Operational Risk Checklist

Walk through the risk register with operations, trading, advisory, and IT leads. Capture new risks introduced by custodian changes (e.g., Schwab/TDA conversion aftermath), new product approvals, vendor onboardings, and staff turnover. Cross-departmental gaps — wire fraud handoffs between ops and advisors are a perennial example — surface here.

Use the firm's heat-map scale (typically 1-5 on each axis). Inherent risk first, then residual after controls. Anything landing in the red zone needs an owner and a mitigation plan in this cycle.

Pull the standing letter of authorization (SLOA) inventory from the custodian. Verify each SLOA meets the SEC no-action conditions (Form ADV disclosure, third-party authorization on file, written confirmation from custodian) — failing any condition means the firm has custody and owes a surprise exam.

Sample at least 10 outgoing wires and ACH instruction changes from the quarter. Confirm verbal callback to a known number on file before processing. This is the single most common operational loss vector — email-spoofed wire fraud.

Pull the trade error log; confirm same-day reporting and resolution within the firm's 5-day SLA. Verify error account losses are absorbed by the firm, not the client, and that tax/cost-basis adjustments flowed through the custodian correctly.

Spot-audit personal device usage and confirm Smarsh/Global Relay archiving is capturing all approved channels. Texting through MyRepChat or Hearsay Relate must be enforced — the SEC has assessed over $2B in off-channel fines since 2022.

Walk advisors and CSAs through recent attempted-fraud examples — urgency cues, instruction changes from email-only, lookalike domains. Capture attendance for the compliance training log.

Each red-zone risk gets a named owner, target residual rating, and remediation due date. Carry-forward items from prior cycles get explicit re-justification — repeated open findings are an exam citation waiting to happen.

Update KRIs the firm tracks: NIGO rate on new accounts, ACATS rejection rate, trade error count and dollar impact, complaint volume, OFAC false-positive rate, fee-billing variance. Flag any KRI breaching its threshold.

Pull principal-review exceptions from ComplySci or MyComplianceOffice — outsized trades, concentration, unsuitable-on-face flags, advertising pre-approval gaps. Confirm each exception was cleared with documented rationale.

Three-way reconciliation: internal billing calculation in Orion/Black Diamond, custodian fee debit, client invoice. Variance over the firm's threshold (typically $25 or 5%) triggers a refund or correction memo.

Send the report to the management committee, CCO, and (if applicable) board risk committee. Include heat map, KRI dashboard, open findings, and incident summary. Archive the distributed PDF in NetDocuments under the books-and-records retention path.

Use the firm's RCA template (5-whys or fishbone). Distinguish process gaps, control failures, and human error. Note whether the same root cause has surfaced in prior cycles — repeat causes warrant escalation to the management committee.

For AML-flagged incidents, the SAR clock is 30 days from detection. For client-data incidents, check Reg S-P safeguards rule and state breach-notice statutes. Document the determination even if the conclusion is no filing required — exam staff will ask.

Every incident closes with a named owner, due date, and verification step. Track to completion in the firm's findings tracker; do not close on commitment alone.

Capture SEC risk alerts, FINRA notices, state securities bulletins, and DOL guidance issued this quarter. Note which firm policies need amendment (Reg BI disclosures, ADV brochure, ITPP, AML program).

Spot-check CRM-driven Form CRS delivery at recommendation events, and confirm the annual ADV Part 2 delivery (within 120 days of fiscal year-end) ran clean for any clients onboarded mid-cycle.

Pull the LexisNexis Bridger / World-Check screening report. Verify rescreening fired on every beneficiary add, trustee change, and entity beneficial-owner update — not just at account opening.