
BRMQ 2022 - SFC Annual Review

Business Risk Management Questionnaire (“BRMQ”) for SFC regulated firms

Note: Cognitive GRC provides services mainly to regulated firms in Hong Kong that provide services to institutional and professional investors only. We work with international service providers to deliver a global service for firms located in Hong Kong. The following topics are raised as part of regular updates we provide to our clients during the year to assist with business planning and should not be considered legal advice. We work with leading service providers to deliver holistic solutions in areas where we have developed unique symbiotic relationships but please note that some of the content below links to other websites and we are not responsible for the content or security of those external sites. Please contact your adviser in relation to any matters raised in this discussion and obtain legal advice where necessary.

The Annual Business Risk Management Questionnaire for SFC regulated firms is due for submission at the same time as a regulated Firm’s Annual Report and Accounts (i.e. within 4 months of the firm’s financial year end). This latest iteration of the annual questionnaire (which has been around since 2019) seeks to confirm both whether Hong Kong regulated firms have adopted expected controls and provides the regulator with base data on where firms sit on the spectrum of risk profiles in their peer group. Although the regulator has not published exactly how the results are being used, some firms have been contacted when their answers are not in line with expectations on particular matters.

Cognitive GRC provided guidance notes in 2021 for our clients to consider how they managed risk during 2020 as part of the BRMQ response process. It is now 2022, so time for a little update based on what we have learned since then.

Simple Guidance: If you say you are doing it, you need to evidence it. If you are not doing it, you need to be able to justify why not, if others in your peer group are doing it based on a similar risk profile.

We are not seeing much back reference to the BRMQ in recent regulatory audits that we have assisted with, but we do see regulators calling firms back on various points where they take an outlier stance on a particular matter. [Similar to what happens in most jurisdictions]

From experience, all regulators appear to allow firms to adopt review programmes that are appropriate for their risk profile, but it is important to ensure that certain things are covered in the overall programme: Senior Management review of the risk profile against the appropriateness of controls (annual governance review meetings); at least a desktop review (self-assessment of risk and controls) accompanied by appropriate sampling for higher risk issues (monitoring and testing); and evidence of review of the output of such tests with follow up as required (review of monitoring reporting).

The appropriateness of a sample and the extent of a review is probably the most subjective area, but the key point is that senior management need to be able to prove that they have considered what has been done against the emergent risks.

The call to evidence on what has been done in this regard has recently been echoed more clearly in the US where the SEC’s most recent proposals on compliance programmes (please find our US service partner’s summary of the proposals published here) confirm that evidence of “what is reviewed”, being reviewed by principals is just as important as confirming the outcome and that a review was completed.

As such and in line with the direction of travel and logic, we have tracked the adoption of compliance and risk monitoring across firms of all risk types. As we have been conducting reviews for longer than we have existed we have explored ways to best approach the requirements from a practical point of view.

For most, the annual financial audit takes up a lot of time in the first quarter, and there is a lot going on in both investor interest and market volatility, but we hope to assist/ensure the BRMQ is completed in due time for all our clients by adopting a fairly tried and trusted approach that has been developed over 20 years to ensure regulatory reporting remains a formality.


Please also remember that you can ask the SFC to delay submission of your report and accounts, but you need to give them at least a month of notice (Form 2 – Post-License Application - Extension of Deadline). Although the BRMQ does not form part of the Audit, it is something that needs to go in with it and some auditors are requesting that they have time to review the BRMQ before it is submitted.

Our collective efforts throughout the year to get what is required should make the process smooth but it is worth clearing off the key points sooner rather than later just in case we do need to follow up on anything that has not yet been done prior to submission. We appreciate the efforts of clients who have done their part here as it reduces the need to rush into it while they have other more important items to attend to. Please find some useful resources here:

BRMQ FAQ From SFC Website

BRMQ PDF PDF Versions for complete review of all questions

Electronic Form – Note that you can save and send the .dat file for review or print it as a PDF

WINGS Submission Note: BRMQ has always been on the WINGS system.

You can upload last year’s "*.dat" file into WINGS and then update the questions if you prefer. There are at least 12 Sections to cover plus additional supplements depending on your regulated activity type.

BRMQ Knowledge through experience

BRMQ Sanctions checking (A12 – Counter Terrorist Financing and Sanctions Violations - Answer (b))

Even before the US Military Sanctions commenced, over the last two years now we have noted feedback from the SFC that they are expecting firms to be able to prove that they conduct sanctions list checking, even on entities that they have helped to set up (e.g. single client - Cayman Island Fund Range) and parent group entities. While on the one hand, a risk-based approach has been clearly accepted by the update to the SFC guidelines, firms are still being pinged on fairly technical foot faults even under the new guidelines.

For firms without their own subscriptions to sanctions list monitoring services, the residual requirements involve checking client, fund and group contacts against sanctions and risk alert lists as they come in, but the important piece is proving that a check has been done and being able to demonstrate the records of such.

At the very least, this requires a manual check that can be evidenced. The problem with a manual process is that it is more than likely to be deprioritised, especially when relevant and current issues are more pressing for firms with limited resources. In addition, the time spent inputting names into a sanctions checker, or even printing and filing the evidence is just busy time that no one wants to do given the lower likelihood of the risk. However, the cost of a systematic solution only really becomes reasonable at volumes that are greater than the needs of many of our clients.

Clients who do not have sanctions support can refer to our most recent MLRO resources on our Datasite (General Client Information – Newsletters) and/or reach out to their consultant for additional support.

BRMQ - Do you have an Audit Function? (Section A6)

We have always maintained the view, based on the requirements in the Internal Control Guidelines (see quote below), that a risk/audit function is required. For asset managers, the Fund Manager Code of Conduct update in 2018 confirmed that firms are required to implement some form of self-assessment of their internal controls programmes to determine that they are adequate for the risks undertaken. This is consistent with standards in the US and UK in terms of risk and compliance oversight. The key issue is the level of independence required for the function to be sufficient as a control from a conflicts perspective.

“The review functions may be performed by any staff or external consultants (such as external auditors) meeting the skills, experience and qualification criteria. This is to be distinguished from statutory audit work which may provide limited comfort as to the Firm’s management, supervision and internal control systems. Where practicable, the review function should be overseen by an audit committee of the Firm.” Source SFC - Internal Control Guidelines.

Generally, our view is that firms are expected to implement sufficient internal controls checking as part of either the FMCC (Fund Managers) or Internal Control Guidelines (All SFC Firms) to be able to confirm that they do have the function to the same degree that they have a Compliance or Risk Function.

This function does not need to be in-house and does not have to be conducted by the same people who do the financial audit (note that there is no Internal Audit MIC), but nevertheless there is either a regulatory or investor expectation that Firms are doing some form of internal controls assessment each year. The simple question to ask yourself is how you can say that you know your control oversight is adequate if you are simply looking back on the work you have completed yourself. Cognitive dissonance has a tendency to make us seek comfort that we are within the peer group by seeking self-affirmation, but it is all too easy to confirm everything is all right when resources are scarce.

Compliance programmes work well for US Firms that need to review their compliance programmes under SEC standards[1] or CFTC regimes (Registered CPOs[2]), and this aligns with the expectation of institutional allocators, who expect independent review programmes over key control areas.

You can answer no to the question in A6, and state that you have not subjected the relevant areas to a controls review but we think this will highlight an absence of appropriate oversight against your peers.

However, if you do answer in the affirmative, i.e. that you do have an internal audit function, then you need to make sure that you are doing the internal controls review work that covers the areas that you have highlighted.

In short, there should be a rebuttable presumption that boutique non-retail or non-risk generating firms generally fall into the lower risk category from a regulatory complexity point of view (i.e. so called not systemically important). However, it still requires appropriate governance and record keeping to ensure that such an assumption is not undermined by developments in strategy to give stakeholders assurance that the firm remains within their lane.

For our clients who are up to date on quarterly/semi-annual review cycles, this makes the annual BRMQ process relatively straightforward as we normally cover each of the relevant areas highlighted in the BRMQ internal review section as part of our ongoing compliance monitoring programme and therefore they are in a position to respond in the affirmative.

BRMQ Governance and the use of Comitology (A2 – Management and Supervision)

We primarily work with firms who do a great job of managing their respective risks. However, all Firms can fall down during SFC audits simply for not having the confidence to present how well they do this. It is much better to present a succinct governance record demonstrating how Compliance has been achieved than to need to trace specific responses through multiple emails and/or other types of more detailed record keeping that are required if you don’t run (and record) regular governance meetings. If you deliver a haystack in response to a regulatory question, you might end up providing more needles than they were looking for. Those who do well tend to be the firms that cover the following well as part of their business risk management processes:

  • Bi-Annual Operational and Portfolio Risk Meeting/Committee/Reports

  • Semi-Annual Broker Meetings (Quarterly is usually better)

  • Quarterly Governance Meeting for the Firm (Annual at the very least)

  • Annual MLRO Reports (aka Institutional Risk Assessments)

  • Annual Conflicts Discussion and Sign Off

Firms who undertake these exercises as a minimum create a self-fulfilling feedback loop that makes it difficult to miss an important deadline or allow a long-standing issue to fester into a material problem.

The following stand-alone internal reviews are nice to have, depending on risk profile, but some of the unique issues they raise can also be addressed in higher-level governance reviews:

  • Annual Market Misconduct Risk Assessment

  • Annual MIC Review

  • Annual Compliance Arrangements Review.

  • Annual Senior Management and Governance Review

Typically, we see firms discussing matters around business performance and operational risks much more often in practice but recording meetings on these issues at least monthly provides a great audit trail to track identification and closure of issues as they arise.

If things have gotten away from you due to repeated crisis and response, then it is worth getting an annual meeting in the diary to review the prior year. Check what you said last year in Section A2 about the frequency of governance meetings and remember to adjust if there was a change.

If you say you are doing it, make sure you have the minutes or at least an agenda on the meeting that actually occurred even if you don’t have any actions.

BRMQ – Outsourcing Section A4 Question 2(a)

Are there any functions fully or partially outsourced by the licensed corporation to external parties during the financial year?

While we believe that accounting/finance, trade settlement, internal audit and information technology can be outsourced in this context, the only part of the compliance function that can be outsourced is the internal audit/monitoring function. It is important to ensure that firms and compliance officers are aware that when questions are raised to advisers and consultants on the interpretation of regulatory matters, this is part of a consulting service that they provide and should never be considered outsourcing. Conceptually, the compliance function cannot be outsourced (a mantra you hear so often it is worth reiterating). Certain administrative and review functions can be outsourced, but if you find that you consider the compliance function outsourced then you might need to reconsider how the SFC will look at how responsibilities are shouldered by the senior management team.

BRMQ – Fund Managers - What is the relevance of “External Clients” B13 Discretionary Asset Managers

Funds/Discretionary Accounts without External Clients means Funds that only have company, owner or employee money as at the end of the Period. Here the SFC is looking to distinguish in-house funds from those funds which are also offered to external investors. You may need to consider whether the status has changed since the last report.

Please note the new parallels between the existing BRMQ and the new Form 12 in the FRR which splits up clients as authorised funds, other collective investment schemes and others (including discretionary accounts).

Form 12 in the new FRR (from February 2022) splits the description of Collective Investment Schemes into SFC Authorised and Others, Open-Ended Fund Companies (OFCs) in a similar way, and also divides discretionary accounts into accounts without External Clients, accounts with other individuals and accounts with non-Individual External Clients. The new FRR requires you to divide the AUM in each category into strategy types (Hedge Fund, Private Equity, Passive/Index Tracking and Other strategies).

There may be very good reasons to change the answers to what was supplied last year so please take some time to review your BRMQ and if you do change your approach consider what you will record as the justification.

Cognitive GRC originally provided guidance on the BRMQ following the first year the more detailed version was implemented for collection through WINGS. The questionnaire was introduced after the SFC updated its codes of conduct through 2018, in particular adding a greater risk focus to the Fund Manager Code of Conduct. The questionnaire allows the SFC to ask direct questions about a firm’s risk profile and how it is being managed. Our philosophy and ethos have always been to provide assurance that the controls infrastructure is fit for purpose, using techniques that have been developed over 20 years of involvement in risk and compliance management for both institutional and boutique firms with a global footprint. In this case the requirements matched our methodologies. Please contact us if you are interested in more information about how we do what we do.