Brian Digney, Research & Content Director, Standards Board for Alternative Investments (SBAI).

Brian Digney will be speaking at the Fund Operator Summit | Europe 2023 on 19 September in London on the topic of “How can investment operations professionals balance the need for innovation with risk management and compliance?”.

For more information, including how to register, please click here.

Andrew Putwain: Can you discuss what you’re looking for in terms of good risk management practice?

Brian Digney: Much of the current conversation centres around the question of “how do you innovate?” or “how do you scale your business?”. For the investment management industry today, outsourcing can provide a solution against a backdrop of increasing costs. However, this creates a potentially more complex business model and as a result, increased operational risk.

"Regulators are cracking down and prescribing minimum standards and expectations for outsourcing, business resilience, and vendor risk management."

A number of regulators are now focused on this subject, and if you look at European regulatory authorities such as the Central Bank of Ireland, the National Futures Association (NFA), and the U.S. Securities and Exchange Commission (SEC), there is a concerted focus on outsourcing, business resilience, and operational risk. There is a concern that overreliance on outsourced relationships can adversely affect investors if these relationships are not adequately monitored and regularly assessed.

This means that regulators are cracking down and prescribing minimum standards and expectations for outsourcing, business resilience, and vendor risk management.

The terms ‘counterparty risk management’, ‘outsourcing’ and ‘vendor risk management’, are all focused on different elements of the financial ecosystem, but fundamentally are not too dissimilar and have considerable overlap in terms of how the process of assessment and ongoing evaluation is structured, recorded, and governed. Good risk management should be formal, documented, and embedded in the organisations’ governance process. The Standards Board for Alternative Investment (SBAI) have created a number of Standards related to Risk Management which provide a framework for investment managers on industry best practices.

Andrew: What are the operational risks that managers experience that affect their ability to grow?

Brian: There are several issues that can arise for managers of different sizes and trading strategies. Smaller managers may be negatively impacted by a lack of resources and poor segregation of duties by the nature of smaller team sizes. Larger managers may be negatively impacted by the need to balance resources against competing projects and objectives. Larger managers are typically more complex, and with complexity comes additional operational risk. Technology solutions can create scalability and reduce the need for manual inputs and processes; however, systems are costly and require investment. Alternative investment managers don't have the same resources now that they had in the past, as it is a more costly environment to operate in.

Then there’s the regulatory element, which is potentially the largest operational risk that alternative investment managers face today. Regulatory expectations keep expanding and growing. We have seen a number of key initiatives in the US such as the private funds, outsourcing, and cyber security proposals emerge. The Form PF proposal was recently adopted, not long after the change to marketing rules. In Europe, there is an additional focus on climate risk and sustainable investing which we know the industry has struggled with.

"Managers should assess their operational risk profile against their resources and implement plans that are credible and focus on key risks which are properly tailored to your business."

It's a given that the regulatory environment will continue to evolve, which is why it is incredibly important for alternative investment managers to invest in resources to deal with changes in the compliance space. This could be dedicated in-house resources, or the use of third-party resources and consultants to support internal change projects. It is a must to have a formal compliance framework– for example, having the right policies, having procedures in place, and being able to show evidence that these policies and procedures are being implemented. In my experience of seeing the outcomes of numerous regulatory reviews, it is a common criticism of regulators that managers don’t always put into practice what their policies and procedures would suggest. Operational risk processes need to be practical in terms of being implementable and should have supporting evidence.

Managers should assess their operational risk profile against their resources and implement plans that are credible and focus on key risks which are properly tailored to your business. Over-promising and under-delivering is something regulators have little or no appetite for.

I have seen managers adopting ‘off the shelf’ policies provided by third parties and consultants with little framing or amendments to reflect the business in scope, which can lead to pitfalls when these policies are queried by regulators and operational due diligence teams.

Andrew: Can innovation provide a way for managers to achieve their objectives – and if not, why?

Brian: There’s an expectation that technology can do everything. But it’s often very expensive to deploy new technology into a business.

"Most technology requires some degree of human input, so that’s why outsourcing has become part of the solution. It can bridge the gap and give you that human resource at a lower cost point."

From my time as an operational due diligence practitioner, I have seen smaller managers struggle with the desire to implement the best system and trading infrastructure with budget constraints. This can lead to trade-offs, such as mid-priced OMS or PMS versus more expensive systems, or lesser degrees of straight-through processing and automation that would be possible if money was no object, etc.

Overreliance on technology is also a problem; it can’t do everything. Most technology requires some degree of human input, so that’s why outsourcing has become part of the solution. It can bridge the gap and give you that human resource at a lower cost point.

One of the other topics to mention is Artificial Intelligence (AI), which is a potential growth opportunity. There are a lot of AI-focused discussions and excitement about potential capabilities in financial services. It’s an area worth watching.

Andrew: It seems there’s more hesitancy around using AI for larger-scale business aspects than we’d expect – given all the hype. Do you feel that’s accurate?

Brian: There's a general level of mild scepticism around AI in the alternatives industry – especially in terms of how much AI and similar innovations can be practically deployed.

There are a couple of examples that come to mind: for example, people using ChatGPT to troubleshoot code they’ve written or to write new code. The concern here is that there are potential licencing rights and intellectual ownership issues around those pieces of code, and there's a reticence for managers to adopt that practice wholesale because they don't know what risks they’ll be exposing themselves to down the line.

Andrew: What is the best way to go about risk identification – within technology, working practices, or how stakeholders operate as a team – and what are you looking to achieve? For example, streamlines processes or enhanced efficiency?

Brian: Risk identification within technology is similar to any other risk process; whether you're looking to innovate, looking to approve a new Service Provider, or taking on a new system – you need to be running an adequate risk management process.

"There needs to be a formal risk monitoring process that allows for projects to be overseen and managed and to ensure that once deployed, the technology works as intended and doesn’t expose a business to unforeseen risks."

That means that the discussions amongst your team members about potential risks and mitigation practices are systematically crucial to your business. You need to know what to do if they fail; you need to have a backup process.

There needs to be a formal risk monitoring process that allows for projects to be overseen and managed and to ensure that once deployed, the technology works as intended and doesn’t expose a business to unforeseen risks. That requires an ongoing process of analysis and monitoring.

To tie it back to what we discussed earlier, these are the principles that regulators expect. It goes back to the point of being able to demonstrate that you've considered risks, that you've documented them, and that you’ve discussed them. If anyone asks for evidence, then you can deliver something compelling – something that provides confidence in your risk management process.

Brian Digney will be speaking at the Fund Operator Summit | Europe 2023 on 19 September in London on the topic of “How can investment operations professionals balance the need for innovation with risk management and compliance?”.

For more information, including how to register, please click here.

 

Please Sign In or Register to leave a Comment.