Risk management – avoid it at your peril

Independent financial advisers may not have been exposed to the various elements of risk management and they therefore could inadvertently neglect them to the detriment of their business, Jessica Dass writes.

Risk can be described and defined in many ways. In simple terms, it is a possibility that something unpleasant could occur and prevent you from achieving your business objectives. We all face some degree of risk when we conduct our business – it just needs to be managed. Various components apply to an independent financial adviser’s (IFA’s) business to a greater or lesser extent.

Managing risk is a crucial part of running your business. The Australian Securities and Investments Commission (ASIC) expects risks to be documented, managed and controlled. The regulators’ standards are clearly set out in the Corporations Act and ASIC’s regulatory guides, and you must be familiar with their requirements. Failure to manage risk could result in adverse actions by the regulators – to the detriment of your business.

DEVELOP RISK MANAGEMENT FRAMEWORK

The first step is to develop a risk management framework (RMF). This is not a single document which is drafted and put on a shelf until the next review date. The RMF brings together systems, structures, processes, and people who identify, manage and monitor risks. It is, in fact, the over-arching framework that brings together all risk functions and activities. 

VIEW ALL

View all

Your RMF must identify risks associated with achieving strategic objectives. These may be client engagement, appropriate strategic advice, superior technical knowledge, marketing, staff retention, profitability and the like. All identified risks must be explicitly addressed and managed, so they must be documented. Eventually, when you prepare your business plan, you need to reflect your RMF.

PREPARE RISK APPETITE STATEMENT

The next step is to develop your risk appetite statement (RAS). This statement is established by your board and provides personnel at all levels of the business operations, whether internal or external, with a clear understanding of the risks that the organisation can accept.

RASs are strategic and broad and may be quantitative or just qualitative – such as a high appetite for risk to generate higher investment returns for clients demanding high growth strategies.

On the other hand, the board may have an extremely low appetite for fraudulent activity. These could be reported on the basis of tolerances where, in this example, the board may have a zero tolerance for fraud.

FORMULATE RISK REGISTER

Next comes your risk register. You need to brainstorm and identify risks that could prevent you from achieving your business objectives. Once a risk is identified, it is allocated to a relevant risk category and you begin the risk-rating process. 

There may be many variables, but it is best to identify those that you consider to be ‘material risks’ and then develop mitigation strategies for them so that these risks can be accepted within your risk appetite.
See some of the risk rating categories in the table below and check if they apply to your business.

ALLOCATE RISK RATINGS

To make matters more interesting, you need to develop risk ratings. There are two types of risk ratings: inherent and residual. 
Inherent risk rating is the rating allocated to the risk as it applies to your business. An inherent risk rating is measured by considering the likelihood and the impact of a particular risk occurring. 
Residual risk is what remains from your inherent risk after certain controls or mitigation strategies are applied. If your controls are effective, the residual risk can be accepted as it will have a lower rating than inherent risk.

This can be gauged from the table below.

Some examples of financial planning risks that you may include in your risk register are:

1. Failure to achieve financial planning objectives
2. Loss of key financial planners
3. Negligence by a financial planner which leads to improper advice
4. Breach of regulatory obligations (includes identity checks of clients as required by Anti-Money Laundering and Counter-Terrorism Financing legislation, maintaining records as per legislative requirements, fee disclosure requirements)
5. Perpetration of wilful fraud by financial planners for personal gain
6. Compromise of security level of client data due to internal or external cyber crime
7. Failure to maintain professional membership and adhere to the code of industry body

Other items to consider:

1. What is not on the register?
2. What is a risk or event that would keep you awake at night?
3. What are your key risks? Are they featured in the risk register?

A detailed walk-through needs to be done for the relevant risks and documented in the risk register. Risk is not static. Risks change due to endogenous (internal) issues – such as a change in your business strategy – or exogenous (external) issues – such as legislation.

CREATE HEAT MAP

Constant awareness is required to manage risks continuously. A risk register must therefore be seen as a ‘living document’. To manage your risks, develop what is known as a ‘heat map’. This is a table that identifies where your inherent risks lie on a graph which measures the likelihood of occurrence against the consequence if any of these risk events occurred.

Another heat map should also be prepared to identify your residual risks in the same manner. Your board can then quickly check whether your material risks have satisfactory controls and fall within their risk appetite statement.

It is not unusual to have key persons go through their risks on the risk register in face-to-face meetings with a dedicated risk person to satisfy themselves that the rating on various risks has not changed and that controls are satisfactory.

CONDUCT QUALITY CONTROL ASSURANCE

Now we are in operation and we need to monitor and report on identified risks as well as potential new and emerging risks. One way is to carry out a quality control assurance (QCA). Usually a dedicated risk person – who is independent from operations – conducts a QCA. The purpose of the QCA is to test the design and operating effectiveness of the controls documented in the risk register. 
QCA provides assurance that the internal controls are in place, effective, and that the risk of incidents arising is reduced. It could be done quarterly for the comfort of your board. In mature risk systems, an audit risk and compliance committee may be interposed to receive risk reports and then make recommendations to a board.
As well, there needs to be a function that ensures satisfactory risk governance. In brief there are usually three lines of defence: operations (risk owners/managers), risk management function, and finally an internal audit. You need to address all these.

CONCLUSION

In conclusion, an IFA could specialise in this area and implement an effective RMF. This can however distract an IFA from the primary role of financial planning and helping their clients to achieve their financial and lifestyle goals. An alternative can be to outsource the development, management and monitoring of risk management activities, but this can be expensive depending on the scale of your business operations.
ASIC expects that risks will be formally documented, managed and controlled. In particular, read two documents – s912A (1) of the Corporations Act and ASIC Regulatory Guide 104: Meeting the general obligations – and familiarise yourself with requirements. Failure to manage risk could result in an adverse action by the regulator to the detriment of your business. 

Jessica Dass is chief risk officer at Fiducian Group Limited.