sei opprisk book us
TRANSCRIPT
-
8/22/2019 SEI OppRisk Book US
1/49
TOP 10OPERATIONAL RISKSA Survival Guide or Investment Management Firms
seic.com/ims
-
8/22/2019 SEI OppRisk Book US
2/49
Introduction
Chapter 1
Complacency Trivializing and Disregarding Risks
Chapter 2The Blind Leading the Blind Overextended and Underqualied Managers
Chapter 3
Novices, Apprentices and Soloists Inadequate Training or Cross-Training
Chapter 4
Dropped Batons Inormation Hand-os
Chapter 5
Nave Reliance on Technology The Downside o Automation
Chapter 6
Playbooks Workfow Documentation
Chapter 7
Amalgamated Assignments Improper Segregation o Duties
Chapter 8
Reconciliation Gaps A False Sense o Security
Chapter 9Reading The Fine Print Know Thy Legal Entities
Chapter 10
Poor Planning and Slow Response Times
Changes in the Firm, the Marketplace and the Regulatory Environment
Conclusion
Table of Contents
5
8
12
15
18
23
27
31
36
39
44
-
8/22/2019 SEI OppRisk Book US
3/49
IntroductionIn 2010, then-consultants Holly Miller and Philip Lawton authored the book, The Top Ten Operational
Risks: A Survival Guide or Investment Management Firms.1 Growing rom a presentation and discussionat an industry roundtable, the book was motivated by recognition o a simple act: when investment
management rms stumble or ail, their clients suer.
Having since joined SEIs Investment Manager Services division in mid-2011 as Managing Director o Middle
Oce Outsourcing, Holly works with organizations that understand that coming to grips with operational
risk is becoming ever more critical or investment managers who want to survive, let alone thrive. Indeed,
she champions the view that investment organizations need to tackle the issue with the same intensity
they bring to battling market volatility and economic crises.
Accordingly, we at SEI are pleased to issue an on-line summary version o the book with abridged content
and a redesigned ormat. Our goal is consistent with Miller and Lawtons original objective: to make keyconcepts easily accessible and actionable without becoming mired in esoteric issues or technical terms.
Besides updating each chapter with proactive risk management steps, we have added a concluding
chapter on developing an action plan to strengthen operational risk controls.
Like the book rom which they are based, these summaries are designed as a resource or investment
managerstraditional and alternative alikewho seriously want to understand and reduce their exposures
to operational risks. They have every reason to do so. The operational realm is one in which a minor
oversight or a single misstep in daily routines can have potentially major consequences. In worst-case
scenarios, a single incident can result in signicant direct costs and, worse still, devastating reputational
damage rom which it may take years to recover. This is why operational risk is such a grave concern not
only to investment management rms, but also to their clients, investors, regulators and trading partners.
Operational risk can stem rom many sources. The Basel Committee on Banking Supervision denes
operational risk as the risk o loss resulting rom inadequate or ailed internal processes, people and
systems or rom external events.2 The denition considers the ull range o material operational risks and
lists examples ranging rom raud and data entry errors to hardware ailures and oods.
Further complicating risk management eorts, organizations may dier widely in their exposure to
operational risk, depending, or instance, upon their investment strategies, the markets in which they
operate and the instruments they employ. As with investment risk, rms also have varying tolerance levels
or operational risk. Consequently, there is no generic checklist or identiying operational risk, nor is there
a single, universally applicable set o mitigation measures. Still, we believe virtually every investment
management rm can benet rom taking a resh look at common areas o risk, and considering the variety
o relatively straightorward risk management measures that can readily be deployed by large and small
organizations alike. This guide is oered in that spirit.
-
8/22/2019 SEI OppRisk Book US
4/49
Our Top Ten list summarizes the areas o risk that are requently encountered by those who work in or
around investment operations (though not in order o severity or potential loss). The list includes issues
that keep arising in operational reviews even though they have received signicant attention in industry
media over the years. The rst three chapters take up personnel issues, including supervision and training.
Chapters our through seven address organizational and support issues, including the role o technology,
which can be both a solution and a source o risk in itsel. Chapters eight through ten ocus on common
areas o weakness in reconciliation, legal review and planning.
While there can be no one size ts all approach to operational risk management, each chapter provides
best-practice suggestions or identiying whether a given risk exists within your organization, as well as
potential steps or mitigating it. We hope that this guide will help many organizations to rethink and reduce
their exposure to operational risks.
It has been observed that operational risk oers no upside; to use Castle Hall Alternatives phrase, it is risk
without reward. But we at SEI have a dierent perspective. We think in terms o operational excellence as
a way to create investment value by reducing costs, increasing client satisaction and reinorcing sound
business relationships with trading partners.
To our way o thinking, eective risk management is the oundation o operational excellence.
With this guide, we oer investment managers one more resource or pursuing that goal.
1The Top Ten Operational Risks: A Survival Guide or Investment Management Firms and Hedge
Funds, written by Holly H. Miller and Philip Lawton, 1st edition, 2010.
2 Sound Practices or the Management and Supervision o Operational Risk, February 2003.
-
8/22/2019 SEI OppRisk Book US
5/49
5Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 1 Cmccy Trivializing and Disregarding Risks
Complacency might be summed up as a mindset that ails to ask, What i?
Its a passive laid-back attitude that says, So ar, so good. We have policies
in place. Nothing terrible has happened. Everythings under control, no need
to worry
Is This Your Firm?
Firms with a culture o complacency take a passive approach toward operational risk rather than adopting a proactive
one. This way o thinking may be evidenced by:
Reacting to headline risks, such as the September 11th attacks or the Mado scandal, rather than actoring operational
risks into day-to-day planning.
Risk-planning exercises that ocus on the rearview mirror rather than considering what might happen next.
Sketchy business continuity plans. (Has anyone considered the potential loss o sta in a worst-case scenario?)
Poor recordkeeping. (Is there a chronic backlog o documents waiting to be scanned?)
Decient insurance coverage. (Are there adequate policies in orce or errors and omissions as well as general
liability and directors and ocers coverage?)
Short-changing o operational and IT investments or several years running. (How many releases behind are criticalinvestment applications?)
Launching new investment strategies without conducting a cross-unctional product launch review.
Avoiding Common Pitalls
Inexperienced or underqualied sta
Hiring insuciently skilled sta introduces signicant operational risk
to an organization, and neglecting to train new employees compounds
the error. This is a needless risk, especially in the current market
environment, when so many good people are available. 01CHAPTER
Risk Area #1
ComPlACEnCyTrivializing and Disregarding Risks
-
8/22/2019 SEI OppRisk Book US
6/49
6Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 1 Cmccy Trivializing and Disregarding Risks
One reason rms may ail to hire qualied sta is that they underestimate the complexity o the products they oer or the
nancial instruments they trade. For example, rms that manage xed-income securities generally require more advanced
skills and systems than those ocused solely on equity instruments. Likewise, investing outside ones own country requires
substantially more data elements and operational eort. Emerging markets, derivatives or illiquid securities can introduce
even more variables.
To be proactive: Recognize the importance o aligning sta skills with operational complexity and hire or
train appropriately.
Ignoring input rom middle- and back-oce staThese sta members may be the best equipped to see ways o reducing the probability o errors within their own unctiona
areas. Beyond that, they oten see risks that originate elsewhere in the organization. For instance, they may notice
consistently incorrect or late trade entries by a particular trader, or see sales and marketing teams change presentation
materials ollowing a compliance review.
To be proactive:
Invite and listen to the eedback oered by support teams as well as by service providers, making
sure senior management takes immediate action to resolve any critical issues raised.
Maintain and regularly review error logs that capture both errors and near misses; the instructional
value they oer should not be squandered.
Establish a ormal new product committee that includes not only investment and sales/marketing
sta, but also compliance, operations and IT.
Keep sta inormed, introducing a new counterparty or unamiliar security type without a heads-up
to operations, compliance and IT may signicantly increase the risk o ailed trades, a problem that
can be avoided without any additional expense to the rm.
Lack o robust electronic document managementHave crucial documents such as investment management agreements, guidelines and objectives, client correspondence
and other contracts been scanned and backed up? Or are they sitting in locked le cabinets, vulnerable to anything rom
plumbing issues on the oor above to a orced relocation ater a disaster? (For a real-lie illustration o such perils, read theSECs July 2000 response to Jennison Associates request or a no-action letter.1 In a warehouse re, Jennison lost records
that supported the rms perormance track recordarguably any investment managers single most valuable non-tangible
asset. As or plumbing problems, ask JP Morgan about the pipe that burst on the rms London trading oor in September
2010.)
1sec.gov/divisions/investment/noaction/2000/jennison070600.pd
-
8/22/2019 SEI OppRisk Book US
7/49
7Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 1 Cmccy Trivializing and Disregarding Risks
To be proactive:
Ensure that critical documents are always eectively backed up. In todays environment o
inexpensive document scanners and cloud computing, this is a measure that even the smallest
investment manager can aord.
Blind trust o operational teams
Many investment managers operate with the philosophy that they should simply hire good people, and then get out o
the way so they can do their jobs. While this may seem laudable, it is actually a disservice to leave team members with no
eective oversight. With no checks on whether an account was reconciled properly, perormance-based ees were calculated
correctly or a compliance rule was interpreted and coded appropriately, sta members are put in the position o being solely
responsible or the accuracy o their work. They are also let vulnerable to suspicion should things go wrong or evidence o
improprieties comes to light.
To be proactive:
Develop procedures that provide appropriate checks and balances or operational sta. Just as
even the best writer needs an editor, sta members deserve to work with eective oversight. The
same point applies when it comes to managing service providers. (At SEI, we consider an eective
oversight program to be the hallmark o a good client.) Rather than indicating a lack o trust, proper
oversight demonstrates a rms commitment to risk management on behal o clients and sta alike.
In sum, take a minute to consider what could bite your rm. Ask your sta the
same question. Think about whether you reward, punish or ignore news o arisk. And then work on some ways to keep potential problems rom ever
happening.
-
8/22/2019 SEI OppRisk Book US
8/49
8Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 2 Th Bd ldg th Bd Overextended and Underqualifed Managers
02CHAPTER
Supervision is a major area o operational risk because breakdowns occur so
oten and in so many dierent orms. It is one thing to manage our own tasks.
Directing the decisions and activities o others is a much greater challenge
and the larger the rm, the more dicult that job. Another set o risks is
encountered when investment managers outsource critical support services
to specialists, a measure that, ironically, is oten intended to reduce
operational risks.
Avoiding Common Pitalls
Managers unamiliar with operational unctions
This problem is not conned to small rms that cannot yet aord to hire specialists in domains such as operations and
systems, human resources and accounting. As organizations grow, they eventually reach the point where managers can
no longer be hands-on supervisors with the time and knowledge to perorm any job in their purview. Instead, they become
executives who must rely on the experience and expertise o their direct reports. Problems also occur when, in a well-
intentioned eort to promote rom within, rms select team leaders who are insuciently versed in operations and quickly
nd themselves in over their heads.
Top-level managers are oten even more removed rom operational unctions. Within most buy-side rms, the chie executive
typically comes rom the investment or distribution side o the organization; operations, compliance and inormation
technology (IT) are typically not seen as incubators or CEO positions. As a result, ew senior executives have a solid
understanding o increasingly complex middle- and back-oce unctions,
much less a rm grasp o the details involved in identiying and managing
operational risk.
This leaves many executives at a loss when it comes to evaluating the
perormance o operational teams or the recommendations o their
direct reportsnot to mention assessing operational risk. They may
end up alling back upon their instincts, or heeding the advice o theirmost persuasive team members rather than the most knowledgeable
ones; indeed, they may not even realize which team members are the
most expert. This is not to say that executives in the areas o business
management, investment, or marketing must become operational
experts. They should, however, be equipped to ask the right questions
about risks to which the rm and its stakeholders might be exposed.
Risk Area #2
THE blind lEAding THE blindOverextended and Underqualied Managers
-
8/22/2019 SEI OppRisk Book US
9/49
9Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 2 Th Bd ldg th Bd Overextended and Underqualifed Managers
To be proactive: Oer a management training program in which recruits or employees with leadership potential are
rotated through the various unctional areas o the organization. Oten used in the military and by
rms such as Vanguard, such programs can help ensure that tomorrows leaders have a strong
grasp o key unctions and activities. Ensure the time spent in each area is sucient to obtain a
strong grasp o its unctions.
Use process mapping and workfow documentation to help managers understand middle- and back-oce
unctions. For example, show what occurs when a new account is opened or a portolio manager initiates
an order. Graphical representations o the systems architecture and various workfows can be a big help
here. By memorializing processes, procedures and accountabilities, such documentation not only assists
in daily unctioning, but also acilitates eective training. (This is not a panacea howeversee Risk Area #6,
Playbooks, or a discussion o potential issues with workfow documentation.)
Provide or external assessments such as mock regulatory examinations, peer benchmarking and
operational due diligence reviews, all conducted under strict nondisclosure agreements. Such reviews
may not only identiy improvement opportunities, but also tell CEOs whether they should continue to relyupon their direct reports.
Create or strengthen internal audit departments or recurrent monitoring. This could complement or
substitute or external assessments.
Delegating responsibility to managers unqualied or the tasks
This is another requent consequence o executives ailure to appreciate operational complexity. For example, CEOs
commonly assign all responsibility or operational risk to a compliance team composed entirely o attorneys and paralegals.
To suggest that a law degree or a regulatory background qualies someone to identiy and mitigate technological or
operational risk is as misguided as calling upon an IT or operations expert to prepare the oering documents or a und. It
also raises a question o corporate governance: Who oversees compliance?
To be proactive:
External operational reviews can help pinpoint areas o organizational risk within a rm.
Develop more comprehensive job descriptions that spell out essential skills and competencies in detail,
and update them regularly. This can assist in hiring and promotion decisions while also illuminating
employee training and development needs.
Develop and maintain robust training and cross-training programs to preserve institutional historyand knowledge.
Implement succession planning or all key positions, noting that even very junior positions may be vital.
-
8/22/2019 SEI OppRisk Book US
10/49
10Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 2 Th Bd ldg th Bd Overextended and Underqualifed Managers
Understang or the volume o activity
During the 2007-2009 downturn, many buy-side rms made signicant cutbacks in stang. Support teams were oten
aected and, in some cases, bore the brunt o those cost-cutting measures. Yet the number o securities transactions did
not decline during this periodon the contrary, the volume o trades on the New York Stock Exchange rose throughout the
crisisand today we oten see rms stretched to the limit. As the job market continues to improve, beleaguered managers
and employees are more likely to seek greener pastures, leaving rms with too ew experienced sta to get the job done
adequately, let alone well.
Insucient managerial bandwidth is another aspect o the problem. Some managers have such a wide span o managerial
responsibility that they cannot possibly keep track o all their direct reports activities. Others have been placed in the dual
role o managing some tasks while executing others, undercutting their ocus and eectiveness in both realms.
To be proactive:
A long-term plan or improved automation or outsourcing o back- or middle-oce unctions may oer
solutions or investment managers who want to maintain a lean headcount while they grow. (That being
said, automation isnt a cure-all; well have more to say on this topic in the chapter on Risk Area #5,
Nave Reliance on Technology).
Outsourcing with insucient due diligence
A lack o experience in operations and IT can lead CEOs to assume that outsourcing will help them manage their risks
as well as their operations. Indeed, there are many sound reasons to outsource, such as wanting to ocus on core
competencies, securing access to better technology or expertise, or taking advantage o labor and/or time arbitrage
opportunities, to name a ew.
Yet, without careul management o the process, outsourcing may actually increase a rms operational risk prole rather
than reducing it. A perect illustration o this point is the remarks made ater the BP oil spill by then-CEO Tony Hayward:This was not our drilling rig, it was not our equipment, it was not our people, our systems or our processes We are taking
our responsibility to deal with it very, very seriously.
Key service providers such as accountants, custodians, prime brokers, und administrators, sotware vendors and middle-
oce outsourcing providers introduce operational risk, but many investment management rmseven those that have
been placed under the microscope by prospective clientsdont seem to put concerted eort into the due diligence they
perorm themselves. Additionally, many investment managers pay scant attention to the risks introduced by hand-os to or
rom these service providers (or more on that topic, see Risk Area #4, Dropped Batons). Eective risk management in this
domain calls or more than simply hiring a big global custodial bank and/or moving to a multi-prime broker service model.
1
NYSE Group Share and Dollar Volume in NYSE Listed, 2009.2BBC News interview, May 5, 2010.
-
8/22/2019 SEI OppRisk Book US
11/49
1Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 2 Th Bd ldg th Bd Overextended and Underqualifed Managers
To be proactive:
Adhere to best practices in due diligence, which call or managers to issue RFPs, obtain nancial
statements, perorm initial and ongoing annual on-site visits and read all the ne print (see Risk Area
#9). SEIs own experience indicates that proactive investment managers are substantially increasing
the depth o their due diligence, asking or more visits and issuing more detailed questionnaires than
ever beore.
Rogue activity
No discussion o operational risk would be complete without a mention o rogue activitythat is, the conscious
departure rom sanctioned operating policies and procedures. To be clear, rogue activity is not always due to malign
intent. While rms may worry about the rogue who is actively seeking ways to cheat or embezzle, the more common
problem is employees who may sincerely want to do a good job, but take shortcuts or triage their responsibilities when
they are overstretched. Oten they push tasks aside with the intent o catching up lateror example, reviewing past
reconciliations at some unspecied uture date. Another type o rogue activity is the senior sta member who routinely
ignores policies and procedures, a situation to which smaller rms may be especially prone.
To be proactive:
Maintain an operational risk log that documents operational mishaps and near misses. Requiring
violators to recount and present the issue may help educate them, i not shame them into compliance.
Review and bee up mechanisms or enorcement o existing policies.
Consider the need or tougher new policies, particularly i oenses are chronic. For example, employees
who ail to le personal trading orms can be ned, or rms can withhold a portion o their pay until
the problem is remediated.
When senior executives and managers lack a solid understanding o middle-
and back-oce workings, the repercussions can be ar-reaching. At worst,
they can spiral out o control. The rst step toward wisdom is to recognize
that we dont know what we dont know.
-
8/22/2019 SEI OppRisk Book US
12/49
12Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 3 nvc, atc d st Inadequate Training or Cross Training
Risk Area #3
noViCES, APPREnTiCES And SoloiSTSInadequate Training or Cross-Training
While we have already mentioned sta training as an essential tool or mitigating
investment managers operational risk, the lack o adequate training and cross-
training is so ubiquitous within operational departments that it deserves to be
called out as an area o risk.
Avoiding Common Pitalls
One acet o the issue is key-person risk, which is not limited to an organizations senior sta, but can also be spotted in
low-ranking yet vital positions. Other problems stem rom poor organizational design, a lack o consideration or business
continuity planning, and the notion that ad hoc on-the-job training constitutes a coherent program. Today, many rms are
operating at historically low stang levels, urther increasing the importance o proper training and cross-training.
Highly specialized operational teams
Many rms build small teams to ocus on a specic asset class, investment strategy, client or und; some have dedicated
teams or each large und. This approach has obvious appeal: management can put their best people in a particularly
challenging area, clients like having a team dedicated to their accounts or unds, and sta may be less distracted by
other tasks.
Many investment managers create these specialized teams in an eort to lower their operational risk proles; yet, ironically,all too oten the result is more risk rather than less. A small, specialized teams intellectual capital and institutional knowledge
may be severely depleted by the loss o a single member, whether such absences are short-term (vacations), over a longer
period (sabbatical or maternity leave) or permanent (leaving the rm or
being promoted). Such brain drains may occur abruptly when an illness,
amily emergency or resignation is involved, leaving organizations
scrambling to cope. Worse still, in keeping with Murphys Law, these
unexpected gaps in stang oten seem to come at the worst possible
timese.g., during a period o peak transaction volume, while other key
sta members are on holiday, or when a product or system launch is
imminentnot only disrupting operations, but producing enough stress
and chaos to discourage or drive away some o those who remain onthe job. 03
CHAPTER
-
8/22/2019 SEI OppRisk Book US
13/49
13Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 3 nvc, atc d st Inadequate Training or Cross Training
A prolieration o processes and proceduresBecause the specialized-team approach osters isolation, it oten leads teams to develop idiosyncratic processes and
procedures rather than adapting a master set o workows. We will delve into this issue more thoroughly in the chapter
on workows (Risk Area #6, Playbooks), but it should be kept in mind when considering how to organize support teams.
Failure to grasp the bigger picture
We touched on problems stemming rom the lack o training or managers in chapter 2, The Blind Leading the Blind. The
same kinds o issues are encountered at lower organizational levels where the work actually gets done. When consultants
conduct operational reviews, they oten nd junior sta members who operate in a kind o bubblethat is, they cannot
explain how their jobs t into the unctions o the department as a whole. Indeed, even among those who are adept at
what they were hired to do, many cannot articulate what their rm actually does.
Without understanding how their individual roles t into the larger organization, sta members cannot ully appreciate the
urgency o inormation, the importance o accuracy, or how much even minor improvements would benet the business.
For example, every reconciliation clerk should understand the potential eect a position break could have on the investment
team and the trading desk. Yet, all too oten one side o the organization has no idea what happens on the other side. How
many traders understand the downstream eectsand costso an erroneous trade ticket?
Lack o exposure to industry advancesEmployees with a narrow view o their own workplace are unlikely to know how other organizations tackle operational
challenges. This kind o tunnel vision is particularly common among rms where many sta members have been there or
years and do not regularly attend conerences or make a point o networking with their peers. Such organizations oten
stick with processes and procedures that might once have been leading-edge, but have allen behind industry practice and
technological change. No rm or department can be sure it has the best approach without considering solutions that other
organizations have devised. Firms that encourage lielong learning may have a lasting competitive advantage because thei
employees are engaged and their solutions are up-to-date.
Soloists with exclusive ownership o unctions or relationships
Soloists are employees who perorm unctions that no one else knows how to door, perhaps, wants to do. In some
cases, no one else has sucient access rights to systems to perorm a unction. There is no doubt that security mastermaintenance can be tedious and the list o people with access to payroll should be limited. A soloist may also be someone
who views client relationships as personal property. Some relationship managers (RMs) seem to lose sight o the act that
client relationships belong to the rm, not to RMs. Feeling that their contacts are just thattheir contactssuch RMs may
never get around to updating client relationship management (CRM) systems. Too oten, supervisors ail to step in or ear
o rocking the boat or undercutting results. Such problems are not limited to small organizations, however. Many large sales
or client service teams harbor soloists who overtly balk at letting anyone else perorm tasks or service relationships they
claim as their own. The point is that even well trained, high-perorming soloists may stand in the way o rm-wide eorts to
mitigate operational risks through cross-training.
-
8/22/2019 SEI OppRisk Book US
14/49
14Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 3 nvc, atc d st Inadequate Training or Cross Training
To be proactive:Identiying training and cross-training challenges generally is not dicult. Start by looking at your organizational
chart to identiy small teams. (Ideally, teams should never be smaller than three ully cross-trained people.) The good
news is that eective training can be accomplished in a variety o ways, but also can be designed to address multiple
problems. Among possible measures:
A well conceived set o do-it-yoursel training measures can be eective. Quiz sta on what they
should have read in the rms compliance manual or code o ethics. Review system access capabilities.
Spot-check CRM updates. Ask people to describe what they doand really listen to their answers.
A series o internal lunch-and-learn sessions can be an eective approach to cross-training; more
oten than not the participants also discover opportunities or operational improvements. Those sta
members who lead training sessions also stand to benet rom the experience.
A proessional credentialing program in investment operations does not yet exist, but the Certicate
in Investment Perormance Measurement (CIPM) oered by CFA Institute ensures that perormance
practitioners have the requisite skills in their specialized elds. Many classes and short courses, bothlive and online, are available across a wide range o topics.
Customized on-site training is also an option. This can be provided by internal experts and/or
external specialists who can tailor training to the rms methods and requirements.
Job rotation, job shadowing and job swaps can help ensure that cross-training takes place, especially
i these measures are accompanied by presentations on the systems architecture and workfows.
Ask teams to document or review their workfows as a group and share each teams workfows
with other teams.
Attending webinars, industry conerences and networking events can be helpul to many employees,
particularly those who are knowledgeable in their jobs but would benet rom more exposure to
other organizations.
Ensure that all clients are assigned a primary and a back-up RM, and that both are in regular
contact with them.
Murphys Law requently comes into play and exposes poor organizational design
when rms can least deal with it. Identiy training and cross-training challenges when
they arent needed so that you can start mitigating operational risk in the calm beorethe storm, not in the eye o the hurricane.
-
8/22/2019 SEI OppRisk Book US
15/49
15Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 4 Dd Bt Inormation Hand-ofs
Risk Area #4
dRoPPEd bATonSInormation Hand-os
Competitive runners know that in a 4x100 meter relay, signicant time, or even the
race itsel, can be lost i someone bobbles or, worse still, drops the baton while it
is passed rom one sprinter to the next. Investment managersace similar risks when
passing inormation between the people, departments, organizations and systems
involved in complex sequential activities. Hand-os are raught with communication
and timing challenges. Luckily, some simple tools can go a long way toward
remedying the problem.
Avoiding Common Pitalls
Failing to identiy where hand-os occur
A great way to think about hand-os is to revisit the old practice o using paper trade tickets (a method that is still in use
by some rms, and can be workable or rms with limited transaction volumes). Tickets could get lost because someone
mislaid them, a data entry clerk orgot to input them, or they simply ell behind a le cabinet. In rms using industry best
practices, the number o tickets written in the course o a day would be compared with the number o trades entered into
the rms investment accounting system. I the totals didnt match, an inquiry would be initiated. This approach wasnt ail-
saei one ticket was missing and another trade had been entered twice, then the counts would appear to be correctbut
it did help reduce problems. Duplicate trade entries could be avoided by marking tickets as they were entered into the
system, and the lost-behind-the-le-cabinet problem could be ameliorated by keeping tickets in designated wire baskets.
These days, o course, investment managers operate with less paper,
ewer wire baskets, and more automation. But rms today also have ar
higher transaction volumes and, typically, more moving parts to their
processes, both within the rm and in dealings with trading partners,
custodians, prime brokers, administrators, middle-oce outsourcing
providers, exchanges and settlement acilities. While every inormation
hand-o creates the possibility or error, many rms have ailed to
systematically map where these interchanges occur.
Poorly designed or documented system interaces
Hand-os rom one electronic system to another are common trouble spots.
The problem may stem rom poor planning or insucient oresight in the
original system design (e.g., built or equities but not xed income because
well never need that). Systems may also be poorly written, inadequately
supported by vendors, or insuciently documented (i documented at all).
Firms also run into problems when one system gets upgraded and another
one doesnt, or when a legacy system has been in place or so long that no
one still in the rms employment knows exactly how they unction.
04CHAPTER
-
8/22/2019 SEI OppRisk Book US
16/49
16Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 4 Dd Bt Inormation Hand-ofs
Timing can also be a challenge. In many instances, inormation is only sent rom one application to another on a nightly batch
basis. Yet as settlement cycles shorten, such a batch-based approach may not be suciently requent or communicating
critical inormation between systems. Other timing challenges arise when interaces ail to consider the impacts o backdated
activity. Global investment managers are oten plagued with timing issues because there is never an end to the day. Inormation
must be handed o seamlessly rom one oceand applicationto another in an endless cycle, leaving no time or the
traditional overnight cycle.
Many interaces suer rom more than one o these problems, and operational risk increases geometrically as more
interaces are involved. Indeed, the inadequacy o system interaces is oten a key driver in the decision to consider
outsourcing. Many investment management rms choose outsourcing because it is more cost-eective and less complex
than addressing all the known and unknown issues with their internal systems.
To be proactive: Develop a thorough system diagram that includes every application in use and identies the
interaces between them.
Diagram workow to determine where hand-os occur. A swim-lane diagram that depicts each
system in its own lane can be particularly helpul in identiying where inormation hand-os occur.
Such a diagram can also capture hand-os between people and systems (again, think o entering
data rom paper tickets), as well as those between teams or departments, between one rm and
another (such as receiving execution details rom a counterparty and sending back trade allocation
inormation), between two or more systems, and between the investment manager and its clients
(such as client reports or subscription and redemption activity).
Swim-lane diagram
Portfolio
Ma
nager Create
OrderTicket
Fax BankAuthorization
Letter
AllocateExecuted
Trade
UpdateTicket
UpdatePosition
IssueConfrmation(s)
UpdateTicketTr
ader
Yes
No
Custodian
TradeSupport
InvAccting
System
Counterparty
ExecuteOrder
Place Orderwith
Counterparty
Enter Trade(s) intoInvestment
Accounting System
Ticket MatchesConfrm?
UpdatePosition
SettleTrade
-
8/22/2019 SEI OppRisk Book US
17/49
17Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 4 Dd Bt Inormation Hand-ofs
(continued)
Examine each identied hand-o in detail. Once an exchange has been captured, consider how
oten the hand-o occurs, the kind o inormation transerred, the timing around the hand-o, and
what might go wrong with it. We nd it helpul to look at available metrics, procedural documentation,
data requirements, and error logs to evaluate the scope, nature and repercussions o potential
operational mishaps.
Develop a comprehensive inventory o trouble spots. For example, i we again think in terms o
the old paper-ticket systems, a ticket could be lost or entered twice. It might be illegible, or contain
bad inormation in one or more elds, or have been submitted ater the data entry team has gone
home or the night. It is also possible that the securityor the counterparty, the currency, or even
the portoliohas not yet been set up, or set up incorrectly, in the investment accounting system.
With an inventory o what might go wrong, rms can assess each one, estimating the likelihood that
problems will occur and the damage they might cause.
Build workows, processes and escalation protocols to mitigate the risks. In some cases, a quick x
may be sucient to solve the issue. I, or example, a security or currency has not been properly setup, some rms may be able to x that on the spot. In other organizations, however, the problem and
its solution may not be so simple. For example, i trade entry clerks are not authorized or trained in
new security or counterparty set-up, a urther hand-o is required between trade entry and the security/
counterparty maintenance group. This new hand-o needs its own examination o risks and how to
mitigate them.
Examine hand-os to and rom outsourcing providers, and expect that those providers have done
the same thing. Firms such as SEI use automated workfow tools where possible to ensure better
tracking, increased consistency, and aster exception processing. Where appropriate, each hand-o
should be covered by a service-level agreement with deadlines, quality expectations and metrics
that provide benchmarks or evaluating the perormance o both the provider and the investmentmanager.
Dont orget to consider inormation provided by clients. Even the most sophisticated institutional
clients sometimes ail to notiy managers o contributions or withdrawals in separate accounts, or
example. Such ailures create needless reconciliation work or harried operations sta and can lead
to distorted or misattributed returns. A portolio manager is more likely to orgive the client than the
operations group when his/her perormance is aected because the client neglected to inorm the
rm o a cash fow.
Once investment managers have a complete inventory o where their
operational processes might go wrong, they can take systematic steps to
reduce or eliminate their risks.
-
8/22/2019 SEI OppRisk Book US
18/49
18Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 5 nv rc Tchgy The Downside of Automation
Lets be clear rom the start: automation is a powerul tool or mitigating
operational risk. Properly selected, programmed and managed, computers can
perorm repetitive tasks with accuracy and lightning speed. They never grow
bored or inattentive. And theyre willing to work 24/7 without once stopping
or a break. Yet computers also have the capacity to spew out mistakes at
superhuman speed.
Moreover, computers are undamentally obtuse. They will do only what we tell them to do, and then, like a surly adolescent,they will do exactlywhat we say. They wont demonstrate initiative; or example, computers will not perorm a reasonability
check unless we specically instruct them to do so and dene reasonable in unambiguous, syntactically correct terms.
A case in point: In June 2010, Deutsche Banks algorithmic trading system acted on bad pricing inputs by placing 7,468
orders to sell Nikkei 225 utures contracts on the Osaka Stock Exchange. The total value was more than $182 billion. Any
trader would have questioned the size o the transaction, but the systems developers hadnt taught the system to make
such evaluations, and approximately $546 million o the orders were executed beore the error was caught. Ultimately the
bank was reprimanded by the exchange, shut down the proprietary trading unit in question and received a great deal o
unavorable publicity.
Firms that want to reduce their exposure to operational risks must recognize that automation is a double-edged sword.
While helping to reduce many risks, it may also pose a host o new ones.
Avoiding Common Pitalls
Insucient knowledge o the manual tasks being automated
The U.S. Army Rangers would never be allowed to use GPS systems to
navigate in the eld without knowing how to use a compass. Yet in our
industry, automation has taken over some activities to the point that ew
people remember how to do them manually, i they ever knew.
Is it any wonder that the ner points o accrued interest calculations maybe elusive to a younger generation accustomed to using calculators or
every computation? Can we really expect them to determine whether a
xed-income system is applying the correct day-count convention to U.S.
corporate bonds (generally 30/360) as opposed to U.S. Treasury bonds
(actual/actual)? 05CHAPTER
Risk Area #5
nAVE REliAnCE on TECHnologyThe Downside o Automation
-
8/22/2019 SEI OppRisk Book US
19/49
19Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 5 nv rc Tchgy The Downside of Automation
To be proactive: Make sure that automation project teams include sta members who thoroughly understand how to
manually perorm the activities being automated. Without bringing such undamental understanding to
bear, it is impossible to consider the necessary steps in a processor those that might not be necessary
in an automated environmentand to make certain that vital, consequential unctions are not skipped,
missed or ignored. Sta who know how something is done will also know how mistakes are made andwhether results generated by an application are correct.
Poorly designed, implemented or documented technology solutions
Problems may arise or a variety o reasons, including:
Using a system or portolios and instruments it wasnt built to handle. For instance, an investment manager may be
trying to support a handul o multi-currency portolios using a single-currency investment accounting system, or trading
xed-income securities on a system originally designed only to handle equities. In other cases, the manager may be
relying on spreadsheets or databases in lieu o an application that has been tested and locked down to protect against
ad hoc changes.
Poorly designed interaces between two systems (see chapter 4, Dropped Batons). Interaces are particularly suspect i
they were originally built in a phased implementation processor example, one that was initially implemented to support
equities only and then extended to support xed-income and derivatives instruments. Too oten, the early project phases
were poorly documented and subsequent phases are delayed, leaving IT and operations departments unsure how an
interace will perorm when conronted with a new set o inputs. (We know the interace works with common stocks; will it
cope with preerreds?)
Shoe-horning inormation and transactions into earlier system designs or makeshit applications developed into
skunkworks projects. This leaves investment management rms even more exposed to the risks in chapter 3
(Novices, Soloists and Apprentices). Anyone who has ever tried to decipher the inner workings o someone elsesspreadsheet knows how challenging that can be, even when dealing with a standalone spreadsheet, let alone one linked
to scores o other spreadsheets. Likewise, i multi-currency portolios are managed on a single-currency platorm, guring
out the workarounds created to record oreign exchange transactions and to reect that inormation in client reports can
be maddeningly complex. Some database applications are notorious or their lack o documentation.
Inadequate audit trails. This problem is oten encountered with older vendor systems as well as with many o the less
robust newer applications. It is ubiquitous among electronic spreadsheets and relational databases created without
corporate oversight by business units that cannot wait or IT resources to become available. However, it may prove
important to know who changed a price or cancelled a trade or set up a security, on what date, and at what time o day.
A reliable audit trail will not only help during regulatory exams but will also assist in unwinding errors, designing process
controls and identiying additional training needs.
Neglected or out-o-date systems access controls. Many well-designed buy-side applications allow an investment
manager to control access at the unction level. For example, traders could be authorized to enter trades but prohibited
rom setting up securities, and portolio managers might be able to view inormation and run reports but not change any
data. Some rms neglect to implement these built-in system controls; others establish the controls but ail to update them
as workows are altered, systems capabilities are upgraded and people change jobs. Jrme Kerviels 4.9 billion raud
at Socit Gnrale was acilitated, in part, by a ailure to keep systems access privileges up-to-date.
-
8/22/2019 SEI OppRisk Book US
20/49
20Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 5 nv rc Tchgy The Downside of Automation
To be proactive: Develop detailed written specications as a guide or any system or sotware development project.
These specications should be developed with thorough input and reviewed by sta members who
understand the operational context or the unctions being automated.
Diagram systems and workows to identiy all systems in use, including spreadsheets and proprietarydatabases.Properly executed, this step will not only make it much easier to identiy key interaces and system
access rights, it will also help bring potential audit trail issues to light.
Whenever a new system is implemented, review all workows around that application or possible re-
engineering. The same holds true when a new third-party service provider such as an administrator, prime
broker or middle-oce outsourcing provider is engaged. While ideally, some activities will be eliminated
thanks to automation or outsourcing, new activities may be required to oversee processing and
ensure data accuracy.
Inadequate testing o new systems and sotwareFailing to thoroughly test systems, including upgrades, reports and, or that matter, workows, is another source o unoreseen
risks. Insucient testing oten results rom a sketchy understanding o the unctions being automated. I sta members do
not know how to perorm a task manually, how can they properly test any automation? Another underlying cause is a lack o
clear unctional specications or system development. Organizations may be tempted to shortcut this step by basing sotware
development on inormal user requests, rather than ully documented unctional specications.
And, o course, many end users are simply unaware o the critical need or regression testingunaware, that is, until an
upgrade unexpectedly breaks another component o the application. Unortunately, however, many are too easily lulled
back into complacency, especially in the ace o mounting deadlines and too ew resources.
To be proactive:
Reer back to written system specications. Testing new sotware is obviously more dicult when
there is a lack o clarity on precisely what it should do.
Make sure that new systems and eatures are evaluated and tested by sta who understand
the manual processes being automated. Those who know how something is done will be better
equipped to know how mistakes can be made, and to assess whether the application is producing
correct results.
Allowing potentially disruptive ad hoc changes
Investment managers have invested signicant time and money to implement pre-trade compliance systems intended to ag or block
transactions which, i executed, would result in breaching an accounts investment guidelines. Yet, we see the same rms enabling
traders to set up skeleton securities on the y. I the rm were purchasing, say, Exxon Mobil or the rst time, the trader could set up a
common stock skeleton security with the security name, ticker and currency so that trading can proceed apace, leaving other details
(e.g., Exxon Mobils primary exchange, indicated annual dividend or sector and industry classications) to be lled in later by someone
else. While this procedure certainly accelerates the trading process, the investment management rm has impaired its state-o-the-art
pre-trade compliance system. How can the system evaluate the percentage held in energy stocks i it does not know that Exxon Mobil
should be classied within energy?
-
8/22/2019 SEI OppRisk Book US
21/49
2Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 5 nv rc Tchgy The Downside of Automation
To be proactive:
Think through workows and system access controls to prevent expedient, but potentially
troublesome changes. Periodic team-wide, and even cross-team, reviews o workfows and access
controls oten highlight the downstream eect that some changes can have. Likewise, review
system access when people join and leave individual teams and not just the rm. All system access
should additionally be reviewed on a regular and periodic basis.
Failure to implement and test system updates in a timely manner
Investment managers may engage teams o consultants to assist with a new system implementation, but give relatively little
thought to the resources needed later or installing and testing new system releases (let alone the changes to workows,
interaces and business continuity plans that such upgrades should trigger). Ignoring sotware updates is perilous: new
releases may contain critical bug xes and vendor contracts oten limit support to recent releases. Some managers
implement new sotware releases but curtail or skip testing due to the press o time, thus taking on risks that would make
their clients shudder.
To be proactive:
Develop, and adhere to, work processes and timelines or maintaining and updating your rms
systems inrastructure, however costly and time-consuming those activities may be. In some cases,
outsourcing might be an attractive alternative since it can limit that number o applications or which
the investment manager is directly responsible or maintaining, updating and testing new releases.
Relying on consultants whose knowledge is too narrow or too general
Knowledgeable consultants can help dramatically mitigate operational risk by conducting well-directed operational reviewsevaluating systems or outsourcing vendors, and guiding technology selection and implementation projects. But consultants
are no panacea; they may even inate operational risk i they dont have the specialized knowledge an assignment requires.
To be proactive:
Make sure that consultants understand the investment management business, not just nancial
services in general. The buy-side does do things dierently.This advice is especially important
when it comes to implementation projects, which oten involve vendor specialists. While vendor-
supplied consultants do provide knowledge o the latest releases and bug xes, as well as priority
access to the vendors support team in the event an issue arises, those who lack solid experience
with buy-side rms may be unaware o best-practice workfows or the upstream and downstreamimpacts o key activities or errors.
-
8/22/2019 SEI OppRisk Book US
22/49
22Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 5 nv rc Tchgy The Downside of Automation
When stafng technology evaluation/selection projects, make sure that any consultant being
considered is independent or has ully disclosed any compensation arrangements with vendors.
When it comes to a large-scale system or outsourcing implementation, more than one kind o
expertise may be necessary. It is oten advisable to engage specialized consultants as well as the
vendor consultants to ensure your rms priorities and objectives are kept in sharp ocus.
I you dont want to be working with consultants indenitely, conrm that they have a plan ortranserring their knowledge to your sta during the project.
Competitive rather than cooperative relationships
Over the years, the balance o power between operations and IT departments has shited in many investment rms. In the
past, IT departments commonly dictated which systems would be used to support operations. More recently the pendulum
has swung back in avor o operations calling the shots. But it is impossible to build or maintain an eective environment or
operational risk management i the departments involved see each other as competitors rather than partners. Similarly, risk
management is compromised i investment managers and third-party service providers operate in a siloed ashion.
To be proactive:
Manage project plans and communications with an eye to developing well-aligned, collaborative
working relationships. We believe strongly that IT and operations sta must work hand-in-glove
to create a smoothly operating, risk-managed inrastructure. That means that IT needs to support
operations rather than mandate solutions; at the same time, operations must be sensitive to ITs
perspective on the costs and requirements o some potential solutions.
Likewise, outsourcing works best when investment managers and their third-party service providers
establish strong lines o communication with some degree o give and take. At SEI, we encourage
an open exchange o ideas and inormation on a scheduled and ad hoc basis, rom strategicplanning to day-to-day operational activity. In our observation, those clients who treat their
relationship with us as a true partnership are the ones who realize the most value rom it.
In sum, rms that want to reduce their operational risks need to actor that goal
into every aspect o their ongoing automation eort.
-
8/22/2019 SEI OppRisk Book US
23/49
23Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 6 pyb Workfow Documentation
06CHAPTER
Documenting processes and procedures is such a undamental and obvious
requirement or eective operations management that one might question the
need to call it out. Yet, non-existent, obsolete or incomplete documentation is
implicated in so many operational snaus that it deserves to be singled out as a
risk area in its own right.
An operations department without workows is like a traveler without a set o maps or a community without a zoning
plan. Even i your rms documentation is useul, comprehensive, up-to-date and readily accessible in an emergency, youmay still nd the topic worth revisiting. I, on the other hand, the state o your documentation is less than adequate or
even worrisome, you may wish to use this chapter as the basis or dialogue and planning within your rm or department.
Not only will well-documented workows help you avoid mistakes and miscommunication, they make it much easier to
train new employees. Reviewing workows is a perect way or new hires to occupy themselves during idle periods when
no one is available to train them. As an added benet, you will get helpul eedback on the clarity and eectiveness o your
documentation.
Avoiding Common Pitalls
A total lack o ormal workfows
Extreme as this may be, having no ormal set o workows is unortunately
the case at some organizations, especially but not only, at emerging
rms. In such situations, teams are managed on what might be called
the whack-a-mole model, with predictable consequences or the
quality o work lie. When the entire rm lacks a playbook, the resulting
chaos oten resembles a game o soccer as played by a team o unruly
six-year-olds who race ater the ball with little concern or their assigned
positions or even the goalposts. (Some parents call this swarm ball.)
Without established workows, it is impossible to ensure that operational
controls are in place, sta are perorming all necessary tasks, andall systems involvedespecially mission-critical spreadsheetshave
been identied. When there is a total absence o workow diagrams or
documentation, operational due-diligence reviews may be over beore
they have even started.
Risk Area #6
PlAybooKSWorkfow Documentation
-
8/22/2019 SEI OppRisk Book US
24/49
24Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 6 pyb Workfow Documentation
To be proactive:
Develop a plan and timeline or developing and documenting workows. Dont try to tackle every
process at once, or you will be overwhelmed. Start with the simplest and most basic unctions, and
build rom there. The swim-lane and system diagrams discussed in chapter 4 (Dropped Batons)
can be invaluable in this eort.
As you embark on any documentation project, remember that workows necessarily go hand-in-hand with policies
and procedures. In act, its impossible to properly develop and document workows and controls without a thorough
knowledge o the policies and procedures in place. Make sure to consider all potentially relevant itemsrom compliance
policies and expense report procedures to inormation security policies, escalation procedures and business continuity plans.
Workfows that are out o date
Firms should revisit their workows with the occurrence o any meaningul changee.g., reorganizations, systems
implementations, product launches, new reporting requirements, changes to system access levels and new instrument
types. Yet many operational teams seem to lack the time, expertise, or motivation to do so.
To be proactive: Establish and enorce a regular schedule or reviewing and updating workows. Even when rms
are well-established and relatively unchanging, managers should take a resh look at their workfows
at least annually.
Documentation that is either too vague or too detailed
Neither type is as useul as it should be. Overly vague documentation leaves sta members to ounder in a crisis. On the other
hand, excessively detailed documentation generally has such a short shel lie that the material loses its value by the time it iscritically needed. While those with disciplined, analytical minds may insist on exhaustive, step-by-step documentation, complete
with screen shots and keystrokes or every task, otentimes such perectionism is rarely worth the considerable eort and
expense it entails to create and maintain.
To be proactive:
Get eedback rom managers and employees to help identiy the right level o detail. The appropriate
level o documentation is a matter o individual judgment, taking into account the rms and the
departments operational risk appetite, training requirements, and overall preparedness or disaster
recovery. Firms can oten achieve a good balance by developing reasonably inormative, but not
exhaustive, documentation and supplementing it with extensive cross-training.
-
8/22/2019 SEI OppRisk Book US
25/49
25Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 6 pyb Workfow Documentation
No escalation procedures
Escalation procedures are worthy o special mention. When things go wrong, as they sometimes will, it is important to have
established the criteria and protocols or elevating an issue to a higher level o management. Heads o operations, or
example, neednt be inormed about every individual reconciliation break or ailed trade as it occurs. (They do need to see
error logs on a regular basis.) I managers in larger rms were notied o every single issue, they would be so inundated by
small, manageable items that they would be unable to identiy whether a major problem is lurking in their inboxes.
To be proactive:
Dene which incidents should go up the chain o command, and when. The most eective escalation
procedures use both size/impact and time as decision criteria. For example, a small ailed sell transaction
may not initially merit escalation due to its inconsequential size, but it should get escalated well beore
the counterparty issues a buy-in notice. On the other hand, a similar trade that is very large might be
escalated immediately based on its size alone, especially i it is material in relation to the overall portolio.
Sta that ignore or are unaware o documented workfowsRegardless o the state o a rms documentation, workows do no good i sta do not ollow whatever workows, policies
and procedures have been memorialized.
To be proactive:
Take steps to ensure that sta have not only received copies o workows, and have them at
hand, but have also actually read and understood them. Conrming receipt is only the rst
step. Managers should also consider having periodic meetings to review and explain policies,
procedures and workfows. (Note that this applies to all the policies, procedures and workfows
across the rm, not just those that are compliance-related.) When it comes to determining whether
workfows are actually ollowed, job swapping, operational reviews and audits can help.
Multiple undocumented variations on the same basic workfow
This problem oten occurs when rms develop small teams that are specialized by product, instrument type, investment
strategy or client. Oten these small teams will start out with a single set o workows used by similar teams across the
organization, but then they customize their processes and procedures over time, perhaps without documenting these
renements. The result may be a rm with multiple sets o workows or the same basic unction, such as trade settlement
or reconciliation. When encountered and questioned about such situations, teams may protest, but were dierent! Its
true that one size doesnt t all, but i a rms workows can only handle one product or one client or one strategy, then it is
time or them to re-think their processes.
-
8/22/2019 SEI OppRisk Book US
26/49
26Top 10 operaTional risks A Survival Guide or Investment Management Firms Cht 6 pyb Workfow Documentation
To be proactive:
Consolidate and ocus workows as much as possible.As an analogy, consider the simple workfows
or pouring and serving coee. Whether we have one team or our, were dealing with our workfows:
black, with sugar only, with milk only or with milk and sugar. However, even i we organize our teams
to serve coee, they can all ollow one central workfow with optional steps depending on customers
stated preerences.
This approach makes sense or several reasons. First, only one set o workfows has to be maintained.
Secondly, all sta will be amiliar with the overall workfow, even i their team perorms some o the
optional steps and not others (e.g., adding sugar but not milk). Finally, a single workfow with options
is easier to review, update, and explain during audits and operational due diligence meetings.
Ideally, workfows dene a single, logical set o activities in manageable pieces. In our example o serving
coee, the workfow would intentionally exclude the steps required to make the coee, secure the
ingredients or select a cup. Likewise, it leaves o beore covering coee consumption or cleanup
activities. By documenting in bite-sized chunks, investment managers get immediate benet rom each
unction that is documented. When managers start a new documentation eort by ocusing on relatively
simple unctions, they can build on the resulting eedback and experience as they add more complex
unctions later in the process. For example, a trade settlement workfow might be updated to consider trade
cancellations, trade corrections or situations when trades are rst posted ater trade date (or worse still,
ater settlement date).
Individual workfows can then be linked to other workfows to cover longer, more intricate processes.
In addition, users can coordinate with outside service providers to ensure hand-o scenarios are
adequately covered.
Workfows that are inaccessible when needed most
In a sudden evacuation, you may not have time to collect those reassuringly substantial three-ring binders rom your oce
bookshel and take them to an osite location. Likewise, when systems are down and internet access is unavailable, having
access to hard copies may be critical.
To be proactive:
Make sure that updated workows are available both online and in hard copy. During a business
continuity or disaster recovery event, investment managers oten must call upon sta to discharge
unctions they are unaccustomed to perorming on a daily basis. It is in exactly these situations that clear,
concise, well-documented workfows can be a lie-saver.
A lack o time, insucient expertise and an undersupply o motivation are all
reasons why workfow documentation is so oten pushed to the back burner. But
investing the eort it takes to do the job will pay o in expedited and consistent
training, more eective controls, improved eciency and a lower rate o errors
every single business day.
-
8/22/2019 SEI OppRisk Book US
27/49
27Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 7 amgmtd agmt Improper Segregation of Duties
07CHAPTER
Given the number o moving parts in the investment process, its no surprise that
the roles and responsibilities o those involved are not always appropriately
delineated. The issue goes beyond opening the door to raud and embezzlement.
The ailure to clearly and properly assign duties can create conficts o interest,
throw up barriers to accountability, and complicate matters o compliance and
administration.
Such problems afict traditional and alternative managers alike, as well as some o their key service providers. Moreover,these problems have become more common since the nancial crisis and the ensuing downsizing o operational and IT
sta across the industry. Reductions in the workorce leave ewer people in place to handle the same workload initially
and, as the market continues to recover, a growing volume o portolios and transactions. Not only does this mean
that operational sta may become chronically overextended and more prone to errors, it leads to situations where
employees must wear multiple hats, sometimes stretching or crossing the boundaries o good segregation controls. It is
not uncommon or rms that once had appropriate controls in place to no longer be able to support those controls ater
a workorce reduction. Clearly smaller rms, especially start-ups, are challenged rom the outset by having a relatively
small number o employees available to handle multiple unctions.
Avoiding Common Pitalls
Conusing assets ounds with the assets orms
This issue is a particular concern to rms managing pooled vehicles,
including traditional rms that manage mutual unds and alternative rms
that manage hedge unds, private equity unds or unds o hedge unds.
It oten involves recordkeeping sta, but may aect others as well.
Consider the hypothetical example o Opaque Asset Management (OAM),
which manages the Opaque Fund. For purposes o this discussion, the
type o und and strategy are irrelevant. What is important is that the
Opaque Fund is a cliento Opaque Asset Managementperhaps evenits largest clientand is distinct rom the rm. That point, while critically
important, may escape sta at all organizational levels; they may either
orget the distinction between manager and und or never grasp it in the
rst place. Indeed, many clients and due diligence rms also ail to pick
up on the distinction when reviewing und procedures. The common
practice o giving unds names similar to those o their managing rms
only increases the conusion.
Risk Area #7
AmAlgAmATEd ASSignmEnTSImproper Segregation o Duties
-
8/22/2019 SEI OppRisk Book US
28/49
28Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 7 amgmtd agmt Improper Segregation of Duties
I you are tempted to think that muddling rms and unds doesnt really matter, lets consider some o the issues that can
arise in practiceor example, who should be approving wire transers? Clearly, best practice calls or having two approvals
beore a transer is released. But who should those approving parties be? In many organizations, portolio managers
believe that they should approve all wires. But because portolio managers actually oversee the unds trading activities,
proper segregation o duties would generally dictate that they should have no control over the movement o und (i.e.,
client) assets. The exception might be those cases where portolio managers are principals o the investmentmanagement
frm and eel strongly they should approve wire transers or the frms money (e.g., payroll, taxes or other major rm
expenses).
To be proactive:
Consider an operational review to identiy potential issues and remedial actions. Outsourcing may be
a remedy to explore, particularly in cases where rm resources are stretched or segregation o duties
is inadequate.
Be clear on where the lines between unctional activities should be drawn. For instance, recalling
the notorious examples o Nick Leeson at Barings Bank and Jrme Kerviel at Socit Gnrale, under
no circumstances should portolio managers or traders price their own portolios; nor should they be
involved in trade settlement or reconciliation. Likewise, trade support sta should not perorm the duties
o reconciliation sta and vice-versa. And perormance measurement teamsat least, those responsible
or generating perormance data used in marketing and possibly in incentive compensation calculations
should not report to the investment team or the sales/marketing area.
Manage inormation ows to minimize the potential or manipulation o data. Trade conrmations
are sometimes sent by counterparties to the trading desk which, in turn, passes the conrmations on to
investment operations. This sets up a situation in which a rogue trader could alter a conrmation. A better
approach is to have counterparty conrmations sent directly to investment operations. Traders may
certainly be copied on conrmations, i desired, but they should not serve as the primary conduit or as
an intermediary in the delivery process.
Make sure clients are in control when their assets are moved. The question o who should have the
authority to wire money has a simple answer: that authority always rests with the client (or the und). For
separate accounts, best practice dictates that the investment manager should never be given authority
to wire unds. Indeed, when the manager has such authority, it is considered constructive custody, which
needs to be disclosed on the investment managers Form ADV.
In the case o unds, where the investment manager wears two hats, this responsibility should be assigned
with special care. The authority to transer unds should not rest with the investment team or anyone
involved in reconciliation. Ideally, wire transers are handled by a combination o an internal operations
team and the external und administrator. In all cases, a wire transer should be approved by at least two
people. Moreover, checks should be put in place to ensure that the amounts drawn and accounts involved
are correct. Limiting the specic accounts to which unds can be wired is a sound practice (and, o course,
a dierent group should manage that set-up). For example, individual sta at the investment manager might
only be authorized to wire rom the custodian to the administrator while the administrators sta might only
be able to wire rom the administrator accounts to either investors or to the custodianand then based
only on written instructions rom the investment managers operations team.
-
8/22/2019 SEI OppRisk Book US
29/49
29Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 7 amgmtd agmt Improper Segregation of Duties
One last caution concerns network authentication system security tokens, those little devices that banks
or prime brokers provide to issue updated codes or initiating wires or authenticating users. Dont leave
them in a desk drawer! First, they could easily be ound and are subject to misuse by someone else.
Second, i theyre in your drawer, they wont be very helpul in the event you need to invoke your
business continuity plan. Inconvenient as it may be, put them
on your keychain so they will be with you at all times.
Failing to separate und records rom those o the rm
This problem involves custodians, prime brokers, und administrators and auditors. Every undwill have one or more
agents that serve as the unds custodian(s) or the saekeeping o assets. (Hedge unds generally utilize prime brokers
who unction not only as asset saekeepers/custodians, but also as execution counterparties and lenders.) Likewise,
the und will have an auditor, as well as a und accountant or und administrator, the latter o which is increasingly an
independent third-party service provider such as SEI.
The custodian, auditor and und administrator are hired by the undnot by the investment management frm. Moreover,
the books and records maintained by these parties are those o the und(read: client), not the investment management
frm. So what happens when the regulators walk in or a periodic examination o the frm? Should Opaque AssetManagement (OAM) rely on clientrecords? The answer is clearly no.
The management o separate accounts brings the books-and-records issue into sharper relie, in that separate account clients
do not require a und administrator. Thus, the only book o record would be that o the custodian or prime broker as the
saekeeper o assets. Once again, it is problematic i OAM, the investment management rm, is subject to a regulatory exam
and can rely only upon the books and records produced by agents o its separate account clients.
True, ailure to maintain separate rm and und records certainly streamlines operations because everyone reers to a
single record. On the other hand, with that approach, the term STP can take on new meaningnot straight-through-
processing, but straight-through-problems. I, or example, a manager downloads trade conrmations and uploads
them to the managers investment accounting system, rather than inputting transactions manually or loading them rom
the managers trading system, there is no way to catch mistakes should the counterpartys conrmation be incorrectan all too common occurrence.
To be proactive:
Consider some level o shadow portolio accounting. Investment management rms that practice
shadow accounting maintain their own independent sets o books and records (generally through
the use o an investment or portolio accounting system). The intent is to enable managers to spot
mistakes or improprieties by periodically reconciling their records with those o saekeepers and und
administrators.
Shadow portolio accounting is commonly used in the traditional investment arena. And with many
hedge unds, especially those with Level 3, hard-to-value or illiquid assets, it is oten considered to be
a necessary double-check, rather than a luxury. Still, it is the subject o some debate, especially within
the alternative side o the industry. Some consider maintenance o manager recordsas opposed to
simply maintenance o und recordsto be best practice, yet the discussion is particularly critical in two
scenarios: rst, when the unds custodian also perorms the middle-oce portolio accounting unction
or the investment manager; and second, when the und relies on one or more prime brokers or trade
instructions, eschewing a robust, independent trade matching process.
-
8/22/2019 SEI OppRisk Book US
30/49
30Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 7 amgmtd agmt Improper Segregation of Duties
When evaluating the need or shadow portolio accounting, careul review o the sources o data or
critical operational unctions and recordkeeping is o paramount importance. While und accounting
calculations can leverage middle-oce portolio accounting data, to do so properly, care must be taken
to ensure portolio accounting inormation is appropriately sourced. For example, all trading inormation
should be ed to the portolio accounting application directly rom the investment managers order
management system or paper tickets and not rom broker conrmations or, worse still, eeds provided
rom the prime broker or custodian. This is even more important when the prime broker acts as the
counterparty on the trade or the custodian also unctions as the und administrator and/or middle-
oce recordkeeper.
Some managers determine that, since responsibility ultimately rests with the investment management
rm, they will duplicate 100% o what the administrator does. Said one European hedge und manager
quoted in Ernst & Youngs Coming o Age, its 2011 survey o the hedge und industry, We have to
have our own records. We cant rely on third parties. As a regulated rm, we have to have them and
cant outsource that to an administrator. But having an outside administrator is a orm o back-up
and insurance. We see it as our responsibility to have our own records. In these instances, oten
managers will shadow portolio accounting records to track what a given und owns, but do not
shadow partnership accounting records, which identiy who owns the und. And shadowing o
portolio accounting data has critical benets when managers employ a multi-prime and/or multi-administrator model.
While the debate continues, SEI suggests that each investment manager should consider where
on the spectrum o partial to complete shadow accounting they wish to be, given the rms specic
situation. We urther work with rms to careully track inormation fows, however, to ensure that
source data, such as trades, that eeds portolio accounting systems is independent rom source
data supplying saekeeping systems employed by custodians and prime brokers. The investment
manager should be the source or all trade inormation and we recommend that all investment
managers match trades to counterparty conrms 100% o the time, regardless o whether the
manager (or its third-party middle-oce provider) serves as the arming party.
On a nal note, its important to remember that issues relating to segregation o duties are uid and can crop up as a consequence
o hiring or management decisions that seem relatively innocuous. In light o this, investment management clients and rms
evaluating outsourcing providers should recognize that due diligence is not a one-time occurrence, but a critical point o control
that should be repeated on a regularly scheduled basis.
Even when exhaustive RFP and due diligence processes are perormed prior to engaging
outsourcing providers, and on an ongoing basis, investment managers should ensure
appropriate processes and procedures are in place or eective oversight o third-party
providers. This might include identication o exception items or additional review and
spot-checking inormation on a periodic basis, as well as design and review o summary
reports with a particular ocus on high-risk areas or new processing by the outsourcing
partner. These high-level checks should be examined periodically to ensure they are
appropriate and, i warranted, adjusted rom time to time.
-
8/22/2019 SEI OppRisk Book US
31/49
3Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 8 rcct G A False Sense of Security
08CHAPTER
Everyone knows that keeping track o clients assets is a undamental
responsibility o investment managers. Everyone also knows that reconciliation
the process o comparing records, identiying and researching discrepancies
and, importantly, seeing to it that material errors are correctedis a critical step
in satisying this obligation. Its as simple and obvious as locking the dead bolt
on the ront door at night.
Investment managers employ time-consuming, expensive reconciliation processes and systems to ensure that theirbooks and records are accurate, and many readers may be thinking, Weve got it covered. Were in good shape. Yet
there are considerations that may not be quite so apparent. Even in the best-managed rms, there may be reconciliation
issues that leave managers more exposed to risks than they realize. In other words, they may be locking the ront door
but are they also locking the one in back?
Avoiding Common Pitalls
Less-than-comprehensive reconciliation procedures
At a minimum, we expect on the buy side to see reconciliation between the investment managers records (or, i investment
operations are outsourced, the third-party providers investment accounting records) and the records o the saekeepers (e.g.,the custodian or prime broker). But, depending on the investment vehicle and the structure o operations, this may not be
sucient to catch all mistakes and red-ag potential problems.
To be proactive:
Develop procedures that provide or a ull set o
checks. For commingled vehicles such as mutual
unds and hedge unds, where a und administrator is
required, there should additionally be a reconciliation
between the administrators records and those o the
saekeeper. At SEI, we recommend what is commonly
called a three-way reconciliation, but is more
accurately described as three separate reconciliations:
the investment managers records vs. the saekeepers;
the saekeepers vs. the administrators; and the
administrators vs. the managers.
Risk Area #8
REConCiliATion gAPSA False Sense o Security
-
8/22/2019 SEI OppRisk Book US
32/49
32Top 10 operaTional risks A Survival Guide for Investment Management Firms Cht 8 rcct G A False Sense of Security
Remember that perormance analysts are not portolio accountants. At rms that manage
institutional money held in separate account portolios, perormance analysts are typically responsible
or investigating out-o-tolerance variances between the rates o return calculated by the manager, the
custodian and/or the clients investment consultant. While this process may provide a nal check on the
accuracy o data inputs to the return calculations, this does not constitute a ull reconciliation.
Assign reconciliation duties to appropriate sta. Trade support sta should not be in the reconciliation
business, nor should portolio managers or traders. In assigning these responsibilities, rms need to guard
against the potential or raudulent activity while also recognizing that it is generally dicult to catch ones
own typos.
Assuming the accuracy o electronic or consolidated records
A undamental question is what really constitutes the saekeepers ocial records. While transaction les, or instance,
are important sources o inormation, many saekeepers will not stand by these back-up reports or electronic
representations o an account, considering the paper statement to be the only ocial record. Reco