Spire Search Partners discussed the following at the May 2020 ORM/ERM Alternative Asset Management Roundtable:
- Summary
- Structure & Framework
- Culture & Acceptance
- Emerging Risks & Global Challenges
- Data & Analytics
- Tools
Section 1: Summary
Operational and Enterprise Risk is a relatively new function being built out in the alternative asset management space.
Traditional asset managers and large hedge funds are somewhat more mature in their build out of an ORM/ERM framework. Private Market investment firms, however, are further behind – some starting their build out only in the last year or two.
Firms in this space have several reasons for building the capability. Leaders tell us:
- Clients appreciate it
- It drives continuous process improvements – especially when rolling out new products, launching new funds, and making sure processes are working from front to back
- Firms with ever more complexity, growth and globalized businesses need a framework to flag emerging strategic and business risks
Alt Asset Managers don’t have the big governance infrastructure, the expansive ORM/ERM teams or the embedded first line risk/control professionals that you would find on the sell side.
Yet they want to know that potential issues are going to get raised up to the right people at the right time and that they are equipped to have an appropriate response. They want the appropriate level of governance to keep them out of trouble, and to take an objective look at controls.
These firms have very lean teams; as they become increasingly complex, they require a non-financial risk function that is highly efficient, that leverages technology, captures the appropriate data and, to some degree, automates the framework to accomplish their risk management goals.
As firms work through determining the right size and makeup of their risk committee, they are also assessing and considering a variety of different tools for vendor risk, overall GRC as well as data capture and visualization.
While all firms aspire to have the data analytics capability to monitor, analyze, flag and react to potential risks and actual incidents, that seems to be a reality in only a few firms, typically those built on a quantitative/technical foundation that have invested the time and technology required to put it in place.
Section 2: Structure, Team, & Risks
Alternative asset managers in early stages of building out an ORM/ERM framework are interested to know how their peers are structured, and in using that insight to inform their own evolution toward whatever may be the most effective structure for their own organization.
Most firms have an investment risk leader too, but in many private markets firms that is also a lean team; they are still working through how financial and non-financial risk leaders can best work together and provide integrated insights to executive leadership. Even firms with the most advanced frameworks are still early in their evolution.
Many ORM/ERM leaders in the industry came from the sell side and it’s a very different world than they are used to, with fewer resources, different cultures, some different metrics for success, much less regulatory oversight and yet equally large business risks.
Framework
In most major alt asset managers the ORM/ERM function sits within audit, in Operations or in a stand-alone operational/non-financial risk function under the CRO alongside market, liquidity and counterparty risk.
- The function partners with investment risk to cover enterprise-wide risks, working together to flesh out key risks across financial and non-financial
- In several cases, the function is called ORM but has domain over all areas of non-financial risk
- They typically have a Risk Inventory, and only a few do some form of an RCSA, not typical like those on the sell side
Some of the key challenges include:
- What appropriate reporting looks like; what is impactful, concise and effective
- Getting Investment Risk on board to work together
- Right-sizing the risk committee and having the right people on it
- Choosing the right tools to capture and analyze data
- Establishing the appropriate culture of risk and control, gaining firmwide acceptance
Risk Committee
Risk committees, for most, are 7-8 people and include the most senior people in the firm (President, CEO, CIO, CFO, Chief Compliance Officer, Head of Legal, CHRO, Head of Investment Risk, General Counsel, CTO)
- In one case the risk committee was 20 people but was recently brought down to 8 for more focus and efficiency
- Market/Investment Risk is typically a separate group/forum that rolls up to the risk committee
- Chaired or Co-Chaired by the Head of ORM/ERM
- Some firms are still working through what their risk committee should look like
Maturity of Function
Most teams are completely new (around 1 year) in the private markets world, except for Ares, which has had a standalone function for over 2 years.
The function is more mature in the hedge fund/broader alt. asset management space where some firms have had a function for 3-4 years.
Team Size
Team sizes range from 1 to 8 people: 8 in the most complex firms with the most mature teams, and more often 1 or 2.
Risk Stripe Coverage
Most of the firms have an “Ops Risk” or “ERM” team that covers the full range of non-financial risk stripes, including Operational Risk, IT risk, Cyber Risk, Reputational Risk, Strategic Risk, BCP, Vendor/TPRM.
Ops Risk, Strategic and Reputational Risk seem to top the list in terms of priorities for most. At least one firm also has Regulatory/Tax Compliance as a non-financial risk stripe.
- One firm uses surveys to gather input from the broader organization to determine what their major risks are across 3 areas: Process, Information/Decision Making and Environment. This in turn determines their scope
- Most have a series of subgroups that discuss each of the risk stripes individually (including market and investment risk) and report up to the Risk Committee
Section 3: Culture & Acceptance
With operational and broader non-financial risk management being a fairly new undertaking for most alternative asset managers, the challenge for most is gaining organization-wide acceptance and adherence.
Many buy side firms don’t yet have the vernacular to take a more formal approach to operational risk management and to get people to think about risk and process and control in a more formal way.
Leaders are interested to better understand what it takes to gain cultural acceptance; where they are in that evolution and what levers they can pull to influence people and drive that evolution forward.
There are many core drivers for organizational acceptance but the buy side has the benefit of having more business-based drivers (as opposed to the regulatory ones on the sell side).
While the regulatory hammer isn’t there to force acceptance upon employees overnight, this could be the foundation for a stronger, more genuine, culture of risk and control to take root.
Overcoming these challenges comes in many flavors, including:
- Firms in earlier stages of building a framework say that investors appreciate it and even seek it out
- Later stage frameworks point to the operational efficiency and resiliency that their non-financial risk framework has enabled as a key driver
- Parts of some businesses do require it; for example, where a firm has an insurance arm or a publicly traded vehicle
- Leadership recognizes the potential risks associated with increasing complexity; this is a common theme and a key driver for building a framework and a reason for broader value recognition
- Firms with a quantitative/technical foundation tend to have a greater appreciation for the process improvement and efficiency that comes with an effective ORM function and are seen to more quickly achieve acceptance
- Recent events around the COVID pandemic have raised the importance of the function; raising the question of what other tail risks might be around the next corner
Section 4: Emerging Risks & Global Challenges
The ability to capture emerging risks is a top priority for most firms and a key driver for building a non-financial risk framework.
Even before the current pandemic brought the need for this into the spotlight, the increasing complexity with which many alt asset managers are evolving and the global expansions they have undertaken have underlined the need for an effective framework that will bring to light whatever the next big tail event may be.
Teams are lean and cultures are in early stages of acceptance of risk and control; at the same time, firms are becoming ever more complex, diversified and global.
Non-financial risk leaders see that leading to higher potential for the current infrastructures to break down as they move ever faster carrying ever more weight.
- Organizations want to formalize a structured approach and a framework that can capture and flag emerging and strategic risks; this has led to ORM/ERM leadership being involved at the highest level with strategy, product development and fund launch meetings.
- Firms see the vital importance of leveraging data to inform leadership of potential cracks in the infrastructure that could emerge as firms move faster and faster in an ever more complex world. This is especially important because most leadership has not experienced any issues arising from this in the past.
- Scalability of an ORM framework is also a challenge; it becomes increasingly difficult to scale with the increased complexity that comes from an increasing variety and number of entities, vehicles, strategies, processes and customizations for clients.
- Non-financial risk managers see high levels of key person risk due to the enormous amount of knowledge that sits with a few key people.
Section 5: Data & Analytics
Every firm has aspirations of building out a set of tools and analytics to capture the appropriate data/insight to enable an effective and thorough non-financial risk framework; yet resources in the alt. asset management world are limited and teams run very lean. This requires an automated and systematic approach to risk management, but is also good reason, as one leader suggested, for Heads of this function to be “careful about what you promise”.
- Governance is much lighter than on the bank side; as such, emphasis is less on governance and more on tools and data to identify risks. Working with lighter resources, teams must rely on data and analytics to have the intended impact.
- One firm that is more advanced in the use of data and analytics explains that they have a different take on RCSA than usual, instead using scenarios to test/stress the organization.
- In the case of AQR, the firm is a data driven/quant firm so the philosophy of data analytics is well established there. It was a major undertaking but they have built a framework and the tools to capture data (broken into processes and products) and operating metrics across the firm (broken down by departments, groups and processes as well as across entities and products) and systematically flag potential operational risks. The process enabled them to understand exactly what people are doing on a day-to-day basis. Entities are ranked according to operational complexity, common themes are determined and metrics that indicate a change in inherent risk are specified. The framework allows them to track metrics around the effectiveness of the control environment.
- Another firm that is more advanced in leveraging data/analytics to manage operational risks uses a series of functional dashboards that feed a centralized ops risk dashboard, which combines all key risk indicators (KRIs) from each of the individual functional dashboards. They leverage Tableau across the organization and are overcoming challenges of getting everyone on the same platform and identifying appropriate data sources to feed into the Ops Risk Dashboard.
Section 6: Tools
A number of different products exist in the space; none seemed to be the silver bullet but in combination some firms have been able to buy/build the necessary modules to work toward their goals.
Archer – Well-known GRC tool; several firms are using it
Tableau – The more mature/advanced ORM frameworks are using this to visualize and present data
Salesforce – One of the more mature functions built a GRC tool on the back of Salesforce, finding it a flexible tool that enabled them to lower development costs; they were able to integrate it with vendor/onboarding tools and incorporate event-driven components
KY3P – IHS Markit’s vendor risk product used by a few firms on the call, but at least one of them was in the process of moving away from it
Coupa – Several firms are using this as well; one in particular shared that they are shifting away from KY3P to this
Fusion – Several firms are using this for BCP and starting to use it for risk assessments and TPM modules as well; AQR worked with them to develop the ops risk module, which then feeds into Coupa and is integrated into Tableau
AuditBoard – Has risk, audit, compliance/SOX modules – most are happy with it; one of the attendees had just implemented it for audit
Deloitte’s Survey Tool – One firm is talking to Deloitte for a survey tool, initial feedback is positive
Protiviti – Another GRC tool, but the firm that was using it was going to replace it with Workiva, which has an audit module as well
Download the full presentation here: ORM/ERM Alternative Asset Management Roundtable Presentation (May 2020)