Operational Risk: An Emerging Focus for Investment Managers

Investment managers may begin to shift their risk management focus back toward operational risk, as well as several other emerging areas, according to results from Deloitte Touche Tohmatsu Limited’s (DTTL) Global Risk Management Survey, Eighth Edition. which gauged the state of risk management in the financial services industry, including investment management firms.

Cary Stier

Most firms described themselves as effective in managing liquidity risk (85%), credit risk (83%) and regulatory and compliance risk (74%), according to survey results. However, only 45% gave themselves a high rating for operational risk management—a little less than the 47% recorded in the previous survey conducted in 2010. Eighty-six financial institutions from around the world participated in the survey, representing a range of financial services sectors and with aggregate assets of more than $18 trillion. One-half of the 86 respondents identified themselves as either stand-alone investment managers or investment managers of larger integrated financial institutions (primarily banks and insurance firms).

“These results underscore the inherent complexity of measuring and managing operational risk, and suggest that work remains to be done in this area,” says Cary Stier, vice chairman and Global Investment Management leader for Deloitte & Touche LLP. “The more evolved risk managers are examining the nuances of their firm’s risk culture by devising new and improved ways to measure risk-taking throughout their organizations,” he adds.

Indeed, “the strategic importance of risk management and the potential for reputational harm can be seen in the 94% of respondents who indicated that their boards and/or executive management teams are spending more time on the oversight of risk compared to the last several years,” says Garrett O’Brien, a principal at Deloitte & Touche LLP.

Emerging Risks

Investment management firms are faced with three areas of emerging risks: model risk, IT security and cyber risk, and business continuity. Model risks are not limited to model-driven trading strategies, but also to quantitative models used for the purpose of valuation, trade allocation and risk management. Of the 61% of survey respondents who said model risk was included in their ERM program coverage, only 50% believe they are effectively managing it. To address this type of risk, some investment managers are focusing their attention on model governance, model validation, deployment and maintenance.

Mary Galligan

With 40% of breaches* resulting from hackers gaining access through third-party systems, it’s increasingly important that investment managers understand their extended enterprise and the control frameworks that service providers have to secure client and transaction data, as well as intellectual property. Some investment managers are conducting cyber threat assessments to better understand their potential exposure.

“Cyber education can start with simple questions, such as who would want your information, and why do they want it,” notes Mary Galligan, a director with Deloitte & Touche LLP’s Cyber Risk Services practice and former FBI special agent in charge of cyber and special operations. “It’s important for investment managers to start with a clear understanding of their vulnerabilities to make risk management and mitigation more informed.”

Business continuity and disaster recovery continue to be a priority for the Securities and Exchange Commission and a hot topic for the risk committee, in some cases being elevated to the board level. Many firms are reevaluating or adjusting their strategies for dealing with extended disruptions, as recent natural disasters have provided a number of data points to gauge the actual effectiveness of existing plans.

Key Risk Management Challenges

According to the survey, a number of inhibitors to managing risk effectively are specific to investment management firms, including data and technology, resourcing and service provider oversight.

Data and technology: Investment management firms face significant system, infrastructure and data challenges, which are compounded by the investment manager’s fund and account structures, as well as its reliance upon service providers for technology and data. The old adage, “garbage in, garbage out” still applies: Data quality is clearly affecting organizations’ abilities to assess, monitor and mitigate risk.

Garrett O'Brien

Resourcing. Doing more with less is placing a premium on resources with the right skills to manage day-to-day risk while accommodating growing and emerging risk areas. “For investment management firms, says Mr. OBrien, a key question emerging around managing risk in general is, what is the most efficient and effective way to focus their time and effort on risk, particularly if resources are constrained? Increasingly, there is a shift toward allocating resources to key focus areas as a result of strategic risk assessments. The use of formal risk assessments allows organizations to compare and contrast risk exposures across areas that were traditionally managed in silos.

Service provider oversight: Financial firms face a variety of risks associated with their reliance on service providers, including theft, the inadvertent release of client-identifying data or dissemination of intellectual property such as on strategy or trades, and regulatory breaches. Some investment management firms are working to gain a more holistic view of their extended enterprise by evaluating the risk profile for each service provider. They are also establishing a service provider oversight framework that aligns with their overall risk profile.

The Three Views of Assessing Risk

Increasingly, investment management firms taking an approach of characterizing their risk in three views, which correlate directly to the level of priority and focus of the board, executive management and risk committees:

—Franchise threatening: The 10 to 15 key risk areas that can threaten the reputation and operating ability of the firm.

—Regulatory imperative: Fulfillment of fiduciary, regulatory, and legal responsibilities.

—The control environment: All other risks where the residual risk is understood and reviewed on a periodic basis against limits and acceptable losses.

In addition, the more evolved risk managers are taking time to examine the nuances of their firm’s risk culture by devising new and improved ways to measure risk taking throughout their organizations, and stress the need for greater organizational awareness and integration across risk, IT, operations, compliance, internal audit and legal functions.

“For investment managers, managing risk is not a race to the top or bottom, but rather to a place where market participants can feel comfortable about the risks they are taking and facing—so they can concentrate more on growing the business and generating superior returns,” notes Mr. Stier.

* “2013 Cost of Data Breach Study: Global Analysis.” Benchmark research sponsored by Symantec and independently conducted by Ponemon Institute LLC, May 2013.

Related Resources

August 20, 2014, 12:01am