FINRA’s Risk Management Priorities for 2016

Steven Minsky | Feb. 17, 2016

The Financial Industry Regulatory Authority (FINRA) releases an annual letter outlining its Regulatory and Examination Priorities for the upcoming year. In line with letters and rules from other regulatory bodies such as the SEC, NAIC, and FFIEC, the 2016 FINRA Priority Letter puts the spotlight on risk and control management. What, specifically, are the FINRA priorities of the year? Among other things, “FINRA will focus on the frameworks that firms use to develop, communicate and evaluate conformance with their culture.”

Before a framework is adopted, however, firms need to be able to evaluate the standings of their current risk cultures. The RIMS Risk Maturity Model, recognized by organizations such as the NAIC and the American Petroleum Institute, has emerged as a leading tool designed to give this type of insight. The RMM is a free online resource that “allows you to score your risk management program and receive an immediately available report.” It helps you benchmark where your integrated risk management capabilities stand, identify where your program is weakest, and provide a roadmap for improvement. This report helps ensure your organization avoids reputational damage and costly fines associated with poor risk management.

Three Priorities to Learn More About

Priority #1: Effectively Managing Conflicts of Interests

Organizations of all sizes and industries face systemic risks that can be traced back to their employees. Financial institutions are no exception. In fact, they may be some of the highest-risk organizations. The large amounts of PII that brokers house, as well as the sensitive information surrounding insider financial information, can create a number of ethics and security concerns.

FINRA emphasizes the need for organizations to assess, mitigate, and monitor risks surrounding 1) incentive structures and 2) potential avenues for information leakage. The Risk Maturity Model (RMM) is a best-practice framework that has helped thousands of organizations measure and improve their risk culture. This year’s FINRA priorities indicate that the financial services industry values and requires quantifiable risk benchmarks like those provided by the RMM.

Priority #2: Risk-Based Cybersecurity & Technology Defenses

Cybersecurity has been highlighted by FINRA, as well as regulators across the board, because of the “persistence of threats and our observations on the continued need for firms to improve their cybersecurity defenses.” FINRA points out that focusing on external threats is simply no longer enough. Organizations must focus on technology management and make sure that their system infrastructure is capable. FINRA specifically highlights the need for strong data quality and governance policies.

Priority #3: Outsourcing

No matter how robust assessments and risk mitigation strategies are, third-party vendors who manage secure data or provide critical services still need to be risk rated and controlled. In 2016, regulators will continue to focus on the effectiveness and results on due diligence questionnaires and risk assessments. It is integral that organizations “appropriately supervise outsourced activities and that firms conduct adequate initial and ongoing due diligence of outsourced providers.” By utilizing a risk-based process, organizations can identify and prioritize their most important and riskiest vendors.

How can ERM and eGRC software help protect against these serious threats? LogicManager knocks down silos and unlocks the organization’s ability identify and assess risks across the enterprise. With a robust risk taxonomy, you can easily uncover relationships between risks, regulations, physical assets, and third-party services. Best practices and controls can easily be leveraged in other areas of the organization and applied to external vendors. The result is a common risk framework that adds bottom-line value and adheres to FINRA’s risk management and control priorities for 2016.

Measure Your Risk Program

Measure the effectiveness of your risk program by taking the free RIMS Risk Maturity Model Assessment here!


About the Author:

Steven is a recognized thought leader in ERM, CEO of LogicManager, and co-author of the RIMS Risk Maturity Model. Follow him on Twitter at @SteveMinsky