By Melanie Prusinski, PwC Assurance Partner
In an ever-changing and complex regulatory and political environment, operational risk means many things to asset managers. Can I profitably grow my business? Am I paying enough attention to the risk I am taking on? How do I effectively monitor my outsourced activities? With every asset management firm having its own risk tolerance, and no common approach or framework to assess and combat operational risk, how can asset managers—especially at smaller firms—meet their fiduciary and regulatory responsibilities? These were some of the questions discussed recently by a panel of PwC and industry leaders at our Assets & Wealth 2016 conference in New York.
When you think about any organization, a key consideration is balancing the cost of infrastructure with shrinking revenues. For asset managers in particular, investors are putting pressure on fees, regulators are heightening their focus on management oversight, and employee turnover remains an ever-present issue.
There is no one-size-fits-all approach to operational risk. The first step is to evaluate the types of risk you are exposed to and to assess your risk tolerance, and then perform a top-down analysis to determine where to focus your program. Essential outputs of the program should be KRIs, KPIs, and a thorough understanding of where your organization wants to concentrate its efforts. With limited scope for automating this process, asset managers are increasingly burdened with manually intensive programs.
Many asset managers are turning to outsourcing to help manage these considerations. Handing over control to specialists such as data center providers, administrators, and network providers is a tempting way to reduce cost. But outsourcing brings the burden of assessing your vendors through on-site visits, due-diligence questionnaires, and ongoing monitoring. To compound the issue, if you are a relatively small asset manager, it can be hard to get traction with your large service providers to adequately meet your fiduciary and regulatory obligations.
Further, consider whether your staff is sufficiently cross-trained. Are you too key-man dependent or can your business handle the departure of key team members?
The cyber question
When thinking about operational risk, cybersecurity is front of mind for most asset managers. With heightened regulatory pressure, cybersecurity risk is at the forefront of most managers’ and investors’ minds. Many managers have implemented internal programs such as penetration and social engineering testing, but do you know what your vendors do to safeguard your data? In the last few years, as regulators increasingly look to protect the industry and stay ahead of cybersecurity threats, guidance on responding to risk has been released by FINRA, the SEC, and DFS, to name a few. As such, regulatory risk and cybersecurity risk go hand in hand.
Crucial to assessing your vulnerability is an understanding of where your critical information is maintained. Do you know, and understand, where your most sensitive pieces of data are stored? Not all pieces of information are created equal and, as with broader operational risk programs, focusing your cybersecurity program on the most inherently sensitive data is a common approach. Cybersecurity is, of course, more than regulations and assessments. It remains the responsibility of all employees and not simply the CISO or CEO.
Tax: The ever-present risk
Although cybersecurity may be front of mind from a regulatory perspective, significant changes in tax laws mean that taxes should be viewed as an operational risk, not just a compliance function. Effective risk management programs involve the C-suite regularly assessing tax risks and reviewing local tax changes in the context of business operations. Incorporating tax into your risk management program and engaging the organization in the tax discussion not only provide institutional buy-in but also foster an understanding of what exposures could exist for simply missing a business or tax law change.
Asset managers should take a fresh look at their operational risk programs. Focus on the essential processes that underlie your business and the inherent risk that they drive. Cost-efficient and time-effective operational risk programs are not simply “tacked on” to your operations; they are fully thought out. This approach enables asset managers to efficiently manage risk while realigning resources back to value-adding activities.