The Financial & Operations Compliance Risk Assessment Model is a risk management tool that helps identify, define, assess and weigh risks with respect to IIROC Dealer Member firms and determine priority focus in IIROC’s examination cycle of Dealer Member firms.
Several factors are considered in an assessment of a dealer’s financial operations and compliance risk.
The pure risk that is intrinsic to the specific business of the Dealer Member firm, without considering the impact of any related internal controls, established policies and procedures, or risk management practices.
Relate to the Dealer Member firm’s ability to operate effectively and efficiently based on its resources and processes.
The risk that arises from the nature of the Dealer Member firm’s business activity. It relates to the inherent business exposure associated with providing a particular product or service, taking into consideration the type and complexity of the business.
The risk that the Dealer Member firm does not have an effective method for identifying the appropriate strategy to change its business/operations, effectively converting the strategy into a business plan, and/or implementing the planned changes seamlessly.
The risk that the Dealer Member firm is unable to maintain ongoing financial viability for the protection of client assets.
Quality of management and staff
The risk of not having the right people with the appropriate skills and attributes in the right jobs to operate effectively.
Adequacy of changes of systems
This risk arises from the Dealer Member firm’s reliance on computer and information systems in its daily operations. It represents the risk that those application and information systems are inadequate in meeting business needs, unreliable or unable to fulfill their goals, and/or unavailable to adequately support operations.
Adequacy of operational procedures
The risk of not having formal and effective policies, procedures, and practices that ensure the effectiveness of processes, accurate and complete financial and management reporting, business continuity, etc.
Lines of business or financial products
The risk associated with the intrinsic nature of the lines of business in which the Dealer Member firm is engaged.
The risk is impacted by the diversity and complexity of the lines of business (including the extent to which judgements and assumptions are integral to the business operations), the nature of the customer base (retail vs. institutional), as well as the types of client accounts maintained by the Dealer Member firm (cash vs. margin vs. trust accounts).
The risk associated with the intrinsic nature of the financial products offered by the Dealer Member firm.
The risk is impacted by the diversity and complexity of financial products offered, location and depth of markets, volume of transactions, as well as whether the Dealer Member firm is acting as an agent or principal.
The risk that the business strategy adopted by the Dealer Member firm is sub-optimal.
Consideration should be given to the Dealer Member firm’s ability to identify the need for change, and the frequency of changes to strategic direction.
Strategic business alliances
The risk that the Dealer Member firm is unable to identify the need for strategic business alliances, select an appropriate business partner, effectively implement the integration of operations and/or achieve synergy in operations, based on the strategic direction established by the Member.
The risk that the Dealer Member firm is unable to identify the need for, and effectively implement, corporate, lines of business, or business unit reorganization(s) to enable the achievement of optimal results based on the strategic direction established by the Dealer Member.
The risk is also impacted by any recent changes in ownership.
The risk that the Dealer Member is unable to maintain a sufficient and/or relatively stable level of risk adjusted capital to ensure solvency.
The risk that the Dealer Member is unable to maintain an adequate and/or relatively stable level of profit.
Dealer Member firms are ranked from highest to lowest on the following quantitative factors, obtained from Monthly Financial Reports and based on a twelve-month period.
- Total Equity - 12 month average of the Total Financial Statement Capital as reported on Statement B, Line 4.
- Total Revenue - 12 month average of the Total Revenue as reported on Statement E, Line 21.
- Return On Equity (ROE) - 12 month average of Total Profit/Loss as reported on Statement E, Line 31, less Interest on subordinated debt as reported on Statement E, Line 25, divided by Total Equity.
- Balance Sheet Leverage Ratio - 12 month average of (Sum of total assets (A31) less Funds deposited in trust for RSP and other similar accounts (A2) less Cash held in trust with acceptable institutions, due to free credit ratio calculation (A3) less Securities owned and segregated due to free credit ratio calculation (A8)) divided by (Subordinated Loans (A67) plus Total Capital (A73)).
- Liquidity - 12 month average of Total Liquid Assets as reported on Statement A, Line 12 divided by the 12 month average of Total Assets as reported on Statement A, Line 31.
- Level of Early Warning Reserve - 12 month average of Total Early Warning Reserve as reported on Statement C, Line 12 divided by the 12 month average of Total Net Allowable Assets as reported on Statement B, Line 6.
The risk associated with an adverse outcome of pending litigation against the Dealer Member firm, especially for amounts not already provided for, as well as the negative reputational effect.
Knowledge and experience
The risk of management and staff not having adequate knowledge and experience to carry out their responsibilities effectively.
Consider the quality and depth of recruitment, and training and development policies and practices, the qualifications, expertise and attributes of management and staff.
The risk associated with human resource volatility, including the change in key management and staff, organization and reporting line restructuring and/or downsizing.
Consider the rate and level of turnover and the factors that precipitated the turnover.
Adequacy of resources
The risk of not having sufficient management and staff to ensure operating procedures and risk management practices are effectively carried out.
Key person reliance
The risk associated with heavily relying on only one person in a key position or function.
The availability of back-up for the position, the effectiveness of succession planning and/or the adequacy of cross-training provided to other individuals impact the risk.
The risk that systems and technology functionality are inadequate to meet business needs, or that technology and communications hardware and software are not adequate in meeting user requirements and impact data processing and effective operation.
This risk is higher if there are frequent and/or major system development or change projects.
The risk that currently installed operational technology is not available due to system or software outage. This risk includes system unavailability due to insufficient processing capacity for volume being handled.
This risk may be due to technical failure, virus attacks, shutdown due to hacking or other external circumstances, and is compounded by inadequate system backup and/or ineffective disaster recovery procedures.
The risk of unauthorized access to hardware, software, communication systems, data storage systems or data resulting in intentional or unintentional record tampering and/or loss of sensitive information.
The risk that information systems are not adequately developed, tested or implemented based on user requirements, resulting in operating errors and/or inefficiencies.
The risk is impacted by the amount of system change, the complexity of the system and extent of integration of the new system into the existing environment.
Process and data integrity
The risk of failing to completely and accurately process and account for transactions due to inaccurate data or process failure (including information flow, decision making processes, etc.).
The focus is particularly on transactions that impact cash, securities and client accounts.
The risk associated with not maintaining a reliable financial reporting infrastructure that supports accurately determining and effectively disseminating financial information, including information on capital positions, in a timely manner.
The risk that arises from problems that occur due to a firm’s reliance on an external service provider for the performance of core functions.
Risk Control Category
Board, management and staff
The risk that the governance structure and process, as well as culture or values held by the board of directors, management and staff of the Dealer Member firm, are not aligned with effective risk management.
Risk management and control
The risk that risk management practices and internal controls of the Dealer Member firm are not effective due to inadequate/inappropriate design and/or ineffective execution, thus affecting the reliability of reported financial information and/or the safeguarding of assets.
Specific Control Category
Corporate governance effectiveness
The risk that the governance structure and process is ineffective in ensuring effective corporate governance, including the timely, proactive flow of relevant (risk) information to all key stakeholders and the "tone at the top".
Corporate governance is the process which guides the business affairs of the Dealer Member. It is a set of relationships amongst the Dealer Member’s management, board of directors, shareholders and stakeholders (including its regulator, IIROC) and a means to attain corporate objectives and monitor performance.
Effective corporate governance at a Dealer Member may be evidenced by a combination of the following characteristics:
- Sufficient number of qualified directors on the board based on size of firm.
- Appropriate ratio of the number of independent (‘outside’) directors to affiliated directors.
- Separation of board chair and Chief Executive Officer.
- Board appoints senior management team and determines their compensation.
- Frequent (i.e. monthly) board meetings with documented agenda, minutes, resolutions and voting.
- Existence of board committees (i.e. executive, audit and finance, human resources, compensation, and risk management) whose composition includes members with subject matter expertise.
- Board oversees corporate compliance program by reviewing regular reports on compliance with regulatory rules, adequacy of internal controls and risk management.
- Board approves corporate strategic plan and monitors performance.
Owner/managed Dealer Members may also evidence effective corporate governance by:
- Demonstrating their direct involvement in identifying and in monitoring the principal risks faced by the firm.
- Establishing, maintaining, and monitoring a compliance program that identifies and addresses material risks of non-compliance.
- In the absence of adequate segregation of duties, direct involvement in the daily supervision of the financial, trading and compliance functions of the firm.
- Existence of a written annual strategic plan of the firm and documented regular performance monitoring.
- Appointing outside directors (where practical).
Management and staff culture
The risk that management culture does not foster and promote an environment of adherence to financial & operations compliance and control consciousness. The risk is impacted by the appetite for risk, the level of ethical and moral values displayed, and the professional conduct of management and staff on the whole.
Consider the attitude towards controls and drivers of the control process, attitude towards supervision and relationship with regulators, willingness and ability to keep abreast of current issues and concerns.
Risk management framework
The risk that the Dealer Member firm does not have an effective method to identify, prioritize, assess, monitor and manage the risks that it faces.
Consider the existence of a documented inventory of risks/risk frameworks, risk management strategy and policies, as well as evidence of effective risk management being in place.
The risk that arises from problems that occur due to a firm’s reliance on an external service provider for the performance of core functions. Consideration in assessing outsourcing control includes the existence of outsourcing policies and procedures, outsourcing agreement(s) with service provider(s), an internal champion, review of the service provider, an internal control report of the outsourced entity’s system, a business continuity plan, and access and control of the books and records of the Dealer Member.
Liquidity and Cash Management
The risk that the Dealer Member does not have effective controls over its liquidity and cash management activities. Consideration in assessing liquidity control includes the existence of written policies and procedures, assessment of cash requirements, limits and monitoring of liquidity levels, diversification of sources of funds including funding types and funding providers, contingency funding plan and stress testing.
Existence and quality of an internal audit function
The risk of not having an internal audit function that is independent and capable of performing objective quality assurance and consulting activities designed to add value and improve the Dealer Member firm’s operations.
The risk is impacted by the internal audit function’s ability to systematically evaluate and help improve the effectiveness of risk management, control, and corporate governance processes of the Dealer Member firm.
Timeliness and accuracy of security segregation
The risk of not properly calculating customer securities to be segregated.
The risk of not segregating securities on a timely basis.
Quality of internal controls
The risk associated with poorly designed or implemented internal controls.
Consider the adequacy of documented internal control policies and procedures, the extent of management monitoring and supervision, segregation of duties, and the maintenance of effective reconciliation processes relating to external parties, information generated from information systems, as well as control/suspense accounts.