The Investment Industry Regulatory Organization of Canada (IIROC) recently released its annual compliance report. The purpose of the report was to assist IIROC’s dealer members in “focusing their supervision and risk management efforts”, and to identify key areas that IIROC will be focusing on in the coming year. It was interesting to note that most of the compliance deficiencies noted were not industry-specific. Rather, the regulator identified risk management issues and failings that can be, and are, found across industries and in organizations of varying degrees of size and sophistication. The annual compliance report follows on the heels of IIROC’s release of its Revised Sanction Guidelines and related Policy Statements, which Lawrence Ritchie, Lia Bruschetta and Henry Ngan wrote about in a recent Osler Update.

Some of the key risk management issues identified in the report included:

  1. Written Internal Control Policies – policies were found to inaccurately or insufficiently describe the policies and procedures in effect. Written procedures were copied nearly verbatim from the minimum requirements set out in IIROC’s rules, with little or no information about the firm’s particular processes, including tracking performance and supervision. IIROC also noted that firms’ policies governing other areas such as outsourcing, outside business activities and conflicts of interest were poorly articulated and/or lacked sufficient detail.
  2. Internal Controls in Practice – examiners observed non-performance of minimum required procedures. The report suggests that robust internal controls begin with having a strong governance process.
  3. Accounting and Reporting Errors – there were errors in compiling monthly financial reports or weekly estimates, as required.
  4. Books and Records – some firms were found not to be meeting the minimum requirements relating to books and records set out in the IIROC Rules. Firms that are attempting to achieve operational efficiency through computer systems, often provided by an affiliate, faced the greatest compliance issues.
  5. Operational Issues – examiners observed a range of operational issues including non-employees having signing authority over bank accounts and failure to provide notice or request for required approvals. The report suggests that operational deficiencies often result from a lack of awareness of a particular rule or a lack of appreciation for the regulatory impact of a change in business activities. Firms should thus establish processes that ensure operational issues are regularly discussed by management and a cross-section of firm staff.

The report will obviously be of particular interest to IIROC members, particularly since it signals areas on which IIROC will be focussing. The report should also be a timely reminder of the importance of effective risk management in any organization. It emphasises basic measures such as having meaningful policies in place to address key risk areas, having clearly articulated procedures to ensure compliance with those policies, and a clear understanding of where accountability lies for ensuring compliance with those procedures and policies. The fact that IIROC felt the need to emphasise basic risk management practices to its members, which are generally sophisticated, highly regulated companies, serves as a reminder that effective risk management is an ongoing process, requiring regular attention and commitment at all levels of an organization.