The growing perils of operational risk

In the last few years, operational due diligence on hedge fund managers has taken on the same level of forensic detail as the hit TV show CSI New York. Given that this has coincided with greater institutional allocations, it is entirely understandable; mom and pop’s pension is at risk.

To be sure, no institutional investor can take a punt on allocating to a hedge fund manager, no matter how stellar their track record, if the operational infrastructure in place simply doesn’t meet the required standard. In a report published by Castle Hall Alternatives earlier this year entitled Six Principles of Operational Due Diligence, they stress this point in their conclusion, noting that “the role of operational due diligence…at the most basic level, is to worry about what can go wrong”. At what point, they ask, is there an incentive to “pass” the fund, irrespective of potential operational problems?

To be honest, this ultimately depends on each individual investor but at the heart of the issue is ensuring that a detailed operational due diligence process is in place. 

Managers have nowhere to hide today and are quickly becoming cognisant of the fact that operational risk is now equally as important as portfolio risk. 

“When I think about operational risk it starts with the institutional investors rather than the managers. Before regulation became more stringent, it was institutional investors who were driving the controls as part of their operational due diligence requirements,” says Bennett Egeth, President of Broadridge Investment Management Solutions.

“ODD determines where money is placed. It involves looking at a manager’s ability to comply with different regulations, the separation of duties, key man risk, the technology choices a manager has made and whether those choices are purchased or built internally. It also involves looking at the complexity of the product mix within a firm, and looking at their actual business model compared to its description in the private placement memorandum.”

The operational risk of a hedge fund is being made more complicated by the basic outputs that are required of its data. Put simply, today’s manager has to process and disseminate a huge array of complex information, accurately and on time.

“I think the data transparency initiatives, both from the regulators and institutional investors, create operational risks per se given the sensitivity of data and challenge to effectively aggregate and deliver it to the numerous constituents,” comments Gary Kaminsky, Managing Director, Global Regulatory and Compliance at ConceptONE LLC, a leading provider of risk management solutions, regulatory reporting and middle and back office services.

Last year the firm developed a Regulatory Enterprise Risk Management solution – RegERM – to give hedge funders a complete answer for all of their regulatory reporting needs. ConceptONE has long supported managers in risk management reporting. What the deluge of market regulation – Form PF, CPO-PQR, Annex IV, FATCA, EMIR – as well as investor-driven transparency reporting under the OPERA protocol has done is put managers’ operational infrastructures under enormous pressure. Unless firms are willing to have operations teams of 20 to 30 people, staying on top of operational demands and remaining fully compliant has become the proverbial uphill challenge. 

“What ends up happening within an organisation is that there has to be a harmonisation of data. Operational risk is very much challenged by the complicated aspects of data,” adds Kaminsky.

The need for consistent data

Egeth notes that at Broadridge a great deal of emphasis is placed on the quality of data that drives new reporting and risk analytics so that managers don’t have to worry about whether they are utilising the right data or not. Aside from data accuracy, what is also important is access to the data and, following on from Kaminsky’s point about its variety and complexity, the ability to integrate it for different purposes. 

This requires data to be consistent. 

“If I want to call IBM a service company rather than a technology company, I need to be able to store that information at a security level but I also need to make sure that my regulatory reports reflect that, my risk reports reflect that, my performance and attribution numbers reflect that and so on,” says Egeth. “One of the biggest challenges around operational risk management is ensuring that the manager is making the same data assumptions that result in consistent data across their enterprise. 

“What you don’t want is when you go back to look at your aggregate exposure by asset class and you find IBM sitting in three different places, even though it’s the same trade position. The ability to manage data such that disparate systems are working off consistent data is, in my mind, one of the biggest challenges for managers around operational risk.”

Most hedge funds would doubtless agree. The stakes are so high today that any threat to a manager’s reputation arising because they lack the operational controls to identify errant data leads to one outcome only: the closure of the business. Investors will not accept inaccurate performance attribution, or the inability of a manager to show what business continuity plans they have in place should a counterparty get into trouble.

The industry has, in this regard, well and truly grown up. Hedge funds are morphing steadily into institutional asset managers: the Aberdeens, Fidelitys and BlackRocks of the world. If today’s emerging managers think they can grow by harvesting 30 per cent alpha on the back of a threadbare operational framework they are kidding themselves. 

“Our system helps to achieve the repeatability of process without necessitating the marshaling of internal resources on a quarterly, if not daily basis,” says Kaminsky. “Our primary goal is to deliver a solution that enables firms to comply with their regulatory reporting and third party transparency reporting obligations, and to do it in a way where they align these disclosures to achieve several goals. One is to mitigate disparities in disclosures that can result in unnecessary scrutiny from a regulator or potential investors. Second, to be able to run their business day-to-day whilst also complying with these things.

“Managers also need to have an audit trail. Someone, at some point, is going to ask why a question was answered in a particular way. To do that, managers need quick access to records contained in the audit trail.”

It could be argued that indirectly, by making firms address these operational issues, regulation is helping them to run better businesses. 

As managers move to develop new strategies, build new products, to widen their investor base, the reporting demands naturally increase. Risk management is more complex than ever. To address the issue, SunGard is rolling out a new integrated risk management solution known as APT Enterprise. It will give clients managed reporting services as they seek to stay on top of the complexity of risk reporting. Reports will be available in Excel and PDF format or accessed through an interactive web-based risk dashboard. 

“We provide a series of workflow tools within APT Enterprise that are geared towards handling enterprise-level risk reporting. We are calling it ‘Risk without the Trouble’,” comments Laurence Wormald, COO and head of research, SunGard APT. 

There are two main ways to utilise the dashboard for report generation. 

“The first option is a full service-based model where the manager simply needs to load up their fund data to a secure FTP site. Then, within an hour or two – depending on the service level agreement – they can pick up a full set of standard form reports. The second option is where the manager can drive the process themselves through the dashboards. In other words, one day they can request five reports and the following day request 50 reports. 

“Most likely, managers will have a daily standard reporting cycle and then on top of that, they have the ability to generate additional reports based on what they see in the dashboards. If the VaR in one of the funds spikes up the manager might want an additional risk report. They can do their own scenario analysis and generate different reports for different market conditions. The dashboards allow for that flexibility,” explains Wormald. 

SunGard will send standard risk reports overnight based on closing prices before the start of trading the next day as well as ‘on demand’ reports within Enterprise. 

“Everybody knows that getting risk management right is an expensive, troublesome exercise. We think APT Enterprise will be a trouble-free way to get your risk right, make you nimbler, take your investment story to investors in a much more powerful way, demonstrate best practice and grow your AuM,” adds Wormald.

This drive towards managed services, where the operational heavy lifting is outsourced to the respective service provider, is gaining momentum as managers look for ways to trim back their operations teams. Economically, it is a much more cost-efficient solution. Moreover, it means that managers are able to mitigate operational risk by ascribing key functions to expert organisations whose sole purpose is to handle operational issues on a daily basis. 

Outsourcing does not mean abdicating responsibility

Using outsourced providers to handle operational issues, however, does not mean managers should also be outsourcing responsibility. Investors, when doing their ODD, will want clear evidence of how managers are staying on top of operational risk. They will typically be fine with a manager using third party providers – after all, many managers now appoint independent fund administrators – but what they will expect to see is some form of shadowing, be it for accounting, regulatory reporting etc.

“Operational risk means understanding what the controls are to make sure the administrator has the most current and complete information as well as how I, as a fund manager, supervise my administrator’s ability to produce an accurate investment book of records (IBOR),” says Egeth. 

“One of my favourite expressions is ‘Who watches the watchers?’ From a fund’s perspective, even if an administrator is producing the IBOR it doesn’t mean the manager should abdicate their duty. The regulators and investors hold the manager accountable, not their administrator, if things go wrong. All an administrator can do is provide good record keeping on the information that a manager provides. If that information is incomplete, the records aren’t going to be accurate.”

On outsourcing, Kaminsky says: “We’re just trying to help facilitate the enrichment and movement of data into the appropriate regulatory reports. It’s a partnership arrangement. We can do as much or as little as the client wants us to do.”

Cybersecurity & technology risk

An insufficient operational set-up is also exposing managers to yet another issue: namely technology risk and the potential for sensitive, confidential fund data to be targeted by cyberspace hackers. This has become a focus of attention in the US to the extent that this April the SEC’s Office of Compliance Inspections and Examinations issued a Cyber-security Risk Alert: a seven-page report containing 26 sample questions to determine the vulnerability of hedge fund IT infrastructures, security governance and protocols, risks associated with fund transfer requests and so on.

To tackle these issues, Eze Castle Integration is helping managers to prepare what is known as a Written Information Security Policy (WISP). 

As Lisa Smith, BCP/Data Privacy Manager at ECI explains: “Managers need a good understanding of where confidential information is within the firm. Who has access to it? How are they protecting that information? If they are working with fund administrators on client accounts, how is that fund administrator protecting their information? What type of identity theft (i.e. are they compliant with red flag?) programs do they have in place, if at all?

“It’s not all about IT, it’s also about internal policies. What’s the process of dispersing funds to a client’s account? Are the proper checks and balances in place to ensure that the funds are going to the right investor? It needs to be a collaborative initiative to make sure that everybody (within a hedge fund) is being protected.”

Adoption of best practices by establishing a WISP not only bolsters the operations, it gives investors added reassurances. Not only that, it avoids the potentially sticky issue of ‘key man risk’.

“What this SEC initiative is doing is causing managers to take a step back and evaluate what they have in place. It’s just the same as the compliance manual, which every year needs to be reviewed and updated. Now, managers have to review their IT policies. Before, it wasn’t something that was ever properly documented. It was always in the CTO’s head, or in the hands of the service provider.

“Until it has been documented, everyone works off assumptions. It’s critical that everyone knows the company’s IT policy when it comes to cyber security and protecting the firm’s confidential information,” stresses Smith. 
