Sound Practices for Your Annual Review
The annual review of the compliance program is critical to ensure policies and procedures are adequately designed and operating effectively. The annual review process itself can feel overwhelming and raise fears that a chosen approach is not sufficiently comprehensive or consistent from year-to-year. However, those concerns can be alleviated by simplifying the annual review process into three phases, each consisting of a few key elements. By giving consideration to these essential elements, a Chief Compliance Officer will ensure a comprehensive annual review that satisfies the spirit and letter of the compliance rules (Rule 206(4)-7 under the Investment Advisers Act of 1940 and Rule 38a-1 under the Investment Company Act of 1940).
The annual review process is comprised of three distinct phases: planning, performing, and presenting. Each phase leads to the subsequent phase; planning leads to performing and performing leads to presenting. The elements underlying the planning phase optimize resources and prioritizes attention to the high value and relevant areas and developments. Performing the annual review involves various tests but relies on fundamental elements to demonstrate the validity of the process. Presenting the results of the annual review, including formulating action plans, ensures the program receives the support of management and continually evolves to better mitigate risks. Across these three phases, there are a total of ten essential elements that collectively create a comprehensive and compliant annual review.
Within the planning phase, there are three essential elements: scoping, scheduling, and sourcing.
Scoping involves determining which policies, procedures, risks, and aspects of the business will be included in the annual review. The scope of the annual review should emphasize high priority regulatory and operational risks facing the organization and its clients, particularly those identified through the annual risk assessment. Further, scoping should consider the results of previous annual reviews and the related exceptions, as well as recent regulatory risk alerts. Effective scoping can enable a firm to justify allocating its limited resources to high risk activities (such as side-by-side management) or new business practices (such as using algorithmic models), and rationally excluding lower risk activities (such as Form ADV delivery).
Scheduling is determining the timing of performing the annual review while taking into account any complementary activities (such as internal control audits), and competing tasks (as annual financial statement audits or year-end client reporting). For example, if a firm obtains a SOC 1 report for a SSAE No. 18 engagement, then that engagement could potentially provide documentation, workflow walkthroughs, and even testing results useful in performing the annual review. Conversely, if competing tasks create resource constraints, then scheduling annual review activities that tax the same resources, systems, and documentation can create delays and unnecessary stress. Leveraging complementary tasks and avoiding competing tasks can increase the efficiency of the annual review and optimize available resources.
Sourcing is determining the information and personnel necessary to perform the annual review activities. Sourcing involves thoughtful consideration for the availability and skillset of personnel, system limitations and capabilities (such as functions or licenses), and possible external resources (such as consultants or auditors). Compliance teams might enlist members of other departments to assist with document production, interviews, or testing and analysis. If certain systems are necessary to perform aspects of the annual review, then sourcing will need to assess the availability of systems and necessary personnel or if compliance personnel can obtain the requisite licensing and training.
Within the performing phase, there are three essential elements: documentation, data, and detection.
Documentation is the keystone for the annual review, as the operating effectiveness of the policies and procedures can only be demonstrated through documentation. In performing the annual review, the compliance team will need to identify, gather, and review the documentation for the areas in scope, as well as maintain the appropriate documentation to evidence the tests and conclusions. A common best practice is to retain the records substantiating sample selections, the testing results, and observations. Documentation can be maintained in hard copy or electronic format; the critical requirement is that the documentation is organized and retrievable, assuming it will ultimately be requested in the context of a regulatory examination.
Data and digital information is a vital component within the annual review, both in terms of producing documentation and performing testing steps. Specifically, it’s difficult to consider an annual review comprehensive without some form of data analysis, whether it is reviewing electronic correspondence, verifying performance and attribution figures, screening trade blotters, or recalculating fees and valuations. If the personnel performing the annual review lack the experience or tools to pull and analyze data efficiently, then processing gigabytes of downloads and reports could complicate the annual review.
Detection is revisiting any exceptions or incidents identified during the year. The value in reviewing previously detected exceptions and incidents is to confirm that: (a) the issue was remediated appropriately and completely; (b) the necessary revisions were made to processes, procedures, and/or training; and (c) the incident did not recur. This process is similar to reviewing the closure of exceptions and recommendations from the previous annual review. Recidivist and chronic exceptions that continue despite being detected can undermine the effectiveness of a compliance program more significantly than a single material exception.
Within the presenting phase, there are four essential elements: reviewing, reporting, remediating, and reflecting.
Reviewing the results and observations identified by performing the annual review tests is key to confirm the validity of conclusions, and the consistency with the planning phase. Without a quality review process, it is possible that the linkage between groups of exceptions could be overlooked, or for false positives to be incorrectly flagged as exceptions. This is critically important when someone other than the Chief Compliance Officer performs the testing activities; the Chief Compliance Officer should have a solid and confident grasp of the documentation, testing, and results.
Reporting involves communicating the results of the annual review to relevant members of management. There is a general consensus that firms should document the results of the annual review in some form, as it both evidences the fulfillment of the annual review requirement and it is an effective tool for compliance personnel to demonstrate communications to management. The variety of approaches for reporting run the gamut from formal narrative reports, to spreadsheet summaries, to slide presentations, to simply stated memos. The key consideration is to provide transparent, informative, and actionable information to management regarding the design and operating effectiveness of the compliance program.
Remediating is determining how the firm will respond to any observations, recommendations, and action items resulting from the annual review. Remediation could include revising policies or procedures, correcting exceptions, or implementing new controls. A common best practice is to prepare a project plan to summarize action items, assign responsible parties, and establish deadlines and tracking. Yet, depending on the nature of an action item, a firm may opt to remediate it immediately upon identification. Prioritizing action items can become challenging with limited resources and competing demands. Despite this, firms should rank action items linked to material exceptions, conscious missteps, and those that mitigate economic harm or risk to clients as high priority items.
Reflecting is pausing at the end of the annual review to consider how the current process should inform the next annual review. The relief associated with completing the annual review can overshadow the value in reflecting on the lessons learned from planning, performing, and presenting the current annual review.
In moments of reflection, the compliance team can consider new risks, tests, documentation, and other thoughts that came to light while the information is fresh. For example, firms could memorialize thoughts on which system reports were best for certain tests, or learning points from process walkthroughs that revealed complementary controls. Reflecting on the current process can help jumpstart the next annual review and make the next planning phase more efficient and effective.
10 Essential Elements of the Annual Review Process:
Scoping
Scheduling
Sourcing
Documentation
Data
Detection
Reviewing
Reporting
Remediating
Reflecting