1. Appointment of Executives responsible for managing significant areas of risk

Rule 1500 enables Dealers to identify and assign responsibility for significant areas of risk in accordance with the size, scope and risk of their business.

In complying with Rule 1500, we expect Dealers to:

• identify significant areas of risk specific to their business,
• assign as many appropriate Executives as necessary to ensure adequate management of each significant area of risk,
• document and maintain the list of Executives and the significant areas of risk each Executive is responsible for managing, and
• ensure Executives have the necessary education, training and experience to fully carry out their responsibility.

We also expect Executives to:

• be responsible for their assigned significant area of risk, including the review and approval of any related policies and procedures, and
• have the qualifications, such as meet the applicable proficiency requirements, and authority necessary to fully carry out their responsibility.

1. Significant areas of risk

Dealers should identify every significant area of risk specific within their business. We define the term significant area of risk broadly as follows, in order to capture both functional areas and distinct business lines within the firm:

A function, process or an activity within a Dealer Member in which a failure to mitigate or control its risk could lead to material harm to the Dealer Member’s liquidity, solvency, operational capabilities, clients, client assets and other client positions.4

Dealers should consider their unique business model, size and risks when determining the significant areas of risk specific to them. While some areas of risk are commonly identified among Dealers, others may be unique to a particular Dealer or Dealer category.

1. Assessing which and how many Executives to assign

Dealers should assess which Executives are appropriate using the same general considerations for assessing that an individual is competent to carry out specific Approved Person responsibilities.

Dealers must assign as many appropriate Executives as necessary to ensure compliance with IIROC requirements, including Rule 1500.5  Dealers may assign more than one significant area of risk to one Executive,6  or assign more than one Executive to manage a single significant area of risk.7  In the latter case, the Executives will be jointly responsible for their assigned area.

For instance, a Dealer may structure their firm such that the responsibility for all significant areas of risk is assigned between the chief financial officer (CFO), chief compliance officer (CCO) and ultimate designated person (UDP). Dealers with multiple business lines may assign the responsibility for significant areas of risk between specific units, such as derivatives, investment banking, order execution only account services, or trading, to the Executive in charge of each unit. With the increasing adoption of enterprise risk management models, Dealers may manage certain areas of risk at the enterprise level and assign them to an Executive with supervisory responsibility across several business lines.

Dealers have the flexibility of designating an Executive at a related or affiliated firm, including certain outside of Canada affiliated firms, in compliance with sub-clause 2503(1)(i)(b).

1. Executive’s responsibility regarding a significant area of risk

Executives are responsible for supervising and directing the activities of the Dealer, and its employees and Approved Persons, in accordance with their area of responsibility, to provide reasonable assurance of compliance with IIROC requirements and securities laws.8

Subsection 1502(3) further specifies that Executives are responsible for reviewing and approving policies and procedures relating to their significant area of risk. Executives should review and approve any substantive changes to such policies and procedures, monitor their adequacy and supervise Dealer’s adherence to them, including that any issues are properly identified, escalated and resolved.

Unless specifically prohibited by IIROC Rules, a Dealer can outsource certain functions and services that may fall within an identified significant area of risk. However, the responsibility for managing this particular area remains with the Executive of the Dealer. Similarly, Executives may delegate the performance of tasks or activities, in compliance with section 1103, but not their responsibility for managing their assigned significant area of risk.

1. Documenting and maintaining the list of Executives and significant areas of risk

Dealers must maintain a list or an organization chart that documents the names and responsibilities of Executives that have been assigned responsibility for managing one or more significant area of risk. Dealers do not need to file this list/chart with IIROC unless it forms part of the Dealer governance document which is required to be filed pursuant to section 3916. The list/chart should be kept in compliance with the general requirements for maintaining records.9  This includes the obligation for the Dealer to keep the document current, by updating it accordingly to reflect changes to the identified significant areas of risk or the Executive responsible for such area. Dealers must make this document available to IIROC on request, in the manner requested by IIROC.10

1. IIROC’s role in ensuring proper significant area of risk identification and supervision

Dealers have discretion in identifying and assigning responsibility for significant areas of risk, as long as this is done in compliance with IIROC requirements. IIROC has the authority to request information and, in the extreme cases, object to the discretion used when it has reasons to believe a Dealer is in non-compliance with our rules.

1. Applicable Rules

This Guidance Note discusses the following IIROC Rules: 

• Section 1103
• Rule 1500
• Section 2503
• Section 2602
• Section 3804
• Section 3905
• Section 3909
• Section 3916

1. Related Documents

This Guidance Note is published under Notice 21-0171.

• 4Subsection 1201(2).
• 5Subsection 3905(3).
• 6This practice is observed at smaller firms, where the UDP is generally responsible for managing significant areas of risk within the firm.
• 7This practice is observed at larger entities or entities that outsource or delegate activities or functions to affiliates or other third parties.
• 8Section 3909.
• 9Section 3804.
• 10Subsection 3804(4).