Chapter 4 - Risks Faced By Investment Dealers.pdf

Risks Faced by Investment Dealers 4 CONTENT AREAS Risk Management Overview General Types of Risk A Risk-Based Approach to Compliance Risk-Based Models and Methodologies Risk Controls Best Practices in Credit Risk Management LEARNING OBJECTIVES 1 | Describe the major internal and external risks facing investment dealers, and discuss approaches to assessing and managing these risks. 2 | Identify and categorize the risks to which a dealer member is susceptible. 3 | Explain the risk-based approach to designing and implementing a control environment and compliance program. 4 | Discuss the factors that the Canadian Investment Regulatory Organization considers when it assesses a dealer member under its risk trend report methodology. 5 | Develop a framework that relates the relevant aspects of risk assessment and management directly to a dealer member. 6 | Discuss best practices for credit risk management, including the role of the board of directors and management of a dealer member, according to the Canadian Investment Regulatory Organization. © CANADIAN SECURITIES INSTITUTE CHAPTER 4      RISKS FACED BY INVESTMENT DEALERS 4 3 INTRODUCTION In the previous chapter, we discussed the regulatory administrators and the primary sources of regulatory and compliance obligations. We also discussed the obligations imposed on securities markets by civil and criminal law and the potential consequences for the dealer member and its registrants when those obligations are ignored or the rules are violated. Because the consequences of noncompliance can be dire, every dealer member must take a formal, risk-based approach to compliance, with robust processes and procedures in place to manage risk. The purpose of this chapter is to describe the various types and aspects of risk that affect investment dealers and explain how to manage them using a risk-based approach to compliance. 
You will learn about risk assessment and management in the context of the risk-based models and methodologies used by regulators to identify, define, assess, and weigh sales compliance risks with respect to each dealer member. In addition, we discuss the risk controls that are typically in place at a dealer member, along with best practices in credit risk management. RISK MANAGEMENT OVERVIEW 1 | Describe the major internal and external risks facing investment dealers, and discuss approaches to assessing and managing these risks. The goal of all business ventures is to make a profit, and all businesses face uncertainty and risk in pursuit of that objective. Along with general business risks, businesses that operate in heavily regulated environments have additional requirements in the carrying on of their day-to-day business operations. The investment industry is such an environment; therefore, dealer members recognize that earning profits must be done in the context of securities regulations. Any attempt to operate outside the rules would imperil a dealer member’s very existence, which is predicated on its ability to operate in accordance with rules regarding licensing and registration. Apart from regulatory and general business risks, dealer members are exposed to risks that are specific to the industry. All these risks can interfere with business goals and strategies and result in lost earnings, capital, or reputation. Ineffective management of these risks can have a profound impact, not only on the dealer member but on partners, directors, officers, and employees of the firm. For these reasons, every dealer member must have a comprehensive and systematic risk management process that proactively identifies, assesses, manages, and controls regulatory, strategic, business, and process risks. 
It is important to note here that CIRO expects that for every significant area of risk within a dealer member, an appropriate executive be responsible for managing such area of risk. DID YOU KNOW? Under the IDPC rules, a “significant area of risk” is any function, process, or activity within a dealer member in which a failure to mitigate or control risk could lead to material harm to the dealer member’s liquidity, solvency, operational capabilities, clients, client assets and other client positions. Significant areas of risk include the following issues and activities, among others: Account opening Account information and records Account supervision Client communications Conflicts of interest Dealer member records Minimum capital levels © CANADIAN SECURITIES INSTITUTE 4 4 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 2 The compliance function is an integral component of an effective risk management program at every dealer member. The design of this function at a particular dealer member is based on the business model of that firm. On this basis, the compliance department is able to support business and senior management in the operation of the dealer member by ensuring that business decisions are made and adjudicated based on risk as a metric. The chief compliance officer functions as a risk manager every day. Risk identification, assessment, and management have traditionally been associated with compliance or regulatory risk, as well as associated risks such as risk to reputation and risk of litigation. Other risks can also affect a CCO’s duties. Related control techniques can help the CCO understand the source of problems and identify the compliance controls that should be implemented in response. Almost every activity in the securities industry involves some level of risk. Absolute assurance is not possible. Therefore, business objectives and regulatory standards must be balanced with an appropriate level of risk management. 
Often, a CCO’s role is to offer advice and recommendations to management regarding the type and level of risk assumed. With this knowledge, management can make informed decisions as to the best action to take and in so doing, management has embedded the concept of risk management in its decision-making. The CCO’s activities are supplemented by other compliance risk management processes that are carried out by the compliance function. Risk management at a dealer member involves the oversight of all factors that might disrupt or harm the dealer member or its business. All such risks should be identified, assessed and measured within the firm’s internal control structure. The objective of risk management is not to eliminate risk but to balance the level of risk undertaken against the rewards expected when business goals are met. Certain risks, such as credit risk, are managed within defined risk-to- reward tolerances. Others, such as operational risk, are supervised and managed to meet expected thresholds. Risk management tools such as hedging, securitization, and insurance are used to mitigate the risk of loss or to transfer the risk to other parties under specific events. Regardless of their particular mix of businesses, all dealer members face similar risks and must establish an effective and efficient control environment to manage them. All dealer members should have a process in place to ensure that risk management at the firm is a paramount concern. Its importance should be evident from the most senior executive level through all ranks of employees. Though the specific management processes may differ from one dealer member to another, every firm should have a mechanism in place to identify, analyze, and manage risk. Such processes are typically designed to assess both the magnitude and probability of an adverse event. As magnitude and probability increase, so should the corresponding degree of control exercised over the activity. 
However, all risks should be identified, regardless of their severity. A typical risk management process involves the following steps: 1. Identify the general categories of risk to which the dealer member is susceptible. 2. Identify, describe, and categorize risks specific to the dealer member or a particular department. 3. Analyze the specific risks to identify their probability of occurrence and the likely nature and severity of the consequences. 4. Grade the risks according to their level of importance. 5. Prepare policies and procedures to manage each risk, which include recordkeeping requirements. 6. Assign each risk to the appropriate business unit leader. 7. Assign business resources appropriate to each risk. The dealer member should periodically re-evaluate the existing risk management process to make sure it is current and functioning. © CANADIAN SECURITIES INSTITUTE CHAPTER 4      RISKS FACED BY INVESTMENT DEALERS 4 5 The concepts of risk assessment and management are inherent in numerous regulatory requirements, both explicitly and implicitly. In some cases, supervisory standards are defined and prescribed, and certain activities are controlled by law. This is the case with the capital requirements regime of CIRO. In other cases, regulators require that dealer members conduct their own risk assessments and implement corresponding controls. EXAMPLE Anti-money laundering and terrorist financing laws have elements of both prescriptive and expected control requirements. On one hand, dealer members are required by law to verify the identity of all clients; on the other, they must have tailored monitoring processes in place to identify high-risk clients and transactions. The nature of these processes is very much dependent on the type of business or business model in place at the dealer member. The anti-money laundering regime may differ from one dealer member to another, for example (although elements such as client identification might be very similar). 
BALANCING COMPLIANCE AND BUSINESS To properly manage risk, CCOs must have a solid base of regulatory knowledge that enables them to defend their position on regulatory matters. Furthermore, to foster compliant behaviour, they must be able to create an environment of trust and respect between business line staff and the compliance function. The CCO and other compliance staff should strive to be seen in a positive light. Rather than mandating compliance in an obstructive way, they should attempt to balance business considerations with risk and regulatory requirements. Creating a business-oriented image does not mean acceding to undesirable activity. It means offering practical and creative alternatives and facilitating business in a compliant manner, rather than simply prohibiting business activities outright. When compliance staff members are seen as partners, rather than as adversaries, they will have credibility and support in more difficult situations, such as occasions when the CCO must take a firm stand. However, business owners sometimes choose to disregard the advice of the CCO, often with the attitude that they are prepared to take the risk. Such behaviour is particularly problematic when it violates a rule or creates unmanageable risk for the dealer member. When these situations arise, a process must be in place whereby the CCO escalates decision-making to the Ultimate Designated Person and the board of directors, if necessary. Business unit leaders who consistently ignore the advice of the compliance department or the CCO should understand that, in so doing they agree to accept such risk themselves. Alternatively, they may be found to be engaging in conduct that is unbecoming to their role and to the operation of the dealer member. GENERAL TYPES OF RISK 2 | Identify and categorize the risks to which a dealer member is susceptible. Part of the risk management process is to identify and categorize the risks to which the dealer member is susceptible. 
This section describes the different categories of risk and identifies some specific risks that are common to most dealer members. Dealer members should be aware that many risks are interconnected, and failure in one area often leads to failure in another. In addition, as the firm evolves and grows, they should periodically re-evaluate the firm’s risk profile to ensure that the process of risk management remains current and applicable to the business model. REPUTATIONAL RISK Reputational risk is the risk that negative publicity regarding a dealer member’s business practices or conduct, whether valid or not, will bring harm to the business. This risk is particularly significant for investment dealers, who are entrusted to manage the funds of their clients. For example, a dealer member can receive multiple client © CANADIAN SECURITIES INSTITUTE 4 6 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 2 complaints about a particular investment advisor or one single control failure. In either case, reputational risk is a concern. Even one occurrence of this type can significantly impair the firm’s reputation with various different stakeholders including clients, regulators, and staff. A dealer member’s reputation is founded on a combination of its ethics and competence. Although intangible, reputation is a core business asset that takes significant time and expense to build. Once threatened, it can dissipate quickly and sometimes irretrievably. The costs associated with loss of reputation can be devastating. A good reputation is fundamentally necessary to attract new clients and maintain the confidence of existing clients. When clients leave because they question the dealer member’s integrity, revenue goes with them. It also becomes more difficult for the dealer member to recruit good employees. Business growth is thus hindered, along with the firm’s ability to recoup lost revenue. 
In fact, when a dealer member loses its reputation, it is in danger of entirely losing its viability as a business. Reputational risk is essentially a composite of all other risks, and it can only be mitigated by first managing those risks. Other than through public relations efforts during a crisis, reputational risk cannot be addressed directly. However, when an event occurs to put the dealer member’s reputation at risk, it should be fairly straightforward to manage the threat if the right processes are in place. EXTERNAL RISK External risk (also called environmental risk) emerges from the environment in which the dealer member operates. This risk is influenced by the firm’s strategic fit with its external environment and by how effectively it responds to economic, political, and regulatory developments. This type of risk assumes that external factors affect a dealer member’s status quo, and the firm should therefore make changes to its operating environment in response to these factors. REGULATORY RISK Regulatory risk is associated with a dealer member’s ability to understand, acknowledge, and comply with evolving regulatory requirements. The most significant regulatory risk arises from laws, rules, and regulations involving criminal or quasi-criminal conduct, including fraud, theft, money laundering, illegal insider trading, and market manipulation. In recent years, CIRO and the Canadian Securities Administrators have increased their regulatory expectations and have become stricter in their application and enforcement of the rules. Regulatory risk is therefore of paramount concern to the dealer member and its control environment. Penalties may be imposed by regulators on the dealer member and also on individual directors, officers, and employees who fail to meet expected standards or who fail to properly supervise. Costs of these actions in settlements or sanctions can mean significant fines and loss of revenue for the firm. 
Dealer members or their employees might also have certain trading privileges revoked or they may lose their registered status, which will affect the firm’s ability to carry on its business. Other costs that typically emerge from a regulatory investigation or proceeding include the cost of retaining outside counsel and other advisors, the commitment of internal resources, and the cost of diverting management’s focus away from running the business. On top of the direct financial impact of enforcement action, a dealer member’s financial health can be further affected by litigation costs and loss of reputation. EMERGING ISSUE RISK Another type of regulatory compliance risk arises from the introduction of new or changed regulatory standards. Often referred to as emerging issue risk, this type of risk usually arises from rapid change in the industry combined with product and process innovation. In such an environment, regulators may delay making rules until changes are fully understood. Dealer members that quickly adapt to innovations can generate significant profit, but they are subject to the risk of © CANADIAN SECURITIES INSTITUTE CHAPTER 4      RISKS FACED BY INVESTMENT DEALERS 4 7 regulatory actions against them when the rules change. For follower firms who enter the arena after the regulatory framework has been established, the risk is lower. However, they miss out on the economic benefits of acting quickly. EXAMPLE An emerging and very significant risk to dealer members, its registrants and the capital markets generally, is cybersecurity risk. Given the rapid advancements in technology, dealer members and registrants must have implemented a cybersecurity risk management regime (similar to an anti-money laundering risk management regime) to prepare and mitigate the risks that dealer members face from cyber criminals. 
This type of risk is at the existential level as data breaches and related impacts from cyber-attacks can threaten the ongoing viability of dealer members. Regulators are sometimes driven to change the rules in response to dealer members testing the limits of regulations. They may also initiate change in response to market events that fundamentally alter the economic landscape. In such situations, the “smell test” can be particularly useful in identifying and assessing risks. Management of regulatory risk is always a principal area of focus for a CCO and should be the first objective of compliance. To assess this risk, the CCO should act to ensure that the dealer member’s existing risk-tracking methodology has properly identified prevailing risks based on the current operations of the dealer member. In addition, the CCO should consider the number and gravity of the firm’s past and pending regulatory deficiencies and enforcement incidents that resulted from previous regulatory examinations and internal reviews. Based on this review, the CCO should see that appropriate resources have been allocated to manage risks that have been identified either by the dealer member or by CIRO during business conduct examinations to ensure that both are properly managed and resolved. ECONOMIC AND POLITICAL RISK Economic and political risk emerges from changes in the global environment or in a dealer member’s national or regional environment. The degree to which a dealer member is affected by such risk depends on its overall business strategy and direction. For example, although the securities industry is generally cyclical, a diversified firm would be less affected by a general economic downturn than would a single-business-line boutique. EXAMPLE The economic downturn of 2008 is an example of the economic risk that can affect both the dealer member and the global economy. 
Moreover, political change can affect the dealer member if incoming governments imposed changes affect its ability to operate. Risk assessment factors include the strengths, weaknesses, and volatility of a dealer member’s economic and political environment. Systemic issues in the firm’s location should also be considered, along with capital markets volatility that might affect the particular firm. A dealer member’s strategic fit with its environment and its ability to respond to external events influence the degree of risk exposure. A dealer member that conducts business outside Canada can be exposed to different risks than those that exist in the domestic market. Political risk can result from such causes as a radical change of government or the nationalization of businesses. It can also emerge from economic changes, such as currency devaluation or hyperinflation resulting from government policies. Specific country risk relates to the costs associated with a particular country’s business practices, market conditions, regulatory requirements, legal system, and operational environment. Dealer members looking to operate in other countries often incur these costs to build the business before any economic return is generated. Most importantly, dealer members that operate in jurisdictions outside of Canada are required to gain a very thorough understanding of the manner in which they may be able to operate in such a jurisdiction. A dealer member who is licensed to carry on business in Canada is not necessarily qualified to deal with residents of foreign jurisdictions. © CANADIAN SECURITIES INSTITUTE 4 8 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 2 At a minimum, dealer members should make sure that they are lawfully permitted to operate in foreign jurisdictions. Other problems, such as anti-money laundering issues, may be exacerbated in some foreign jurisdictions as well. 
Reputational risk can be another side effect of doing business in a jurisdiction that is seen as undesirable. For example, some jurisdictions are considered tax havens and poor allies in the global fight against money laundering and terrorist financing. INHERENT RISK Inherent risk is the pure risk intrinsic to the specific business of a dealer member, without considering the impact of any related internal controls, established policies and procedures, or risk management practices. In other words, inherent risk represents the unique risks attributable to the business model and activities of a specific firm. The various aspects of inherent risk are described below. BUSINESS ACTIVITIES Risk originating from business activities relates to the dealer member’s exposure that is inherent when providing a particular product or service in consideration of the size, type, and complexity of the business. A firm’s lines of business contribute to the aggregate risks present in its overall portfolio. Each business activity presents its own risks, and the combination of activities that a firm engages in affects the overall risk assumed at the corporate level. EXAMPLE A diversified dealer member is better able to deal with a slowdown in some of its business lines if other business lines are counter-cyclical. For example, a firm that operates nationally is less susceptible to business activities risk than a regional firm. A dealer member that offers managed accounts and fee-based platforms, in addition to traditional transactional trading, is also less risk-prone. A dealer member’s approach to risk management across the business should be reflected in its overall management processes. These internal processes usually consist of setting, planning, and executing objectives, as well as measuring and managing performance. The sustainability of revenue sources is an important risk assessment factor. 
The CCO should consider whether the firm is economically dependent on a few large clients or products, or whether it relies on non-recurring income sources. The level of risk is also affected by overhead and expenses, by accounting practices relating to income recognition, and by previous results and budgets. SIZE OF BUSINESS A large dealer member may be more susceptible to inherent risk simply because of its size. For this reason, business risk is measured in terms of gross revenue, assets under management, volume of daily transactions, number of clients and accounts, number of advisors, and similar statistics. Although potentially more susceptible to risk, a larger dealer member might be better positioned than a smaller firm to sustain financial loss and might also have stronger risk control practices. Both of these factors affect its risk assessment. The rate of growth of the business also affects its level of risk. Rapid business growth can stress operational and supervisory resources, processes, and controls, which may not be able to keep pace. FINANCIAL PRODUCTS The types of financial products that a dealer member offers determine the dealer member’s product risk. This risk is influenced by the diversity and complexity of the products and the location and liquidity of their markets. Risk level is also affected by the firm’s experience with the products and its role in transactions. If a dealer member acts in more than one capacity with respect to a product or product type, the conflict of interest risk must also be addressed. © CANADIAN SECURITIES INSTITUTE CHAPTER 4      RISKS FACED BY INVESTMENT DEALERS 4 9 EXAMPLE CIRO has provided specific guidance for dealer members that choose to offer certain products for sale, such as leveraged exchange-traded funds, for example. CIRO has provided guidance to ensure that these types of products are clearly understood by the dealer member and the investment advisors recommending them to clients. 
Dealer members are also required to appoint a product review committee to oversee all products being offered for sale by the dealer member. This requirement ensures that the dealer member and its investment advisors are able to adhere to their KYC obligations. The dealer member’s role in dealing with a particular product significantly affects the risks the firm assumes. Generally, a firm functions in one or more of the following roles: Agent In functioning solely as an intermediary, the dealer member assumes the lowest level of risk. The primary risks for an agent are suitability risk and credit risk during the settlement period. Principal A dealer member acting as principal is exposed to the risk of changes in the market value of positions that are held in inventory to facilitate client transactions. It also bears a typically higher standard of legal responsibility to clients. Proprietary Trader By trading securities for its own account to generate a profit, the dealer member assumes market, prepayment, hedging, credit, operations, and accounting risks. Manufacturer The dealer member that is the originator of a financial product is subject to product liability. This role often also encompasses an ongoing management or administrative role. NEW PRODUCTS New products include both newly created products and existing products whose attributes are materially affected by a fundamental change in the market. Both types of products give rise to specific risk management considerations. Factors that contribute to new product risk are the absence of familiar qualities and performance history. Traditional products are usually offered within a framework of established and well-understood regulations and practices. Emerging issue risk is another consideration. There is often a significant lag time between the introduction of a new product and the implementation of applicable regulations and formulated policy positions. 
Dealer members and investment advisors should be cautious in offering such products before they are clearly understood. Dealer members leading the introduction of new products and services may benefit from increased expertise and market share in advance of other dealer members, but they also take on greater risk. EXAMPLE In the 1990s, hedge funds were marketed primarily to sophisticated investors. The high returns provided by similar investment products during the bear market at the beginning of that decade led to an increased interest in hedge funds by average retail investors. However, although the products may be similar, there is a different risk profile associated with the different market segments. Dealer members that sold such products to clients with a low-risk tolerance created undue risk for both their clients and the firm. Many new products are effectively hybrid products; they combine material characteristics that are traditionally associated with different product categories. Such products do not easily fit into standard product categories. © CANADIAN SECURITIES INSTITUTE 4 10 CHIEF COMPLIANCE OFFICERS QUALIFYING EXAMINATION      SECTION 2 EXAMPLE Principal-protected notes are structured product offerings that combine a principal guarantee with higher- risk strategies to generate income. The principal amount invested is commonly not subject to significant risk (other than that it becomes essentially a deep-discount note, with no investment return or return of principal until maturity). However, there may be uncertainty as to whether the targeted income stream is achieved. This combination of high- and low-risk features highlights the importance of product knowledge for the firm. 
Dealer members should consider the following risks when offering a new product: Failure of the firm to address all risks associated with the product Lack of vetting by the firm’s product review committee Any enhanced disclosure obligations or requirements for the client to obtain independent legal advice, given the complexity of the new product Suitability risk arising from failure by registrants and clients to understand the attributes of the product Subsequent regulatory or legal changes that alter the product’s economic or risk profile Risk management for new products involves the following tasks: Create a senior-level new product committee to assess all new product plans. Analyze material aspects of new products before they are offered. Use multi-disciplinary project teams to ensure that all key requirements are addressed. Train and educate staff about the characteristics of new products offered. Note: This topic is discussed in greater detail further on in the course. DERIVATIVES Derivatives make up a securities category that includes options, futures, forwards, and swaps. These products are not new, but they are perceived to be higher risk. Contrary to their reputation, derivatives originated primarily as risk management tools and continue to perform an important risk management function in the marketplace. However, derivatives warrant specific consideration because of their complexity, inherent leverage, and volatility. Speculative derivatives trading can lead to catastrophic losses when the risk level is not recognized until it is too late. Many new products incorporate derivatives into their structure, in which case both derivative risk and new product risk are present. DIVE DEEPER Specific supervisory requirements for derivatives are addressed in IDPC Rule 3900, Part (F), Supervision of Options, Futures Contracts, and Futures Contract Option Trading Accounts. 
Derivative risk management standards are also mandated under IDPC Rule 4900, Derivative Risk Management, because general risk management techniques are also applicable to derivatives. For complete requirements, visit CIRO’s website. © CANADIAN SECURITIES INSTITUTE CHAPTER 4      RISKS FACED BY INVESTMENT DEALERS 4 11 CLIENTS The level of client risk depends on the type of clients that a dealer member serves and their level of vulnerability. Client type depends on whether the dealer member is retail or institutional, non-domestic, or resident Canadian. Client risk can be broadly grouped into two categories: 1. The risk that the firm’s employees will act inappropriately at the expense of its clients 2. The risk that the firm’s clients will act inappropriately at the expense of the firm The second risk can result in direct financial loss to the dealer member through fraud or credit default. Even if the firm is not directly affected financially, by facilitating illegal client activities such as money laundering or market manipulation, it can suffer material adverse consequences. Some risks may be lower with institutional clients because considerations such as suitability may be less relevant. However, credit risk and gatekeeper risk may be greater. The risk profile of a dealer member’s retail client base is determined by the clients’ KYC profile. It includes factors such as overall investment knowledge, income, net worth, and age. The types of client accounts maintained by a firm also affect its risk profile. For example, the extent to which the dealer member’s retail clients engage in margin investing can indicate the risk associated with the firm’s business. So, too, can the proportion of managed and discretionary accounts compared to self-directed accounts. The account management practices of a dealer member and its registrants can have an overlapping effect on its management of client risk. 
For example, investment advisors who carefully document the nature of all client communication are more likely to successfully manage client complaints thanks to clear and concise file notes.

STRATEGIC AND TACTICAL MANAGEMENT RISK

Strategic and tactical management risk relates to the extent to which a dealer member can devise strategies for its business operations and then put those strategies into effect. Business strategy decisions have a material effect on the compliance function when compliance resources are required to execute those decisions. A CCO should be aware of material business decisions and take them into account when designing a compliance plan. By engaging early in the decision-making process, the CCO can alert senior management to the compliance factors associated with various courses of action, which allows time for planning.

BUSINESS STRATEGIES AND DECISIONS

Business strategy and decision risk relates to the strength of a dealer member’s business planning process. It is affected by management’s ability to identify necessary changes to strategic direction and by the scope and frequency of those changes. A dealer member that fundamentally changes its business direction can encounter the same risks as a new firm. On the other hand, a risk also exists when the firm fails to recognize the need for change.

BUSINESS ALLIANCES

Business alliance risk is the risk that a dealer member will select inappropriate business partners. This risk encompasses various types of business alliances, including referral arrangements, and can manifest itself in many ways.

EXAMPLE

Both dealer members and individual registrants have exposure in this area. A dealer member must, out of necessity, deal with many different contractual partners or vendors. In these contexts, the dealer member should carry out sufficient due diligence on such vendors.
They should be particularly vigilant with vendors that carry out sensitive activities or functions for the dealer member (such as communication or third-party compliance functions) to ensure that the vendors have acceptable policies around privacy and cybersecurity.

Similarly, dealer members must exercise caution when engaging in business relationships for the purpose of client referrals. The risk of unlicensed referral agents engaging in activities that require registration is significant in this area. For individual registrants who may have referral arrangements, the dealer member should make sure they are capable of adhering to the stated requirements in the referral contract between the dealer member and the referring agent’s organization. This due diligence includes receiving an annual attestation from the referral agent that it has not engaged in any form of registrable activity that would violate the referral arrangement between it and the dealer member. National Instrument 31-103 applies specific requirements to such activities, in particular on the nature of conduct and behaviour of each party to the referral arrangement.

In another example of business alliance risk, dealer members focused on distribution can be exposed to risks originating at a manufacturer, particularly if the distributor has a limited number of manufacturers or gives priority to a specific manufacturer. Conversely, manufacturers may be exposed to risk if a distribution partner engages in inappropriate sales practices.

The degree of risk in the context of business alliances depends on the extent of economic codependency and uniqueness. For example, a standard (and commonly used) arm’s-length distribution arrangement is typically considered lower risk than a distribution alliance that includes a negotiated ownership interest or participation in revenue or profit.
A CCO can manage business alliance risk by using due diligence, contractual protection, and conflict management mechanisms when choosing and dealing with business partners.

CORPORATE STRUCTURE AND OWNERSHIP

Corporate structure and ownership risk relates to the extent to which the corporate group might engage in inappropriate related-party transactions, or the extent to which it might be exposed to conflicts of interest. With more complex structures, the risk is higher. The following factors should be considered:

• The nature of ownership (external or internal)
• The nature of and rationale for the group structure
• The degree of wider group control and influence on business activity
• The frequency, size, and nature of related-party transactions
• The influence of other regulatory regimes on the group’s activities

FINANCIAL SOUNDNESS

Dealer members regularly put their financial capital at risk to engage in business activities and to extend credit to clients. Regulations establish minimum capital and margin requirements that restrict dealer members in how they can finance their activities. Dealer members that rely on outside borrowing and similar short-term financing to meet capital requirements may be exposed to funding and liquidity risks.

Risk related to financial soundness is measured by a dealer member’s ability to maintain ongoing financial viability for the protection of client assets. Its conduct in response to financial pressures is also a factor in assessing this risk.

Financial soundness is a basic element of the CIRO Financial & Operations Compliance Risk Assessment Model, but it also affects business conduct compliance.

PROFITABILITY AND LIQUIDITY

Risk related to profitability and liquidity is the risk that a dealer member will be unable to maintain profitability and liquidity at an adequate and relatively stable level.
Failure to appropriately manage this risk can result in significant financial losses to the dealer member. Such losses might arise from misappropriation of assets or misguided commitment to a losing proprietary trading strategy. Losses incurred by clients or others as a result of actions or omissions by the dealer member or its employees can be transferred to the firm through restitution orders, claims, or civil judgments.

Insurance can help protect against employee fraud and misappropriation of funds, loss of property, and liability. The appropriate insurance products used to manage each of these risks are, respectively, fidelity bonds, fire insurance, and errors and omissions coverage, directors’ and officers’ liability policies, or owner-occupier liability insurance.

INTERNAL RISK

Internal risk factors relate to a dealer member’s ability to operate effectively and efficiently based on its resources and processes. The human, capital, and operating resources used to conduct business at a dealer member all give rise to associated risks. The factors that determine the degree of associated risk are unique to each firm. Various aspects of internal risk are described below.

QUALITY OF MANAGEMENT AND STAFF

An investment dealer’s success is highly dependent on the expertise, skills, and quality of its management and employees. Certain activities, such as investment banking and corporate finance, rely largely on the ability of staff to develop customized solutions for individual clients. (Discount brokerages, on the other hand, focus on providing standardized service to a broad market.)

Risk regarding the quality of management and staff relates to how well a dealer member is structured and how effectively the lines of responsibility are assigned. Supervisors must have the knowledge, experience, and skills necessary to meet business requirements, and staff must be equally qualified to carry out technical functions.
Relevant factors in assessing this risk include the quality and depth of the dealer member’s recruitment process and its training and development policies. The degree of risk also depends on the qualifications of management and staff in relation to the complexity of the dealer member’s services and products. Other factors include employee experience based on tenure and the rate and level of employee turnover.

Chief compliance officers are not typically responsible for assessing the competency of a dealer member’s staff. Nevertheless, their informal perspective can influence the design of the firm’s compliance program and its approach to certain situations that are relevant to staff quality.

EXAMPLE

The CCO is typically able to assess the regulatory knowledge of business line personnel for compliance risk management purposes. Reliance on the CCO’s advice and oversight mechanisms increases when the management team is not as familiar as it should be with regulations. The CCO can make sure that management and employees are informed of and kept current on new developments by distributing notices and bulletins from regulators. The CCO’s participation in the dealer member’s training and development practices is another way to address the risk that supervisory staff are unfamiliar with regulatory requirements.

ADEQUACY OF RESOURCES

Adequacy of resources describes the number of employees, not whether those employees are knowledgeable, qualified, or experienced. The risk of inadequate resources is the risk that a dealer member will have insufficient management and staff to properly carry out operating procedures and risk management practices. Typically, this risk is measured by assessing the ratio of human resources to the type of business that the dealer member conducts.
For example, an assessment of a retail brokerage might compare the number of advisors under supervision to the number of supervisors and compliance officers at every business location.

Current technology contributes to efficiency, a fact that influences the assessment of adequacy of resources. Fewer people are able to manage the same or greater volume with the help of electronic applications that rely on human handling and intervention only where warranted. Within the compliance department, a risk-based approach facilitated by technology allows for the optimal allocation of resources.

Regulations require that dealer members have adequate supervisory and compliance resources to properly carry out their compliance functions. Furthermore, CCOs should be aware that inadequate resources outside of the compliance function can indicate other risks. For example, the head office may not be staffed sufficiently to address business volumes, or there may not be enough frontline staff available to properly serve clients. Although such an assessment may be outside the scope of the role of CCOs, they should be aware that control gaps and compliance issues can arise as a result of inadequate resources.

KEY PERSON RELIANCE

Key person reliance risk arises when a dealer member relies too heavily on too few people to perform important functions or to generate revenue. CCOs should understand the compliance issues that might arise if a key employee were to leave. The following factors should be considered when assessing this risk:

• Which supervisory processes and control points are dependent on one person?
• How is decision-making authority distributed throughout the firm?
• How many people share in-depth knowledge of important functions?
• Is there a back-up person for each position?
• Does the firm have a well-developed succession plan?
• Does the firm provide cross-training to staff?
Successful supervisors focus on building a team that can independently perform to high standards without their participation.

Employees who generate significant revenue or regions that are very profitable may require special consideration from the compliance department. Big producers know that they have leeway with senior management, given their revenue-producing value to the dealer member. Some employees who are valuable revenue generators adopt compliance as part of prudent business practice; others rebel against it. The rebels may be inclined to avoid their compliance responsibilities or to minimize the personal consequences of their compliance failures.

General risk management factors apply in such situations. The CCO should refrain from being unnecessarily obstructionist, and instead give realistic and relevant advice. Care must also be taken to apply the dealer member’s policies and procedures in a consistent manner, regardless of whether the registrant in question is a high-revenue producer.

The role of the CCO is to provide guidance on the application of rules, policies, and procedures to ongoing business situations. Rather than giving orders, the CCO should explain how a rule can be applied to a particular situation in a way that supports the business mandate. Provided that the compliance department was involved at a very early stage, a solution can usually be worked out. However, in some situations, the conduct in question or the business proposed is simply unacceptable, in light of the prevailing rules.

EXAMPLE

If a dealer member operates in a jurisdiction that requires additional licensing and if a client is resident in that jurisdiction, both the dealer member and the investment advisor will likely require a licence to conduct business with the client. In this case, the CCO can offer no practical alternative.
SYSTEMS AND OPERATIONAL PROCEDURES

The operations of investment dealers are dependent on complex and interrelated technology and procedures. The computer systems that underpin the industry are connected to numerous external and internal parties, including business location networks, exchanges, depositories, other market participants, systems processing providers, and, in some cases, clients. The risk inherent in such complexity is magnified by the degree of sophistication in many brokerage applications and by the difficulty of integrating systems planning with business planning.

Risk that involves systems and operational procedures arises from a dealer member’s reliance on computer and information systems in the firm’s daily operations. It also arises from the possibility that systems are unable to meet business needs, are unreliable or inappropriate given firm objectives, or are unavailable to adequately support operations. This risk is combined with operational risk, which involves a lack of effective policies and procedures to ensure that processes are reliable. Vulnerable processes include financial, client, performance and management reporting, business continuity, and similar operational outputs.

Electronic systems support the broader operational activities of the dealer member. The volume and the value of transactions processed daily by most dealer members present risks to trading, processing, clearing, and settlement. Also at risk are the custody of cash and securities transactions and the holdings in client and proprietary accounts. The risk is affected by inaccurate data or process failure in the flow of information and in decision-making processes.

Operations risk is common to all components of the securities industry, although the degree of risk varies among business lines. For example, corporate finance activities are less susceptible to these risks than trading and retail brokerage.
Aspects of risk related to systems and operational procedures are explained below.

BUSINESS CONTINUITY

Business interruption, as a result of natural or man-made disasters, can have a devastating short- to mid-term impact on business operations. Effects include staff members’ inability to access their work locations, loss of processing and support technology, and employee injury or loss of life. Lost revenue, lost or compromised data, and reconstruction costs can result.

CIRO rules require dealer members to have a business continuity plan in order to carry on business after a significant business disruption and provide clients with prompt access to their assets. Every year, a dealer member must review and test its business continuity plan. An appropriate executive must also approve the business continuity plan annually. CIRO may require a qualified third party to carry out the annual review and test.

DIVE DEEPER

CIRO has published guidelines, checklists, and related materials on the requirements for business continuity plans to assist dealer members in meeting this requirement. For complete requirements, visit CIRO’s website.

TECHNOLOGY

Technology risk has two components related to the existence and availability of information technology. First, there is the risk that existing systems and functionality are inadequate to meet business needs. High risk might be reflected in a high level of human intervention and frequent or major system changes. Risk is mitigated by using established service providers and maintaining a strong internal technology development and support group.

The second risk related to technology involves the possibility that systems are not available because of a system or software outage or insufficient processing capacity. Technology may also be unavailable because of technical failure or cyber-attacks.
Technology risk is typically managed in the context of a business continuity plan.

INFORMATION SYSTEMS OPERATION

Risk related to information systems operation arises from inadequate development, testing, or implementation of these systems, which can result in operating errors or inefficiencies. Of greatest concern is software that affects cash, securities, client account recordkeeping, and management reporting.

Included in this risk are possible breaches in data security and confidentiality. A dealer member’s security systems should prevent unauthorized access to hardware, software, communication systems, data storage systems, and data. This requirement is in place to prevent intentional or unintentional record tampering or loss of confidential or sensitive information. This risk is particularly relevant to firms with significant levels of electronic business, such as a discount brokerage.

OPERATING PROCEDURES

Risk in operations relates to inaccurate data or process failures that affect the flow of information. Failure to accurately process, account for, and report on transactions leads to poor decision-making. Dealer members most at risk are ones that rely heavily on manual processes or on automated processes that require a high level of intervention. Of particular concern are transactions that affect cash, securities, and client accounts.

At some dealer members where operations risk is high, policies and procedures are inadequate; at others, they are adequate but ignored. Firms that fail to conform to their written procedures risk regulatory action or litigation. Even when written procedures exceed what is required by regulation, firms must meet their own documented standards. This risk and the related risk management procedures are highly correlated to the effectiveness of the dealer member’s internal controls.

THIRD-PARTY PERFORMANCE

Third-party performance risk measures a dealer member’s exposure to failure or sub-standard contractual performance by suppliers.
Assessment of this risk requires that CCOs look beyond contracts to the overall quality of service provided by third parties.

EXAMPLE

An introducing broker is usually highly reliant on its carrying broker. The carrying broker’s reputation, ownership, and functions help to determine whether the introducing broker is exposed to risk. Conversely, a self-clearing investment dealer may have very limited third-party exposure. Risk related to internal systems and operations, however, is higher for such a firm.

SUPERVISION OF BUSINESS LOCATIONS

Ineffective supervision at the business location level is a risk for some dealer members. Management of this risk is usually fundamental to the design of a firm’s compliance program. The degree of risk is determined by factors such as the number of business location supervisors or other personnel monitoring client account activities, the adequacy of management reports, and the extent and frequency of supervisory monitoring.

FRAUD OR UNETHICAL BEHAVIOUR

The risk of fraud or unethical behaviour is the risk that someone will attempt to defraud a dealer member or its clients of funds. This risk can arise from either an external or internal source. Internal fraud occurs when a manager or employee within a dealer member steals funds from the firm or from client accounts. CIRO assesses this type of fraud risk under the internal risk category. External fraud risk is a separate category.

Supervisors and employees at a dealer member are expected to make rational decisions that are aligned with the dealer member’s objectives. However, there will always be people willing to seek personal profit at the expense of the organization. No mechanism can fully eliminate this risk, but internal control systems can limit it. An effective risk management system considers the damage that might result if an employee circumvents the controls.
Risk of fraud is one of the CCO’s greatest concerns. Compliance staff should look for unusual trading patterns and the movement of money or securities among accounts. If employees are experiencing financial difficulty or are in great need of money, their activities should be closely monitored. Depending on the circumstances, CCOs should ensure that employees provide accurate and complete information, and the information should be confirmed against reliable sources.

Particularly problematic are schemes in which clients are induced (by either an employee or a third party) to become participants in illegitimate activities from which they stand to profit. These schemes rely on the silence of the participants, who believe that they are contravening a rule or regulation. In fact, they are the intended victims.

Insider trading is a further concern for CCOs, particularly as it relates to gatekeeper responsibilities. Though the dealer member and its clients may not risk financial loss in such circumstances, the risk involves other capital market participants and the reputation of the industry as a whole.

CYBERSECURITY RISK

Cybersecurity-related issues present challenges similar to anti-money laundering issues for dealer members. In both cases, the concerns raised and potential damages that can arise require coordinated, enterprise-wide solutions that are implemented from senior management down to line staff. As well, the threat posed by cyber-attacks can significantly impair the dealer member’s reputation and ability to operate as a going concern. For these reasons, CCOs must take great care in formulating an approach to this issue.

IIROC originally published Notice 15-0294, Dealer Member Cyber-security, to assist dealer members in addressing these challenges and in designing a cybersecurity program that augments the dealer members’ overall risk management programs. Other helpful publications are CSA Staff Notice 11-326, Cyber Security, and CSA Staff Notice 33-321.
Other regulators have also published guidance on this topic, including OSFI, IOSCO, and FINRA. In preparing a cyber-security program, compliance employees should review as many resources as possible to determine the most suitable approach for their particular firm.

In addition, dealer members should carefully review Guidance Note 3700-22-001, Compliance with IIROC’s Cybersecurity Incident Reporting Requirements. Similar to what dealer members are required to report in terms of client complaints, certain cybersecurity incidents must be reported to CIRO within 3 days of discovery of the incident. The dealer member must also provide an investigation report to CIRO within 30 days of discovery. This type of reporting requirement is similar to a dealer member’s requirement to report to the Privacy Commissioner of Canada in respect of data breaches. Dealer members should review their policies and procedures to ensure that both the act of reporting and the process of reviewing and documenting the incident itself are in keeping with applicable guidelines, from both a privacy perspective and a cybersecurity perspective.

CIRO has also issued two publications: Cybersecurity Best Practices Guide and Cyber Incident Management Planning Guide. The best practices guide is a set of industry standards designed to help dealer members develop a voluntary framework in which to manage cybersecurity risks. CIRO recognizes that the policy and approach chosen by each dealer member should be based on risk management that reflects the particular operations of the firm in the most cost-effective way.

ELEMENTS OF AN EFFECTIVE CYBERSECURITY PROGRAM

The elements of an effective cybersecurity program include preventive, detective, and corrective controls.
Although cybersecurity programs differ for each dealer member, every firm should consider the areas described below in designing and implementing an appropriate and effective program.

GOVERNANCE

Leadership and structure are critical to a well-functioning program. Dealer members should have an overall owner of the cybersecurity function, just as they would have a chief financial officer, a chief anti-money laundering officer, and a CCO. Each firm should have a corresponding framework in place for oversight of its cybersecurity program. The specific framework depends on the dealer member’s business issues, but every firm should have the following essential elements:

• A person or committee to oversee the functioning of the program
• Written policies and procedures
• A risk assessment requirement, including a list of the factors that should be evaluated
• Implementation of various security measures, both physical and otherwise
• An incident response plan
• An appropriate cybersecurity awareness and training program

Given the severity of cyber-attacks, the significance of the threat to regulators, and the potential for harm to both the dealer member and its clients, it is important that the board of directors and senior management of the firm be involved. Both a cross-disciplinary and a top-down approach ensure a balanced and robust program. Cybersecurity should not be viewed as an issue related only to information technology, but as one that can affect multiple departments. All departments should be engaged in the process, including the front office (which has direct contact with clients), and the compliance, legal, and internal audit departments.

RISK ASSESSMENT

The method of assessing the risk to which a dealer member is exposed is an important element of its cybersecurity program. The risk must first be assessed before the cybersecurity measures and practices can be developed and implemented.
The exercise of preparing a risk assessment helps the dealer member identify threats and vulnerabilities that it can then address with appropriate controls. Risk must be assessed on a recurring basis to ensure that the dealer member’s cybersecurity program is adequately addressing its needs. The frequency of the assessment may vary by firm; however, given the severity of the issue, it should be carried out at least annually.

EXAMPLE

Registrants in the investment industry are exposed to risks such as the loss or theft of confidential information related to clients or the dealer member itself, the misuse of client monies or security positions, and the theft of other information that is confidential or proprietary to the firm. Any of these risks, if realized, can pose significant harm to the firm’s clients and reputational harm to the firm itself.

As with the program itself, the issues addressed in the risk assessment should be tailored to fit each dealer member’s particular business model. In general, the following issues should be evaluated (however, the list should not be considered exhaustive):

• All aspects of the firm’s information technology infrastructure
• The firm’s cybersecurity awareness and training program
• Management of physical assets, including firm-owned and employees’ personal devices
• Personnel screening and hiring practices
• Network security and back-up practices
• Account management
• Contractual relationships with third-party service providers

SECURITY MEASURES

As with any risk program implemented for business or regulatory purposes, appropriate security measures must be implemented as necessary to mitigate risks identified during the assessment. They might include a basic lock on a server room door, an advanced computer firewall, and strict requirements as to the care and storage of firm-owned laptops.
Some dealer members may have a permissive policy regarding personal devices, whereas others may restrict or prohibit their use.

POLICIES AND PROCEDURES

Physical security measures are only as effective as the people who use them. Various policies and procedures must therefore be developed and implemented to ensure that the cybersecurity program operates optimally. Policies should be the result of a coordinated effort by all affected business units. They should articulate firm-specific objectives that reflect, among other things, the level of risk that the dealer member is prepared to accept.

EXAMPLE

Policies and procedures typically govern hiring practices and pre-employment screening, workplace practices and procedures, and data transfer requirements, among other activities. Also relevant to cybersecurity policy and procedures is the way the dealer member deals with requests from clients to transfer funds or pay funds to clients.

CYBER-INSURANCE

Cyber-insurance is no longer limited to losses from data breaches, as it once was. Additional coverage may be available for theft, virus-related issues, business interruption, and identity theft. Dealer members should evaluate their existing coverage with their insurance providers to determine whether cyber-insurance is available or can be purchased under an existing policy.

INCIDENT RESPONSE PLAN

Although the ultimate goal of an effective cybersecurity program is to avoid cyber-incidents, this result cannot be guaranteed. As such, part of an effective program is to have a response plan in place to minimize the effects of an incident. As noted in CIRO’s Cyber Incident Management Planning Guide, an appropriate response plan involves components that must be addressed before, during, and after an incident occurs.

Incident management can be broken into five phases:

1. Plan and prepare: During this phase, a cybersecurity program is established and implemented. The governing framework is set, a team assembled, risk assessment completed, policies and procedures developed, and any other relevant action to get the program established is undertaken.
2. Detect and report: Systems, both internal and external, are actively monitored for any anomalous activity. If something out of the ordinary is discovered to have occurred, the persons appointed to manage the issue are notified and will determine whether to take further action, if necessary.
3. Assess and decide: Not every event reported will be serious and warrant further action. Criteria developed in the first phase are used to assess the true nature of the situation, and a decision is made as to further action.
4. Respond: If the situation warrants, the incident response plan is put into action to effectively control and minimize damages.
5. Review: A post-incident review is done to assess the effectiveness of the plan and to learn what can be improved on. Those improvements are then made to reduce risk in the future.

It may be necessary to record or disclose information under various areas of legislation such as the Personal Information Protection and Electronic Documents Act or the Digital Privacy Act. Some dealer members share appropriate details with other firms in the industry to create a supportive network that can help prevent future incidents.

EXAMPLE

An excellent example of the impact of a cyber-attack is the after-effect of the attack against a high-profile Canadian company in 2015. The attackers released the account information of millions of customers with intent to compel the company to shutter its operations. The company is now the subject of a multi-million-dollar class action lawsuit. In this case, the impetus for the attack appeared to be a dispute relating to the aims and objectives of the company.
Dealer members must be cognizant, however, that the objective of hackers may simply be to cause a business interruption. Theft or the release of client information is not always the goal.

A RISK-BASED APPROACH TO COMPLIANCE

3 | Explain the risk-based approach to designing and implementing a control environment and compliance program.

In a risk-based approach to compliance, a dealer member’s risks are identified, and the resources available to address them are determined. The CCO then assesses and prioritizes the risks and allocates resources appropriately. In essence, the CCO weighs the significance of risks against the availability of resources and allocates more resources to higher-risk matters.

One of a CCO’s primary responsibilities is to establish and manage a supervisory system designed to comply with regulatory requirements. The appropriate size and structure of the system and the risk management techniques it uses depend on a dealer member’s size, structure, and type of business.

Dealer members are exposed to different types of risk, and their effects can vary dramatically. For example, the implications of risk related to systems and operational procedures are different for an introducing broker than for a self-clearing dealer. Both aim to protect the interests of their clients and the dealer member in the event of a business interruption, but they differ in the way they manage the risks associated with this objective. Similarly, dealer members that do not handle or have custody of client assets have different control considerations from those that do.

A dealer member’s compliance system and risk management procedures may need to be modified depending on the evolution of its business and changes to regulatory requirements and perceived risks. In the past, the compliance function at many dealer members was structured simply to satisfy regulatory requirements.
Recently, there has been more emphasis on a risk-based approach to compliance. While still meeting minimum regulatory requirements, a risk-based approach also attempts to allocate compliance resources in the best way possible. Many regulatory supervision standards are flexible enough to accommodate, and even promote, such a tailored risk-based approach.

EXAMPLE

A good example of the use of a risk-based approach is the manner in which a dealer member approaches the supervision of its anti-money laundering activities. The Financial Transactions and Reports Analysis Centre of Canada has specifically outlined the framework that must be in place to carry out this supervision, part of which includes a risk-based approach.

A risk-based approach can be used to determine the allocation of the resources of the whole compliance department, or of sub-components of the department. A compliance department might analyze how much time it should spend on tasks such as trade reviews, client complaints, and regulatory requests, as well as on advising registrants and reviewing marketing materials. It might also analyze resource allocation within one component of the department, such as business location reviews.

EXAMPLE

A dealer member that has an established practice of doing business location reviews on a one-year cycle might use a risk-based approach to identify high-risk and low-risk business locations. It might then determine that high-risk business locations should be reviewed every six months and low-risk business locations every two years, with the one-year cycle applying to the remaining business locations.

ASSESSING RISK

Daily risk assessment is usually conducted informally. CCOs rely on relevant regulations and on an instinctive understanding of the regulator’s philosophy. They often ask themselves three questions to assess the risk inherent in business activities:

• Is the client being harmed, financially or otherwise?
• Does the situation breach any laws, rules, or regulations?
• Given my knowledge and experience, does the situation pass the “smell test”? In other words, does it feel morally acceptable?

If the answer to the first two questions is negative, the CCO would likely decide that the activity can proceed. However, the spirit and intent of regulations can be violated without technically being breached. Sometimes a situation feels wrong, even when no client is harmed and no law is broken. To assess whether a situation feels morally acceptable, the CCO should ask whether the firm’s reputation would be at risk if the situation were to become publicly known.

EXAMPLE

An advisor leaves a message for a client on both voicemail and email recommending a trade in a particular position. The message is time sensitive, given market volatility. The client responds by email requesting that the advisor proceed with the trade, which the advisor does. The dealer member has a policy stating that advisors must speak with their clients to confirm assent before processing a transaction. In this case, the advisor did not speak directly with the client and, moreover, did not review certain important aspects of the trade with the client. As the CCO, what would you do in this situation?

More formal risk assessment and management processes can take various forms. Trading and credit, for example, are supported by dedicated risk management units. These units use sophisticated quantitative models to measure and control a dealer member’s risk at a given point. An inventory of a dealer member’s compliance risks mapped against related supervisory and compliance controls can help determine where best to allocate compliance resources.
REDUCING RISK

The control environment of a dealer member contains the following aspects:

• Approach to governance
• Management style
• Organizational structure
• Commitment of resources
• Communication style
• Procedures and controls (and level of adherence)
• Personnel behaviour
• Human resource policies and practices

The control environment is the foundation for the dealer member’s other components. It is the environment in which employees conduct their activities and carry out their control responsibilities. It is within this environment that management assesses risks and implements controls to ensure that employees address them. Meanwhile, management communicates relevant information throughout the organization. Staff with control responsibilities monitor the process and suggest changes, where necessary.

The degree of risk that a dealer member is willing to accept is defined within the context of an overall policy framework. This framework specifies who is responsible for establishing risk tolerance limits, policies, and levels, as well as for monitoring, managing, and reporting on risk. The policies and procedures that are adopted depend on the nature of the risks. An ongoing review and assessment process ensures that policies and procedures remain appropriate and effective and are promptly modified when necessary.

To be effective, the risk assessment and management process must have certain attributes:

• Concern for risk management must start at the highest level within the firm.
• Risk management must be proactive.
• Risks must be defined comprehensively and consistently.
• Risks must be identified and assessed across the institution.
• Responsibility and accountability for specific risks must be established.
• Appropriate tools must be in place, including procedures, controls, and risk mitigants or transfers.
• Risk management must be integrated with all management and business activities.
• Risk management must be coordinated with capital, liquidity, and funding management.
• Risk management must have support from a suitable control environment.

Many of these attributes also exist in a formal compliance structure, reflecting its fundamental risk management objectives.

ESTABLISHING CHECKS AND BALANCES

Checks and balances help to ensure that no one person at a dealer member has the authority to act alone. Checks and balances should be in place for every process or activity that could result in fraud or unethical behaviour.

EXAMPLE

Fraud involving cheques is usually based on false pretenses for the issuance of the cheque, rather than an abuse of the process itself. For that reason, no one at a dealer member should have sole authority to issue cheques. In addition, the issuance and pick-up of cheques should be well documented.

Checks and balances should occur at all levels and within all operations. They should include approval authorization levels, reconciliation of accounts, and segregation of duties and supervisory processes. Systems should be in place to measure, monitor, and provide information about risk. The system should be integrated in a way that ensures that business objectives are achieved. A dealer member should assign responsibility for managing and controlling specific risks to qualified individuals, and it should provide them with enough resources to do their job. The assigned responsibilities should be clearly documented and communicated so that those who are responsible can incorporate them into their decision-making activities.

USING APPROPRIATE TOOLS AND TECHNOLOGY

To meet regulatory requirements, a compliance function needs appropriate tools and controls. Beyond the minimum required, any technology that can process account information, facilitate document retrieval, or analyze portfolios improves the compliance function.
Available technology can also improve trade surveillance, complaint investigation, and communication with regulators. Whenever possible, controls should be embedded into existing technological and operational processes so that they are routinely used.

EXAMPLE

A dealer member that completes all trade orders online, rather than using paper trade tickets, may have difficulty determining whether an order is solicited or unsolicited. If possible, the firm should modify the online trade execution system to prevent an order from being submitted when there is no indication as to whether the trade was solicited. In this way, the firm can implement a control in an existing technological process.

ELIMINATING UNMANAGEABLE RISKS

Unmanageable risks are those risks that have been identified and analyzed in accordance with the framework articulated above, and that cannot be resolved with the allocation of resources by the dealer member. Such risks should be eliminated wherever possible.

EXAMPLE

Frauds committed by rogue registrants often involved the registrant redirecting client statements from the client’s address to an address associated with the registrant. In this way, the registrant concealed the true status of a client’s portfolio from the client. In some cases, the registrant would send a fictitious statement to the client. These frauds were possible because registered representatives were able to change addresses on file with the dealer member. Rather than try to manage such a risk, most dealer members eliminated it by removing the RRs’ permission to change client addresses. Many firms now require a written letter from clients who request a change of address.

CHOOSING BETWEEN RISKS

Occasionally, CCOs are in a position where they must choose between two or more risks. In such situations, the goal should always be to reduce residual risk to the dealer member.
Based on knowledge and experience, the CCO must decide which risk is most immediate and most significant. The significance of a risk depends on the circumstances of each situation, but important factors to consider are potential harm to clients, financial exposure to the dealer member, and potential legal, regulatory, or reputational ramifications.

Chief compliance officers can react to risk as situations arise, or they can take a proactive approach. Proactive choices should be built into the compliance system. In making choices, immediacy is the only consideration. Decisions about which risks are most important can be based on future risk trends and future resources that CCOs have at their disposal.

RISK-BASED MODELS AND METHODOLOGIES

4 | Discuss the factors that the Canadian Investment Regulatory Organization considers when it assesses a firm under its risk trend report methodology.

A number of regulators have adopted risk-based models and methodologies to guide their activities and allocate resources. These regulators follow a strategy similar to that of a dealer member allocating risk based on activities. For example, a dealer member that offers options trading to its clients may be assigned a different level of risk than one that does not.

Each CIRO compliance department – financial and operations, business conduct, and trading conduct – maintains its own risk model, which acts as a risk management tool to help identify, define, and assess risks for regulated dealer members, compared to the industry as a whole and to their peers. These models help staff determine each dealer member’s risk profile relative to other dealer members and the priority focus of CIRO’s compliance examination cycle. The models are also used to prepare a risk trend report (RTR) for each individual dealer member that reflects the areas of risk inherent in its business model and how it manages its business, based on the supervisory controls and governance that are in place.
The RTR is sent to dealer members with CIRO’s recommendations on areas in which they should have priority focus to improve and reduce their risk profile.

CIRO RISK TREND REPORT

CIRO’s RTR process has the following objectives:

• Encourage dealer members, particularly those with a high or deteriorating risk profile, to strengthen their governance and risk management practices.
• Increase overall industry compliance.
• Provide information to dealer members.
• Reduce regulatory burden for lower-risk firms through decreased frequency and scope of regulatory examinations.

The RTR identifies the key factors in a dealer member’s risk assessment, makes specific recommendations for the firm to take action, and provides comparisons with both its peer group and the industry as a whole. Circulation of the RTR is restricted; it can be accessed only by the dealer member, its panel auditor, and the regulators.

Relative to all other dealer members under CIRO’s jurisdiction and to peer groups engaged in comparable activities, each dealer member is categorized and ranked in the following order:

1. Integrated (national dealer members engaged in proprietary trading, retail and institutional business, corporate finance, and research activities)
2. Retail (predominantly servicing individual retail clients)
3. Retail (Type 1 and Type 2 introducing brokers)
4. Managed accounts
5. Discount brokers (suitability-exempt)
6. Institutional
7. Corporate finance (predominantly engaged in the distribution of securities and research)
8. Alternative trading systems
9. Proprietary trading and other

INDUSTRY COMPLIANCE PERFORMANCE

CIRO uses risk assessment models to assign risk scores to dealer members and track the compliance performance of each firm, each peer group (firms involved in similar lines of business), and the industry as a whole. ComSet is used to track trends at each level.

DID YOU KNOW?

The ComSet Risk Tool is a software tool based on a statistical regression model that uses mathematical algorithms to normalize ComSet reporting. It takes into account such things as the number of events reported by a dealer member, the types of events and violations, the seriousness of events, and the number of registrants at a firm. A statistically valid weighting is assigned to all events. The tool allows this information to be presented in graphical form. The graphs demonstrate the reporting trends for a dealer member and show its standing in relation to firms in the same peer group and the industry trend line.

Individual dealer members are provided with RTRs outlining their risk assessment and their performance compared to their peer group and the industry. CIRO staff use the risk assessments to focus resources on dealer members that perform poorly compared to others and to encourage them to improve their scores. This risk-based approach to regulation allows CIRO to re-allocate resources to firms that have a higher-than-average potential to cause risk to the public. CIRO’s approach aims to enhance the quality of regulation while minimizing unnecessary regulatory burdens on firms posing little or no risk.

EXAMPLE

A dealer member with a higher-than-average risk score does not necessarily pose an actual or current threat to the public and is not necessarily in breach of any regulatory requirements. The risk-based methodologies used by CIRO’s compliance and enforcement staff compare the relative risk of CIRO dealer members. They were developed to identify and address potential problems before they have an impact on investors.

RISK CONTROLS

5 | Develop a framework that relates the relevant aspects of risk assessment and management directly to a dealer member.
In addition to the general approach to risk management noted throughout this chapter, IDPC Rule 4200 Part B sets out the general requirements regarding internal controls to assist dealer members in complying with CIRO requirements and securities laws. Other CIRO rules address control requirements for capital adequacy, insurance, segregation of clients’ securities, safekeeping of clients’ securities, safeguarding of securities and cash, and derivative risk management. In this section, we discuss how to develop a control framework that encompasses aspects of risk assessment and risk management at a dealer member.

BOARD, MANAGEMENT, AND STAFF

The degree to which a dealer member’s governance structure and processes are aligned with risk management determines, in part, how effectively the dealer member mitigates risk. Equally important are the values held and demonstrated by the board of directors, executives, and senior managers, which, as previously discussed, are typically referred to as tone at the top.

CORPORATE GOVERNANCE

In setting controls for corporate governance, the CCO of a dealer member must assess whether the governance structure and its processes are effective. Assessments should include the following considerations:

• Board and sub-committee structure and terms of reference
• Board composition and competence
• Knowledge and commitment of members
• Frequency and documentation of meetings
• Level of direction, authority, understanding, and control over business activities
• Flow of risk-related information to all key stakeholders

Furthermore, if a dealer member is owner-managed, the CCO should assess the adequacy of the governance structure in light of the firm’s ownership.

The leaders at a dealer member must deliberately establish a tone at the top that fosters a culture of compliance. They must demonstrate strong ethics and serious regard for compliance with regulatory requirements.
If senior management members put personal or business interests ahead of client interests, or have a wilful disregard for ethical conduct, others within the dealer member are likely to follow their lead. In setting controls related to the governance structure, the CCO should consider not only how the firm’s leaders talk about compliance, but also how they demonstrate and document it. The CCO is also required to report periodically to both the UDP and the board of directors. The manner and speed with which the CCO escalates issues, and the manner and speed with which the issues are then dealt with by either the UDP or the board of directors, are prime indicators of tone at the top for the dealer member’s employees.

MANAGEMENT AND STAFF CULTURE

Management and staff culture is affected by their appetite for risk, their level of ethical and moral values, and their professional conduct on the whole. In setting controls, the CCO’s assessment of the culture should include the following considerations:

• Attitude toward risk management, controls, and supervision
• Extent to which compliance is encouraged
• Quality of relationships with regulators
• Willingness and ability to keep up to date on issues and concerns
• Willingness to foster a positive learning environment when errors are made

CCOs should continuously instill a corporate culture of compliance among management and staff. A culture of reluctance or noncompliance brings increased regulatory, legal, and reputational risk to the dealer member. In a culture of lax compliance, the CCO must look for evidence of compliant and ethical behaviour. Upon finding exemplary ethical behaviour, the CCO should call attention to it and recommend to senior management that it be recognized and rewarded.

RISK MANAGEMENT PRACTICES

Risk management practices and internal controls must be designed well and executed properly.
Good risk management contributes to reliable reporting of financial information and safeguarding of assets. Control of risk management practices requires assessment of a dealer member’s method of identifying, prioritizing, assessing, monitoring, and managing its risks. Indicators of good practices include a documented inventory of risks, risk frameworks, risk management strategies and policies, and evidence of effective risk management. Evidence of insurance to manage risk is also necessary.

HEAD OFFICE OR CORPORATE COMPLIANCE SUPERVISION

This control is achieved through an effective centralized head office sales supervisory function. Its effectiveness depends on the adequacy of designated compliance officers, the extent and frequency of compliance reviews, and the adequacy of corporate sales policies and procedures. Also significant is the extent to which regulatory supervision standards are met or exceeded.

INTERNAL CONTROLS

Internal controls require assessment for the following factors:

• Adequately documented internal control policies and procedures
• An effective internal audit function
• Segregation of duties and client assets
• Maintenance of effective reconciliation processes relating to external parties
• Controls over advertising and sales literature
• Oversight of control/suspense accounts

CIRO considers internal control effectiveness in its RTR.

BUSINESS LOCATION RISK ASSESSMENTS

Dealer members with various business locations must conduct periodic onsite reviews of supervision and recordkeeping. Frequency and depth of review depends on the types of business and level of supervision conducted at a business location. The dealer member should have a documented process to assess risk at its various business locations. This process lets the compliance department vary the frequency of reviews among business locations with different risk characteristics. It also helps in determining which areas within a business location must be reviewed.
In designing and documenting a scoring system, factors can be weighted based on the dealer member’s areas of greatest risk and its best indicators of good supervision. Table 4.1 details the factors that a CCO should consider in assessing risk at a business location.

Table 4.1 | Business Location Risk

Risk area                    Factors
---------------------------  -----------------------------------------------------------------------
Size                         Number of RRs
                             Number of active accounts
                             Assets under administration
                             Number of business locations
Supervisors                  Experience
                             Number
                             Producing or non-producing
Types of business            Number (more types of business supervised at the business location correlates to higher risk)
                             Specific types of business (can also be assessed as carrying different risks)
                             Securities (relative amount of activity in senior equities, speculative equities, fixed income, mutual funds, and derivatives, taking into account the types of strategies used)
Activity                     Commission-to-equity ratio
                             Extent of margin use
Complaints                   Number of client complaints, weighted by seriousness of allegation
                             Litigation
Registered representatives   Number of RRs under strict or close supervision
                             Experience of RRs
