Interactive Self-Assessment · Free · The Compliance Desk

Exam Readiness Self-Assessment

Score your firm's RIA examination readiness in 5 minutes. 20 questions across the four-layer AI governance framework — built from the actual deficiency-letter patterns of 124 recent examinations.

~5 minutes · 20 questions · Scored 0–100 · Free report · 1,512 launches
01

Inventory — Knowing what AI you're running

5 questions · The foundation layer

"Show me every system in your environment that uses ML or generative AI, including embedded vendor features." This is the question that opens most exams.

Q01
Do you maintain a current, dated inventory of every AI tool used by the firm — including AI features embedded in vendor platforms (CRM, portfolio management, communications)?
Hint: "Embedded AI" is where firms most frequently miss items.
Q02
Is the inventory reviewed and updated on a defined cadence (at minimum quarterly), with a named owner accountable for currency?
Q03
Is the inventory signed off by the CCO (not initialled by junior staff) within the last review cycle?
Q04
For each tool, do you document the data flowing in, data flowing out, and the named human supervisor of the tool's outputs?
Q05
Can your CCO produce the complete inventory document within 15 minutes of an examiner's request?
02

Risk Assessment — Knowing what each tool does

5 questions · The assessment layer

Per-tool documentation of model risk, data risk, output risk, and vendor risk. Annual review with board-level sign-off.

Q06
Have you completed a written risk assessment for each AI tool covering model risk, data risk, output risk, and vendor risk?
Q07
Are risk assessments reviewed at least annually, with documented findings and explicit decisions on continuing/modifying use of each tool?
Q08
Are AI risk assessments reviewed by the firm's board, executive committee, or risk committee — with the review documented in minutes?
Q09
Have you documented vendor due diligence specifically for AI features (separate from general vendor onboarding)?
Q10
For your top-five most-used AI tools, can you walk an examiner through the specific risks identified and mitigations in place?
03

Supervision — Ongoing oversight, not point-in-time

5 questions · The oversight layer

Quarterly testing, output sampling, exception reporting, vendor monitoring. The most commonly conflated layer.

Q11
Do you conduct documented quarterly output sampling for each material AI tool — testing actual outputs against expected behaviour?
Q12
Do you maintain exception logs documenting when an AI output deviated from expected behaviour, and what action was taken?
Q13
Do you have written supervisory procedures specifying who reviews AI outputs, on what cadence, and what triggers escalation?
Q14
Do you monitor vendor changes to AI features (new capabilities, model updates, data flow changes) on an ongoing basis?
Q15
For client-facing AI tools (e.g., AI-drafted communications), is there documented human review before content reaches the client?
04

Incident Response — When (not if) AI fails

5 questions · The response layer

Procedures for AI errors, vendor failures, and client-facing AI mistakes. Documented plan plus annual tabletop exercise.

Q16
Do you have a written incident response plan specifically covering AI errors and vendor failures (separate from general cybersecurity IR)?
Q17
Does the plan specify named owners for: detection, escalation, client notification, regulatory notification, and documentation?
Q18
Have you conducted at least one tabletop exercise on an AI-specific incident scenario in the past 12 months?
Q19
Do you have a documented decision framework for when to disclose an AI-related incident to affected clients?
Q20
Has any AI incident in the past 24 months been logged, reviewed, and used to update procedures (closed-loop learning)?
— How the Scoring Works

Four readiness tiers, built on real deficiency letters.

— Critical
0–39

Material gaps across multiple layers. High examination risk. Address before next sweep.

— At Risk
40–59

Some governance in place but inconsistent. Specific gaps likely to draw findings.

— Adequate
60–79

Solid framework with gaps. Likely defensible with targeted strengthening.

— Strong
80–100

Examination-ready. Documentation, supervision, and IR all in defensible shape.

Source & calibration

The 20 questions and scoring weights are derived from analysis of 124 RIA examination deficiency letters between Q4 2024 and Q4 2025, supplemented by direct conversation with three former Division of Examinations staff. The four-layer governance framework is the de-facto standard emerging from those letters.

Scoring weights are calibrated quarterly as new deficiency patterns emerge. The current version reflects examination priorities as of May 2026.
