TOP TEN AREAS OF OPERATIONAL RISK


What Is Operational Risk?

Risk without reward

What keeps you up at night?


Where Can Operational Risk Reside?

Internal
• Operations
• Performance measurement
• Trading
• Portfolio management
• Sales and marketing
• Legal and compliance
• Administrative

External
• Key service providers
• Clients (and their advisors)
• Environment

A firm’s operational risk is highly dependent on its investment strategy, vehicles and products as well as its staff, systems, vendors and clients.


Operational Risk Cannot Be Outsourced

“This was not our drilling rig, it was not our equipment, it was not our people, our systems or our processes... …We are taking our responsibility to deal with it very, very seriously.”

Tony Hayward, CEO, BP, May 2010


Top 10 Areas of Operational Risk

1. Complacency
2. The blind leading the blind
3. Novices, apprentices and soloists
4. Dropped batons
5. Naïve reliance on technology
6. Playbooks
7. Amalgamated assignments
8. Reconciliation gaps
9. Reading the fine print
10. Poor planning and slow response times


Top 10 Operational Risks

#1 Complacency
Trivializing and disregarding risks

• Passive rather than pro-active approach
• Failure to carefully consider what can go wrong
• Hiring inexperienced and/or unqualified staff
• Failure to appreciate the complexity of an instrument or product
• Not listening to middle- and back-office staff
• No document management
• Not checking work quality

#2 The Blind Leading the Blind
Over-extended and under-qualified managers

• Managers not understanding what their teams do
• Failure to put appropriate controls on outsourcing providers
• Expecting compliance staff to identify operational risks
  – Difficult if they are not experienced in operations or technology
• Failure to oversee and support compliance
  – Senior management
  – Internal audit
• Inadequate due diligence on key service providers
• Senior staff members ignoring policies and procedures
• Rogue activity

#3 Novices, Apprentices and Soloists
Inadequate training or cross-training

• Key-man risk
  – As applicable to junior staff as much as senior management
• Teams with fewer than three people
• Highly specialized jobs (e.g., single-product or single-client focus)
• New instruments or products about which staff know little to nothing
• Lose track of whether a client is the firm’s client or the RM’s client
• Failure to train at all
• Serious concern in business continuity scenarios
• Unwillingness to cross-train others is a red flag

#4 Dropped Batons
Hand-offs

• Every hand-off is a risk point
• Hand-offs may include:
  – Department ↔ department
  – Person ↔ person
  – Person ↔ system
  – Firm ↔ counterparty
  – Firm ↔ service provider
  – Firm ↔ client

#5 Naïve Reliance on Technology
Automation can cause operational risk as well as mitigate it

• Automation of activities people did not know how to do manually
  – What if a system breaks down?
  – Is the automation correct?
• System interfaces are particularly suspect
• The vendor does not know your business – and vice versa
• Implementing new systems without changing the workflows
• Not staying up-to-date with software releases
• IT telling operations what they need (rather than the other way around)
• Improper system / access privileges (and failure to review periodically)
• Inadequate or out-of-date business continuity systems/processes
• Improper audit trail data

#6 Playbooks
Workflow Documentation

• Non-existent
• Out of date
• Overly vague
• Not followed
• Too many workflows
• Not available during disaster recovery

#7 Amalgamated Assignments
Improper Segregation of Duties

• Portfolio managers or traders settling trades, wiring funds or moving collateral
• Trade support staff reconciling portfolios
• Reconciliation staff wiring funds
• Performance teams reporting into investment or sales/marketing heads
• Losing track of which hat is on
  – Firm assets v. client assets
  – Custodian or fund administrator
  – Fund administrator or investment operations outsourcing provider
• Staff reductions / understaffing resulting in too many people performing too many roles or not sufficiently experienced

#8 Reconciliation Gaps
A false sense of security

• Assets held by counterparties often not reconciled to actual counterparty statements
  – Margin
  – Collateral
• Failure to reconcile:
  – Cost basis
  – Market value
  – Fractional shares
  – Security identifier
  – Original face amount
• Not performed on a timely basis
• No clear policies on breaks and escalation
  – Time
  – Size
• No management review
• Catching one’s own typos

#9 Poor Planning and Slow Response Times
Changes in the firm, the marketplace and the regulatory environment

• Investing in systems or staff only after firm growth
• Poor / non-existent new product launch process
• Upcoming issues to consider:
  – Traditional and alternative managers currently are subject to two entirely different standards of care
  – Regulatory oversight
  – Operational due diligence exams
  – Shadow accounting
  – GIPS® compliance
  – Effects on investment firms:
    – Traditional firms may not give sufficient attention to operational due diligence
    – Alternative firms may not implement the GIPS® standards

#10 Reading the Fine Print
Know thy legal entities

• Without knowing the entity, one cannot know:
  – Risk
  – Creditworthiness
  – Conflicts
  – Regulator
• The industry-standard prime brokerage agreement provides sole authority for any signer to change the agreement, enter new agreements, execute and settle trades and provide new updated authorized signature lists


Tools for Identifying Operational Risk

• Workflow diagrams
• Metrics
• Error logs
• Employee surveys and exit interviews
• Due diligence meetings
• Operational reviews
• Job swaps
• Testing
• Work-from-home day
• Two-week vacation with no connectivity
• Mock SEC exams
• Mock due diligence reviews
• Ongoing risk evaluation process
• Create a culture that rewards exposure of risk


Documenting Processes


Mitigating Operational Risk

• Workflow diagrams
• Cross training
• External operational review
• Document management
• Automation
• Establish an ongoing risk evaluation process
• Outsourcing
• Educating

Holly H. Miller Investment Manager Services

610 676 3467 [email protected]