Due Diligence and Risk Management
Due Diligence Explained
A rigorous approach to operational due diligence (ODD) provides in-depth assessments of managers’ policies, procedures and resources across key control functions. Analysis is supported by the use of bespoke due diligence questionnaires, tailored to address clients' needs. Reports clearly present the information that is most pertinent to you. And, where possible, the team works proactively with managers to resolve areas of weakness by introducing operational improvements.
Key Issues to Address
Organizational structure / concentration of authority in one or a few individuals
Middle office, back office and valuation
Identification and understanding of systems, controls, and resources impacting portfolio management and shadow accounting
Trade settlement and reconciliation / weak reconciliation procedures
Investment managers operating outside mandates
Ineffective transaction controls / lack of checks and balances & segregation of duties
Performance reporting
Appropriately skilled personnel with relevant training and development programs
Effective procedures
Objectives of Operational Due Diligence
Although the core objective of operational due diligence is to provide investors with information that helps them make investment decisions, the process impacts managers as well. The objectives of operational due diligence can generally be summarized as follows:
For all – Reaffirms the details of the investment mandates to the investment manager’s teams, the necessity for adhering to them, and the investor’s desire to minimize operational risks.
For managers with less sophisticated internal support – Creates an opportunity for strengthening internal systems, procedures, and safeguards that preserve the investment mandate and minimize operational risks.
For managers who operate outside of their investment mandates in a transparent manner or have systems and processes that expose the investor to unnecessary risks – Creates an opportunity for constructive redirection of any internal systems, procedures, and personnel.
For those who are covering up an overt disregard of their investment mandate or an overt disregard for systems and processes to reduce risk – Creates a potential deterrent, as the process increases their risk of being discovered.
For investors – Provides feedback that strengthens the understanding of operational risks associated with individual investment managers, and provides assurance of increased manager accountability for maintaining the investment mandate and reducing operational risks.
While it is impossible to eliminate all risks involved with any investment, a strong operational due diligence program can help mitigate such risks and provide investors with valuable insight to help them make investment decisions.
Risk Management
Risk management is a process that defines risk tolerance and measures, monitors, and modifies risks to be in line with that tolerance. A successful risk management program helps an organization consider the full range of risks it faces. Risk management also examines the relationship between different types of business risks and the cascading impact they could have on an organization's strategic goals.
Why is Risk Management Important?
Risk management has perhaps never been more important than it is now. The risks that modern organizations face have grown more complex, fueled by the rapid pace of globalization. In many companies, business executives and the board of directors are taking a fresh look at their risk management programs. Organizations are reassessing their risk exposure, examining risk processes and reconsidering who should be involved in risk management. Companies that currently take a reactive approach to risk management -- guarding against past risks and changing practices after a new risk causes harm -- are considering the competitive advantages of a more proactive approach. There is heightened interest in supporting business sustainability, resiliency and agility.
Risk Management Terminology
Enterprise Risk - Creation, enhancement, implementation and review of integrated frameworks for the identification, measurement, mitigation and monitoring of risks from all sources
Legal Risk - Poorly drafted arbitration clauses in ISDA contracts leading to potential litigation
Business Risk - Assigning specific tasks to a single individual rather than a team exposes the manager to key person risk
Market Risk - Inadequate trading controls resulting in unwarranted market risk
Liquidity Risk - Providing strategic recommendations to identify, measure and manage liquidity risk, helping organizations to comply with regulatory expectations and enhance their position in an evolving competitive landscape
Reputational Risk - Operational errors resulting in damage to brand name
IT Risk - Risk of false trading signals due to an uncontrolled system
Credit Risk - Focused on assisting in credit risk identification, measurement, management and reporting
Operational Risk - Creation, enhancement, implementation and review of operational risk frameworks
Compliance Risk - Design of effective, flexible and robust compliance programs to address unique business, regulatory, risk tolerance, technology and operational model requirements
Quantitative Risk - Applying quantitative techniques to help institutions develop and validate risk measurement and valuation methodologies
Causes of Increased Operational Risk
An investment manager does not fully recognize or understand its investment mandate or internal controls, and may unwittingly be increasing operational risk.
An investment manager is fully cognizant and supportive of its investment mandate, but a breakdown of internal systems and controls, and/or human misunderstanding or error may have created transactions that unwittingly are outside of the investment mandate and contribute to increased operational risk.
An investment manager chooses to circumvent its investment mandate or internal controls for “the better interests” of the client, and is making no effort to “cover up” their lack of compliance with the mandate or override of controls.
An investment manager chooses to circumvent its investment mandate or internal controls as a means of improving their relative performance, and is making a conscious effort to hide this circumvention from their clients.
Traditional vs Enterprise Risk Management
Traditional risk management often gets a bad rap these days compared to enterprise risk management. Both approaches aim to mitigate risks that could harm organizations. Both buy insurance to protect against a range of risks -- from losses due to fire and theft to cyber liability. Both adhere to guidance provided by the major standards bodies. But traditional risk management, experts argue, lacks the mindset and mechanisms required to understand risk as an integral part of enterprise strategy and performance.
In enterprise risk management, managing risk is a collaborative, cross-functional and big-picture effort. An ERM team, which could be as small as five people, works with the business unit leaders and staff to debrief them, help them use the right tools to think through the risks, collate that information and present it to the organization's executive leadership and board.
Risk Management Process
The risk management process can be used by any type of entity and includes the following steps for identifying, assessing and managing risks:
Identify the risks faced by your organization.
Analyze the likelihood and possible impact of each one.
Evaluate and prioritize the risks based on business objectives.
Treat -- or respond to -- the risk conditions.
Monitor the results of risk controls and adjust as necessary.
These steps are straightforward, but risk management committees should not underestimate the work required to complete the process. They require a solid understanding of what makes the organization tick.
Benefits and Challenges of Risk Management
Benefits of effective risk management include the following:
Increased awareness of risk across the organization.
More confidence in organizational objectives and goals because risk is factored into strategy.
Better and more efficient compliance with regulatory and internal compliance mandates because compliance is coordinated.
Improved operational efficiency through more consistent application of risk processes and controls.
Improved workplace safety and security for employees and customers.
A competitive differentiator in the marketplace.
The following are some of the challenges risk management teams should expect to encounter:
Expenditures go up initially, as risk management programs can require expensive software and services.
The increased emphasis on governance also requires business units to invest time and money to comply.
Reaching consensus on the severity of risk and how to treat it can be a difficult and contentious exercise and sometimes leads to risk analysis paralysis.
Demonstrating the value of risk management to executives without being able to give them hard numbers is difficult.
How to Build a Risk Management Plan
A risk management plan describes how an organization will manage risk. It lays out elements such as the organization's risk approach, the roles and responsibilities of risk management teams, resources that will be used in the risk management process and internal policies and procedures.
Communication and Consultation - Since raising risk awareness is an essential part of risk management, risk leaders must also develop a communication plan to convey the organization's risk policies and procedures to employees and relevant parties. This step sets the tone for risk decisions at every level. The audience includes anyone who has an interest in how the organization takes advantage of positive risks and minimizes negative ones.
Establishing the Scope and Context - This step requires defining both the organization's risk appetite and risk tolerance -- the latter is how much the risks associated with specific initiatives can vary from the overall risk appetite. Factors to consider here include business objectives, company culture, regulatory requirements and the political environment, among others.
Risk Identification - This step defines the risk scenarios that could have a positive or negative impact on the organization's ability to conduct business. The resulting list should be recorded in a risk register and kept up to date.
Risk Analysis - The likelihood and impact of each risk are analyzed to help sort risks. Making a risk heat map can be useful here; also known as a risk assessment matrix, it provides a visual representation of the nature and impact of a company's risks. An employee calling in sick, for example, is a high-probability event that has little or no impact on most companies. An earthquake, depending on location, is an example of a low-probability risk event with high impact. The qualitative approach many organizations use to rate the likelihood and impact of risks might benefit from a more quantitative analysis.
Risk Evaluation - Here is where organizations assess risks and decide how to respond to them through the following approaches:
Risk avoidance, when the organization seeks to eliminate, withdraw from or not be involved in the potential risk.
Risk mitigation, in which the organization takes actions to limit or optimize a risk.
Risk sharing or transfer, which involves contracting with a third party (e.g., an insurer) to bear some or all costs of a risk that might or might not occur.
Risk acceptance, when a risk falls within the organization's risk appetite and tolerance and is accepted without taking any risk reduction measures.
Risk Treatment - This step involves applying the agreed-upon controls and processes and confirming they work as planned.
Monitoring and Review - Are the controls working as intended? Can they be improved? Monitoring activities should measure performance and look for key risk indicators that might trigger a change in strategy.
A risk management consultant can help you protect your organization from the damage any single adverse event could cause. If you are interested in talking with us regarding reducing risk in your firm’s operational processes, let us know.