SEI OppRisk Book US

8/22/2019 SEI OppRisk Book US

1/49

TOP 10OPERATIONAL RISKSA Survival Guide or Investment Management Firms

seic.com/ims


2/49

Introduction

Chapter 1

Complacency Trivializing and Disregarding Risks

Chapter 2The Blind Leading the Blind Overextended and Underqualied Managers

Chapter 3

Novices, Apprentices and Soloists Inadequate Training or Cross-Training

Chapter 4

Dropped Batons Inormation Hand-os

Chapter 5

Nave Reliance on Technology The Downside o Automation

Chapter 6

Playbooks Workfow Documentation

Chapter 7

Amalgamated Assignments Improper Segregation o Duties

Chapter 8

Reconciliation Gaps A False Sense o Security

Chapter 9Reading The Fine Print Know Thy Legal Entities

Chapter 10

Poor Planning and Slow Response Times

Changes in the Firm, the Marketplace and the Regulatory Environment

Conclusion

Table of Contents

5

8

12

15

18

23

27

31

36

39

44


3/49

IntroductionIn 2010, then-consultants Holly Miller and Philip Lawton authored the book, The Top Ten Operational

Risks: A Survival Guide or Investment Management Firms.1 Growing rom a presentation and discussionat an industry roundtable, the book was motivated by recognition o a simple act: when investment

management rms stumble or ail, their clients suer.

Having since joined SEIs Investment Manager Services division in mid-2011 as Managing Director o Middle

Oce Outsourcing, Holly works with organizations that understand that coming to grips with operational

risk is becoming ever more critical or investment managers who want to survive, let alone thrive. Indeed,

she champions the view that investment organizations need to tackle the issue with the same intensity

they bring to battling market volatility and economic crises.

Accordingly, we at SEI are pleased to issue an on-line summary version o the book with abridged content

and a redesigned ormat. Our goal is consistent with Miller and Lawtons original objective: to make keyconcepts easily accessible and actionable without becoming mired in esoteric issues or technical terms.

Besides updating each chapter with proactive risk management steps, we have added a concluding

chapter on developing an action plan to strengthen operational risk controls.

Like the book rom which they are based, these summaries are designed as a resource or investment

managerstraditional and alternative alikewho seriously want to understand and reduce their exposures

to operational risks. They have every reason to do so. The operational realm is one in which a minor

oversight or a single misstep in daily routines can have potentially major consequences. In worst-case

scenarios, a single incident can result in signicant direct costs and, worse still, devastating reputational

damage rom which it may take years to recover. This is why operational risk is such a grave concern not

only to investment management rms, but also to their clients, investors, regulators and trading partners.

Operational risk can stem rom many sources. The Basel Committee on Banking Supervision denes

operational risk as the risk o loss resulting rom inadequate or ailed internal processes, people and

systems or rom external events.2 The denition considers the ull range o material operational risks and

lists examples ranging rom raud and data entry errors to hardware ailures and oods.

Further complicating risk management eorts, organizations may dier widely in their exposure to

operational risk, depending, or instance, upon their investment strategies, the markets in which they

operate and the instruments they employ. As with investment risk, rms also have varying tolerance levels

or operational risk. Consequently, there is no generic checklist or identiying operational risk, nor is there

a single, universally applicable set o mitigation measures. Still, we believe virtually every investment

management rm can benet rom taking a resh look at common areas o risk, and considering the variety

o relatively straightorward risk management measures that can readily be deployed by large and small

organizations alike. This guide is oered in that spirit.


4/49

Our Top Ten list summarizes the areas o risk that are requently encountered by those who work in or

around investment operations (though not in order o severity or potential loss). The list includes issues

that keep arising in operational reviews even though they have received signicant attention in industry

media over the years. The rst three chapters take up personnel issues, including supervision and training.

Chapters our through seven address organizational and support issues, including the role o technology,

which can be both a solution and a source o risk in itsel. Chapters eight through ten ocus on common

areas o weakness in reconciliation, legal review and planning.

While there can be no one size ts all approach to operational risk management, each chapter provides

best-practice suggestions or identiying whether a given risk exists within your organization, as well as

potential steps or mitigating it. We hope that this guide will help many organizations to rethink and reduce

their exposure to operational risks.

It has been observed that operational risk oers no upside; to use Castle Hall Alternatives phrase, it is risk

without reward. But we at SEI have a dierent perspective. We think in terms o operational excellence as

a way to create investment value by reducing costs, increasing client satisaction and reinorcing sound

business relationships with trading partners.

To our way o thinking, eective risk management is the oundation o operational excellence.

With this guide, we oer investment managers one more resource or pursuing that goal.

1The Top Ten Operational Risks: A Survival Guide or Investment Management Firms and Hedge

Funds, written by Holly H. Miller and Philip Lawton, 1st edition, 2010.

2 Sound Practices or the Management and Supervision o Operational Risk, February 2003.


5/49

5Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 1 Cmccy Trivializing and Disregarding Risks

Complacency might be summed up as a mindset that ails to ask, What i?

Its a passive laid-back attitude that says, So ar, so good. We have policies

in place. Nothing terrible has happened. Everythings under control, no need

to worry

Is This Your Firm?

Firms with a culture o complacency take a passive approach toward operational risk rather than adopting a proactive

one. This way o thinking may be evidenced by:

Reacting to headline risks, such as the September 11th attacks or the Mado scandal, rather than actoring operational

risks into day-to-day planning.

Risk-planning exercises that ocus on the rearview mirror rather than considering what might happen next.

Sketchy business continuity plans. (Has anyone considered the potential loss o sta in a worst-case scenario?)

Poor recordkeeping. (Is there a chronic backlog o documents waiting to be scanned?)

Decient insurance coverage. (Are there adequate policies in orce or errors and omissions as well as general

liability and directors and ocers coverage?)

Short-changing o operational and IT investments or several years running. (How many releases behind are criticalinvestment applications?)

Launching new investment strategies without conducting a cross-unctional product launch review.

Avoiding Common Pitalls

Inexperienced or underqualied sta

Hiring insuciently skilled sta introduces signicant operational risk

to an organization, and neglecting to train new employees compounds

the error. This is a needless risk, especially in the current market

environment, when so many good people are available. 01CHAPTER

Risk Area #1

ComPlACEnCyTrivializing and Disregarding Risks


6/49


One reason rms may ail to hire qualied sta is that they underestimate the complexity o the products they oer or the

nancial instruments they trade. For example, rms that manage xed-income securities generally require more advanced

skills and systems than those ocused solely on equity instruments. Likewise, investing outside ones own country requires

substantially more data elements and operational eort. Emerging markets, derivatives or illiquid securities can introduce

even more variables.

To be proactive: Recognize the importance o aligning sta skills with operational complexity and hire or

train appropriately.

Ignoring input rom middle- and back-oce staThese sta members may be the best equipped to see ways o reducing the probability o errors within their own unctiona

areas. Beyond that, they oten see risks that originate elsewhere in the organization. For instance, they may notice

consistently incorrect or late trade entries by a particular trader, or see sales and marketing teams change presentation

materials ollowing a compliance review.

To be proactive:

Invite and listen to the eedback oered by support teams as well as by service providers, making

sure senior management takes immediate action to resolve any critical issues raised.

Maintain and regularly review error logs that capture both errors and near misses; the instructional

value they oer should not be squandered.

Establish a ormal new product committee that includes not only investment and sales/marketing

sta, but also compliance, operations and IT.

Keep sta inormed, introducing a new counterparty or unamiliar security type without a heads-up

to operations, compliance and IT may signicantly increase the risk o ailed trades, a problem that

can be avoided without any additional expense to the rm.

Lack o robust electronic document managementHave crucial documents such as investment management agreements, guidelines and objectives, client correspondence

and other contracts been scanned and backed up? Or are they sitting in locked le cabinets, vulnerable to anything rom

plumbing issues on the oor above to a orced relocation ater a disaster? (For a real-lie illustration o such perils, read theSECs July 2000 response to Jennison Associates request or a no-action letter.1 In a warehouse re, Jennison lost records

that supported the rms perormance track recordarguably any investment managers single most valuable non-tangible

asset. As or plumbing problems, ask JP Morgan about the pipe that burst on the rms London trading oor in September

2010.)

1sec.gov/divisions/investment/noaction/2000/jennison070600.pd


7/49


To be proactive:

Ensure that critical documents are always eectively backed up. In todays environment o

inexpensive document scanners and cloud computing, this is a measure that even the smallest

investment manager can aord.

Blind trust o operational teams

Many investment managers operate with the philosophy that they should simply hire good people, and then get out o

the way so they can do their jobs. While this may seem laudable, it is actually a disservice to leave team members with no

eective oversight. With no checks on whether an account was reconciled properly, perormance-based ees were calculated

correctly or a compliance rule was interpreted and coded appropriately, sta members are put in the position o being solely

responsible or the accuracy o their work. They are also let vulnerable to suspicion should things go wrong or evidence o

improprieties comes to light.

To be proactive:

Develop procedures that provide appropriate checks and balances or operational sta. Just as

even the best writer needs an editor, sta members deserve to work with eective oversight. The

same point applies when it comes to managing service providers. (At SEI, we consider an eective

oversight program to be the hallmark o a good client.) Rather than indicating a lack o trust, proper

oversight demonstrates a rms commitment to risk management on behal o clients and sta alike.

In sum, take a minute to consider what could bite your rm. Ask your sta the

same question. Think about whether you reward, punish or ignore news o arisk. And then work on some ways to keep potential problems rom ever

happening.


8/49

8Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 2 Th Bd ldg th Bd Overextended and Underqualifed Managers

02CHAPTER

Supervision is a major area o operational risk because breakdowns occur so

oten and in so many dierent orms. It is one thing to manage our own tasks.

Directing the decisions and activities o others is a much greater challenge

and the larger the rm, the more dicult that job. Another set o risks is

encountered when investment managers outsource critical support services

to specialists, a measure that, ironically, is oten intended to reduce

operational risks.


Managers unamiliar with operational unctions

This problem is not conned to small rms that cannot yet aord to hire specialists in domains such as operations and

systems, human resources and accounting. As organizations grow, they eventually reach the point where managers can

no longer be hands-on supervisors with the time and knowledge to perorm any job in their purview. Instead, they become

executives who must rely on the experience and expertise o their direct reports. Problems also occur when, in a well-

intentioned eort to promote rom within, rms select team leaders who are insuciently versed in operations and quickly

nd themselves in over their heads.

Top-level managers are oten even more removed rom operational unctions. Within most buy-side rms, the chie executive

typically comes rom the investment or distribution side o the organization; operations, compliance and inormation

technology (IT) are typically not seen as incubators or CEO positions. As a result, ew senior executives have a solid

understanding o increasingly complex middle- and back-oce unctions,

much less a rm grasp o the details involved in identiying and managing

operational risk.

This leaves many executives at a loss when it comes to evaluating the

perormance o operational teams or the recommendations o their

direct reportsnot to mention assessing operational risk. They may

end up alling back upon their instincts, or heeding the advice o theirmost persuasive team members rather than the most knowledgeable

ones; indeed, they may not even realize which team members are the

most expert. This is not to say that executives in the areas o business

management, investment, or marketing must become operational

experts. They should, however, be equipped to ask the right questions

about risks to which the rm and its stakeholders might be exposed.

Risk Area #2

THE blind lEAding THE blindOverextended and Underqualied Managers


9/49


To be proactive: Oer a management training program in which recruits or employees with leadership potential are

rotated through the various unctional areas o the organization. Oten used in the military and by

rms such as Vanguard, such programs can help ensure that tomorrows leaders have a strong

grasp o key unctions and activities. Ensure the time spent in each area is sucient to obtain a

strong grasp o its unctions.

Use process mapping and workfow documentation to help managers understand middle- and back-oce

unctions. For example, show what occurs when a new account is opened or a portolio manager initiates

an order. Graphical representations o the systems architecture and various workfows can be a big help

here. By memorializing processes, procedures and accountabilities, such documentation not only assists

in daily unctioning, but also acilitates eective training. (This is not a panacea howeversee Risk Area #6,

Playbooks, or a discussion o potential issues with workfow documentation.)

Provide or external assessments such as mock regulatory examinations, peer benchmarking and

operational due diligence reviews, all conducted under strict nondisclosure agreements. Such reviews

may not only identiy improvement opportunities, but also tell CEOs whether they should continue to relyupon their direct reports.

Create or strengthen internal audit departments or recurrent monitoring. This could complement or

substitute or external assessments.

Delegating responsibility to managers unqualied or the tasks

This is another requent consequence o executives ailure to appreciate operational complexity. For example, CEOs

commonly assign all responsibility or operational risk to a compliance team composed entirely o attorneys and paralegals.

To suggest that a law degree or a regulatory background qualies someone to identiy and mitigate technological or

operational risk is as misguided as calling upon an IT or operations expert to prepare the oering documents or a und. It

also raises a question o corporate governance: Who oversees compliance?

To be proactive:

External operational reviews can help pinpoint areas o organizational risk within a rm.

Develop more comprehensive job descriptions that spell out essential skills and competencies in detail,

and update them regularly. This can assist in hiring and promotion decisions while also illuminating

employee training and development needs.

Develop and maintain robust training and cross-training programs to preserve institutional historyand knowledge.

Implement succession planning or all key positions, noting that even very junior positions may be vital.


10/49


Understang or the volume o activity

During the 2007-2009 downturn, many buy-side rms made signicant cutbacks in stang. Support teams were oten

aected and, in some cases, bore the brunt o those cost-cutting measures. Yet the number o securities transactions did

not decline during this periodon the contrary, the volume o trades on the New York Stock Exchange rose throughout the

crisisand today we oten see rms stretched to the limit. As the job market continues to improve, beleaguered managers

and employees are more likely to seek greener pastures, leaving rms with too ew experienced sta to get the job done

adequately, let alone well.

Insucient managerial bandwidth is another aspect o the problem. Some managers have such a wide span o managerial

responsibility that they cannot possibly keep track o all their direct reports activities. Others have been placed in the dual

role o managing some tasks while executing others, undercutting their ocus and eectiveness in both realms.

To be proactive:

A long-term plan or improved automation or outsourcing o back- or middle-oce unctions may oer

solutions or investment managers who want to maintain a lean headcount while they grow. (That being

said, automation isnt a cure-all; well have more to say on this topic in the chapter on Risk Area #5,

Nave Reliance on Technology).

Outsourcing with insucient due diligence

A lack o experience in operations and IT can lead CEOs to assume that outsourcing will help them manage their risks

as well as their operations. Indeed, there are many sound reasons to outsource, such as wanting to ocus on core

competencies, securing access to better technology or expertise, or taking advantage o labor and/or time arbitrage

opportunities, to name a ew.

Yet, without careul management o the process, outsourcing may actually increase a rms operational risk prole rather

than reducing it. A perect illustration o this point is the remarks made ater the BP oil spill by then-CEO Tony Hayward:This was not our drilling rig, it was not our equipment, it was not our people, our systems or our processes We are taking

our responsibility to deal with it very, very seriously.

Key service providers such as accountants, custodians, prime brokers, und administrators, sotware vendors and middle-

oce outsourcing providers introduce operational risk, but many investment management rmseven those that have

been placed under the microscope by prospective clientsdont seem to put concerted eort into the due diligence they

perorm themselves. Additionally, many investment managers pay scant attention to the risks introduced by hand-os to or

rom these service providers (or more on that topic, see Risk Area #4, Dropped Batons). Eective risk management in this

domain calls or more than simply hiring a big global custodial bank and/or moving to a multi-prime broker service model.

1

NYSE Group Share and Dollar Volume in NYSE Listed, 2009.2BBC News interview, May 5, 2010.


11/49


To be proactive:

Adhere to best practices in due diligence, which call or managers to issue RFPs, obtain nancial

statements, perorm initial and ongoing annual on-site visits and read all the ne print (see Risk Area

#9). SEIs own experience indicates that proactive investment managers are substantially increasing

the depth o their due diligence, asking or more visits and issuing more detailed questionnaires than

ever beore.

Rogue activity

No discussion o operational risk would be complete without a mention o rogue activitythat is, the conscious

departure rom sanctioned operating policies and procedures. To be clear, rogue activity is not always due to malign

intent. While rms may worry about the rogue who is actively seeking ways to cheat or embezzle, the more common

problem is employees who may sincerely want to do a good job, but take shortcuts or triage their responsibilities when

they are overstretched. Oten they push tasks aside with the intent o catching up lateror example, reviewing past

reconciliations at some unspecied uture date. Another type o rogue activity is the senior sta member who routinely

ignores policies and procedures, a situation to which smaller rms may be especially prone.

To be proactive:

Maintain an operational risk log that documents operational mishaps and near misses. Requiring

violators to recount and present the issue may help educate them, i not shame them into compliance.

Review and bee up mechanisms or enorcement o existing policies.

Consider the need or tougher new policies, particularly i oenses are chronic. For example, employees

who ail to le personal trading orms can be ned, or rms can withhold a portion o their pay until

the problem is remediated.

When senior executives and managers lack a solid understanding o middle-

and back-oce workings, the repercussions can be ar-reaching. At worst,

they can spiral out o control. The rst step toward wisdom is to recognize

that we dont know what we dont know.


12/49

12Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 3 nvc, atc d st Inadequate Training or Cross Training

Risk Area #3

noViCES, APPREnTiCES And SoloiSTSInadequate Training or Cross-Training

While we have already mentioned sta training as an essential tool or mitigating

investment managers operational risk, the lack o adequate training and cross-

training is so ubiquitous within operational departments that it deserves to be

called out as an area o risk.


One acet o the issue is key-person risk, which is not limited to an organizations senior sta, but can also be spotted in

low-ranking yet vital positions. Other problems stem rom poor organizational design, a lack o consideration or business

continuity planning, and the notion that ad hoc on-the-job training constitutes a coherent program. Today, many rms are

operating at historically low stang levels, urther increasing the importance o proper training and cross-training.

Highly specialized operational teams

Many rms build small teams to ocus on a specic asset class, investment strategy, client or und; some have dedicated

teams or each large und. This approach has obvious appeal: management can put their best people in a particularly

challenging area, clients like having a team dedicated to their accounts or unds, and sta may be less distracted by

other tasks.

Many investment managers create these specialized teams in an eort to lower their operational risk proles; yet, ironically,all too oten the result is more risk rather than less. A small, specialized teams intellectual capital and institutional knowledge

may be severely depleted by the loss o a single member, whether such absences are short-term (vacations), over a longer

period (sabbatical or maternity leave) or permanent (leaving the rm or

being promoted). Such brain drains may occur abruptly when an illness,

amily emergency or resignation is involved, leaving organizations

scrambling to cope. Worse still, in keeping with Murphys Law, these

unexpected gaps in stang oten seem to come at the worst possible

timese.g., during a period o peak transaction volume, while other key

sta members are on holiday, or when a product or system launch is

imminentnot only disrupting operations, but producing enough stress

and chaos to discourage or drive away some o those who remain onthe job. 03

CHAPTER


13/49


A prolieration o processes and proceduresBecause the specialized-team approach osters isolation, it oten leads teams to develop idiosyncratic processes and

procedures rather than adapting a master set o workows. We will delve into this issue more thoroughly in the chapter

on workows (Risk Area #6, Playbooks), but it should be kept in mind when considering how to organize support teams.

Failure to grasp the bigger picture

We touched on problems stemming rom the lack o training or managers in chapter 2, The Blind Leading the Blind. The

same kinds o issues are encountered at lower organizational levels where the work actually gets done. When consultants

conduct operational reviews, they oten nd junior sta members who operate in a kind o bubblethat is, they cannot

explain how their jobs t into the unctions o the department as a whole. Indeed, even among those who are adept at

what they were hired to do, many cannot articulate what their rm actually does.

Without understanding how their individual roles t into the larger organization, sta members cannot ully appreciate the

urgency o inormation, the importance o accuracy, or how much even minor improvements would benet the business.

For example, every reconciliation clerk should understand the potential eect a position break could have on the investment

team and the trading desk. Yet, all too oten one side o the organization has no idea what happens on the other side. How

many traders understand the downstream eectsand costso an erroneous trade ticket?

Lack o exposure to industry advancesEmployees with a narrow view o their own workplace are unlikely to know how other organizations tackle operational

challenges. This kind o tunnel vision is particularly common among rms where many sta members have been there or

years and do not regularly attend conerences or make a point o networking with their peers. Such organizations oten

stick with processes and procedures that might once have been leading-edge, but have allen behind industry practice and

technological change. No rm or department can be sure it has the best approach without considering solutions that other

organizations have devised. Firms that encourage lielong learning may have a lasting competitive advantage because thei

employees are engaged and their solutions are up-to-date.

Soloists with exclusive ownership o unctions or relationships

Soloists are employees who perorm unctions that no one else knows how to door, perhaps, wants to do. In some

cases, no one else has sucient access rights to systems to perorm a unction. There is no doubt that security mastermaintenance can be tedious and the list o people with access to payroll should be limited. A soloist may also be someone

who views client relationships as personal property. Some relationship managers (RMs) seem to lose sight o the act that

client relationships belong to the rm, not to RMs. Feeling that their contacts are just thattheir contactssuch RMs may

never get around to updating client relationship management (CRM) systems. Too oten, supervisors ail to step in or ear

o rocking the boat or undercutting results. Such problems are not limited to small organizations, however. Many large sales

or client service teams harbor soloists who overtly balk at letting anyone else perorm tasks or service relationships they

claim as their own. The point is that even well trained, high-perorming soloists may stand in the way o rm-wide eorts to

mitigate operational risks through cross-training.


14/49


To be proactive:Identiying training and cross-training challenges generally is not dicult. Start by looking at your organizational

chart to identiy small teams. (Ideally, teams should never be smaller than three ully cross-trained people.) The good

news is that eective training can be accomplished in a variety o ways, but also can be designed to address multiple

problems. Among possible measures:

A well conceived set o do-it-yoursel training measures can be eective. Quiz sta on what they

should have read in the rms compliance manual or code o ethics. Review system access capabilities.

Spot-check CRM updates. Ask people to describe what they doand really listen to their answers.

A series o internal lunch-and-learn sessions can be an eective approach to cross-training; more

oten than not the participants also discover opportunities or operational improvements. Those sta

members who lead training sessions also stand to benet rom the experience.

A proessional credentialing program in investment operations does not yet exist, but the Certicate

in Investment Perormance Measurement (CIPM) oered by CFA Institute ensures that perormance

practitioners have the requisite skills in their specialized elds. Many classes and short courses, bothlive and online, are available across a wide range o topics.

Customized on-site training is also an option. This can be provided by internal experts and/or

external specialists who can tailor training to the rms methods and requirements.

Job rotation, job shadowing and job swaps can help ensure that cross-training takes place, especially

i these measures are accompanied by presentations on the systems architecture and workfows.

Ask teams to document or review their workfows as a group and share each teams workfows

with other teams.

Attending webinars, industry conerences and networking events can be helpul to many employees,

particularly those who are knowledgeable in their jobs but would benet rom more exposure to

other organizations.

Ensure that all clients are assigned a primary and a back-up RM, and that both are in regular

contact with them.

Murphys Law requently comes into play and exposes poor organizational design

when rms can least deal with it. Identiy training and cross-training challenges when

they arent needed so that you can start mitigating operational risk in the calm beorethe storm, not in the eye o the hurricane.


15/49

15Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 4 Dd Bt Inormation Hand-ofs

Risk Area #4

dRoPPEd bATonSInormation Hand-os

Competitive runners know that in a 4x100 meter relay, signicant time, or even the

race itsel, can be lost i someone bobbles or, worse still, drops the baton while it

is passed rom one sprinter to the next. Investment managersace similar risks when

passing inormation between the people, departments, organizations and systems

involved in complex sequential activities. Hand-os are raught with communication

and timing challenges. Luckily, some simple tools can go a long way toward

remedying the problem.


Failing to identiy where hand-os occur

A great way to think about hand-os is to revisit the old practice o using paper trade tickets (a method that is still in use

by some rms, and can be workable or rms with limited transaction volumes). Tickets could get lost because someone

mislaid them, a data entry clerk orgot to input them, or they simply ell behind a le cabinet. In rms using industry best

practices, the number o tickets written in the course o a day would be compared with the number o trades entered into

the rms investment accounting system. I the totals didnt match, an inquiry would be initiated. This approach wasnt ail-

saei one ticket was missing and another trade had been entered twice, then the counts would appear to be correctbut

it did help reduce problems. Duplicate trade entries could be avoided by marking tickets as they were entered into the

system, and the lost-behind-the-le-cabinet problem could be ameliorated by keeping tickets in designated wire baskets.

These days, o course, investment managers operate with less paper,

ewer wire baskets, and more automation. But rms today also have ar

higher transaction volumes and, typically, more moving parts to their

processes, both within the rm and in dealings with trading partners,

custodians, prime brokers, administrators, middle-oce outsourcing

providers, exchanges and settlement acilities. While every inormation

hand-o creates the possibility or error, many rms have ailed to

systematically map where these interchanges occur.

Poorly designed or documented system interaces

Hand-os rom one electronic system to another are common trouble spots.

The problem may stem rom poor planning or insucient oresight in the

original system design (e.g., built or equities but not xed income because

well never need that). Systems may also be poorly written, inadequately

supported by vendors, or insuciently documented (i documented at all).

Firms also run into problems when one system gets upgraded and another

one doesnt, or when a legacy system has been in place or so long that no

one still in the rms employment knows exactly how they unction.

04CHAPTER


16/49


Timing can also be a challenge. In many instances, inormation is only sent rom one application to another on a nightly batch

basis. Yet as settlement cycles shorten, such a batch-based approach may not be suciently requent or communicating

critical inormation between systems. Other timing challenges arise when interaces ail to consider the impacts o backdated

activity. Global investment managers are oten plagued with timing issues because there is never an end to the day. Inormation

must be handed o seamlessly rom one oceand applicationto another in an endless cycle, leaving no time or the

traditional overnight cycle.

Many interaces suer rom more than one o these problems, and operational risk increases geometrically as more

interaces are involved. Indeed, the inadequacy o system interaces is oten a key driver in the decision to consider

outsourcing. Many investment management rms choose outsourcing because it is more cost-eective and less complex

than addressing all the known and unknown issues with their internal systems.

To be proactive: Develop a thorough system diagram that includes every application in use and identies the

interaces between them.

Diagram workow to determine where hand-os occur. A swim-lane diagram that depicts each

system in its own lane can be particularly helpul in identiying where inormation hand-os occur.

Such a diagram can also capture hand-os between people and systems (again, think o entering

data rom paper tickets), as well as those between teams or departments, between one rm and

another (such as receiving execution details rom a counterparty and sending back trade allocation

inormation), between two or more systems, and between the investment manager and its clients

(such as client reports or subscription and redemption activity).

Swim-lane diagram

Portfolio

Ma

nager Create

OrderTicket

Fax BankAuthorization

Letter

AllocateExecuted

Trade

UpdateTicket

UpdatePosition

IssueConfrmation(s)

UpdateTicketTr

ader

Yes

No

Custodian

TradeSupport

InvAccting

System

Counterparty

ExecuteOrder

Place Orderwith

Counterparty

Enter Trade(s) intoInvestment

Accounting System

Ticket MatchesConfrm?

UpdatePosition

SettleTrade


17/49


(continued)

Examine each identied hand-o in detail. Once an exchange has been captured, consider how

oten the hand-o occurs, the kind o inormation transerred, the timing around the hand-o, and

what might go wrong with it. We nd it helpul to look at available metrics, procedural documentation,

data requirements, and error logs to evaluate the scope, nature and repercussions o potential

operational mishaps.

Develop a comprehensive inventory o trouble spots. For example, i we again think in terms o

the old paper-ticket systems, a ticket could be lost or entered twice. It might be illegible, or contain

bad inormation in one or more elds, or have been submitted ater the data entry team has gone

home or the night. It is also possible that the securityor the counterparty, the currency, or even

the portoliohas not yet been set up, or set up incorrectly, in the investment accounting system.

With an inventory o what might go wrong, rms can assess each one, estimating the likelihood that

problems will occur and the damage they might cause.

Build workows, processes and escalation protocols to mitigate the risks. In some cases, a quick x

may be sucient to solve the issue. I, or example, a security or currency has not been properly setup, some rms may be able to x that on the spot. In other organizations, however, the problem and

its solution may not be so simple. For example, i trade entry clerks are not authorized or trained in

new security or counterparty set-up, a urther hand-o is required between trade entry and the security/

counterparty maintenance group. This new hand-o needs its own examination o risks and how to

mitigate them.

Examine hand-os to and rom outsourcing providers, and expect that those providers have done

the same thing. Firms such as SEI use automated workfow tools where possible to ensure better

tracking, increased consistency, and aster exception processing. Where appropriate, each hand-o

should be covered by a service-level agreement with deadlines, quality expectations and metrics

that provide benchmarks or evaluating the perormance o both the provider and the investmentmanager.

Dont orget to consider inormation provided by clients. Even the most sophisticated institutional

clients sometimes ail to notiy managers o contributions or withdrawals in separate accounts, or

example. Such ailures create needless reconciliation work or harried operations sta and can lead

to distorted or misattributed returns. A portolio manager is more likely to orgive the client than the

operations group when his/her perormance is aected because the client neglected to inorm the

rm o a cash fow.

Once investment managers have a complete inventory o where their

operational processes might go wrong, they can take systematic steps to

reduce or eliminate their risks.


18/49

18Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 5 nv rc Tchgy The Downside of Automation

Lets be clear rom the start: automation is a powerul tool or mitigating

operational risk. Properly selected, programmed and managed, computers can

perorm repetitive tasks with accuracy and lightning speed. They never grow

bored or inattentive. And theyre willing to work 24/7 without once stopping

or a break. Yet computers also have the capacity to spew out mistakes at

superhuman speed.

Moreover, computers are undamentally obtuse. They will do only what we tell them to do, and then, like a surly adolescent,they will do exactlywhat we say. They wont demonstrate initiative; or example, computers will not perorm a reasonability

check unless we specically instruct them to do so and dene reasonable in unambiguous, syntactically correct terms.

A case in point: In June 2010, Deutsche Banks algorithmic trading system acted on bad pricing inputs by placing 7,468

orders to sell Nikkei 225 utures contracts on the Osaka Stock Exchange. The total value was more than $182 billion. Any

trader would have questioned the size o the transaction, but the systems developers hadnt taught the system to make

such evaluations, and approximately $546 million o the orders were executed beore the error was caught. Ultimately the

bank was reprimanded by the exchange, shut down the proprietary trading unit in question and received a great deal o

unavorable publicity.

Firms that want to reduce their exposure to operational risks must recognize that automation is a double-edged sword.

While helping to reduce many risks, it may also pose a host o new ones.


Insucient knowledge o the manual tasks being automated

The U.S. Army Rangers would never be allowed to use GPS systems to

navigate in the eld without knowing how to use a compass. Yet in our

industry, automation has taken over some activities to the point that ew

people remember how to do them manually, i they ever knew.

Is it any wonder that the ner points o accrued interest calculations maybe elusive to a younger generation accustomed to using calculators or

every computation? Can we really expect them to determine whether a

xed-income system is applying the correct day-count convention to U.S.

corporate bonds (generally 30/360) as opposed to U.S. Treasury bonds

(actual/actual)? 05CHAPTER

Risk Area #5

nAVE REliAnCE on TECHnologyThe Downside o Automation


19/49


To be proactive: Make sure that automation project teams include sta members who thoroughly understand how to

manually perorm the activities being automated. Without bringing such undamental understanding to

bear, it is impossible to consider the necessary steps in a processor those that might not be necessary

in an automated environmentand to make certain that vital, consequential unctions are not skipped,

missed or ignored. Sta who know how something is done will also know how mistakes are made andwhether results generated by an application are correct.

Poorly designed, implemented or documented technology solutions

Problems may arise or a variety o reasons, including:

Using a system or portolios and instruments it wasnt built to handle. For instance, an investment manager may be

trying to support a handul o multi-currency portolios using a single-currency investment accounting system, or trading

xed-income securities on a system originally designed only to handle equities. In other cases, the manager may be

relying on spreadsheets or databases in lieu o an application that has been tested and locked down to protect against

ad hoc changes.

Poorly designed interaces between two systems (see chapter 4, Dropped Batons). Interaces are particularly suspect i

they were originally built in a phased implementation processor example, one that was initially implemented to support

equities only and then extended to support xed-income and derivatives instruments. Too oten, the early project phases

were poorly documented and subsequent phases are delayed, leaving IT and operations departments unsure how an

interace will perorm when conronted with a new set o inputs. (We know the interace works with common stocks; will it

cope with preerreds?)

Shoe-horning inormation and transactions into earlier system designs or makeshit applications developed into

skunkworks projects. This leaves investment management rms even more exposed to the risks in chapter 3

(Novices, Soloists and Apprentices). Anyone who has ever tried to decipher the inner workings o someone elsesspreadsheet knows how challenging that can be, even when dealing with a standalone spreadsheet, let alone one linked

to scores o other spreadsheets. Likewise, i multi-currency portolios are managed on a single-currency platorm, guring

out the workarounds created to record oreign exchange transactions and to reect that inormation in client reports can

be maddeningly complex. Some database applications are notorious or their lack o documentation.

Inadequate audit trails. This problem is oten encountered with older vendor systems as well as with many o the less

robust newer applications. It is ubiquitous among electronic spreadsheets and relational databases created without

corporate oversight by business units that cannot wait or IT resources to become available. However, it may prove

important to know who changed a price or cancelled a trade or set up a security, on what date, and at what time o day.

A reliable audit trail will not only help during regulatory exams but will also assist in unwinding errors, designing process

controls and identiying additional training needs.

Neglected or out-o-date systems access controls. Many well-designed buy-side applications allow an investment

manager to control access at the unction level. For example, traders could be authorized to enter trades but prohibited

rom setting up securities, and portolio managers might be able to view inormation and run reports but not change any

data. Some rms neglect to implement these built-in system controls; others establish the controls but ail to update them

as workows are altered, systems capabilities are upgraded and people change jobs. Jrme Kerviels 4.9 billion raud

at Socit Gnrale was acilitated, in part, by a ailure to keep systems access privileges up-to-date.


20/49


To be proactive: Develop detailed written specications as a guide or any system or sotware development project.

These specications should be developed with thorough input and reviewed by sta members who

understand the operational context or the unctions being automated.

Diagram systems and workows to identiy all systems in use, including spreadsheets and proprietarydatabases.Properly executed, this step will not only make it much easier to identiy key interaces and system

access rights, it will also help bring potential audit trail issues to light.

Whenever a new system is implemented, review all workows around that application or possible re-

engineering. The same holds true when a new third-party service provider such as an administrator, prime

broker or middle-oce outsourcing provider is engaged. While ideally, some activities will be eliminated

thanks to automation or outsourcing, new activities may be required to oversee processing and

ensure data accuracy.

Inadequate testing o new systems and sotwareFailing to thoroughly test systems, including upgrades, reports and, or that matter, workows, is another source o unoreseen

risks. Insucient testing oten results rom a sketchy understanding o the unctions being automated. I sta members do

not know how to perorm a task manually, how can they properly test any automation? Another underlying cause is a lack o

clear unctional specications or system development. Organizations may be tempted to shortcut this step by basing sotware

development on inormal user requests, rather than ully documented unctional specications.

And, o course, many end users are simply unaware o the critical need or regression testingunaware, that is, until an

upgrade unexpectedly breaks another component o the application. Unortunately, however, many are too easily lulled

back into complacency, especially in the ace o mounting deadlines and too ew resources.

To be proactive:

Reer back to written system specications. Testing new sotware is obviously more dicult when

there is a lack o clarity on precisely what it should do.

Make sure that new systems and eatures are evaluated and tested by sta who understand

the manual processes being automated. Those who know how something is done will be better

equipped to know how mistakes can be made, and to assess whether the application is producing

correct results.

Allowing potentially disruptive ad hoc changes

Investment managers have invested signicant time and money to implement pre-trade compliance systems intended to ag or block

transactions which, i executed, would result in breaching an accounts investment guidelines. Yet, we see the same rms enabling

traders to set up skeleton securities on the y. I the rm were purchasing, say, Exxon Mobil or the rst time, the trader could set up a

common stock skeleton security with the security name, ticker and currency so that trading can proceed apace, leaving other details

(e.g., Exxon Mobils primary exchange, indicated annual dividend or sector and industry classications) to be lled in later by someone

else. While this procedure certainly accelerates the trading process, the investment management rm has impaired its state-o-the-art

pre-trade compliance system. How can the system evaluate the percentage held in energy stocks i it does not know that Exxon Mobil

should be classied within energy?


21/49


To be proactive:

Think through workows and system access controls to prevent expedient, but potentially

troublesome changes. Periodic team-wide, and even cross-team, reviews o workfows and access

controls oten highlight the downstream eect that some changes can have. Likewise, review

system access when people join and leave individual teams and not just the rm. All system access

should additionally be reviewed on a regular and periodic basis.

Failure to implement and test system updates in a timely manner

Investment managers may engage teams o consultants to assist with a new system implementation, but give relatively little

thought to the resources needed later or installing and testing new system releases (let alone the changes to workows,

interaces and business continuity plans that such upgrades should trigger). Ignoring sotware updates is perilous: new

releases may contain critical bug xes and vendor contracts oten limit support to recent releases. Some managers

implement new sotware releases but curtail or skip testing due to the press o time, thus taking on risks that would make

their clients shudder.

To be proactive:

Develop, and adhere to, work processes and timelines or maintaining and updating your rms

systems inrastructure, however costly and time-consuming those activities may be. In some cases,

outsourcing might be an attractive alternative since it can limit that number o applications or which

the investment manager is directly responsible or maintaining, updating and testing new releases.

Relying on consultants whose knowledge is too narrow or too general

Knowledgeable consultants can help dramatically mitigate operational risk by conducting well-directed operational reviewsevaluating systems or outsourcing vendors, and guiding technology selection and implementation projects. But consultants

are no panacea; they may even inate operational risk i they dont have the specialized knowledge an assignment requires.

To be proactive:

Make sure that consultants understand the investment management business, not just nancial

services in general. The buy-side does do things dierently.This advice is especially important

when it comes to implementation projects, which oten involve vendor specialists. While vendor-

supplied consultants do provide knowledge o the latest releases and bug xes, as well as priority

access to the vendors support team in the event an issue arises, those who lack solid experience

with buy-side rms may be unaware o best-practice workfows or the upstream and downstreamimpacts o key activities or errors.


22/49


When stafng technology evaluation/selection projects, make sure that any consultant being

considered is independent or has ully disclosed any compensation arrangements with vendors.

When it comes to a large-scale system or outsourcing implementation, more than one kind o

expertise may be necessary. It is oten advisable to engage specialized consultants as well as the

vendor consultants to ensure your rms priorities and objectives are kept in sharp ocus.

I you dont want to be working with consultants indenitely, conrm that they have a plan ortranserring their knowledge to your sta during the project.

Competitive rather than cooperative relationships

Over the years, the balance o power between operations and IT departments has shited in many investment rms. In the

past, IT departments commonly dictated which systems would be used to support operations. More recently the pendulum

has swung back in avor o operations calling the shots. But it is impossible to build or maintain an eective environment or

operational risk management i the departments involved see each other as competitors rather than partners. Similarly, risk

management is compromised i investment managers and third-party service providers operate in a siloed ashion.

To be proactive:

Manage project plans and communications with an eye to developing well-aligned, collaborative

working relationships. We believe strongly that IT and operations sta must work hand-in-glove

to create a smoothly operating, risk-managed inrastructure. That means that IT needs to support

operations rather than mandate solutions; at the same time, operations must be sensitive to ITs

perspective on the costs and requirements o some potential solutions.

Likewise, outsourcing works best when investment managers and their third-party service providers

establish strong lines o communication with some degree o give and take. At SEI, we encourage

an open exchange o ideas and inormation on a scheduled and ad hoc basis, rom strategicplanning to day-to-day operational activity. In our observation, those clients who treat their

relationship with us as a true partnership are the ones who realize the most value rom it.

In sum, rms that want to reduce their operational risks need to actor that goal

into every aspect o their ongoing automation eort.


23/49

23Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 6 pyb Workfow Documentation

06CHAPTER

Documenting processes and procedures is such a undamental and obvious

requirement or eective operations management that one might question the

need to call it out. Yet, non-existent, obsolete or incomplete documentation is

implicated in so many operational snaus that it deserves to be singled out as a

risk area in its own right.

An operations department without workows is like a traveler without a set o maps or a community without a zoning

plan. Even i your rms documentation is useul, comprehensive, up-to-date and readily accessible in an emergency, youmay still nd the topic worth revisiting. I, on the other hand, the state o your documentation is less than adequate or

even worrisome, you may wish to use this chapter as the basis or dialogue and planning within your rm or department.

Not only will well-documented workows help you avoid mistakes and miscommunication, they make it much easier to

train new employees. Reviewing workows is a perect way or new hires to occupy themselves during idle periods when

no one is available to train them. As an added benet, you will get helpul eedback on the clarity and eectiveness o your

documentation.


A total lack o ormal workfows

Extreme as this may be, having no ormal set o workows is unortunately

the case at some organizations, especially but not only, at emerging

rms. In such situations, teams are managed on what might be called

the whack-a-mole model, with predictable consequences or the

quality o work lie. When the entire rm lacks a playbook, the resulting

chaos oten resembles a game o soccer as played by a team o unruly

six-year-olds who race ater the ball with little concern or their assigned

positions or even the goalposts. (Some parents call this swarm ball.)

Without established workows, it is impossible to ensure that operational

controls are in place, sta are perorming all necessary tasks, andall systems involvedespecially mission-critical spreadsheetshave

been identied. When there is a total absence o workow diagrams or

documentation, operational due-diligence reviews may be over beore

they have even started.

Risk Area #6

PlAybooKSWorkfow Documentation


24/49


To be proactive:

Develop a plan and timeline or developing and documenting workows. Dont try to tackle every

process at once, or you will be overwhelmed. Start with the simplest and most basic unctions, and

build rom there. The swim-lane and system diagrams discussed in chapter 4 (Dropped Batons)

can be invaluable in this eort.

As you embark on any documentation project, remember that workows necessarily go hand-in-hand with policies

and procedures. In act, its impossible to properly develop and document workows and controls without a thorough

knowledge o the policies and procedures in place. Make sure to consider all potentially relevant itemsrom compliance

policies and expense report procedures to inormation security policies, escalation procedures and business continuity plans.

Workfows that are out o date

Firms should revisit their workows with the occurrence o any meaningul changee.g., reorganizations, systems

implementations, product launches, new reporting requirements, changes to system access levels and new instrument

types. Yet many operational teams seem to lack the time, expertise, or motivation to do so.

To be proactive: Establish and enorce a regular schedule or reviewing and updating workows. Even when rms

are well-established and relatively unchanging, managers should take a resh look at their workfows

at least annually.

Documentation that is either too vague or too detailed

Neither type is as useul as it should be. Overly vague documentation leaves sta members to ounder in a crisis. On the other

hand, excessively detailed documentation generally has such a short shel lie that the material loses its value by the time it iscritically needed. While those with disciplined, analytical minds may insist on exhaustive, step-by-step documentation, complete

with screen shots and keystrokes or every task, otentimes such perectionism is rarely worth the considerable eort and

expense it entails to create and maintain.

To be proactive:

Get eedback rom managers and employees to help identiy the right level o detail. The appropriate

level o documentation is a matter o individual judgment, taking into account the rms and the

departments operational risk appetite, training requirements, and overall preparedness or disaster

recovery. Firms can oten achieve a good balance by developing reasonably inormative, but not

exhaustive, documentation and supplementing it with extensive cross-training.


25/49


No escalation procedures

Escalation procedures are worthy o special mention. When things go wrong, as they sometimes will, it is important to have

established the criteria and protocols or elevating an issue to a higher level o management. Heads o operations, or

example, neednt be inormed about every individual reconciliation break or ailed trade as it occurs. (They do need to see

error logs on a regular basis.) I managers in larger rms were notied o every single issue, they would be so inundated by

small, manageable items that they would be unable to identiy whether a major problem is lurking in their inboxes.

To be proactive:

Dene which incidents should go up the chain o command, and when. The most eective escalation

procedures use both size/impact and time as decision criteria. For example, a small ailed sell transaction

may not initially merit escalation due to its inconsequential size, but it should get escalated well beore

the counterparty issues a buy-in notice. On the other hand, a similar trade that is very large might be

escalated immediately based on its size alone, especially i it is material in relation to the overall portolio.

Sta that ignore or are unaware o documented workfowsRegardless o the state o a rms documentation, workows do no good i sta do not ollow whatever workows, policies

and procedures have been memorialized.

To be proactive:

Take steps to ensure that sta have not only received copies o workows, and have them at

hand, but have also actually read and understood them. Conrming receipt is only the rst

step. Managers should also consider having periodic meetings to review and explain policies,

procedures and workfows. (Note that this applies to all the policies, procedures and workfows

across the rm, not just those that are compliance-related.) When it comes to determining whether

workfows are actually ollowed, job swapping, operational reviews and audits can help.

Multiple undocumented variations on the same basic workfow

This problem oten occurs when rms develop small teams that are specialized by product, instrument type, investment

strategy or client. Oten these small teams will start out with a single set o workows used by similar teams across the

organization, but then they customize their processes and procedures over time, perhaps without documenting these

renements. The result may be a rm with multiple sets o workows or the same basic unction, such as trade settlement

or reconciliation. When encountered and questioned about such situations, teams may protest, but were dierent! Its

true that one size doesnt t all, but i a rms workows can only handle one product or one client or one strategy, then it is

time or them to re-think their processes.


26/49


To be proactive:

Consolidate and ocus workows as much as possible.As an analogy, consider the simple workfows

or pouring and serving coee. Whether we have one team or our, were dealing with our workfows:

black, with sugar only, with milk only or with milk and sugar. However, even i we organize our teams

to serve coee, they can all ollow one central workfow with optional steps depending on customers

stated preerences.

This approach makes sense or several reasons. First, only one set o workfows has to be maintained.

Secondly, all sta will be amiliar with the overall workfow, even i their team perorms some o the

optional steps and not others (e.g., adding sugar but not milk). Finally, a single workfow with options

is easier to review, update, and explain during audits and operational due diligence meetings.

Ideally, workfows dene a single, logical set o activities in manageable pieces. In our example o serving

coee, the workfow would intentionally exclude the steps required to make the coee, secure the

ingredients or select a cup. Likewise, it leaves o beore covering coee consumption or cleanup

activities. By documenting in bite-sized chunks, investment managers get immediate benet rom each

unction that is documented. When managers start a new documentation eort by ocusing on relatively

simple unctions, they can build on the resulting eedback and experience as they add more complex

unctions later in the process. For example, a trade settlement workfow might be updated to consider trade

cancellations, trade corrections or situations when trades are rst posted ater trade date (or worse still,

ater settlement date).

Individual workfows can then be linked to other workfows to cover longer, more intricate processes.

In addition, users can coordinate with outside service providers to ensure hand-o scenarios are

adequately covered.

Workfows that are inaccessible when needed most

In a sudden evacuation, you may not have time to collect those reassuringly substantial three-ring binders rom your oce

bookshel and take them to an osite location. Likewise, when systems are down and internet access is unavailable, having

access to hard copies may be critical.

To be proactive:

Make sure that updated workows are available both online and in hard copy. During a business

continuity or disaster recovery event, investment managers oten must call upon sta to discharge

unctions they are unaccustomed to perorming on a daily basis. It is in exactly these situations that clear,

concise, well-documented workfows can be a lie-saver.

A lack o time, insucient expertise and an undersupply o motivation are all

reasons why workfow documentation is so oten pushed to the back burner. But

investing the eort it takes to do the job will pay o in expedited and consistent

training, more eective controls, improved eciency and a lower rate o errors

every single business day.


27/49

27Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 7 amgmtd agmt Improper Segregation of Duties

07CHAPTER

Given the number o moving parts in the investment process, its no surprise that

the roles and responsibilities o those involved are not always appropriately

delineated. The issue goes beyond opening the door to raud and embezzlement.

The ailure to clearly and properly assign duties can create conficts o interest,

throw up barriers to accountability, and complicate matters o compliance and

administration.

Such problems afict traditional and alternative managers alike, as well as some o their key service providers. Moreover,these problems have become more common since the nancial crisis and the ensuing downsizing o operational and IT

sta across the industry. Reductions in the workorce leave ewer people in place to handle the same workload initially

and, as the market continues to recover, a growing volume o portolios and transactions. Not only does this mean

that operational sta may become chronically overextended and more prone to errors, it leads to situations where

employees must wear multiple hats, sometimes stretching or crossing the boundaries o good segregation controls. It is

not uncommon or rms that once had appropriate controls in place to no longer be able to support those controls ater

a workorce reduction. Clearly smaller rms, especially start-ups, are challenged rom the outset by having a relatively

small number o employees available to handle multiple unctions.


Conusing assets ounds with the assets orms

This issue is a particular concern to rms managing pooled vehicles,

including traditional rms that manage mutual unds and alternative rms

that manage hedge unds, private equity unds or unds o hedge unds.

It oten involves recordkeeping sta, but may aect others as well.

Consider the hypothetical example o Opaque Asset Management (OAM),

which manages the Opaque Fund. For purposes o this discussion, the

type o und and strategy are irrelevant. What is important is that the

Opaque Fund is a cliento Opaque Asset Managementperhaps evenits largest clientand is distinct rom the rm. That point, while critically

important, may escape sta at all organizational levels; they may either

orget the distinction between manager and und or never grasp it in the

rst place. Indeed, many clients and due diligence rms also ail to pick

up on the distinction when reviewing und procedures. The common

practice o giving unds names similar to those o their managing rms

only increases the conusion.

Risk Area #7

AmAlgAmATEd ASSignmEnTSImproper Segregation o Duties


28/49


I you are tempted to think that muddling rms and unds doesnt really matter, lets consider some o the issues that can

arise in practiceor example, who should be approving wire transers? Clearly, best practice calls or having two approvals

beore a transer is released. But who should those approving parties be? In many organizations, portolio managers

believe that they should approve all wires. But because portolio managers actually oversee the unds trading activities,

proper segregation o duties would generally dictate that they should have no control over the movement o und (i.e.,

client) assets. The exception might be those cases where portolio managers are principals o the investmentmanagement

frm and eel strongly they should approve wire transers or the frms money (e.g., payroll, taxes or other major rm

expenses).

To be proactive:

Consider an operational review to identiy potential issues and remedial actions. Outsourcing may be

a remedy to explore, particularly in cases where rm resources are stretched or segregation o duties

is inadequate.

Be clear on where the lines between unctional activities should be drawn. For instance, recalling

the notorious examples o Nick Leeson at Barings Bank and Jrme Kerviel at Socit Gnrale, under

no circumstances should portolio managers or traders price their own portolios; nor should they be

involved in trade settlement or reconciliation. Likewise, trade support sta should not perorm the duties

o reconciliation sta and vice-versa. And perormance measurement teamsat least, those responsible

or generating perormance data used in marketing and possibly in incentive compensation calculations

should not report to the investment team or the sales/marketing area.

Manage inormation ows to minimize the potential or manipulation o data. Trade conrmations

are sometimes sent by counterparties to the trading desk which, in turn, passes the conrmations on to

investment operations. This sets up a situation in which a rogue trader could alter a conrmation. A better

approach is to have counterparty conrmations sent directly to investment operations. Traders may

certainly be copied on conrmations, i desired, but they should not serve as the primary conduit or as

an intermediary in the delivery process.

Make sure clients are in control when their assets are moved. The question o who should have the

authority to wire money has a simple answer: that authority always rests with the client (or the und). For

separate accounts, best practice dictates that the investment manager should never be given authority

to wire unds. Indeed, when the manager has such authority, it is considered constructive custody, which

needs to be disclosed on the investment managers Form ADV.

In the case o unds, where the investment manager wears two hats, this responsibility should be assigned

with special care. The authority to transer unds should not rest with the investment team or anyone

involved in reconciliation. Ideally, wire transers are handled by a combination o an internal operations

team and the external und administrator. In all cases, a wire transer should be approved by at least two

people. Moreover, checks should be put in place to ensure that the amounts drawn and accounts involved

are correct. Limiting the specic accounts to which unds can be wired is a sound practice (and, o course,

a dierent group should manage that set-up). For example, individual sta at the investment manager might

only be authorized to wire rom the custodian to the administrator while the administrators sta might only

be able to wire rom the administrator accounts to either investors or to the custodianand then based

only on written instructions rom the investment managers operations team.


29/49


One last caution concerns network authentication system security tokens, those little devices that banks

or prime brokers provide to issue updated codes or initiating wires or authenticating users. Dont leave

them in a desk drawer! First, they could easily be ound and are subject to misuse by someone else.

Second, i theyre in your drawer, they wont be very helpul in the event you need to invoke your

business continuity plan. Inconvenient as it may be, put them

on your keychain so they will be with you at all times.

Failing to separate und records rom those o the rm

This problem involves custodians, prime brokers, und administrators and auditors. Every undwill have one or more

agents that serve as the unds custodian(s) or the saekeeping o assets. (Hedge unds generally utilize prime brokers

who unction not only as asset saekeepers/custodians, but also as execution counterparties and lenders.) Likewise,

the und will have an auditor, as well as a und accountant or und administrator, the latter o which is increasingly an

independent third-party service provider such as SEI.

The custodian, auditor and und administrator are hired by the undnot by the investment management frm. Moreover,

the books and records maintained by these parties are those o the und(read: client), not the investment management

frm. So what happens when the regulators walk in or a periodic examination o the frm? Should Opaque AssetManagement (OAM) rely on clientrecords? The answer is clearly no.

The management o separate accounts brings the books-and-records issue into sharper relie, in that separate account clients

do not require a und administrator. Thus, the only book o record would be that o the custodian or prime broker as the

saekeeper o assets. Once again, it is problematic i OAM, the investment management rm, is subject to a regulatory exam

and can rely only upon the books and records produced by agents o its separate account clients.

True, ailure to maintain separate rm and und records certainly streamlines operations because everyone reers to a

single record. On the other hand, with that approach, the term STP can take on new meaningnot straight-through-

processing, but straight-through-problems. I, or example, a manager downloads trade conrmations and uploads

them to the managers investment accounting system, rather than inputting transactions manually or loading them rom

the managers trading system, there is no way to catch mistakes should the counterpartys conrmation be incorrectan all too common occurrence.

To be proactive:

Consider some level o shadow portolio accounting. Investment management rms that practice

shadow accounting maintain their own independent sets o books and records (generally through

the use o an investment or portolio accounting system). The intent is to enable managers to spot

mistakes or improprieties by periodically reconciling their records with those o saekeepers and und

administrators.

Shadow portolio accounting is commonly used in the traditional investment arena. And with many

hedge unds, especially those with Level 3, hard-to-value or illiquid assets, it is oten considered to be

a necessary double-check, rather than a luxury. Still, it is the subject o some debate, especially within

the alternative side o the industry. Some consider maintenance o manager recordsas opposed to

simply maintenance o und recordsto be best practice, yet the discussion is particularly critical in two

scenarios: rst, when the unds custodian also perorms the middle-oce portolio accounting unction

or the investment manager; and second, when the und relies on one or more prime brokers or trade

instructions, eschewing a robust, independent trade matching process.


30/49


When evaluating the need or shadow portolio accounting, careul review o the sources o data or

critical operational unctions and recordkeeping is o paramount importance. While und accounting

calculations can leverage middle-oce portolio accounting data, to do so properly, care must be taken

to ensure portolio accounting inormation is appropriately sourced. For example, all trading inormation

should be ed to the portolio accounting application directly rom the investment managers order

management system or paper tickets and not rom broker conrmations or, worse still, eeds provided

rom the prime broker or custodian. This is even more important when the prime broker acts as the

counterparty on the trade or the custodian also unctions as the und administrator and/or middle-

oce recordkeeper.

Some managers determine that, since responsibility ultimately rests with the investment management

rm, they will duplicate 100% o what the administrator does. Said one European hedge und manager

quoted in Ernst & Youngs Coming o Age, its 2011 survey o the hedge und industry, We have to

have our own records. We cant rely on third parties. As a regulated rm, we have to have them and

cant outsource that to an administrator. But having an outside administrator is a orm o back-up

and insurance. We see it as our responsibility to have our own records. In these instances, oten

managers will shadow portolio accounting records to track what a given und owns, but do not

shadow partnership accounting records, which identiy who owns the und. And shadowing o

portolio accounting data has critical benets when managers employ a multi-prime and/or multi-administrator model.

While the debate continues, SEI suggests that each investment manager should consider where

on the spectrum o partial to complete shadow accounting they wish to be, given the rms specic

situation. We urther work with rms to careully track inormation fows, however, to ensure that

source data, such as trades, that eeds portolio accounting systems is independent rom source

data supplying saekeeping systems employed by custodians and prime brokers. The investment

manager should be the source or all trade inormation and we recommend that all investment

managers match trades to counterparty conrms 100% o the time, regardless o whether the

manager (or its third-party middle-oce provider) serves as the arming party.

On a nal note, its important to remember that issues relating to segregation o duties are uid and can crop up as a consequence

o hiring or management decisions that seem relatively innocuous. In light o this, investment management clients and rms

evaluating outsourcing providers should recognize that due diligence is not a one-time occurrence, but a critical point o control

that should be repeated on a regularly scheduled basis.

Even when exhaustive RFP and due diligence processes are perormed prior to engaging

outsourcing providers, and on an ongoing basis, investment managers should ensure

appropriate processes and procedures are in place or eective oversight o third-party

providers. This might include identication o exception items or additional review and

spot-checking inormation on a periodic basis, as well as design and review o summary

reports with a particular ocus on high-risk areas or new processing by the outsourcing

partner. These high-level checks should be examined periodically to ensure they are

appropriate and, i warranted, adjusted rom time to time.


31/49

3Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 8 rcct G A False Sense of Security

08CHAPTER

Everyone knows that keeping track o clients assets is a undamental

responsibility o investment managers. Everyone also knows that reconciliation

the process o comparing records, identiying and researching discrepancies

and, importantly, seeing to it that material errors are correctedis a critical step

in satisying this obligation. Its as simple and obvious as locking the dead bolt

on the ront door at night.

Investment managers employ time-consuming, expensive reconciliation processes and systems to ensure that theirbooks and records are accurate, and many readers may be thinking, Weve got it covered. Were in good shape. Yet

there are considerations that may not be quite so apparent. Even in the best-managed rms, there may be reconciliation

issues that leave managers more exposed to risks than they realize. In other words, they may be locking the ront door

but are they also locking the one in back?


Less-than-comprehensive reconciliation procedures

At a minimum, we expect on the buy side to see reconciliation between the investment managers records (or, i investment

operations are outsourced, the third-party providers investment accounting records) and the records o the saekeepers (e.g.,the custodian or prime broker). But, depending on the investment vehicle and the structure o operations, this may not be

sucient to catch all mistakes and red-ag potential problems.

To be proactive:

Develop procedures that provide or a ull set o

checks. For commingled vehicles such as mutual

unds and hedge unds, where a und administrator is

required, there should additionally be a reconciliation

between the administrators records and those o the

saekeeper. At SEI, we recommend what is commonly

called a three-way reconciliation, but is more

accurately described as three separate reconciliations:

the investment managers records vs. the saekeepers;

the saekeepers vs. the administrators; and the

administrators vs. the managers.

Risk Area #8

REConCiliATion gAPSA False Sense o Security


32/49

32Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 8 rcct G A False Sense of Security

Remember that perormance analysts are not portolio accountants. At rms that manage

institutional money held in separate account portolios, perormance analysts are typically responsible

or investigating out-o-tolerance variances between the rates o return calculated by the manager, the

custodian and/or the clients investment consultant. While this process may provide a nal check on the

accuracy o data inputs to the return calculations, this does not constitute a ull reconciliation.

Assign reconciliation duties to appropriate sta. Trade support sta should not be in the reconciliation

business, nor should portolio managers or traders. In assigning these responsibilities, rms need to guard

against the potential or raudulent activity while also recognizing that it is generally dicult to catch ones

own typos.

Assuming the accuracy o electronic or consolidated records

A undamental question is what really constitutes the saekeepers ocial records. While transaction les, or instance,

are important sources o inormation, many saekeepers will not stand by these back-up reports or electronic

representations o an account, considering the paper statement to be the only ocial record. Reco

Documents

SEI OppRisk Book US