Operational Readiness for RICs

Why 2026 SEC Exams Will Be Different

For Registered Investment Companies (RICs), operational readiness has traditionally been framed as a compliance exercise: policies in place, documentation organized, and exams managed.

That mindset no longer meets regulatory expectations.

SEC examinations are increasingly designed not just to confirm the existence of controls, but to evaluate whether firms can demonstrate sustained, integrated operational discipline across governance, risk, and execution. In other words, the bar is shifting from documentation to defensibility.

The question isn’t whether your program is complete, but whether it withstand scrutiny.

From Static Compliance to Continuous Readiness

One of the most important shifts we’re seeing is the move from point-in-time preparedness to continuous exam readiness.

Historically, firms prepared for exams as discrete events, ramping up documentation efforts in anticipation of regulatory review.

Today, that approach creates risk. Regulators increasingly expect firms to:

  • Produce documentation quickly and consistently
  • Demonstrate that policies are current and actively implemented
  • Show evidence of ongoing testing, monitoring, and remediation

Mock exams and readiness assessments are becoming table stakes. The absence of recent testing itself may raise questions about program maturity.

Governance Is the New Front Line

Another clear trend is that governance is under deeper scrutiny than ever before.

The SEC is increasingly focused on how decision-making happens, not just what decisions are made.

This increases expectations for fund officers, boards, and others with oversight responsibilities to demonstrate:

  • Clear accountability across roles (CCO, AML compliance officer, and treasurer)
  • Effective challenge and escalation mechanisms
  • Transparent board reporting that supports informed decision-making

In this environment, governance cannot be performative. It must be operationalized, embedded into workflows, supported by documentation, and evident in outcomes.

Cybersecurity and Operational Resilience Are No Longer Parallel Tracks

Cybersecurity was once viewed as distinct from compliance. Today, the two are closely interconnected.

With the continued evolution of Regulation S-P and heightened focus on data protection and incident response, firms are expected to demonstrate that controls are:

  • Tested regularly
  • Integrated with business continuity planning
  • Applied consistently across third-party ecosystems

What’s emerging is a broader expectation: operational resilience as a system, not a collection of controls. Vendor oversight, data governance, and incident response must align, and gaps between them are increasingly visible during exams.

Complexity Is Driving Deeper Questions

For firms with ETFs, alternatives, or less traditional strategies, scrutiny is intensifying.

Regulators are focusing more on how complexity is managed in practice, including:

  • Whether valuation processes can withstand market stress
  • Whether liquidity classifications are realistic and actively reviewed
  • Whether disclosures truly reflect underlying risks

This reflects a broader regulatory posture where complexity is acceptable but only if firms can demonstrate they fully understand and control it.

The Expanding Role of the Treasurer

One of the more notable shifts in recent years is the elevation of the treasurer’s function.

Once viewed primarily through a reporting lens, the role is now central to financial governance and control integrity.

Expectations increasingly include:

  • Active oversight of disclosure controls and procedures
  • Clear ownership of financial reporting accuracy
  • Documented coordination with administrators and service providers

This evolution is part of a larger trend: regulators are looking for clear lines of responsibility, especially where operational and financial risks intersect.

Third-Party Risk Is First-Order Risk

As outsourcing and specialization continue to grow, so does regulatory focus on vendor oversight.

What’s changed is the expectation of ongoing accountability.

Firms must demonstrate that they:

  • Continuously monitor service provider performance
  • Actively review control environments (e.g., system and organization control reports)
  • Escalate and resolve issues through defined procedures

In today’s environment, regulators increasingly view vendor gaps as firm-level failures, not external issues.

Rethinking the Operating Model

All of these trends point to a deeper reality: the traditional operating model for many RICs is under strain.

Rising regulatory expectations, combined with resource constraints and increasing complexity, are forcing firms to reconsider:

  • Whether internal teams have sufficient bandwidth
  • Where key-person dependencies create risk
  • How specialized expertise (valuation, AML, governance) is sourced

Outsourcing is increasingly about risk management and capability enhancement.

A New Standard for Readiness

Taken together, these shifts define a new standard for operational readiness:

  • Not reactive, but continuous
  • Not documented, but demonstrable
  • Not siloed, but integrated

Firms that meet this standard are not just better prepared for exams; they are more resilient, more transparent, and better positioned for long-term growth.

Where Are the Gaps?

To help firms navigate this landscape, we’ve developed an  Operational Readiness Review Checklist designed to benchmark your program across key areas of regulatory focus.

But the checklist is just the starting point.

The real value comes from understanding why gaps exist and how to close them in a way that strengthens your entire operating model.