Increased regulatory requirements have pushed alternative fund managers to think more about risk, which has become multi-faceted: it is no longer about evaluating market risk ex post, but monitoring counterparty risk, liquidity risk, cyber risk, compliance risk and technology risk.
As regulations have become more stringent, managers’ awareness of what they need to do to comply with them has risen accordingly.
George Ralph, Managing Director of RFA, says that to deal with increased regulation, and the rising threat of cyber attacks, managers are increasingly turning to IT outsourcing.
“However, this does not mean that managers can transfer risk to a third-party vendor and expect them to get on with it; there’s got to be an element of shared risk. This was raised in the FCA’s FG16/5 guidance paper released last July,” says Ralph.
Specifically, section 3.4 states that “Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party.”
Regulation, like risk, cannot be outsourced. Even though fund managers rely on IT vendors to provide infrastructure-as-a-service, or a broader suite of managed services, they are merely solving the technology component. This is not a risk transference exercise.
Striking the right balance is therefore critical when outsourcing. Firms need to have an IT risk management process in place to monitor all of their business risks, regardless of whether they are managed internally or externally.
“If you consider the components of an operational risk framework, having a very clear objective as to how you manage risks, identifying which risks you are willing to take on internally, and placing comments alongside each identifiable business risk as to how you would mitigate it, is useful. Then, you should have a board member who is responsible for each one of those risks. I don’t think one individual should be responsible for all risks in a business,” comments Ralph.
He concedes that where there is a limited (not wholesale) element of risk transference when outsourcing, there need to be clearly defined terms in place detailing what the vendor is doing to mitigate that risk.
“If we’ve got people hosting on our infrastructure then we will provide them with SOC reports every year, we’ll provide them with penetration test results and vulnerability reports on a frequent basis, to show them that, irrespective of whether the client was managing the risk internally, or by using RFA, they get the same amount of security and diligence.
“In some cases we sit on the board of our fund manager clients – and indeed some hedge funds who are not our clients – advising on technology risk,” explains Ralph.
However, the biggest risk to any business is reputational risk. “Some hedge fund clients ask us to keep their founding partners out of the news. If there’s a news article that goes out which has been completely fabricated, once it’s on Google you can’t remove it. We work in collaboration with a number of security companies to prevent such issues from arising,” confirms Ralph.
As investment firms embrace technology to meet the regulatory challenge, it is more important than ever to put in place a robust IT risk management process to stay both compliant and secure.