Annual Risk Assessment Checklist

Regulatory Compliance Review

    Pull the firm's regulatory map: SEC vs. state RIA jurisdiction (the $100M AUM line), FINRA rules in scope for any BD affiliation, and state insurance / securities registrations per IAR. Note any rules that changed since the last assessment — Reg BI guidance, marketing rule amendments, and state-level off-channel comms updates are common additions.

    The Form ADV Part 2A brochure must reach every existing client within 120 days of fiscal year end, plus material-change updates as they occur. Pull the CRM delivery log and reconcile it against the active client list — delivery gaps are the most-cited finding in routine SEC exams.
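The reconciliation above is mechanical enough to script. The following is an added example, not part of the original checklist: it takes a constructed active-client roster and a constructed CRM delivery log, computes the 120-day deadline from fiscal year end, and classifies each client as delivered on time, delivered late, missing, or not yet due (accounts opened after fiscal year end receive the brochure at onboarding instead). The client IDs, document codes and dates are all made up; the 120-day window is the one the checklist states.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real CRM export).
FISCAL_YEAR_END = date(2023, 12, 31)
DELIVERY_WINDOW_DAYS = 120  # annual brochure delivery deadline per the checklist

ACTIVE_CLIENTS = {
    # client id -> account open date
    "C-001": date(2019, 3, 4),
    "C-002": date(2021, 7, 19),
    "C-003": date(2024, 4, 2),   # opened after FYE: annual delivery not yet owed
    "C-004": date(2020, 11, 11),
}

DELIVERY_LOG = [
    # (client id, document code, delivery date) -- document code is a constructed label
    ("C-001", "ADV2A", date(2024, 3, 15)),
    ("C-002", "ADV2A", date(2024, 5, 20)),    # after the 120-day deadline
    ("C-004", "FormCRS", date(2024, 2, 1)),   # wrong document: does not satisfy ADV delivery
]


def annual_deadline(fye, window_days=DELIVERY_WINDOW_DAYS):
    """Last day on which the annual brochure delivery is timely."""
    return fye + timedelta(days=window_days)


def reconcile_brochure_delivery(clients, log, fye, doc_code="ADV2A"):
    """Return {client_id: 'ok' | 'late' | 'missing' | 'not_due'}.

    Only brochure deliveries dated after fiscal year end count toward the
    annual requirement; the earliest such delivery per client is used.
    """
    deadline = annual_deadline(fye)
    first_delivery = {}
    for cid, doc, when in log:
        if doc != doc_code or when <= fye:
            continue
        if cid not in first_delivery or when < first_delivery[cid]:
            first_delivery[cid] = when

    status = {}
    for cid, opened in clients.items():
        if opened > fye:
            status[cid] = "not_due"
            continue
        when = first_delivery.get(cid)
        if when is None:
            status[cid] = "missing"
        elif when > deadline:
            status[cid] = "late"
        else:
            status[cid] = "ok"
    return status


def exceptions_only(status):
    """Just the clients a reviewer needs to chase."""
    return {cid: s for cid, s in status.items() if s in ("late", "missing")}


if __name__ == "__main__":
    result = reconcile_brochure_delivery(ACTIVE_CLIENTS, DELIVERY_LOG, FISCAL_YEAR_END)
    print("deadline:", annual_deadline(FISCAL_YEAR_END))
    for cid, s in sorted(result.items()):
        print(cid, s)
```

Run it against a real export by replacing the two constructed structures; the `exceptions_only` view is what goes into the findings register.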

    Form CRS must be delivered at first recommendation, new account opening, and any new service to retail clients. Sample a quarter of new accounts opened this year and confirm acknowledgment is on file in the CRM or document system.

    Sample rollover recommendations, account-type changes, and product switches. The file should show the why — alternatives considered, costs compared, conflicts disclosed. Boilerplate check-the-box rationales are the typical exam finding under PTE 2020-02 and Reg BI.

    Capture every gap surfaced during the regulatory review — missed deliveries, thin Reg BI files, lapsed state registrations, advertising not pre-approved. Categorize by severity so remediation can be paced.

    Each finding gets a named owner, target close date, and verification method. Track to closure at the next compliance committee meeting; a finding that stays open cycle over cycle is itself an exam citation.

Operational Risk Assessment

    Pull twelve months of NIGO (not-in-good-order) new-account submissions and trade errors from the custodian portal (Schwab, Fidelity, Altruist, Pershing). Look for patterns by advisor, account type, or form — repeat NIGO on the same form means a process or template fix, not a one-off training note.

    Verify the policy requires verbal callback to a known number — never the number on the email — for any wire instruction change or first-time third-party transfer. Sample recent wires and confirm the callback log was completed before release.

    Pull current SOC 2 Type II reports for the CRM, planning software, archiving vendor, custodian-adjacent tools, and any sub-processors handling client PII. Flag any vendor whose report is older than 14 months or whose subservice organizations changed.

    Reconcile access-person personal-trade attestations against brokerage feeds in ComplySci or MyComplianceOffice. Pull the gifts and entertainment log; anything over the firm's de minimis threshold (often $100) needs pre-clearance and a written rationale.

    Score each operational risk on likelihood and impact, note the existing controls, and call out residual risk. The COO and CCO should both initial; this register feeds the next board / IC compliance update.

Cybersecurity Risk Review

    Run the EDR vulnerability report against firm-issued laptops. Flag any device missing OS patches over 30 days, disk encryption disabled, or running unsupported software. Personal devices accessing client data are a Reg S-P finding — confirm BYOD policy is enforced.
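The three device conditions above, plus the BYOD point, are a fixed rule set that can be applied to an EDR inventory export. The block below is an added example, not code from the original checklist or from any EDR vendor: it runs those rules over a constructed inventory (hostnames, owners, OS names and dates are invented) and returns per-device findings. The supported-OS list and the 30-day patch SLA are assumptions stated in the code; swap in the firm's own values.

```python
from datetime import date

# Assessment parameters (the 30-day patch threshold is from the checklist;
# the supported-OS list is a constructed assumption).
ASSESSMENT_DATE = date(2025, 6, 30)
PATCH_SLA_DAYS = 30
SUPPORTED_OS = {"Windows 11", "macOS 14", "macOS 15", "iOS 18"}

# Constructed inventory rows, shaped like a flattened EDR export.
DEVICES = [
    {"host": "LT-0101", "owner": "advisor1", "os": "Windows 11",
     "last_patch": date(2025, 6, 20), "disk_encrypted": True, "firm_issued": True,
     "accesses_client_data": True},
    {"host": "LT-0102", "owner": "advisor2", "os": "Windows 11",
     "last_patch": date(2025, 5, 1), "disk_encrypted": True, "firm_issued": True,
     "accesses_client_data": True},                      # patches 60 days stale
    {"host": "LT-0103", "owner": "ops1", "os": "Windows 10",
     "last_patch": date(2025, 6, 25), "disk_encrypted": False, "firm_issued": True,
     "accesses_client_data": True},                      # unsupported OS, no encryption
    {"host": "MOB-0007", "owner": "advisor3", "os": "iOS 18",
     "last_patch": date(2025, 6, 1), "disk_encrypted": True, "firm_issued": False,
     "accesses_client_data": True},                      # personal device touching client data
]


def device_findings(device, as_of=ASSESSMENT_DATE):
    """Apply the checklist rules to one device; returns a list of finding codes."""
    findings = []
    if (as_of - device["last_patch"]).days > PATCH_SLA_DAYS:
        findings.append("patches_over_30_days")
    if not device["disk_encrypted"]:
        findings.append("disk_encryption_disabled")
    if device["os"] not in SUPPORTED_OS:
        findings.append("unsupported_os")
    if not device["firm_issued"] and device["accesses_client_data"]:
        findings.append("byod_with_client_data")   # Reg S-P exposure per the checklist
    return findings


def assess_fleet(devices, as_of=ASSESSMENT_DATE):
    """{hostname: [findings]} for every device with at least one finding."""
    report = {}
    for d in devices:
        f = device_findings(d, as_of)
        if f:
            report[d["host"]] = f
    return report


def finding_counts(report):
    """Roll-up by finding code, for the risk register and the CCO briefing."""
    counts = {}
    for findings in report.values():
        for code in findings:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    rep = assess_fleet(DEVICES)
    for host, f in rep.items():
        print(host, ", ".join(f))
    print(finding_counts(rep))
```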

    Pull MFA enrollment reports from Schwab Advisor Center, Fidelity Wealthscape, the CRM (Wealthbox, Salesforce FSC, Redtail), and any client portal. Single-factor logins on accounts with PII are the most common cyber finding in SEC sweep exams.

    Use KnowBe4, Proofpoint, or the firm's standard simulator. Target a wire-fraud lure since that's the realistic attack vector for advisory firms. Pass threshold is typically click rate under 5% with no credential entries.

    Verify Smarsh, Global Relay, or Bloomberg Vault is capturing every advisor mailbox plus compliant texting (MyRepChat, Hearsay Relate). Off-channel personal-Gmail and unmonitored iMessage drove $2B+ in SEC fines in 2022–2024 — sample a few advisors and confirm no shadow channels.

    Update contact trees, breach-counsel retainer info, custodian fraud hotlines, and the Reg S-P customer notification template. Walk through a ransomware tabletop with the IT lead and CCO; the SEC's amended Reg S-P now requires customer notice within 30 days of unauthorized access.

    For staff who clicked or entered credentials in the simulation, schedule one-on-one re-training plus a 30-day re-test. Anyone who fails the re-test escalates to the CCO; this trail is what supervision wants to see at the next exam.

Investment and Financial Risk Analysis

    Run the drift report in Tamarac, Black Diamond, or iRebal. Any account whose current risk score has moved more than one band above the documented Riskalyze / Tolerisk profile is a suitability concern — flag for advisor outreach and rebalance.

    Apply scenarios in Riskalyze, HiddenLevers, or Morningstar Direct: equity -20%, rates +200 bps, credit-spread widening. Identify accounts where worst-case drawdown exceeds the client's stated tolerance and queue planning conversations before the next review meeting.
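The two checks above (risk-band drift against the documented profile, and worst-case drawdown under the three stress scenarios against stated tolerance) can be expressed in a few functions. The following is an added example, not output or logic from Riskalyze, HiddenLevers, Morningstar Direct or any of the rebalancers named: the score-to-band cut-offs, the asset-class factor sensitivities and the household allocation are all constructed assumptions, and the scenario shocks are the ones the checklist lists (equity -20%, rates +200 bps, spread widening). Replace the sensitivity table with the firm's own model before relying on the numbers.

```python
# Risk bands in ascending order of risk (labels are constructed).
RISK_BANDS = ["conservative", "moderately_conservative", "moderate",
              "moderately_aggressive", "aggressive"]


def band_for_score(score):
    """Map a 1-99 style risk score to a band. Cut-offs are an assumption."""
    if score < 30:
        return "conservative"
    if score < 45:
        return "moderately_conservative"
    if score < 60:
        return "moderate"
    if score < 75:
        return "moderately_aggressive"
    return "aggressive"


def drift_flag(documented_score, current_score):
    """True when the current band is more than one band above the documented profile."""
    doc_idx = RISK_BANDS.index(band_for_score(documented_score))
    cur_idx = RISK_BANDS.index(band_for_score(current_score))
    return cur_idx - doc_idx > 1


# Assumed factor sensitivities per asset class: (equity beta, rate duration, spread duration).
SENSITIVITY = {
    "us_equity":   (1.0, 0.0, 0.0),
    "intl_equity": (1.1, 0.0, 0.0),
    "core_bond":   (0.0, 6.0, 1.0),
    "high_yield":  (0.4, 4.0, 4.0),
    "cash":        (0.0, 0.0, 0.0),
}

# Scenario shocks from the checklist; the spread scenario's equity leg is an assumption.
SCENARIOS = {
    "equity_minus_20":       {"equity": -0.20, "rates_bps": 0,   "spread_bps": 0},
    "rates_plus_200bps":     {"equity": 0.00,  "rates_bps": 200, "spread_bps": 0},
    "credit_spread_widening": {"equity": -0.05, "rates_bps": 0,   "spread_bps": 300},
}


def scenario_return(weights, scenario):
    """Linear factor approximation of the portfolio return under one scenario."""
    total = 0.0
    for asset, w in weights.items():
        beta, duration, spread_duration = SENSITIVITY[asset]
        asset_ret = (beta * scenario["equity"]
                     - duration * scenario["rates_bps"] / 10_000
                     - spread_duration * scenario["spread_bps"] / 10_000)
        total += w * asset_ret
    return total


def worst_case(weights):
    """(scenario name, return) for the most damaging scenario."""
    results = {name: scenario_return(weights, s) for name, s in SCENARIOS.items()}
    name = min(results, key=results.get)
    return name, results[name]


def stress_flag(weights, max_drawdown_tolerance):
    """True when worst-case loss exceeds the client's stated drawdown tolerance."""
    name, ret = worst_case(weights)
    return ret < -max_drawdown_tolerance, name, ret


# Constructed household for the usage run.
HOUSEHOLD = {"us_equity": 0.5, "intl_equity": 0.2, "core_bond": 0.2, "high_yield": 0.1}

if __name__ == "__main__":
    print("drift:", drift_flag(documented_score=48, current_score=77))
    print("stress:", stress_flag(HOUSEHOLD, max_drawdown_tolerance=0.12))
```

A household flagged by either function goes onto the advisor-outreach list; the scenario name returned by `stress_flag` tells the advisor which conversation to have.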

    Pull every standing letter of authorization that allows third-party transfers. The 2017 IM no-action conditions still apply: ADV disclosure, signed client authorization on file with the custodian, written confirmation of each instruction. Missing any condition pulls the firm into custody status, with the surprise-exam requirement that comes with it.

    List positions over 10% of household assets, plus illiquid holdings (non-traded REITs, interval funds, private placements). Confirm the suitability file documents the client's understanding of liquidity terms and gates — interval-fund redemption queues are a 2024–2025 enforcement focus.

    Three-way tie-out: internal fee calculation, custodian fee debit, and invoice delivered to the client. Confirm the methodology — average daily balance vs. period-end vs. period-start — matches what the IAA and ADV disclose. Mismatches are the leading source of fee-related restitution orders.
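The tie-out above turns on which balance basis the fee was computed from, so a script that computes the fee under all three methodologies and compares each leg is the practical check. The block below is an added example, not the firm's billing logic or any custodian's: it uses a constructed 91-day balance series, a constructed 1.00% annual rate, and assumes the quarterly fee is one quarter of the annual rate (billing terms in a real IAA may instead prorate by days, so treat that as an assumption to adjust). When a leg does not match, it reports which methodology would have produced the mismatched amount, which is usually the root cause.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
METHODS = ("average_daily_balance", "period_end", "period_start")


def compute_fee(balances, annual_rate, method):
    """Quarterly fee on a list of Decimal daily balances for the billing period.

    Assumes quarterly fee = basis * annual_rate / 4 (a constructed assumption;
    the IAA and ADV govern the real formula).
    """
    if method == "average_daily_balance":
        basis = sum(balances) / len(balances)
    elif method == "period_end":
        basis = balances[-1]
    elif method == "period_start":
        basis = balances[0]
    else:
        raise ValueError(f"unknown methodology: {method}")
    return (basis * annual_rate / 4).quantize(CENT, rounding=ROUND_HALF_UP)


def infer_method(balances, annual_rate, amount):
    """Which methodology reproduces `amount` exactly, if any."""
    for m in METHODS:
        if compute_fee(balances, annual_rate, m) == amount:
            return m
    return None


def tie_out(balances, annual_rate, disclosed_method, custodian_debit, invoice_amount):
    """Three-way check: internal calc vs custodian debit vs client invoice.

    Returns (expected_fee, findings). findings is empty when all three agree.
    """
    expected = compute_fee(balances, annual_rate, disclosed_method)
    findings = {}
    for leg, actual in (("custodian_debit", custodian_debit),
                        ("client_invoice", invoice_amount)):
        if actual != expected:
            findings[leg] = {
                "expected": expected,
                "actual": actual,
                "looks_like": infer_method(balances, annual_rate, actual),
            }
    return expected, findings


# Constructed sample: balance rises 1,000 per day over a 91-day quarter,
# so average daily balance = 1,045,000, start = 1,000,000, end = 1,090,000.
BALANCES = [Decimal(1_000_000 + 1_000 * i) for i in range(91)]
ANNUAL_RATE = Decimal("0.0100")

if __name__ == "__main__":
    expected, findings = tie_out(
        BALANCES, ANNUAL_RATE,
        disclosed_method="average_daily_balance",   # what the ADV says
        custodian_debit=Decimal("2725.00"),         # constructed: custodian billed period-end
        invoice_amount=Decimal("2612.50"),          # constructed: invoice matches ADV
    )
    print("expected:", expected)
    for leg, detail in findings.items():
        print(leg, detail)
```

A `looks_like` of `period_end` against a disclosed average-daily-balance methodology is exactly the mismatch the checklist warns about: the custodian's fee file was configured differently from the disclosure, and every affected account needs the difference computed and refunded or documented.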

Business Continuity and Sign-Off

    Identify functions that must run within 4, 24, and 72 hours after a disruption — trade execution, client communication, fee billing, payroll. Map each to its system, vendor, and named backup operator. The matrix drives every other BCP test.

    Walk through a realistic scenario — primary office unavailable, custodian portal down for a trading day, ransomware on the file server. Include reps from the custodian relationship team, IT MSP, and archiving vendor. Document the gaps surfaced.

    Verify a recent CRM backup restores cleanly to a sandbox, and confirm the custodian's secondary access path (phone trade desk, alternate portal) is documented and tested. Untested backups are common — the test is what makes them real.

    Confirm the partners and key staff can retrieve essential records — IAAs, ADV, partnership docs, vendor contracts — without office-network access. Verify the password vault has emergency-break-glass procedures documented for principal incapacity.

    Walk the CCO through the consolidated findings — regulatory, operational, cyber, investment, BCP — and the remediation plan owners and dates. This briefing memo is what the next compliance committee meeting starts from.

    CCO captures the final assessment file: signature, narrative summary, and the consolidated PDF report for the books-and-records system. This file is the first thing pulled in a routine SEC or state exam covering risk governance.