George Ralph, Managing Director of RFA, recently chaired a breakfast briefing on Operational Due Diligence for private equity firms. With a knowledgeable and varied panel he debated the growing importance of being absolutely shipshape and watertight when it comes to investor due diligence around operations and talked about how GDPR will affect everyone and what can be done to make sure firms are not only meeting ODD requirements, but exceeding them too.
The ODD landscape
It has been a record year for private equity funds raised, and the total assets stand now at £2.83 trillion. The hedge fund space is also back on track, so it really is a great year for asset management. However, with the boom comes more scrutiny and investors are becoming far more discrete and knowledgeable, they are scrutinising not just the managers but the wider firm, and the service providers that are contracted to the firm they are investing with. The main question being asked of the service providers is, are these guys good enough. ODD teams can and will ask for certain service providers to be appointed if they know they are better or more compliant than the existing provider.
Can ODD actually be an opportunity for managers?
So how can managers put themselves in a more positive light and win investment? One way is to use the ODD process to highlight how stringently your business operates. ODD teams are looking at every single element of the business and will not only inspect contracts and terms of business, they will actually visit the service providers to ensure that they are doing what they say they are. In fact, one of the panel members, an ODD expert, was investigating an outsourced disaster recovery service provider, and found that when the previous IT manager left, the invoices for the DR service had never been passed on or paid, so the service had been cut off some six months earlier. Luckily no disaster had arisen during that time.
In a Prequin survey from 2017 it stated that 45 per cent of investors would rule out any manage that failed to meet their governance requirements. That includes governance around controlling and securing data, and it was actually shocking to most of the panel that the percentage wasn’t more like 95 per cent of investors who would rule out a non-compliant manager. Any ODD team worth its salt would identify non-compliance and it would be a deal breaker. What is great though is that the ODD world and the regulatory worlds seem to be coming together, both the ODD teams and the regulators are asking for the same things.
Other pressures and opportunities
George is a GDPR accredited assessor and often hears how this is putting added pressure onto managers as they try to make sure they are compliant with the industry regulations and with the requirements.
In addition, more and more firms are introducing automation into their manual administration processes, and some are investigating AI and Machine Learning technologies to improve efficiencies and maximise margins, all positive moves and ones which investors will view as forward thinking and savvy, but all come with their own risk. With technology comes risk and managing that is key.
Cyber attacks generally are more prevalent, or at least they are reported more widely, and making sure that service providers and managers are taking every step to keep data safe and secure is becoming an even greater part of the whole operational due diligence undertaking.
Outsource tasks not responsibilities
One of the biggest weaknesses, particularly in the small to mid-sized managers who are outsourcing services is the attitude that someone else is doing a job, so it’s not the manager’s responsibility. It’s completely wrong. It’s still your responsibility to make sure that your service providers are meeting standards and requirements. If your IT firm fails, you fail and no investor will give you the benefit of the doubt. You have chosen that service provider, it’s your responsibility. Regulators are the same, in the case of GDPR, the ICO will want to see that level of oversight which means that even though your administration or trading platform is outsourced, that the manager and firm is completely in control and understands where the data is, who has access to it and how it is being used and stored.
The FCA published a paper in 2016, called FP16 which was around managing the supply chain and third parties which contained an item on minimising the supply chain. Outsourcing is completely acceptable and commonplace, but firms should be mindful about keeping a close eye on the suppliers you have and not allowing these to be masked by other service providers. I recommend to clients that they should take out direct contracts with service providers for elements like telephony, or hardware but allow an IT service provider to manage those relationships. This is transparent and clear to regulators and investors alike, and means there are no nasty surprises for the client which are being hidden behind a single, large contract.
When you outsource, you essentially increase your risks and as someone highlighted, risk that has been transferred is still risk. It is this transfer of certain elements that can increase your risk in other areas. The Senior Managers and Certification Regime which is being extended this year to include FCA regulated firms, will place responsibility for firms’ failures at the feet of the senior manager in charge of that area. This means if you have outsourced your IT function, the COO would still be liable for any breaches of FCA requirements, which for cybersecurity are based on Senior Management Arrangements, Systems and Controls.
Cybersecurity and data protection is paramount
RFA always advises clients to take a rigorous approach to cybersecurity and data protection, even if it is outsourced. It’s crucial that DR and business continuity plans are in place, and more importantly that they are tested regularly and without prior warning to the wider business. Unannounced testing is the best way of checking that things will work in the event of a real disaster.
If actual testing is proving difficult to do regularly, we also advise our clients to run hypothetical tests, where the right people are gathered in a room and presented with a scenario, such as the head office burning down. Then document everything that needs to happen, all the risks associated with the scenario and what the process will be. Will employees be able to work from home, if yes, do they have the correct, secure and speedy access to the corporate network and the systems they need? Is there another office they could work from? How long will it take to get a permanent solution up and running? This will act as evidence to the regulator, should you be investigated, and can also form part of your evidence to investors to show that you have everything firmly under control.
Taking the fear out of GDPR
There are some key activities that managers can do to prepare for GDPR and these are:
Run a data analysis exercise. Do you have any personal data, what is it, who has access to it and what do you have it for?
Undertake a technology review to understand where your data is, how safe it is and how it gets from A to B. There are new technologies out there which can track files once sent out securely, prevent them from being forwarded on, and even require someone to request permission to send on. This sort of technology could be big news, and it’s worth checking the marketplace to see what’s out there. A quick fix example for HR could be to set up a separate email account for applicants to send CVs to. This could be set up to auto-respond with the firm’s policy information about where the CV will be stored, what it will be used for and when it will be deleted.
Review your policies and procedures. Introduce a Data Privacy Impact Assessment form and process. This sets a baseline of what you’re doing to protect your data, RFA has templates available on request. Make sure your policies are accessible and available to all members of your team. If people don’t read them, they are ineffectual.
Formally appoint a key team to manage GDPR. You really need someone needs to take ownership of this.
Finally, review your supply chain to make sure you’re managing that properly and have full oversight of who is doing what with your data. It all ties in nicely with the ODD requirements anyway, so just extend the review to include granular information on the actual data.
RFA advises its clients to approach risk management holistically, and ODD is simply another facet of risk management. As mentioned before, the regulators and the investors are looking for the same thing, and that boils down to a documented, well planned risk management strategy.