The operational due diligence (ODD) process vets an investment manager’s internal controls and operational risk management. It’s clear that growing choice in the alternative investment sector is being matched with increasing operational due diligence demands from investors.
Although fund managers may prefer to focus on strategy and performance, it is well worth the effort to create a watertight firm that will meet and exceed ODD requirements. Indeed, our experience shows that excelling in this area is a valuable differentiator, providing considerable immediate and longer-term gains.
In the short term an alternative manager with exceptional ODD will graduate to more investor short-lists. In the long term this will feed through into more allocations and help attract (and retain) the best recruits, since the firm will earn a reputation for being well set up.
1. Investor scrutiny increasing
There has been a marked increase in ODD standards, which has accelerated since the 2008-09 financial crisis. Today, allocation decisions follow considerable scrutiny not only of investment personnel and firms, but of the service providers being used for more and more levels of support across entire organisations. With investors becoming more sophisticated and precise with regard to procedures, it is increasingly common for ODD teams to put conditions on an allocation. This could be a demand for improvements in a specific process, or a requirement to change service providers, moving to a firm which is operating to a higher standard of compliance than the incumbent provider.
2. An opportunity to stand out
With investors often spoilt for choice among managers in allocating risk budgets, other considerations can come into play. Key among these is ODD. It is in the interests of both the investment manager and investor to make the ODD review efficient and effective. Ensuring a team is well prepared for ODD reviews and questionnaires is essential. A knowledgeable and well-resourced service provider can contribute to an effective DDQ process. Making the ODD process work smoothly in the initial stages of a relationship will build investor confidence in how a manager will function over the course of an investment and in a crisis. ODD offers an opportunity to develop an edge. Smart managers seize it.
3. Heightened profile of IT service management
The growing importance of technology processes to institutional investing has pushed ODD review of IT service management up investors’ agenda. In private equity, for example, this means the ODD review covers enterprise support, IT strategy road-mapping and visibility into monitoring and maintenance. With hedge funds, ODD will require transparent, compliance-ready reports covering data, services and workstations.
Then there is the question of readiness to cope with a disaster. A big part of this is having practical, effective disaster recovery and business continuity plans in place. Regular, ad hoc, unannounced testing is a good ODD practice and the best way to gauge how things will work in a real disaster and make improvements before an investor or regulator requires them.
We often set up hypothetical tests, where the relevant team members gather in one room and are presented with a scenario: say, the head office is burning down. The next step is to document everything that needs to happen, all the risks associated with the scenario and what the process will be. Can employees work from home with secure access to the corporate network and systems they need? Is there another office they could work from? How long will it take to get a permanent solution up and running? Being prepared to show all of this in an ODD review displays a manager’s preparedness and thus resilience.
One new area moving up the ODD agenda is automation in manual administration processes. AI and machine learning technologies can improve efficiency and investor servicing. But they can introduce a level of operational risk that institutional investors will want to see being appropriately managed, with mitigations in place.
4. Cyber security is a high-profile risk
Every day brings media reports of new cyber-attacks. Unsurprisingly, cyber security is now a firmly established area of ODD investigation. It is advisable for investment firms to take a rigorous and thorough approach to cyber security.
To make the most of ODD preparedness it makes sense to undergo a cyber security readiness audit and act on any best-practice recommendations. The UK government’s Cyber Essentials scheme is a great starting point. Vulnerability and threat detection, including periodic phishing testing, and procedure certification are ODD requirements that can’t be fudged.
Given the extremely negative ramifications of a cyber-attack disrupting business, investor ODD will favour service providers and managers that are on an arc of continuous security improvement. The key here is to continually probe and be critically aware about how the investment firm is conducting security, what protective tools are being deployed and gauging the vigilance of users. Central to this is regular and engaging training to help firm associates spot risks (think potentially malicious links and attachments), and identify the deceptions and patterns associated with cyberattacks.
In addition to user training and awareness, firms also need to re-evaluate their IT estate to ensure that the right tools are in place to protect data. The best way to protect against malware is using next-generation anti-virus software. Such software is continually updated and is ‘smart’ enough to recognise both known threats and patterns of behaviour (or technical traits) that are normally associated with malware.
Particularly important is to protect device users at endpoints with endpoint anti-virus protection. Again, this must be an ongoing process, and new detection and response technologies are emerging all the time. The aim here is to combine elements of anti-virus protection, network monitoring and malware remediation to ensure next-generation standards of endpoint protection. Another area to invest in is a network security solution which monitors the network and its files for both incoming and outgoing threats, alerting an administrator to any suspicious or malicious behaviour. Finally, a web security solution will protect the investment firm’s web-based assets and applications.
5. GDPR compliance needs ongoing management
Now that GDPR is in place, managers need to keep operating in a compliant manner and be able to show during ODD an ongoing process for continuing to do so. Test areas for managers include:
Data analysis – nature of personal data; access control; and reason for having it.
Technology review – data storage, protection and transmission. New technologies, for example, can track files sent out securely, prevent them from being forwarded on, and manage access permissions.
Policies, procedures and supply chain review – a Data Privacy Impact Assessment can set a baseline for data protection and monitor acceptance/best practice. Reviewing supply chains, meanwhile, fits in closely with ODD requirements to provide full oversight of who is doing what with the actual data.
However, fund managers need to move on from just talking about GDPR and embrace IT compliance much more broadly. If firms can address the wider issues surrounding IT compliance, they can meet the specific challenges presented by GDPR, MiFID II and FCA cybersecurity requirements, plus anything that comes into play in the future.
We tell alternative investment managers to approach risk management holistically to understand the broad implications of ODD. As we discussed at the outset, ODD is simply another facet of operational risk management, albeit with specific challenges for IT. Excelling at ODD, in effect, means managers being fully prepared for what both regulators and allocators are seeking, and that boils down to a documented, well-planned risk management strategy covering IT and other business areas.