Risky Business- Managing Risk Today for Tomorrow’s Uncertainty – Nov 6th 2018


Joanna Horowitz (Moderator) – Senior Consultant, Monticello Consulting Group

John Robbins – Senior Director & Chief Compliance Officer, ICE Data Services

Ken Tays – Governance Risk & Control and Internal Audit Practice Leader, Broadridge Consulting

Dan Nikci – Founder & CEO, Applied Fund Solutions, LLC

John Holzwarth – Chief Compliance Officer & Director, Perkins Fund Marketing


Q1: Establishing Key Risk Indicators

JH: Look to SEC Priority Letters, typically used to frame the SEC’s interviews and interactions with companies.

JR: SEC looks to determine how a business has defined and considered its risks.

Have senior managers siloed responsibilities, thereby attempting to offload risk responsibilities to specific groups (e.g. Risk, Compliance)?

The answer should be NO – managing risk is demanded of all.

        Do firm leaders have a common view of the firm’s risks?

KT: What is the firm’s culture: are risk & sales in opposition, or have the activities been reconciled and balanced?  Attitudes flow from senior management down.

What is the firm’s Risk Appetite Statement (RAS)?  Has it been created, considering the firm’s various activities?

DN: Executive views are key: risk is not just the responsibility of the CCO & CRO.
A holistic approach is required: what is the firm’s Enterprise Risk Management process?

JH: Risks must be identified in Written Supervisory Procedures, mapping out risks in a matrix format.
Firms must test and document areas defined as having the most risk.

DN:  Firms must balance strategies and risks: risk appetite statements and guidelines are the guardrails to protect the firm.

Q2: How to build an effective governance model that is not dependent of people?

JR:    Documentation is key: WSPs, RAS.

The business heads must be fully-involved (risk policies cannot simply be imposed).

Identify the worst potential outcomes, and consider how to avoid and deal with them.

Who in the firm owns the risks of various activities?  How are risks being managed?

Consider the different regulatory tiers and jurisdictions in which the firm operates.  Regulators look for consistency of approach and activity across various jurisdictions.

Q3: How can smaller funds manage this process effectively?

DN: Identification of Key Risk Indicators (KRIs) is important.  Ranking, management.  Simple Excel models are better than nothing and can often suffice until more resources are available. 

Periodic reviews (at least annual) are necessary.

JH: Identify who does what, when, and how.  Documentation is required to establish and prove activities.

NSCP/NRS membership can be helpful to gather skills, guidance.

Q4: How is the SEC looking at KPIs and KRIs for smaller firms?

DN: Look to past SEC activities to predict their future actions.

JR: What are the components or a firm’s KRIs?  If the firm can explain its thinking and logic, show governance practices and how they fit with KRI thinking, and prove documentation – this goes a long way.

KT: If the firm’s logic holds up under scrutiny, then it is probably going to be ok.

Even if regulators disagree, the documentation and logic explanations establish active management, which is key.

Q5:   What risks are likely to be the most pertinent in the minds of regulators?

JR:    Look to SEC Guidance Letters.

Case histories, transactions, pricing, valuation.

Analytical tools are more rigorous than ever, which reduced regulator subjectivity.

Data will drive regulator questions and focus.

JH:    SEC case filings, risk alerts, priorities letters can all be helpful.

Trade allocations, expense allocations.

Research: with whom are firm analysts talking?

Marketing materials – has the CCO reviewed and approved?

Does the Due Diligence Questionnaire makes sense? Is it coherent and complete?

PPM & ADV disclosures.

Are fund administrators included in money transfers?  How are those protocols defined and enforced?

Risk allocations.


DN:  Are the firm’s risk and compliance manuals customized for its businesses, or are they merely off-the-shelf documents?

Spoofing to mis-direct funds flows has become a real risk.

Marketing materials also should be vetted by the CFO.

JH:    Costs can be contained by outsourcing compliance and risk activities to match with firm size.

But cookie-cutter manuals must be avoided: if the firm doesn’t practice it, it should not be in the manuals!

Q6: Risk Appetite Statements:

KT:    These establish the bounds of the firm’s activities, and its risk profile and approach.

Q7: Digital risks:

JR:    This is a broad area, which includes cybersecurity.

Business Continuity Planning is key: how can the firm recover when adverse events occur.

It is important to demonstrate that risks have been considered and that a plan is in place.

Q8: Distributed Ledger Technologies and blockchains – are benefits worth early adoption?

JH:    Firms are generally not adopting yet – crypto risks remain high, and tangible benefits are still difficult to realize. 

JR:    Blockchain technologies can help with operational risk management. 

E.g.: DTCC project involving post-trade lifecycle management for derivatives.

Look to identify ho DLT can be included in pilot projects.

DN:  Northern Trust is working with IBM on using DLT to improve the efficiency of private equity deal management.

DLT should help with trade breaks over time: perhaps hastening their elimination.

Can we move from double-entry to triple-ledger accounting?

Progress is still slow but the technology continues to improve.

Plenty of activity is going on in large banks and other FIs behind the scenes.

Q9: How to implement risk cultures?

KT:    Risk management is what you did yesterday to prepare for (often unforeseen) events that occur today.

 Trend analyses are used to predict risks and identify KRIs.  Firms must demonstrate how they are paying attention and preparing.

Risk culture is about how the firm is paying attention.

The ART of risk management is about taking action in advance of a crisis, to be positioned for opportunities.

Q10: How to be proactive about reputational risks:

JR:    Reputational risk must always be part of KRI generation and risk profile/culture development.

Headline risk is much more common today.

Due to the presence of social media, personal behaviors have more impact now on the firm.

KT:    Any risk that is not well-managed increases the firm’s reputational risk.

DN:  Social media posts can be relentless in exposing actions: even inclusion/diversity; team members can “go rogue” instantly to expose activities.

JR:    Firms need social media policies to govern personal and professional activities.

Firms must consider how best to manage different media? (Activities will not necessarily be the same.)

Having dialogues about activities is important.

JH:    The business environment includes greater scrutiny and higher standards these days.  Compliance activities are key.

Due diligence on fund managers: investor interests are in line with those of regulators.

Competitive factors now include risk policies & approaches.

Audience Q&A:

Q1: Constrained risk profiles within firms:

JR:    Different parts of the firm can approach risks & opportunities in different ways… but public forums assist in forcing explanations and justification of actions and decisions.

KT:    Open forums help firms manage risks explicitly.

DN:  Employees must understand that compliance is mandatory: if folks don’t agree or won’t comply, they are free to leave.  But if they stay, they must comply.

Q2:   Options for small firms to handle outsourced compliance:

JH:    A good internal Chief Compliance Officer is critical.

Firms cannot outsource risk management.  But firms CAN outsource elements of compliance activities and obtain useful perspective in doing so.

Q3:   What are the SEC’s next priorities?

JR:    Conflict of interest management: how to identify and process conflicts in real time?  How to reassess risks over time?

JH:    Look to the SEC’s historical priorities to predict their future ones.

DN:  Cybersecurity & KRIs.

Q4:   Is risk management becoming more critical given deregulatory trends?

KT:    The current trend may be to cut back risk activities and resources, but this will change with the next downturn.  And risk/audit/compliance activities can reduce future costs and prevent revenues from being lost due to adverse events.

JR:    Public pressure may be increasing support for risk management activities.

KT:    Robotics and artificial intelligence will provide additional resources over time, improving efficiencies.

JH:    There is a trend now to automate regulatory activity to reduce compliance costs.

Q5:   Can compliance thought processes be driven all the way to the sales force?

JR:    This is a dynamic and iterative process, and it helps to be proactive and explain the priorities to sales groups, and to listen to them about client demands.

DN:  The culture and conversations must start at the top and be pushed down: personal and firm objectives, everyone is responsible and has a role to play, alignment of interests is key.