessment and realize there isn't one.
Speaker 2:
0:51
I was just getting ready to say, wait, you find one when you get there? Yeah, it is amazing to me how many of our clients don't have an actual risk assessment, and I recognize that, at least, I don't know that there's a direct rule that requires it, but it's always asked about by a regulator. And so we always recommend that they have one. But there are a lot of firms that still don't. So I think it's a great conversation to have. Like, where do you even start when you put together this grand risk assessment?
Speaker 3:
1:26
Well, where I usually start with the risk assessment is an inventory of risks, and that generally is just sort of free form. Kind of write down as many things as you can think of. Don't overanalyze it. Don't get into why it's a risk or anything like that. Just start with a list, and you can get other team members in your organization around you and just ask them, what's your biggest risk as an organization? What are the things that you're worried about? And instead of trying to get, you know, over-engineered in it, just write down the topic, just a name, and get your inventory squared away. That is step one. Once you've gotten your inventory together, then you start asking yourself, you know, how you would prioritize that risk. And this is one of the beauties of having a well-established risk assessment: it really does help you prioritize everything else that comes with this.
Speaker 3:
2:35
It's amazing how much firms can spend to mitigate a very small risk and leave large risks unattended. And so a nice risk assessment will have a severity of the risk as sort of an inherent risk that happens as a result of just being in the business, operating in a product or regulatory scheme that just comes with the territory, and how big is that risk, and that risk can fall into certain components. It could be a financial risk, which is really, really important to understand. And ultimately most of these risks indirectly lead back to a financial risk, if not directly back to a financial risk. Is it an operational risk, where you could potentially have a series of errors where you have to go back and spend a lot of time cleaning things up? Even if it's not a big money waste from an operational expense, it could cost you a lot of time, and in some cases operational risks can have a great big price tag on them.
Speaker 3:
3:55
If you think about the potential magnitude of an error in your corporate actions department where you missed a stock split and make a trade or something in the last, you know, couple of weeks here with the volatility in the markets, how bad could that have potentially become with the 30% market swing? There are reputational risks, which we can debate sort of the pros and cons of reputational risk. Every major organization out there that's ever been successful, that has any history to it, has probably had some sort of regulatory finding to it. But they continue to thrive and grow because of the way they address the way they make mistakes and how they recover from them. So there's a bunch of different ways to look at risk and to categorize those. And then it's just agreeing on how you're gonna measure it, what's high, what's medium, what's low, or how you want to quantify the severity of that risk.
Speaker 2:
5:11
Yeah. And it seems like that risk list is constantly changing. For example, here we are in March of 2020, and I don't think any of us had spelled out a pandemic on our risk assessments in the past, but I think it's probably gonna be a line item going forward.
Speaker 3:
5:29
Well, there are a lot of firms that have not. And there are some firms that certainly have. I remember updating risk assessments during the SARS outbreak, for example. So for a while there regulators were sort of talking about pandemics, and then things go quiet. So there is a cycle to your risk assessment, and there are times when things will be high risk that weren't high. Certainly pandemic comes to mind these days. And depending on sort of your perspective, I mean, I've seen people as recently as last week calling this a low-risk item who, you know, as of this date, consider it completely high risk. So minds can change, things can evolve very quickly. So it should be a recurring process to go back and review your inventory, but also second-guess your opinion now that you have new information.
Speaker 2:
6:35
Yeah, absolutely. And, you know, the regulations change, the environment changes. So it makes sense that those lists are going to change too. And it's certainly not a one-size-fits-all risk assessment. Those are going to differ from firm to firm as well.
Speaker 3:
6:50
They do. And there are some good places to go, you know, on a routine basis. When I look at the annual letters from FINRA and the SEC talking about their examination priorities, I always line those up to the current risk assessment to ask myself, from a regulatory risk perspective, am I still in sync with the regulators, or have they come up with something new and novel that I haven't considered before that I now need to come in and document and assess? But that part is not the assessment part. That part is the what-are-at-risk part.
Speaker 2:
7:35
Sure. That goes back to the inventory, and reassessing your inventory every year and then reassessing your assessment.
Speaker 3:
7:43
Yeah. So assessing risk is a little bit different in terms of what you want to make sure that you do. One question that we ask in our risk assessments, and we document that, is: do you have a procedure that helps mitigate that risk? Do you have a system that mitigates that risk? Do you have both? And how good is that mitigation? And I think within systems there are certain things where, if you have a workflow system, that's the only way you do it. And it makes you do it consistently every single time. Even a high inherent risk can be controlled so sufficiently that you can feel very confident that your residual risk after that control is very, very low, and you may not come back and test that risk as frequently as you would if you had a procedure that is more the honor system or that doesn't have a systematic [inaudible].
Speaker 2:
8:57
Sure. And that's kind of the way we approach it in the Solutions system. So in the Solutions system, we have a built-out risk assessment that we implement with our clients, and we have an inventory of risks we go through with them. We've scored them based on our experience. Anything that touches a regulator, anything that the regulators have identified as a hot topic or that has to do with a regulatory violation, we score that really high, and the only way that we'll score a control on the high level is if there is a system involved. If there's absolutely no ability for human error to get in there, then I'll give them a high score. Now, I'll let them argue the point, and ultimately it's their system, and if they want to score something high, we'll certainly let them score it high, but that's kind of how I explain it to them.
Speaker 2:
9:47
It's just like you said: unless there's a system in place to keep there from being a break somewhere along the line, you can't really call it completely high. Unless, you know, for example, like a registration in the state, there are trading systems that won't let a trade go through unless that registered rep is registered in the state of the client's residence. That to me is a perfect control. It's as near a perfect control as I can get. So I'm going to score that really high, but there are other systems that don't have that kind of trading halt in it. And that makes me uncomfortable. And so I might come down more to a medium. Yeah. And that's the way I usually approach it.
Speaker 3:
10:36
And what happens is, and I would encourage you, if you haven't done a risk assessment at your organization, to start simple. High, medium, low is a fine way to start a risk assessment. As you mature as an organization, you'll come up with a lot of other ways to respond and be out in front of risk, and you can get more sophisticated in your scoring methods and, you know, get to medium-high, medium-low, or even a quantitative type of approach to risk assessments. But begin at the beginning, make it as easy as you can to get started, and then grow it from there. But to Polly's point, you know, there are really perfect systems of controls. And so when I get to a system control, you know, one of the things I want to make sure I understand is how well tested was that system before it went in.
Speaker 3:
11:39
How frequently are we looking at the controls in there and the parameters? But the things that don't have a systematic control, that's where you want to ask yourself, what is the residual risk, you know, when you compare it to the inherent? And that should help you document how frequently you want to come back and test that control, to help you assess that control. Whether it's monthly, quarterly, annually, every two years, every three years, you get to decide that. But there's a methodology that you want to apply to focus on the gaps between your high inherent risks and your high inherent controls.
Speaker 2:
12:20
Sure. And, you know, I tell clients all the time, there are some things you can't control away: client complaints. You know, in a bad market, in a tough market and a volatile market, you can't control it; the clients are going to get emotional. I mean, that's going to happen. This is their life savings that you're dealing with. And there are gonna be clients that, you know, get concerned, and someone might complain along the way. So, you know, it's not necessarily that you can control away every risk that you come across. And I don't think that the regulators, and you weigh in here, Buddy, but my opinion is the regulators aren't expecting you to control away every risk. They're expecting you to be aware of the risks that you have, and that's important to them, that you understand the risk that your business carries.
Speaker 3:
13:11
I agree with that. And I do think that client complaints are a great way to pride yourself to go back and look at the particular underlying risks that may have come from that complaint and how well your controls are established. Could you have avoided that complaint? And sometimes the answer is yes, and sometimes the answer is no. But it is true that in most environments, regulators do not expect you to have a perfect system of controls. They expect you to have a reasonable system of controls or a robust system of controls. And over time those things kind of over around. It does feel like at some point in our history here, we have expected perfection out of regulation, and there's been no quarter given for small, you know, I think back to the broken windows theory of small infractions are massive infractions, kind of thing. And I may be overstating it a little bit from a regulatory perspective, but that's certainly what it felt like from being on the industry side of things and working with their clients, is that the expectation of perfection was there for a while. I think right now we're in an expectation of reasonable and robust controls depending on the level of risk you're taking.
Speaker 2:
14:46
So, Buddy, I know in Solutions we have a really nice way that we detail the entire risk assessment. We define the risk, we give you a summary of the risk, and then we detail your control. And if there's a workflow that goes along with that control, we'll link it right in there with the control, and we have a detailed list of that. But what we ultimately recommend that they turn over to a regulator, if asked, is really more of a visual representation where it's really kind of comparing the risk and controls without giving them all of that background detail. What do you recommend that clients, if asked for their risk assessment, how do you recommend that they document that? And what do you recommend when asked about what to give to regulators and how to document it and keep that record?
Speaker 3:
15:44
Well, I certainly like the visual look of the charts and graphs, the approach that you've taken, Polly, you know, with Oyster Solutions. I think that is helpful for your executive leadership team. And it also helps regulators understand sort of how you've approached the risk assessment. They will potentially ask more detailed questions. And I'm a pretty transparent guy with regulators. If they ask me a direct question, I'm going to give them a direct answer, and they can go as far down into your books and records as they want to. FINRA has a Rule 8210 that says we can ask you for stuff, you've got to give it to us. And if you create a document, that is a firm record, so you need to be thoughtful about it. But I do think that the graphical representation is absolutely the best starting point for a risk assessment with the client, because it talks about the topic, it shows your assessment of the inherent risk and the mitigating controls. And they don't typically, when you've done a thorough job, try to second-guess your judgment in a harsh way. They really do, from my perspective, appreciate the thought that goes into a risk assessment, because that usually drives the priorities for everything else. To show that your program is robust, it's a thoughtful program, and it's a great starting point to deal with the regulatory exam.
Speaker 2:
17:42
Yeah. The visual representation I think is really helpful, like you said, for senior management to be able to say, well, why is this out of whack? What could we do better in this category? You know, why is this risk higher than this control? And I think it does the same for the regulators. So when you turn that over, they can say, well, okay, client complaints, I get that one, that one's always going to be more risk than you can control. You know, but why over here, you know, is your registration risk so much greater than your control, to go to our example from earlier? So yeah, I mean, I think it's helpful for senior management and for the regulators when you present it in that visual way. But yeah, to your point, I actually had someone ask me the other day about what they could request, and my answer was, well, what will you say to them if they ask you for something you didn't want to give them? Are you going to tell them no? I mean, I just can't imagine sitting across the table and saying to a regulator, I'm not going to give you that. So yeah, I tend to pretty much give them what they ask for. I can't imagine the response I would get if I said no. So,
Speaker 3:
18:53
and I do think there are expectations of risk assessments with certain topics within an organization. The enterprise risk assessments are desired and certainly something that regulators have talked about the benefits of, the need for, and I think in larger organizations it has become the standard and an expectation. And if you don't have one, you're likely gonna have one after your exam is over. Not immediately, but shortly thereafter. But within the anti-money laundering programs, risk assessments have long been expected, and understanding client risk and how to risk-score clients and things like that. That is something that I think the large firms have certainly figured out and been moving towards. A lot of smaller firms are still coming around on that. And the other topic where there is an absolute expectation that you would have a risk assessment is for your cybersecurity or information security programs.
Speaker 2:
20:07
Very good point.
Speaker 3:
20:08
The NIST framework for that is a great go-to resource to help you understand what are the topics you want to cover in a cybersecurity risk assessment. In the AML program, the FFIEC AML testing manual gets into that risk assessment process as well. These are relatively big things to take on. They take a lot of time and effort to get all the way through, and if you ever look at that FFIEC manual, it's pretty long and it's got a lot of content to it. But it is a valuable resource, if you can stand to get through the, you know, 800 pages or so of content.
Speaker 2:
21:05
I'm sure that's fun reading. Yeah. I would dare say that we are going to be seeing business continuity plans showing up as a definite line item on these things in the future. Just like cybersecurity. I think there's going to be a bigger push now in our current environment to see how people are able to respond in this situation and kind of start scoring themselves on that item.
Speaker 4:
21:33
I agree.
Speaker 3:
21:35
Although I don't know why you would say that.
Speaker 2:
21:38
I know it's an odd topic to bring up at this time. Well, Buddy, I think we may be out of time, so hopefully we've provided at least a glimmer of insight into risk assessments.
Speaker 3:
21:52
Yeah, I think we've covered the high-level approach to risk assessments, and it's important to remember, though, you'll never have a perfect risk assessment, which is why you always need to come back and reassess on a routine basis, and why it always helps to get the business units involved in making sure that you've done a good and thorough job.
Speaker 2:
22:18
Yeah, absolutely. [inaudible] Just like anything else in a compliance program, or in any business, I think it's an ever-evolving process. It never stays the same. It's always going to be changing. That's the way of the world. So, yeah, it definitely needs to be something that's taken into consideration at least annually.
Speaker 1:
22:41
Thanks again for listening to the Oyster Stew podcast. Don't forget to subscribe so we can continue to bring you resources to help you make the best decisions for your firm. If you're struggling with a topic and you'd like us to do a podcast on it, or you'd like a free consultation, feel free to reach out to us at 804-965-5400 or by visiting our website at oysterllc.com.