Annual Risk Management Review Checklist

The annual amendment is due within 90 days of fiscal year end via IARD. Reconcile AUM, employee counts, custody disclosures, and any disciplinary updates against the prior year's ADV before submitting.

Brochure delivery is required within 120 days of fiscal year end, with a summary of material changes if applicable. Track delivery and acknowledgment per client in the CRM; missed delivery is a routine SEC exam citation.

Reg BI requires Form CRS at the first recommendation, new account, or new service for every retail relationship. Pull the new-client list since the last review and confirm CRS delivery and signed acknowledgment for each.

For each IAR, verify that state notice filings cover the states where the rep has clients. New residence-state clients without a corresponding registration are a common state-exam finding.

Pull the complaint log, supervisory exception reports, and any internal escalations. Capture each incident with the rule implicated, date detected, owner, and current status.

Walk a realistic scenario with key staff — a custodian outage on a rebalance day, or a wire-fraud attempt against an HNW client. Capture decision points, escalation contacts, and any gaps in the runbook.

Simulate loss of primary access to Black Diamond, Orion, Tamarac, or Addepar and confirm that performance reporting and trade entry can continue from backup. Compare actual recovery time against the stated RTO.

Restore a CRM record, a portfolio system database, and a document-management folder from backup into a sandbox environment. Attach the restore log as evidence for the next regulatory exam.

Walk every department through their risks and update the register. Custodian conversions, alts platform additions, and staff turnover usually surface new risks since the last review.

Use a 1–5 likelihood × 1–5 impact matrix. Inherent score is the risk before controls; residual is after the controls already in place. Anything that lands residual in the red zone needs a documented response strategy.

Pull the residual scores; the top five drive the year's risk plan and feed the management review packet. Note owner, mitigation already in place, and any additional investment requested.

Three-way reconciliation: internal fee calculation, custodian fee debit, and client invoice. Billing discrepancies are the leading cause of advisor restitution in SEC exam findings.

Standing letters of authorization can trip the custody rule if the SEC no-action conditions aren't met. Confirm Form ADV disclosure, signed third-party authorization, and written client confirmation are on file for every SLOA.

Sample 10–20 trade tickets per advisor and confirm principal review evidence. Watch for cross trades, allocation issues, and any trades touching the firm restricted list.

Reg S-ID requires a written ITPP with red-flag detection and response procedures. Update for any new account types, custodian portals, or vendor onboarding paths added this year.

Use KnowBe4, Proofpoint, or Hoxhunt to run the campaign. Capture both the click rate and the credential-entry rate; both should trend down year over year. A common pass threshold is under 10% click rate.

Pull the click list and assign mandatory remediation modules. Repeat offenders escalate to a one-on-one with the CCO and a follow-up campaign within 60 days.

Pull a representative sample from Smarsh or Global Relay and search terms like 'Gmail', 'WhatsApp', 'Signal', and 'personal phone'. Off-channel communication has driven over $2B in SEC enforcement actions since 2022.

Confirm MFA on every Schwab, Fidelity, Pershing, and Altruist portal login, the CRM, and the document-management system. While there, review session timeout and password rotation policies for drift.

Pull current SOC 2 Type II reports for the custodian, portfolio system, CRM, archiving vendor, and any cloud-hosted tax or planning tools. Note any qualified opinions and follow up with the vendor on remediation timelines.

A vendor is high-risk if it processes client PII, has access to client data, or sits in the trade or fee-billing flow. Compare the current vendor list against last year's and flag anything new.

Collect SOC 2, financial statements, breach history, and a completed vendor questionnaire. Document CCO risk acceptance before the vendor goes into production with client data.