Tips for Designing Policies and Procedures to Mitigate Compliance Risks

Type

Article

Topics
  • Compliance
  • SEC
  • FCA

The compliance program exists to manage regulatory risk. The first step in designing or reviewing any compliance program is an assessment of the firm's regulatory obligations and of the adequacy of its existing compliance efforts. This is achieved through a risk assessment and a gap analysis.

  • Risk assessment: A proactive exercise to identify compliance risks and catalogue the controls that address each one. It should be conducted regularly, at least once a year, and whenever rules are amended, new rules are adopted, or the business undergoes significant change.
  • Gap analysis: Compares the risks and controls recorded in the risk assessment against the firm's applicable regulatory obligations to determine whether any additional controls are required or advisable.

Firms may find it helpful to institute a risk rating system to identify, assess, and manage potential compliance vulnerabilities. Each risk is rated on the severity of its impact and the likelihood that it occurs; high ratings signal high risks and help prioritize which mitigation strategies to deploy first. Regular review of the ratings keeps them aligned with changes in the business and the regulatory landscape, so that policies and procedures can be updated as necessary and in a timely manner.

A compliance program risk assessment is advisable for firms registered with the U.S. Securities and Exchange Commission (SEC) or the UK Financial Conduct Authority (FCA). The SEC requires every registered adviser, irrespective of its geographic location, to adopt written compliance policies and procedures and to review their adequacy at least annually; that review is expected to be informed by a compliance risk assessment tailored to the adviser's business. The FCA likewise requires firms to maintain adequate compliance policies and procedures.

Designing policies and procedures to mitigate compliance risks

Following the initial risk assessment, the firm must design policies and procedures that explain how each identified risk is mitigated. Policies and procedures should be reviewed each time the risk assessment is updated or a gap analysis is performed, and whenever the business adds new functions or regulators release new rules.

This approach guides the development of policies and procedures and helps firms navigate the complexities of compliance while fostering trust and transparency.

Tips for drafting compliance policies and procedures include:

  • Strive for clarity: Design policies and procedures that are as clear and easy for employees to follow as possible.
  • Emphasize required cadences and documentation: If a procedure calls for daily action, the frequency should be stated clearly and featured prominently. Procedures involving specific actions should also include guidance on how those actions are to be documented, since undocumented controls are difficult to evidence during an examination.
  • Assign responsibility: Procedures should assign responsibilities to specific business functions or roles rather than to named individuals. This keeps the procedures evergreen and avoids updates every time personnel change.
  • Build in flexibility: Procedures should include a process for requesting, considering, and granting or denying exceptions and waivers, or the firm should issue a separate policy on exceptions. The exceptions process could involve a committee or a designated role that handles such requests (for example, an employee's supervisor, a business head, or the CCO). Every exception granted should be documented so the record shows who approved it and why.

Common risks addressed by compliance policies and procedures

Compliance policies and procedures typically cover a wide range of issues intended to ensure reliable operations and regulatory adherence. Common areas include:

  • Operational risks: A number of SEC rules aim to secure operational effectiveness, including rules on valuation, liquidity, custody, recordkeeping, reporting, privacy, cybersecurity, business continuity, and disaster recovery. The FCA also requires firms to identify risks to their business and to maintain systems and controls to manage them. Strong operational controls support both compliance and the reliability of the business itself.
  • Conflicts of interest: Conflicts can arise from many sources, including client-to-client, investor-to-investor, client-and-employee, client-and-adviser, and third-party relationships. Firms should maintain an inventory of potential conflicts and consider which policies and procedures help the firm put its clients' interests first when it has an incentive to do otherwise. Effective conflict management involves a thorough assessment, documented policies and procedures, and consistent enforcement.
  • Employee ethics: Managing personal conflicts of interest starts with a clear code of ethics or code of conduct. The code requires everyone to consider how their personal interests might conflict with the best interests of clients, and provides guidance to ensure that clients come first. It serves as the foundation for addressing all other conflicts the firm may face.
  • Trading risks: Trading is a particularly sensitive source of risk because it creates opportunities for traders and portfolio managers to prioritize one client's interests over another's, or to place the interests of the firm or the trader ahead of clients. Traders may have incentives to reserve opportunities for themselves or favored clients, allocate trades unfairly after the fact, or fail to acknowledge errors that would otherwise cost the firm money. These areas are frequent subjects of regulatory scrutiny. Clear trading policies, combined with procedures for regular review of allocations and error handling, help prevent findings during examinations and keep firm practice aligned with current regulations.
  • Valuation risks: Firms may have an incentive to overstate the value of portfolio assets in order to increase asset-based fees, and this conflict is exacerbated by the difficulty of valuing thinly traded assets. Firms need expertise in the applicable valuation standards to develop policies and procedures that implement those standards and to devise controls that spot and correct deviations. Forming a valuation committee is a common approach to managing complex valuation questions and the related conflicts.
  • Rules on political contributions: To guard against political corruption, the SEC limits political contributions by certain investment management employees. Violations can carry significant consequences, including a two-year ban on receiving advisory fees from the affected government entity. Strong controls over contributions, including pre-clearance and periodic attestations, help avoid regulatory penalties.

Want to learn how to build a robust compliance program?

Download our guide to learn key considerations for setting up and maintaining a program that not only addresses some of the SEC’s and FCA’s key regulations but also equips you to effectively manage evolving compliance demands.


How we help

Whether you are looking to launch, grow, or protect your business, a robust compliance program is essential. At ACA Group, we offer a comprehensive suite of advisory, managed services, and technology solutions designed to help you build, oversee, and maintain a best-in-class compliance program.

Partnering with ACA Group provides more than just compliance solutions. It offers a strategic advantage that supports your firm throughout its entire lifecycle. We enable you to stay ahead of regulatory changes, manage challenges, and focus on achieving business success with confidence. Our wide range of solutions includes:

  • ACA Signature: Choose from our three distinctive models (Partner, Core, or Essential) to customize your services according to your firm's size, specific requirements, and ongoing compliance obligations. These scalable consulting offerings can be paired with managed services, regulatory technology, cybersecurity, and ESG to effectively address your regulatory commitments and day-to-day responsibilities.
  • Managed services: Outsource your compliance management tasks to simplify your processes, save time, and enhance business outcomes. Whether you need support with regulatory filings, AML due diligence, marketing, eComms or social media reviews, investment performance, or code of ethics and personal trading, we've got you covered.
  • Outsourced Chief Compliance Officer (OCCO): Optimize compliance oversight by passing your compliance requirements to our experts, helping to lower expenses and providing best practices.
  • RegTech: Unlock the full potential of your compliance strategy with ComplianceAlpha®, ACA’s scalable governance, risk, and compliance software offerings. Our integrated solutions empower you to streamline processes, enhance oversight, and meet regulatory demands with ease.

In addition to compliance, we also protect your firm with tailored ESG, Cybersecurity, Privacy & Risk, and Investment Performance services, enhancing both your risk management and long-term resilience.

Contact us today to learn how ACA Group’s specialized expertise, advanced technology, and proven processes can help your business achieve its compliance goals, scale efficiently, and protect your reputation in a complex regulatory environment.