Annual Risk Assessment Checklist

Annual enterprise risk assessment for an RIA or hybrid wealth firm covering regulatory, operational, cybersecurity, investment, and business-continuity risk. Run by the CCO with input from operations, IT, and the CIO; sign-off completes ...

1. Regulatory Compliance Review

  1. Inventory applicable SEC, FINRA, and state rules
    • Pull the firm's regulatory map: SEC vs. state RIA jurisdiction (the $100M AUM line), FINRA rules in scope for any BD affiliation, and state insurance / securities registrations per IAR. Note any rules that changed since the last assessment — Reg BI guidance, marketing rule amendments, and state-level off-channel comms updates are common additions.

  2. Confirm annual Form ADV Part 2 delivery
    • The brochure must reach every existing client within 120 days of fiscal year end, plus material-change updates as they occur. Pull the CRM delivery log and reconcile against the active client list — gaps are the most-cited finding in routine SEC exams.

  3. Audit Form CRS delivery records
    • Form CRS must be delivered at first recommendation, new account opening, and any new service to retail clients. Sample a quarter of new accounts opened this year and confirm acknowledgment is on file in the CRM or document system.

  4. Review Reg BI best-interest documentation
    • Sample rollover recommendations, account-type changes, and product switches. The file should show the why — alternatives considered, costs compared, conflicts disclosed. Boilerplate check-the-box rationales are the typical exam finding under PTE 2020-02 and Reg BI.

  5. Log open compliance findings
    • Capture every gap surfaced during the regulatory review — missed deliveries, thin Reg BI files, lapsed state registrations, advertising not pre-approved. Categorize by severity so remediation can be paced.

  6. Build a remediation plan with named owners
    • Each finding gets a named owner, target close date, and verification method. Track to closure in the next compliance committee meeting; a finding that stays open cycle after cycle is itself an exam citation.

2. Operational Risk Assessment

  1. Pull NIGO and trade-error logs
    • Pull twelve months of NIGO new-account submissions and trade errors from the custodian portal (Schwab, Fidelity, Altruist, Pershing). Look for patterns by advisor, account type, or form — repeat NIGO on the same form means a process or template fix, not a one-off training note.

  2. Review wire and ACH callback controls
    • Verify the policy requires verbal callback to a known number — never the number on the email — for any wire instruction change or first-time third-party transfer. Sample recent wires and confirm the callback log was completed before release.
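One way to turn the callback test into a repeatable control check, as an added example that is not part of the checklist or of any custodian's tooling. It assumes a custodian wire export and an internal callback log shaped like the constructed rows below (column names such as `instruction_changed`, `released_at` and `number_source` are assumptions); the point is that a callback only counts if it was logged before release, placed to the number of record rather than a number supplied in the request, and confirmed by the client.

```python
"""Control test for the wire / ACH callback policy.

Added example, not part of the checklist or of any custodian's tooling. It
assumes a custodian wire export and a callback log shaped like the constructed
rows below; real exports use different column names.
"""
from datetime import datetime

# Constructed wire export. Policy requires a callback when beneficiary
# instructions changed or the payee is a first-time third party.
WIRES = [
    {"wire_id": "W-1001", "instruction_changed": True,  "first_time_third_party": False,
     "released_at": "2025-03-03T14:05:00"},
    {"wire_id": "W-1002", "instruction_changed": False, "first_time_third_party": True,
     "released_at": "2025-03-04T10:30:00"},
    {"wire_id": "W-1003", "instruction_changed": False, "first_time_third_party": False,
     "released_at": "2025-03-05T09:00:00"},
    {"wire_id": "W-1004", "instruction_changed": True,  "first_time_third_party": True,
     "released_at": "2025-03-06T16:45:00"},
]

# Constructed callback log. `number_source` records where the dialled number
# came from; only the client record of record (CRM / custodian profile) counts.
CALLBACKS = [
    {"wire_id": "W-1001", "called_at": "2025-03-03T13:40:00",
     "number_source": "client_record", "client_confirmed": True},
    {"wire_id": "W-1002", "called_at": "2025-03-04T11:00:00",      # logged after release
     "number_source": "client_record", "client_confirmed": True},
    {"wire_id": "W-1004", "called_at": "2025-03-06T16:00:00",
     "number_source": "email_signature", "client_confirmed": True},  # number taken from the request email
]

# Assumed for the example: the only acceptable origin of the callback number.
APPROVED_SOURCES = {"client_record"}


def requires_callback(wire):
    """Policy trigger: any instruction change or first-time third-party payee."""
    return bool(wire["instruction_changed"] or wire["first_time_third_party"])


def callback_exceptions(wires, callbacks):
    """Return {wire_id: [exception, ...]} for wires that fail the callback control."""
    log = {c["wire_id"]: c for c in callbacks}
    exceptions = {}
    for wire in wires:
        if not requires_callback(wire):
            continue
        problems = []
        cb = log.get(wire["wire_id"])
        if cb is None:
            problems.append("no callback logged")
        else:
            called = datetime.fromisoformat(cb["called_at"])
            released = datetime.fromisoformat(wire["released_at"])
            if called >= released:
                problems.append("callback logged after release")
            if cb["number_source"] not in APPROVED_SOURCES:
                problems.append("callback number not taken from client record")
            if not cb["client_confirmed"]:
                problems.append("client did not confirm instructions")
        if problems:
            exceptions[wire["wire_id"]] = problems
    return exceptions


if __name__ == "__main__":
    for wire_id, problems in callback_exceptions(WIRES, CALLBACKS).items():
        print(wire_id, "; ".join(problems))
```

Run over the sample, W-1001 passes, W-1003 needs no callback, and the two exceptions are the ones the policy is written to catch: a callback completed after the money left, and a callback placed to a number that came from the same message as the instruction change.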

  3. Refresh the vendor SOC 2 inventory
    • Pull current SOC 2 Type II reports for the CRM, planning software, archiving vendor, custodian-adjacent tools, and any sub-processors handling client PII. Flag any vendor whose report is older than 14 months or whose subservice organizations changed.

  4. Audit personal trading and gift logs
    • Reconcile access-person personal-trade attestations against brokerage feeds in ComplySci or MyComplianceOffice. Pull the gifts and entertainment log; anything over the firm's de minimis threshold (often $100) needs pre-clearance and a written rationale.

  5. Update the operational risk register
    • Score each operational risk on likelihood and impact, note the existing controls, and call out residual risk. The COO and CCO should both initial; this register feeds the next board / IC compliance update.

3. Cybersecurity Risk Review

  1. Scan advisor endpoints for vulnerabilities
    • Run the EDR vulnerability report against firm-issued laptops. Flag any device missing OS patches over 30 days, disk encryption disabled, or running unsupported software. Personal devices accessing client data are a Reg S-P finding — confirm BYOD policy is enforced.

  2. Verify MFA on custodian and CRM access
    • Pull MFA enrollment reports from Schwab Advisor Center, Fidelity Wealthscape, the CRM (Wealthbox, Salesforce FSC, Redtail), and any client portal. Single-factor logins on accounts with PII are the most common cyber finding in SEC sweep exams.
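The endpoint criteria in step 1 and the MFA enrollment review in step 2 are both row filters over vendor exports, so one added script covers both. This is an added example, not part of the checklist and not an EDR, Schwab or CRM API. It assumes an EDR inventory export with `last_patched` and `disk_encrypted` columns and per-system MFA enrollment lists shaped like the constructed rows below; the unsupported-OS list is an assumption for the example and should come from the firm's own lifecycle policy.

```python
"""Endpoint vulnerability and MFA enrollment checks from the cyber review.

Added example, not part of the checklist and not an EDR or custodian API.
It assumes an EDR inventory export and per-system MFA enrollment reports
shaped like the constructed rows below.
"""
from datetime import date

# Constructed EDR inventory export (one row per firm-issued laptop).
ENDPOINTS = [
    {"host": "LT-ADV-01", "owner": "jsmith", "os": "Windows 11 23H2",
     "last_patched": "2025-02-20", "disk_encrypted": True},
    {"host": "LT-ADV-02", "owner": "mlee", "os": "Windows 11 23H2",
     "last_patched": "2024-12-01", "disk_encrypted": True},     # stale patches
    {"host": "LT-OPS-03", "owner": "rchen", "os": "macOS 14",
     "last_patched": "2025-03-01", "disk_encrypted": False},    # disk encryption off
    {"host": "LT-ADV-04", "owner": "tpatel", "os": "Windows 10 22H2",
     "last_patched": "2025-02-28", "disk_encrypted": True},     # unsupported OS (assumed)
]

# Assumed for the example: OS families the firm treats as end-of-support.
UNSUPPORTED_OS_PREFIXES = ("Windows 10",)

# Constructed MFA enrollment exports, one per system holding client PII.
MFA_REPORTS = {
    "Schwab Advisor Center": [("jsmith", True), ("mlee", True), ("tpatel", False)],
    "CRM": [("jsmith", True), ("mlee", False), ("rchen", True), ("tpatel", True)],
    "Client portal": [("jsmith", True), ("mlee", True)],
}


def flag_endpoints(rows, as_of, max_patch_age_days=30):
    """Return {host: [finding, ...]} for devices failing any checklist criterion."""
    findings = {}
    for row in rows:
        problems = []
        age = (as_of - date.fromisoformat(row["last_patched"])).days
        if age > max_patch_age_days:
            problems.append(f"OS patches {age} days old")
        if not row["disk_encrypted"]:
            problems.append("disk encryption disabled")
        if row["os"].startswith(UNSUPPORTED_OS_PREFIXES):
            problems.append(f"unsupported OS: {row['os']}")
        if problems:
            findings[row["host"]] = problems
    return findings


def mfa_gaps(reports):
    """Return {system: [user, ...]} listing single-factor logins per system."""
    gaps = {}
    for system, rows in reports.items():
        missing = sorted(user for user, enrolled in rows if not enrolled)
        if missing:
            gaps[system] = missing
    return gaps


def users_without_mfa(reports):
    """Cross-system view: every user with at least one single-factor login."""
    return sorted({user for users in mfa_gaps(reports).values() for user in users})


if __name__ == "__main__":
    today = date(2025, 3, 10)   # constructed assessment date
    for host, problems in flag_endpoints(ENDPOINTS, today).items():
        print(host, "; ".join(problems))
    for system, users in mfa_gaps(MFA_REPORTS).items():
        print(system, "no MFA:", ", ".join(users))
```

The cross-system view matters for the remediation list: a user who is enrolled on the custodian portal but not the CRM still exposes client PII behind a single password, so the follow-up is per person, not per system.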

  3. Run a firmwide phishing simulation
    • Use KnowBe4, Proofpoint, or the firm's standard simulator. Target a wire-fraud lure since that's the realistic attack vector for advisory firms. Pass threshold is typically click rate under 5% with no credential entries.

  4. Confirm email and text archiving coverage
    • Verify Smarsh, Global Relay, or Bloomberg Vault is capturing every advisor mailbox plus compliant texting (MyRepChat, Hearsay Relate). Off-channel personal-Gmail and unmonitored iMessage drove $2B+ in SEC fines in 2022–2024 — sample a few advisors and confirm no shadow channels.

  5. Refresh the incident response runbook
    • Update contact trees, breach-counsel retainer info, custodian fraud hotlines, and the Reg S-P customer notification template. Walk through a ransomware tabletop with the IT lead and CCO; the SEC's amended Reg S-P now requires customer notice within 30 days of unauthorized access.

  6. Schedule remedial security training
    • For staff who clicked or entered credentials in the simulation, schedule one-on-one re-training plus a 30-day re-test. Repeat failures escalate to the CCO; this trail is what supervision wants to see at the next exam.

4. Investment and Financial Risk Analysis

  1. Review portfolio drift against risk profiles
    • Run the drift report in Tamarac, Black Diamond, or iRebal. Any account whose current risk score has moved more than one band above the documented Riskalyze / Tolerisk profile is a suitability concern — flag for advisor outreach and rebalance.

  2. Stress-test portfolios for rate and equity shocks
    • Apply scenarios in Riskalyze, HiddenLevers, or Morningstar Direct: equity -20%, rates +200 bps, credit-spread widening. Identify accounts where worst-case drawdown exceeds the client's stated tolerance and queue planning conversations before the next review meeting.

  3. Audit SLOAs for custody-rule compliance
    • Pull every standing letter of authorization that allows third-party transfers. The 2017 IM no-action conditions still apply: ADV disclosure, signed client authorization on file with the custodian, written confirmation of each instruction. Missing any condition pulls the firm into custody and a surprise exam.

  4. Flag concentrated positions and alternatives
    • List positions over 10% of household assets, plus illiquid holdings (non-traded REITs, interval funds, private placements). Confirm the suitability file documents the client's understanding of liquidity terms and gates — interval-fund redemption queues are a 2024–2025 enforcement focus.

  5. Reconcile quarterly fee-billing calculations
    • Three-way tie-out: internal fee calculation, custodian fee debit, and invoice delivered to the client. Confirm the methodology — average daily balance vs. period-end vs. period-start — matches what the IAA and ADV disclose. Mismatches are the leading source of fee-related restitution orders.
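The three-way tie-out is mechanical enough to script, and scripting it also forces the billing-methodology check, because the expected fee cannot be computed without choosing a balance method. This is an added example, not part of the checklist or of any billing platform. It assumes each account carries the balance method and rate disclosed in the ADV, treats a quarterly fee as one quarter of the annual rate (many IAAs prorate by actual days; adjust to match), and uses a one-cent rounding tolerance, all assumptions for the example.

```python
"""Three-way fee tie-out: internal calculation vs custodian debit vs invoice.

Added example, not part of the checklist or of any billing platform. It
assumes the ADV-disclosed balance method and fee rate are known per account
and that a quarterly fee is one quarter of the annual rate.
"""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
TOLERANCE = Decimal("0.01")   # assumed rounding tolerance for the tie-out

# Constructed quarter-end billing data. Daily balances are shortened to a few
# observations so the example stays readable; a real quarter has about 90.
ACCOUNTS = [
    {"account": "A-100", "adv_method": "average_daily", "annual_rate_bps": 100,
     "balances": ["1000000", "1020000", "980000"],
     "custodian_debit": "2500.00", "invoice": "2500.00"},
    {"account": "A-200", "adv_method": "period_end", "annual_rate_bps": 80,
     "balances": ["500000", "520000", "540000"],
     "custodian_debit": "1080.00", "invoice": "1040.00"},   # invoice computed on ADB, ADV says period-end
    {"account": "A-300", "adv_method": "period_start", "annual_rate_bps": 90,
     "balances": ["800000", "790000", "810000"],
     "custodian_debit": "1900.00", "invoice": "1800.00"},   # custodian debited a different amount
]


def billable_balance(balances, method):
    """Balance the fee is charged on, under the method the ADV discloses."""
    bals = [Decimal(b) for b in balances]
    if method == "average_daily":
        return sum(bals) / len(bals)
    if method == "period_end":
        return bals[-1]
    if method == "period_start":
        return bals[0]
    raise ValueError(f"unknown balance method {method!r}")


def quarterly_fee(balance, annual_rate_bps):
    """One quarter of the annual fee, rounded to the cent (assumed convention)."""
    annual = balance * Decimal(annual_rate_bps) / Decimal(10000)
    return (annual / 4).quantize(CENT, rounding=ROUND_HALF_UP)


def tie_out(accounts):
    """Return {account: [mismatch, ...]}; an empty dict means all three legs tie."""
    exceptions = {}
    for acct in accounts:
        expected = quarterly_fee(
            billable_balance(acct["balances"], acct["adv_method"]),
            acct["annual_rate_bps"],
        )
        problems = []
        for leg in ("custodian_debit", "invoice"):
            actual = Decimal(acct[leg])
            if abs(actual - expected) > TOLERANCE:
                problems.append(f"{leg} {actual} vs calculated {expected}")
        if problems:
            exceptions[acct["account"]] = problems
    return exceptions


if __name__ == "__main__":
    for account, problems in tie_out(ACCOUNTS).items():
        print(account, "; ".join(problems))
```

In the sample, A-100 ties on all three legs; A-200 shows the methodology error the checklist warns about (the invoice was billed on average daily balance while the ADV discloses period-end); A-300 ties internally but the custodian debited more than was calculated, which is the restitution case.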

5. Business Continuity and Sign-Off

  1. Refresh the critical-function and RTO matrix
    • Identify functions that must run within 4, 24, and 72 hours after a disruption — trade execution, client communication, fee billing, payroll. Map each to its system, vendor, and named backup operator. The matrix drives every other BCP test.

  2. Run a BCP tabletop with key vendors
    • Walk through a realistic scenario — primary office unavailable, custodian portal down for a trading day, ransomware on the file server. Include reps from the custodian relationship team, IT MSP, and archiving vendor. Document the gaps surfaced.

  3. Test custodian failover and CRM backup
    • Verify a recent CRM backup restores cleanly to a sandbox, and confirm the custodian's secondary access path (phone trade desk, alternate portal) is documented and tested. Untested backups are common — the test is what makes them real.

  4. Verify offsite document and credential access
    • Confirm the partners and key staff can retrieve essential records — IAAs, ADV, partnership docs, vendor contracts — without office-network access. Verify the password vault has documented emergency break-glass procedures for principal incapacity.

  5. Brief the CCO on findings and remediations
    • Walk the CCO through the consolidated findings — regulatory, operational, cyber, investment, BCP — and the remediation plan owners and dates. This briefing memo is what the next compliance committee meeting starts from.

  6. Sign off on the annual risk assessment
    • CCO captures the final assessment file: signature, narrative summary, and the consolidated PDF report for the books-and-records system. This file is the first thing pulled in a routine SEC or state exam covering risk governance.
