Part 4

Risk

Abstract

The final chapter considers the huge importance of risk and, in particular, operational risk, which affects administrators and custodians, as well as the risks faced by the fund itself and the promoters of the fund. Case studies look at risk events and how to establish a control framework to manage operational risks. Finally, we look at the possible future changes that will affect the custody and administration service providers.

Keywords

operational risk
risk management
administration service providers
custodians
generic risks
unique risks
market risk

Risks faced by a fund and how the administrator can assist the fund to manage the risks

There are many risks associated with funds and fund administration ranging from fiduciary duties to the performance of outsource arrangements as well as the three main risks of market, counterparty, and operational risk.
The following are some high level examples of market risk:
Liquidity—Ability to buy or sell an asset.
Tax—Changes to the taxation on capital gain or income.
Default—Failure of an asset like a bond to repay capital or pay interest.
Default (2)—Failure of a limited partner in a private equity fund to honor a drawdown.
The following are some high level examples of operational risk:
Documentation
Compliance
Settlement
Liquidity
Systems
People

Operational risk

In general terms we can say that operational risk became high profile following the collapse of Barings Bank. Barings Bank collapsed in Feb. 1995 due to unauthorized trading, poor governance, and failure of the operational control framework in the bank.
Until that time, firms operating in financial markets were very much aware of the other two major types of risk, market risk and counterparty or credit risk. However, it was not considered likely that risks associated with the operational aspects of a business, like settlement, record keeping, etc., would, if they became a risk event, cause the collapse of a firm.
In this pre-Barings era, financial losses caused by errors in processing and procedures were considered “part” of the business and therefore were absorbed in the profit or loss calculations of the firm.
Following the collapse of Barings, and the part that a series of failures in controls, governance, and procedures played in it, the Bank for International Settlements (BIS) established a committee to consider the implications of the systemic risk created by the collapse of a financial institution because of operational risks.
The committee recognized that there were hitherto unrecognized dangers in a series of linked operational based risk events creating such a significant internal and external systemic risk situation that would threaten not just individual institutions but the markets as a whole.
Regulators, stakeholders, senior management, and investors all began to look at operational risk and its management and today as we have seen earlier in this book, there is comprehensive regulation and risk management in place across the markets and participants.
In any transaction for the fund that involves securities, derivatives or other types of assets, there will be a series of participants during the life cycle of the transaction as well as procedures and processes that take a transaction from origination to finality of settlement and into the post settlement environment.
People and processes are the fundamental structure on which most of the operations environment is based. To that structure we can add knowledge, skills sets, and management.
Operational risks are therefore predominantly related to this structure and indeed the BIS Basle Committee defined operational risk as:
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
We can then define the management of operational risk as:
Operational risk management is the process of identifying, assessing, monitoring, and controlling/mitigating operational risk.
Operational risks will come in many formats, originate in many varied ways and have very different impacts if they become risk events.
For both the administrator and the custodian operational risks pose a serious threat both financial and reputational.
A significant instance of a risk event could even prove catastrophic and close the business down.
What we also have to remember is that there are unique risks that are bespoke to an organization and generic risks that affect all organizations within the industry.
Unique risks tend to be associated with people and systems on the basis that no two firms are likely to have the same people or system profile.
Generic risks are those that would impact across many organizations simultaneously like for instance the failure of a country’s payment system, a natural disaster, or the failure of a market source of prices preventing the valuation of the funds assets.
Operational risk is rarely static and so the systemic implications both internal and external are significant. “Creeping risk” is where a risk originates in a process or part of a firm but the impact in terms of the risk and resultant risk event would be felt somewhere else.
For example, an error in the processing of a subscription or redemption by the transfer agent causes the NAV per share published by the valuation team to be incorrect.
Another example might be errors in the reconciliation process at the custodian that are actually caused by poor performance in the transaction processing area rather than by the reconciliation team.
Clearly prevention of the operational risk is a major objective in the management of the risk of a fund, its administrator, and custodian.
We have in previous sections of the book also explored the various factors and influences in terms of exactly who the participants will be in a process and to what degree they will be involved.
We have seen that in the context of the operations process in a custodian or administrator, the origin of the transaction and the type of product being transacted are key drivers for the actual operational process that will follow the trade.
Let us remind ourselves of the flows seen earlier in the book:
Portfolio management—Asset purchase/sale flow
Portfolio transactions and NAV
Cash management and collateral (Fig. 4.1)
Figure 4.1  (Source: The DSC Portfolio Ltd.)
So operational risk is directly related to the participants in a process and the characteristics of the types of products being processed and the systems being used in that process. However, not all operational risks will have the same profile or the same probability of an event or the same impact should that event actually occur.

Types of risk

We can say there are three high level types of risk:
Killer risks
Key risks
Standard risks
And these can be illustrated as shown in Fig. 4.2.
Figure 4.2 The risk pyramid. (Source: The DSC Portfolio Ltd.)
Killer risks are so severe that if they occur, the organization’s very existence is at risk.
Key risks are risks that would be severely damaging to the firm.
Together they would account for no more than perhaps 20% of the total risk. They would be monitored and often managed by designated risk management teams in conjunction with the business and the operational teams.
The remaining Standard risks, around 80% of risks in most firms, are those that occur in, and are usually managed by the staff within, their daily tasks.
It is important to flag at this stage that no firm can eliminate every risk. Many errors can and will occur every day in every process. The key thing is that most of these errors and problems will be identified quickly and resolved. Technically, there is a window of risk between occurrence, identification, and resolution, and a failure to identify the issue or a delay in resolving it obviously creates a higher risk of an event.
The ability for the custodian and administration teams to recognize when to escalate an issue to management and the risk team is a key requirement for a good risk awareness culture in an organization.
In order to be able to manage these risks successfully it is essential to be able to identify the risks.
We can now look at the risks faced by administrators and custodians.

Risks Faced by an Administrator and Custodian

Typical operational risks that could be faced by an administrator or custodian include any of the following:
Human error
Management
Inadequate technology/systems
Settlement risk
Lack of industry awareness
Poor relationship management
Counterparty and 3rd party risk (outsource)
Breaches of guidelines and controls
Inefficient or ineffective procedures
Lack of adequate product knowledge and skill sets
Data errors
Fraud and money laundering
Loss of key personnel
External events
These lists do not cover every type of risk event category or risk, but they do show just how diverse and widespread operational risk is.
Let us look at examples under each heading.
1. Human error—Perhaps the most commonly perceived operational risk and certainly a human error in a particularly crucial process, for example, validating a subscription or a response to a SWIFT message, could create a major risk event.
2. Management—A particularly important source of operational risk as poor and ineffective management will lead to many other types of operational risk situations, for example, poor staff morale leading to poor performance levels.
3. Inadequate technology/systems—With so much of the operational process automated in the financial markets, as in other highly automated industries, the technology risks are very significant, and a major concern would be errors in the accounting and control systems. Another major technology risk for the administrator or custodian is having systems inadequate for the activity of the fund that is its customer.
4. Settlement—This is the risk associated with finality of settlement and can therefore be related to failure to make/receive payment or make/take delivery correctly or even at all. Associated risk would be fraud and default.
5. Lack of industry awareness—This risk is about the understanding of the industry in which the business and its management and staff are working, for example, management and staff in a fund administration or custodian firm must be aware of the issues, regulations, and changes happening in the investment fund industry.
6. Poor relationship management—A risk that can be related to internal and external scenarios, for example, to the client or prime broker or service provider or inter-team or inter-department internally.
7. Counterparty and 3rd party—Related to all risks associated with outsource and insource and any critical service provisions. The performance of a 3rd party can influence the risk profile of a firm and so the risk profile of a fund that outsources to an administrator or custodian is determined by their performance. Likewise an administrator or custodian insourcing from the fund has their risk profile affected by the performance of a fund. This is why having service level agreements in place is crucially important.
8. Breaches of guidelines and controls—The failure to follow best practice and a control framework would significantly increase the risk profile of the firm.
9. Ineffective or inefficient procedures—This can lead to a wide range of risks, which will have potentially systemic and significant impact outcomes. The cause could be due to poor management and so it could also be part of that risk.
10. Lack of adequate knowledge and skill sets—This relates to competency and capabilities at all levels and is associated with management risk, HR risk, as well as pursuing qualifications for staff and employing qualified staff etc. An example of a related qualification would be the CLT International Advanced Certificate & Diploma in Fund Administration details of which can be found at http://www.cltint.com/course/advanced-certificate-in-fund-administration/.
11. Data errors—Linked to systems/technology risk but also to data base management, data security etc.
12. Fraud and money laundering—Two key risks and any firm must have strong controls in place to manage these risks.
13. Loss of key personnel—Another risk linked to HR but also an operational risk issue for management and team leaders. The recruitment environment can be a major issue particularly in offshore fund centers or where offshoring has been used.
14. External events—Risks that are beyond (usually) the control of the firm such as transport disruption, natural disasters etc.
We can see from the above that operational risk is not just about operations or operations risk, and that operations risk is one of several risks that can fall under operational risk, as well as under market or credit risk, as shown in Fig. 4.3.
Figure 4.3 The operational risk framework. (Source: The DSC Portfolio Ltd.)
It is also important to consider operational risk in the context of systemic risk.

Case Studies and Illustrations of Risks and the Management of the Risks

Managing Operational Risk

Operational risk management is the process of identifying, assessing, monitoring, and controlling operational risk.
How? Well, depending on the size and nature of the organization, it may be the responsibility of a risk management team. Alternatively, there may be oversight of controls and procedures by a director or manager. It is possible that the administrator may be asked to assist with the fund’s risk management process, but it cannot have responsibility for the risk management. That will always lie with the fund.
Fig. 4.3 illustrates the components of a risk management strategy:
Risk management structures—Can utilize historical data, self-assessment of the possible risk, and/or likelihood that a risk event will occur.
All entities involved in the fund process need to create an operational risk policy that contains:
Risks to avoid
Risks to be contained
Self assessment process
Identification of key/killer risks
Risk monitoring and control processes
Risk event management
Risk incident reports
Risk policy will be carried out largely through controls and procedures on a day-to-day basis which will involve the administrator and custodian.
A key element of operational risk management is to benefit from lessons learned and make adjustments where necessary.

Risk Logs/Incident Reports

Logs and incident reports are major tools in the risk management process; however, they are not about blame. It is important that they remain factual and focus on the structure of the risk event that has happened, from occurrence through to the actions taken to close the risk event.
Incident reports should provide the facts and the detail of the actions that were needed to manage the risk event.
Logs provide data that will show trends or the patterns that may be occurring and record the level of financial losses that are being incurred. They can also be associated with the complaints log and can include actual events as well as “near misses.” Data in logs needs to be current so that old data about events that happened when the environment and circumstances were different is excluded.
A risk event has a structure as shown in Fig. 4.4:
Figure 4.4 Structure of a risk event. (Source: DSC Portfolio Ltd.)

Subjective versus Quantitative Analyses in Identifying Risks

The process of identifying risks needs to be strong, credible, and realistic and so a mix of quantitative and subjective analysis should be used.
Subjective—Involves self-assessment by the business units within the company and particularly the teams managing the key processes and procedures. The reason for this is that they are dealing with the potential risks all the time and have the greatest knowledge of the processes and procedures as well as the control framework.
Quantitative—Can involve statistical data and comparison, for example:
1. Measuring the levels of financial loss against levels of activity.
2. Complexity of processes or product against the degree of automated processes.
3. Degree of automation versus number of manual processes.
4. Key risk indicators (KRIs).
5. Key performance indicators (KPIs).
KRIs and KPIs will be entity specific but some examples would be:
1. Error rates in key processes.
2. Expected losses versus actual losses.
3. Level of reconciliation breaks.
4. System performance statistics.
5. Level of client-related errors, that is, in subscriptions/redemptions.
6. Staff turnover.
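As an added illustration, not from the book and using constructed log entries rather than real data, the following Python keeps a small risk log of the kind described under Risk Logs/Incident Reports and derives from it several of the KRIs just listed: error rates per key process, realised loss per category, the near-miss share, the lag between occurrence, identification and resolution, and a monthly trend. The process names, activity volumes, the 365-day currency window and the two-day identification tolerance are assumptions.

```python
"""Risk log with KRI calculations over constructed incident records."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    occurred: date
    identified: date
    resolved: Optional[date]   # None while the event is still open
    process: str               # key process the event arose in
    category: str              # risk category from the list earlier in the chapter
    loss: float                # realised financial loss; 0.0 for a near miss
    near_miss: bool = False


# Constructed sample entries (hypothetical, not taken from the book)
LOG: List[Incident] = [
    Incident(date(2024, 1, 8), date(2024, 1, 8), date(2024, 1, 9),
             "subscriptions", "human error", 2500.0),
    Incident(date(2024, 2, 14), date(2024, 2, 16), date(2024, 2, 20),
             "reconciliation", "data error", 0.0, near_miss=True),
    Incident(date(2024, 3, 3), date(2024, 3, 3), None,
             "settlement", "settlement", 12000.0),
    Incident(date(2024, 3, 21), date(2024, 3, 28), date(2024, 4, 2),
             "subscriptions", "data error", 800.0),
    # An old event from a different operating environment: excluded by the window
    Incident(date(2022, 6, 1), date(2022, 6, 1), date(2022, 6, 2),
             "subscriptions", "human error", 40000.0),
]

# Constructed activity volumes per process over the same period
ACTIVITY = {"subscriptions": 1000, "reconciliation": 250, "settlement": 600}
AS_OF = date(2024, 4, 30)   # reporting date for the examples below


def current_entries(log, as_of, window_days=365):
    """Keep only entries inside the window so stale events do not distort trends."""
    cutoff = as_of - timedelta(days=window_days)
    return [i for i in log if i.occurred >= cutoff]


def error_rate(log, activity, as_of):
    """KRI: incidents (near misses included) per unit of activity in each key process."""
    counts = Counter(i.process for i in current_entries(log, as_of))
    return {p: counts[p] / volume for p, volume in activity.items()}


def loss_by_category(log, as_of):
    """KRI: realised loss per risk category, for comparison with expected loss."""
    totals = defaultdict(float)
    for i in current_entries(log, as_of):
        totals[i.category] += i.loss
    return dict(totals)


def near_miss_ratio(log, as_of):
    """Share of logged events that were near misses rather than realised losses."""
    entries = current_entries(log, as_of)
    return sum(i.near_miss for i in entries) / len(entries) if entries else 0.0


def exposure_days(incident, as_of):
    """(occurrence -> identification, identification -> resolution) in days.

    An open event is measured up to as_of: the longer either gap, the higher
    the chance that the risk turns into a larger event.
    """
    end = incident.resolved or as_of
    return ((incident.identified - incident.occurred).days,
            (end - incident.identified).days)


def slow_to_identify(log, as_of, max_days=2):
    """Entries whose identification lag exceeded tolerance: candidates for escalation review."""
    return [i for i in current_entries(log, as_of)
            if exposure_days(i, as_of)[0] > max_days]


def monthly_trend(log, as_of):
    """Incident counts per month, the basic trend view a log is kept for."""
    counts = Counter(i.occurred.strftime("%Y-%m") for i in current_entries(log, as_of))
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print(error_rate(LOG, ACTIVITY, AS_OF))
    print(loss_by_category(LOG, AS_OF))
    print(monthly_trend(LOG, AS_OF))
    for inc in slow_to_identify(LOG, AS_OF):
        print("slow identification:", inc.process, exposure_days(inc, AS_OF))
```

The window in `current_entries` is what keeps the log "current" in the sense the text asks for: the 2022 entry, with its large loss, is dropped from every KRI so it cannot distort the trend or the loss-by-category figure for the present environment.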

Self-assessment and measuring risk

A major method of identifying risks in a firm is to involve the business units in a process of self-assessment.
The assessment will be based on identifying risks but also assessing the potential for the risk to become an event, that is, to analyze the control framework in place that seeks to manage the risks.
In addition an assessment of the strength of the controls and control framework is undertaken.
We will also look to include some form of assessment of the impact of the event should it occur.
Self-assessment is of course subjective, and so we must create a suitable framework within which the business units can work, to achieve consistency across the business while allowing for specific risk issues within each unit.
Part of that framework may well include a review and challenge process undertaken by the risk group whereby the outcomes from the subjective assessment are compared to some form of quantitative analysis perhaps from relevant management information data, and reassessed jointly with the business unit.
This process is crucially important because risks that have been incorrectly assessed and then input to the risk management process will create problems and in fact increase rather than decrease a firm’s risk.
Techniques
Many self-assessment techniques utilize the process often used by auditors of scoring or grading. Thus a risk self-assessment by a team would look first at the key procedures, processes, and any controls that are in place, evaluating their potential risk or risks.
An example of what we are talking about could be the illustration shown in Fig. 4.5.
Figure 4.5 Risk flow.
However this process is dependent on the operations managers or process owners having mapped the procedures and processes so that a critical analysis can take place.
If you recall, we looked at the workflows in administration and custody and this will be the foundation on which the risk analysis will take place.
Each stage in that workflow will be analyzed in terms of, for example:
Manual or automated process
Straight through processing level
Complexity of the process
Context of the process (stand alone or dependency)
Deadlines
Workload—activity level, spikes etc.
Resource level needed and available—people and systems (including competencies, reliability etc.)
Regulatory risk (reporting requirements, breach context etc.)
Influences—internal/external
From this data the risk sensitivity can be formulated.
Again it is important to recognize that not every risk will become a risk event. What we are doing at this stage is identifying the principal risks inherent in the process and/or procedure. The same self-assessment challenge will also provide us with the probability of the risk becoming a risk event, and by creating an internal record or log of risk events we have a quantitative methodology for verifying the self-assessment.
Within the analysis we will also look to identify the critical risk areas, which will be those related to data inflows and outflows, dependencies, etc., and/or having a systemic risk value.
The picture we create based on the above information shows where the key activity is in the processes and procedures and the degree to which this constitutes a risk.
The content of that picture would include, for example, the following key stages in the securities settlement process:
Trade capture
Verification/validation (the clearing process)
Enrichment
Instructions
Settlement fails management
Settlement
Valuation and accounting
Corporate actions
Reconciliations at every stage
Examples of the identifiable risks would then be:
1. Data unavailability or missing
2. Data incorrect
3. Data not processed
4. Data incorrectly processed
5. Data not distributed or reported incorrectly or late
6. Process failures
7. Action failures, errors, or delays
8. Errors not identified or realized
9. Corrective action incorrect, not made, incomplete
10. Valuation procedures incorrect, incomplete or late
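As an added example, not part of the book, the following Python carries the self-assessment technique through in code: each workflow stage is scored on the factors listed above (manual or automated, complexity, dependency, deadlines, workload, resources, regulatory context), the scores become a likelihood band, likelihood times impact gives the risk sensitivity, the result is placed on the risk pyramid as killer, key or standard, and the review-and-challenge step compares the self-assessed band with an observed error rate from management information. The stage names follow the settlement stages listed above; the factor scores, the classification thresholds, the error-rate bands and the challenge tolerance are assumptions.

```python
"""Self-assessment scoring of workflow stages with a quantitative challenge step."""
from dataclasses import dataclass
from typing import Dict, List

# Factors from the workflow analysis, each scored 1 (low risk) to 5 (high risk)
FACTORS = ("manual", "complexity", "dependency", "deadline",
           "workload", "resource_gap", "regulatory")


@dataclass(frozen=True)
class Stage:
    name: str
    scores: Dict[str, int]   # factor -> 1..5
    impact: int              # 1..5: effect on the business should an event occur
    systemic: bool = False   # output feeds other processes or has systemic value


def likelihood(stage: Stage) -> int:
    """Self-assessed likelihood band 1..5: the rounded mean of the factor scores."""
    missing = set(FACTORS) - set(stage.scores)
    if missing:
        raise ValueError(f"{stage.name}: unscored factors {sorted(missing)}")
    return round(sum(stage.scores[f] for f in FACTORS) / len(FACTORS))


def sensitivity(stage: Stage) -> int:
    """Risk sensitivity = likelihood band x impact (1..25)."""
    return likelihood(stage) * stage.impact


def classify(score: int) -> str:
    """Map a sensitivity score onto the risk pyramid (thresholds are assumptions)."""
    if score >= 20:
        return "killer"
    if score >= 12:
        return "key"
    return "standard"


def critical_areas(stages: List[Stage]) -> List[str]:
    """Stages with heavy data dependencies or a systemic risk value."""
    return [s.name for s in stages if s.systemic or s.scores["dependency"] >= 4]


def observed_band(error_rate: float) -> int:
    """Translate an observed incident rate (incidents per transaction) into a 1..5 band."""
    for band, upper in enumerate((0.001, 0.005, 0.02, 0.05), start=1):
        if error_rate < upper:
            return band
    return 5


def challenge(stage: Stage, error_rate: float, tolerance: int = 1) -> bool:
    """Review-and-challenge: True when the self-assessment disagrees with the data.

    A gap wider than the tolerance means the stage should be reassessed jointly
    with the business unit before the score enters the risk process.
    """
    return abs(likelihood(stage) - observed_band(error_rate)) > tolerance


def assess(stages: List[Stage]):
    """Risk picture: each stage with its band, score and class, highest first."""
    rows = [{"stage": s.name, "likelihood": likelihood(s), "impact": s.impact,
             "score": sensitivity(s), "class": classify(sensitivity(s))}
            for s in stages]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed self-assessment for four settlement stages (hypothetical scores)
STAGES = [
    Stage("trade capture", dict(zip(FACTORS, (4, 2, 2, 4, 4, 3, 2))), impact=4),
    Stage("enrichment", dict(zip(FACTORS, (1, 2, 3, 2, 2, 1, 1))), impact=2),
    Stage("reconciliation", dict(zip(FACTORS, (2, 3, 5, 3, 3, 2, 3))), impact=5,
          systemic=True),
    Stage("corporate actions", dict(zip(FACTORS, (5, 5, 4, 5, 4, 4, 4))), impact=5),
]

if __name__ == "__main__":
    for row in assess(STAGES):
        print(row)
    print("critical areas:", critical_areas(STAGES))
    # Constructed observed rate for corporate actions, far below the self-assessed band
    print("challenge corporate actions:", challenge(STAGES[3], 0.001))
```

In the constructed data the corporate actions team scores itself into the killer band while the observed rate puts it two bands lower, so `challenge` flags the stage for joint reassessment; a score entered into the risk process without that step is exactly the incorrectly assessed risk the text warns about.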
Now if we consider the source of these risks we will see that certainly people and systems including databases are likely to be prime sources of these risks and of possible risk events, for example, incorrect corrective action as illustrated in Figs. 4.6 and 4.7.
Figure 4.6 Risk components. * BCP, business continuity process (Source: The DSC Portfolio Ltd.)
Figure 4.7 Stages in a risk event. (Source: The DSC Portfolio Ltd.)
Fig. 4.6 shows examples of the risk, the possible risk event, and the possible impact, while Fig. 4.7 shows the cause, the issue arising, and the possible remedial action.
Both human error (for example, a dealer may omit data from a deal ticket or be late in providing the ticket) and system error (for example, incorrect data has been created in the database, so the trade information is incomplete or even rejected) are typical sources.
The potential event created could result in financial losses, regulatory action, or loss of reputation.
Reputation loss is often as damaging and can be even more damaging than possible financial losses as a result of a risk event happening.
For example, an incorrect NAV that is published by an investment fund could result in a regulatory breach, a requirement to compensate investors who may have subscribed or redeemed at the incorrect NAV but above all it may make both regulator and investors concerned about the quality of the processes, procedures, and controls being utilized.
Resolution may look straightforward, but on the other hand technology changes are rarely easy, and while the changes are happening a higher level of operational risk will exist. That said, adequate BCP capabilities are frequently linked to regulation, to insurance cover, and to any risk management information a prospective client or stakeholders may want to see.
All risk events have a structure and the components of that structure can be illustrated as shown in the Fig. 4.7.
The components, as we can see, are a cause, an event, and the effect or impact of that event.
All operational risks have a cause that can become an event that will have an effect on the business that can be negligible, important, or serious.
Understanding what the cause(s) are, what risk event(s) can happen, and what the effect(s) of that will be is crucially important to successful risk management.
There are many ways of successfully addressing this issue but to look at ways of managing the risk process, it is important to consider on a simplistic basis the assessment of a situation.
The following exercise will illustrate this.

Risk scenario analysis

Identify the possible causes, events, and impact that each of these scenarios has as follows:
1. A new computer system is implemented at the firm but cannot be reconciled to the original system.
2. Increasing information demands from the clients and counterparties has doubled the workload for the operations teams and contains a host of new and alternative procedures and processes.
3. The performance of an outsource arrangement appears to be deteriorating.
Now consider the following scenario and analyze the possible risk issues for the administrator and the custodian.

Conflict resolution exercise

Background

Over the last 24 months, there has been an increasing number of problems occurring between the Process team dealing with trade input, verification, and posting and the Client Support team who deal with corporate actions and provide reports and communications with the internal (dealers, fund managers, business development) and the external client base (fund companies, corporate and private clients).
In particular the following high profile issue occurred:
Error on a Rights Issue
A major client requested to the Client Support team that the one for four rights issue at $5 on a holding of 200,000 shares be taken up.
However the client account was showing only 100,000 shares. When this was queried with the process team the reply was that there were no outstanding transactions.
The Client Support team were reluctant to contact the highly important but quite difficult client and so assumed that the client had made a mistake over the number of shares.
The Client Support team instructed the take up of the rights (25,000 shares) and debited the client account with $125,000.
This left a total of $500,000 on the client’s account, and a few days later the client called and asked for confirmation of the balance. He was told $500,000 and shortly after placed an order to buy another 80,000 shares at $6.
Later that day, the Process team put through the client’s account two trades for 100,000 at $5.50 and 80,000 at $6, total cost $1,030,000. Client Support assumed that these were two new trades and called the client for the balance of $530,000.
The client went mad accusing the firm of utter incompetence and threatened to close the account and report the firm to the regulator.
Client Support asked the Process team what the two trades were and received the reply that there was a purchase for an order of 80,000 shares at $6 placed today and a trade of 100,000 shares at $5.50 that had been placed 7 days ago but had failed to settle in the market until today.
Client Support asked why, when they queried the outstanding trades the previous day they had been told there were none.
The Process team came back and said it was a mistake. When the problem it had caused was pointed out to them, the Process team told the Client Support team it was their fault, as they should have checked with the client.
The client was furious and insisted that, as he had acted on the information provided by the firm, it was the firm’s problem to make good the shortfall in cash; he also wanted to know when his additional 25,000 shares from the rights issue would be in his account (remember that the client referred to the rights on 200,000 shares, which was in fact his holding).
The firm decided they would need to make the client good and take the loss against the operations department error account.

Exercise

Identify the losses the firm may have to take and the major failings and the risk associated with the mismanagement of this corporate action.
The answers to these exercises can be found in the appendices or at www.dscportfolio.com.

Risk of fraud in finance

The following is taken from a seminar run by Onestudy Training in Jersey entitled:
Operational risks of fraud in finance—Jersey, Nov. 2014
The association between acts of fraud and operational risk may at first seem obvious.
Where there is a lack of a control framework, or of its implementation, with robust procedures and processes, a potential fraudster knows the odds are in their favor.
If we add to this a lack of risk awareness and culture among management and employees, then the possibility of a successful fraud is further increased.
However the ability of operational risk management to prevent and/or detect fraud, or the potential for fraud is not so certain.
The major problem is that no two organizations have identical risk profiles or universes and so by nature the potential for fraud is bespoke. This is not to say that there are not generic operational risks linked to the potential fraud but very often it is a mix of generic and bespoke risks that occur with perhaps the emphasis on bespoke.
Most operational risks have either people or processes/systems as their main source.
Interestingly within the people category, management is a significant source of operational risk. I will come back to this later.
Consider first the typical operational risk universe.
It is likely to be diverse for any type of financial organization and in a sense it is the same with potential fraud.
We may be inclined to assume that institutions dealing with money are the most vulnerable and most likely to be the subject of an attempted fraud and as many surveys suggest banks consider fraud as one of their major potential risks.
However we can also look at other organizations that would have fraud high on their list of risks.
In the investment fund universe, the post 2008 environment has been largely about loss of trust by investors and hugely increased regulation as a result of events like Madoff but also other concerns about where the assets of a fund, and therefore the capital of the investor, actually were.
These issues encompassed the use of assets as collateral, the short selling of securities, and the associated securities borrowing and the buying of assets on margin, common in some types of hedge funds.
In Europe, the regulators introduced new regulation in the form of the Alternative Investment Fund Managers Directive that placed responsibilities for the monitoring and safekeeping of an AIF’s assets with the Depositary.
Loss of assets is a major concern of the management of any fund but while loss of assets is perhaps relatively speaking rare, the misuse of assets can be very different.
A scenario that I can give you relates to a broker where two members of staff managing a customer’s account noted that they had placed securities as collateral against a written call option. The two staff noted that the client rolled the written position shortly before the expiry of the options series.
A seemingly simple fraud offered itself. If the staff could “borrow” the securities they could carry out several possible actions. One would be to sell the shares safe in the knowledge that the client was unlikely to sell the shares themselves as they had the written option position. Another was to use the shares as collateral against a loan.
The broker was acting as the nominee for the customer and so had custody of the assets.
All that remained to complete the fraud was for the two members of staff to have access to the assets to transfer them and to doctor the internal records so that it appeared the shares were being held against the option position.
The staff were both in key and senior positions and able to collude. There was little awareness of risk in the firm and an almost total lack of a control framework. The two people colluding on the fraud had the responsibility to reconcile assets held for customers, responsibility for instructions to move assets including cash. The data they produced was never questioned.
The fraud was only discovered when the option position was assigned and the securities were needed for delivery. The pair had sold the securities but the price had risen significantly hence the assignment. The pair could not generate the cash needed to buy the securities and the fraud was discovered. It cost the firm a high six figure sum to make good the customer.
Another example is the transfer of assets as collateral to cover a margin call.
In this case the assets were held at a third party custodian.
A new recruit working in the operations team received a call from a manager at the custodian requesting authorization to transfer assets to a broker against a margin call on a derivative position.
The new recruit did not know what a derivative was and spoke to her supervisor, who suggested she speak to the derivatives operations team, who sat at the next desks.
They were pleased to provide the background to derivatives but asked why the interest.
When she said she had received the request they told her not to do anything and to leave it with them.
A few minutes later she received another call from the now rather irate manager, telling her there would be big trouble if this margin call was not met and the asset transfer not made.
Somewhat distressed, she immediately went back to the derivatives operations team.
Reassuring her there was no problem, they called the custodian, but the manager concerned was apparently at lunch. The situation was escalated and an immediate check was made on all previous requests from this manager to transfer assets.
Two previous instances were found and, like the current request, neither corresponded to any derivative margin call that needed collateral.
The previous two, which had occurred in the past three months, were for £5,000 and £8,000 in value. The current one was for £900,000.
Internally there was a threshold for automatic authorization set at £1m, with random authorization checks on requests below it. The first two had not been selected for a random check and so had been processed; the securities were transferred to a fictitious account set up by the manager.
The manager never came back from lunch and the £13,000 was never recovered.
Had the young lady not asked about derivatives, and the operations team not been suspicious, the loss would have been close to a million.
The firm and the custodian negotiated a settlement.
In case one there was no control framework; in case two there was one, but the threshold was high, so there was a risk that fraudulent payments and/or movements of assets could occur.
Clearly the custodian had a much bigger operational risk in terms of internal controls, and the manager was able to exploit this.
In a sense the simplicity of the attempts was the key, together with the knowledge that the control framework was nonexistent or weak, and this is the key point.
Wherever an organization does not have operational risk awareness and a strong, proven risk management culture, it is vulnerable to fraud and other criminal acts.
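As an added example (not part of the author's text, and not any firm's actual procedure), the following Python models the authorization controls the two cases point to: an instruction to move assets "against a margin call" must match an open call in the derivatives desk's own ledger rather than rest on the custodian's say-so; assets go only to pre-approved settlement accounts; the person instructing a movement must not be the reconciler of the account it leaves; and below-threshold requests are aggregated per requester and beneficiary over a rolling window instead of being spot-checked at random. The account names, dates, the 90-day window, the £500,000 aggregate limit and the margin-call record are all constructed for the illustration; only the £1m auto-authorization threshold and the three amounts £5,000, £8,000 and £900,000 come from the case.

```python
"""Added example: authorization controls for asset transfers against a margin
call. Illustrative only; not any firm's actual procedure. Names, dates and
amounts other than the case's £1m threshold and £5,000/£8,000/£900,000 are
constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MarginCall:
    """One entry in the derivatives desk's own margin-call ledger (assumed)."""
    call_id: str
    broker: str
    amount: int          # in pounds
    is_open: bool


@dataclass(frozen=True)
class TransferRequest:
    """A request to move assets, as received by the operations team."""
    request_id: str
    requested_by: str            # who asked for the movement
    source_account: str          # account the assets would leave
    beneficiary: str             # account the assets would go to
    broker: str                  # broker the request claims is calling margin
    amount: int
    claimed_call_id: Optional[str]
    requested_on: date


@dataclass
class Policy:
    auto_threshold: int = 1_000_000            # the case's £1m auto-authorization limit
    window_days: int = 90                      # rolling window for aggregation (assumed)
    aggregate_limit: int = 500_000             # per requester+beneficiary in window (assumed)
    reconcilers: Dict[str, str] = field(default_factory=dict)   # source_account -> reconciler
    approved_beneficiaries: frozenset = frozenset()             # standing settlement accounts


def old_policy_decision(req: TransferRequest, policy: Policy, spot_check: bool) -> str:
    """The control described in the text: anything under the threshold is
    auto-authorized unless a random spot check happens to select it."""
    if req.amount >= policy.auto_threshold or spot_check:
        return "MANUAL_REVIEW"
    return "AUTO_AUTHORIZED"


def evaluate_request(req: TransferRequest, ledger: List[MarginCall],
                     history: List[TransferRequest], policy: Policy) -> List[str]:
    """Return the control failures for a request; an empty list means authorize."""
    findings = []

    # Control 1: the transfer must match an open call in the desk's own ledger.
    calls = {c.call_id: c for c in ledger}
    call = calls.get(req.claimed_call_id) if req.claimed_call_id else None
    if call is None or not call.is_open:
        findings.append("NO_OPEN_MARGIN_CALL")
    elif call.broker != req.broker or req.amount > call.amount:
        findings.append("CALL_MISMATCH")

    # Control 2: assets go only to pre-approved settlement accounts.
    if req.beneficiary not in policy.approved_beneficiaries:
        findings.append("UNAPPROVED_BENEFICIARY")

    # Control 3: segregation of duties (case one: the reconciler also instructed).
    if policy.reconcilers.get(req.source_account) == req.requested_by:
        findings.append("REQUESTER_IS_RECONCILER")

    # Control 4: aggregate below-threshold requests instead of spot-checking them.
    since = req.requested_on - timedelta(days=policy.window_days)
    prior_total = sum(h.amount for h in history
                      if h.requested_by == req.requested_by
                      and h.beneficiary == req.beneficiary
                      and h.requested_on >= since)
    if prior_total + req.amount > policy.aggregate_limit:
        findings.append("AGGREGATE_LIMIT_EXCEEDED")

    return findings


def replay_case_two() -> Dict[str, tuple]:
    """Constructed data mirroring case two (three requests, no real margin call),
    plus a genuine request and a case-one style collusion attempt."""
    ledger = [MarginCall("MC-0017", "Broker A", 250_000, True)]   # a genuine, unrelated call
    policy = Policy(reconcilers={"CLIENT-042": "ops_reconciler"},
                    approved_beneficiaries=frozenset({"BROKER-A-MARGIN"}))
    requests = [
        TransferRequest("R1", "cust_mgr", "CLIENT-042", "ACC-771", "Broker B", 5_000, None, date(2024, 1, 10)),
        TransferRequest("R2", "cust_mgr", "CLIENT-042", "ACC-771", "Broker B", 8_000, None, date(2024, 2, 14)),
        TransferRequest("R3", "cust_mgr", "CLIENT-042", "ACC-771", "Broker B", 900_000, None, date(2024, 3, 20)),
        TransferRequest("R4", "ops_clerk", "CLIENT-042", "BROKER-A-MARGIN", "Broker A", 200_000, "MC-0017", date(2024, 3, 21)),
        TransferRequest("R5", "ops_reconciler", "CLIENT-042", "BROKER-A-MARGIN", "Broker A", 1_000, "MC-0017", date(2024, 3, 22)),
    ]
    history: List[TransferRequest] = []
    results = {}
    for req in requests:
        results[req.request_id] = (old_policy_decision(req, policy, spot_check=False),
                                   evaluate_request(req, ledger, history, policy))
        history.append(req)   # under the old policy every one of these was processed
    return results


if __name__ == "__main__":
    for rid, (old, new) in replay_case_two().items():
        print(f"{rid}: old policy -> {old}; new controls -> {new or ['AUTHORIZED']}")
```

Run as a script it prints each request's decision under the old threshold-and-spot-check policy and under the new controls. Note what the aggregate check alone does not catch: £5,000 and £8,000 are under any sensible rolling limit, so it is the independent confirmation against the margin-call ledger and the approved-beneficiary list that stop the first two requests; the aggregate check is a backstop that catches the £900,000 one even if those records were wrong.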
The classic case study is of course Nick Leeson at Barings, where the bank was subjected to massive, unmanageable exposures through unauthorized and hidden trades because of multiple failures of controls and the incompetence and failures of senior management in the bank, as well as elsewhere, such as at the regulator, the Bank of England.
There has been a significant change in the approach to managing operational risk since the collapse of Barings, and yet, as 2008 showed, risk events still occur and the management of risk remains a potential danger for some organizations.
So how can operational risk management be structured to try to deter and prevent fraud?
First we need to understand the sequence of events in a risk event.
As it is highly unlikely that we can prevent all fraud, although that would be the ultimate objective of the control framework, we need a structure that works after a risk event has occurred.
Second, we need to consider how to actively manage the potential risk event.
Key elements of the structure will be to kill the event, to consolidate the loss and then to learn the lessons. For example: did existing controls fail? Was this an unforeseeable event? Did one or more internal or external events have a significant influence? Did the KRIs fail to identify the risk? Is the event a systemic risk?
Finally, we will need an effective incident report about the event which, I will stress, needs to be productive and not a "blame document."
To summarize, effective operational risk management can and will play a significant part in managing potential fraud in financial institutions, whether in bank operations or among custodians in the investment fund industry.
Where a potential fraudster believes that there is inadequate risk management and a general disinterest in, or even hostility to, operational risk management, they will be comfortable that their fraud has a very good chance of success.
D.A. Loader, The DSC Portfolio Ltd

Risk terminology

Here is a glossary of frequently used risk terms.

Glossary of risk terminology

Each entry gives the risk, its description and, where the source lists them, the associated risk types.

Accounting risk
Occurs when a business adopts accounting practices for its products or services that are unsuitable, deliberately misapplied, implemented incorrectly or not in line with accepted market principles.
The risk also arises where there is doubt about which accounting standards apply, or where standards issued by different standard-setting bodies conflict.
Associated risk types: audit, regulatory, reporting

Action risk
The risk of an action being implemented erroneously, accidentally or in unsuitable circumstances, or being authorized or undertaken by unqualified personnel.
The resulting risks can create losses (costs, fines etc.), reputational damage (outcome and impact) and regulatory problems.
Associated risk types: management, settlement and payment risk; regulatory and financial risk

Audit risk
The risk that the audit process and the people carrying it out are unable to, lack the ability to, or do not sufficiently understand the processes and procedures being audited.

Basel directives
Inability to demonstrate compliance with the requirements set out by the Basel Committee on Banking Supervision (hosted by the Bank for International Settlements).
Associated risk types: regulatory

Business risk
A risk derived from the specific services and products of, and particular to the industry of, the firm concerned.
These risks are often subsets of strategic risk and originate in business units.
Associated risk types: operations risk, technology risk, people risk

Business continuity risk
The impact of internal or external events that interrupt or curtail the operation of the business for a significant period, or in such a catastrophic financial or logistical way that normal or viable operation becomes difficult.
Associated risk types: operations risk, client risk, counterparty/supplier risk

Client risk
The risk of being unable to manage the processes associated with the services provided to clients. It covers money laundering, fraud, and noncompliance with client regulation (regulatory conduct of business rules etc.), the key areas being suitability (funds), distribution of risk warnings, and client money/asset segregation.
Associated risk types: operations risk; people risk; regulatory (including fines); reputation (loss of clients/revenue)

Competition risk
A complex risk that can arise in a number of ways and is quite different from business risk, which is about internal decisions and actions.
Competition risk could arise from the entry of a new competitor or product into a market, with potential loss of market share and/or increased investment and costs to compete. This is particularly the case where new competitors cherry-pick profitable market segments, adopt or adapt to new technology and practices more quickly, or respond to changing customer requirements more rapidly. Examples can be found in e-banking, socially responsible investment products etc.
Competition risk can also apply to prolonged declining market share caused by an inability to change, and to poorly managed mergers and takeovers that result in massive loss of customers, rendering the strategic aims unobtainable and likely to entail severe losses for some period.

Compliance risk
The inability to comply adequately with external regulations or internal rules and controls.
This may be caused by a lack of knowledge of certain markets, products and regulatory requirements, and/or a lack of oversight of the business units involved.
Associated risk types: regulatory, financial

Counterparty risk
The risk associated with dealing with, or taking services or products from, another party.
Includes ongoing support and enhancement of services, and insourcing/outsourcing.
Associated risk types: operations risk
Country risk
The risk that clearing, settlement and client money regulation are not as strong as in the UK/US, together with the following country-specific factors:
Law.
Infrastructure.
Information distribution, which may be less transparent and/or harder to obtain.
Instability.
Tax environment/changes.
Associated risk types: operations risk, legal risk

Credit risk
The risk associated with the default of a counterparty on an obligation.
Associated risk types: financial (replacement loss)

Creeping risk
A risk that starts in one part of a business and then moves across and within the business, potentially having a greater impact in other areas (similar to a computer virus).

Custody/depositary risk
The failure to protect assets, and any resulting benefits on those assets, entrusted to the care and safekeeping of the firm.
Associated risk types: reputation, financial, regulatory

Data risk
Occurs when data is incorrectly generated, updated, stored or used.
Corrupted or incorrect data in critical systems (including risk systems) can have a devastating impact.
Unauthorized access to, use of, or publication of confidential client or business data can have such an impact as to put the very existence of the organization at risk.
Associated risk types: technology, control, fraud

Demand risk (liquidity)
A risk where there is uncertainty about future demand for a product, caused by uncontrollable or unforeseen changes in the market, for instance regulatory changes.
It also manifests itself where demand is greater than can be satisfied effectively and efficiently, causing delays and penalties to be incurred.
Demand risk is relevant to the passing of risk from one business unit to another, for example aggressive marketing of a product creating risk for the production team (meeting alterations "sold" by the sales team) or for client support teams (delays in delivery, quality etc.).
Associated risk types: strategic, operational, operations

Documentation risk
As well as errors within, and the ineffectiveness of, legal documentation, there is the risk inherent in publishing documents to clients, including correctness of information, suitability of the document (KYC and restricted product documents), confidentiality, and frequency requirements (regulatory, agreements etc.).

Fiduciary risk
The risk of breaching a fiduciary relationship, in either of the following senses:
1. A person legally appointed and authorized to hold assets in trust for another person. The fiduciary manages the assets for the benefit of the other person rather than for his or her own profit.
2. A loan made on trust rather than against some security or asset.

Fraud risk
The risk that, because of weak controls over payments, asset movements, authorizations, access to systems, and static data, an organization is vulnerable to an act of fraud by an individual, a group of individuals, or external parties.
E-banking presents potential for fraud if security over access and data is poor.

HR risk
See Personnel risk.

Insource risk
A risk associated with taking on additional operational workload with inadequate resources, knowledge and systems.
Associated risk types: operations risk; financial (compensation for performance); reputation

Key performance indicators (KPI)
Indicators showing a change in performance that may be evidence of increasing or decreasing efficiency and effectiveness of processes and procedures; often linked to KRIs.

Key risk
Risks identified as able to significantly impact the achievement of a business unit's objectives.
Likely to be proactively managed by the head of function/department on a frequent (i.e., monthly) basis. Typically 15–20% of total risks.
Firms develop key risk indicators to measure changes in the profile of the key risks.

Key risk indicators (KRI)
The identification of risks, and of the indicators for them, used in the risk management process.
It is important that KRIs are monitored for evidence of increasing or decreasing risk levels and also for their continued relevance.

Killer risk
Risks identified as able to significantly impact the achievement of firm, divisional and/or strategic business unit objectives, including any risk whose impact is so severe that it would render the firm incapable of continuing in business, or would leave it so vulnerable that it would be subject to takeover or wipe-out by competitors. Typically 2–5% of total risks.
Managed and tracked through key risk indicators.

Know your client (KYC)
A risk control measure that demands the organization has adequate and up to date knowledge of the client, its activities, the restrictions that apply to the client's actual or potential business, and the suitability of products and services marketed and sold to the client.
Also known as client due diligence (CDD).
Associated risk types: regulatory risk

Legal risk
The risk associated with the business of a firm in a jurisdiction, including areas like the investment manager agreement, prime broker agreement and other outsource agreements.
From an operations point of view it relates to areas such as netting, agreements, claims etc.
Associated risk types: settlement risk

Limit risk
A risk that a control measure is accidentally or deliberately circumvented, is incorrectly set, or is not reviewed and amended according to changed circumstances.

Loss database
A database that records incidents where a risk event has created a loss at or above a set threshold, plus other statistics related to internal and external risk events.

Management risk
A risk associated with the failure of management to be structured, or to operate, effectively in relation to the business.
Poorly trained, under-resourced/overworked or ineffective managers and supervisors are a massive operations risk.
Associated risk types: operations risk, reputation, regulatory

Market risk
Risk associated with the transactions undertaken by a firm in a market/product.
Mainly about price and liquidity, but can also be related to other risks like legal and competition risk.

Money laundering risk
A major risk for many organizations: breaches of the regulations can result in heavy penalties for individuals and loss of authorization to do business for firms.
Any organization covered by the regulations must ensure effective controls over possible money laundering, including making sure that employees are adequately trained.
Associated risk types: regulatory risk, financial risk, compliance risk

New market risk
The risk of operating in a new market environment where knowledge and experience may initially be low. It is also the risk that procedures and controls are not immediately at the standard expected in existing markets.
Can also apply to activity undertaken in emerging markets where the market infrastructure, practices and operation are themselves untried and untested.
Associated risk types: operations risk, systems risk, settlement risk

New product risk
This risk manifests itself when the launch of, or commencement of trading in, a new product, or the launch or use of a new service, is undertaken without sufficient infrastructure in place (including controls, systems, knowledge and skills) and without prior training of personnel.
Associated risk types: operations risk, systems risk, settlement risk, project risk

Operational risk
There are various definitions of operational risk.
The Basel Committee defines it as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
Most organizations would add "loss of reputation."

Operations risk
Part of operational risk; it applies to the functions that deal with areas like clearing, settlement, payments, delivery of client services, custody, systems etc.
Operations risk is the failure to provide the required processes, procedures and controls for the above.
Associated risk types: operational risk

Operational risk management (ORM)
The process of actively managing operational risks within a structure that adds value as well as reducing potential unnecessary losses.
Often run by a risk group, and usually has one or more operational risk managers in the structure.
Likely to include audit and compliance in some capacity.

Operational risk officers (OROs)
Name given to a person who is part of the group managing risk and is usually closely related to the business, so that they can liaise with both the business and the risk managers on risk issues.
Can also be called ORCs (operational risk coordinators).

Outsource risk
A risk associated with the outsourcing of operational functions and processes.
The risk is that you can outsource the function but not the responsibility.
Associated risk types: operations risk, reputation risk, compliance risk

Payment risk
A risk associated with the erroneous payment of monies.
Often, but not always, associated with fraud; it can nevertheless be a risk created by poor training, supervision and procedures for making and/or receiving payments.
Associated risk types: fraud; reputation (errors on client accounts)

People risk
The risk associated with individuals or teams of people. It is often about their potential as a source of risk, and also their potential to be a significant contributor to managing some risks, like operational risk.
One obvious people risk is the level of human error in processes, the level of procedural and business knowledge, and the ability to work in the environments particular to business units, products, services etc.
Associated risk types: operations; financial and reputation risk

Personnel risk
Differs from people risk in that it may arise from poor recruitment environments, uncompetitive remuneration, lack of or ineffective training and development etc.
Loss of key personnel is a major personnel risk.
Employment law is also part of this risk and includes areas such as diversity in the workplace directives and training, unfair dismissal etc.
Associated risk types: operations; financial and reputation risk

Project risk
The failure of a project to be properly managed, creating operational problems for the teams/areas of the firm affected, plus cost overruns, late delivery, failure to test adequately before roll-out, and failure to deliver to the project specification.
Associated risk types: financial risk, operational risk, business risk

Regulatory risk
The risk of noncompliance with the regulatory environment in which the business operates.
Particularly areas such as authorization, marketing and sales, conduct of business, client relationships, client assets etc.
Associated risk types: compliance risk

Risk event
The occurrence of a possible risk situation becoming an actual risk situation with resultant actual impact.

Standard risk
A risk that is identified and managed as part of the day to day business process by staff doing their jobs effectively and efficiently.
Controls are devised and implemented by managers and supervisors in the business.
Monitored by risk managers from management information provided by the business, but essentially not what the risk managers or OROs should be focusing on.

Strategic risk
A risk associated with decisions and leadership, that is, the adoption of a working practice that is old, untried or ill thought out and that results in unnecessary pressure, workloads, costs, and falling performance of people, systems and the business.
Associated risk types: business risk, project risk

Technology risk
The risk associated with the use of technology in a firm. The most obvious risks are:
1. Lack of knowledge of systems.
2. Inability to manage projects.
3. Lack of support for systems.
4. Lack of awareness of systems capability and scope.
5. Inappropriate systems for the business.
6. Old and outdated technology.
7. Access: hackers and viruses, malicious attack.
Associated risk types: operations risk

Value at risk (VAR)
A technique used to estimate, from statistical analysis of historical price movements and volatilities, the loss that a portfolio is not expected to exceed over a given horizon at a given confidence level.

Workflow risk
Risk associated with workflow and processes covering:
1. Variable flow.
2. Under resourcing.
3. Pressure points.
4. Disruption.
5. Lack of knowledge.
6. Unnecessarily complex procedures.
7. Poor technology.
8. Lack of STP.
9. Cross border processes.
10. Data sources.
Associated risk types: operations risk

Source: The DSC Portfolio Ltd. This glossary of terms is compiled from various sources and is believed to be correct, although no responsibility can be taken for any errors or omissions.

Summary

A great diversity of risks from internal and external sources can affect administrators, custodians and the fund itself.
Risk containment versus risk avoidance parameters must be established as part of the risk policy.
Recognize and understand the risk exposures that processes and procedures create.
Customer service generated risks must be understood and controlled to protect against financial loss and reputational damage.
Money laundering, fraud and theft pose real dangers for the fund and for its support processes.
Operational risk is identifiable and can be controlled.
The organization's people are its greatest control feature.
If a risk culture exists in the organization it will automatically reduce the risk the organization faces.

Possible Future Changes and Challenges in the Fund Administration and Custody Environment

The investment environment has undergone significant change and this will continue.
The main areas of change will be driven by the evolving regulation, by the economic growth or otherwise in the mature and emerging markets and the innovation within the investment process.
Some of the possible challenges may be related to the list below:
Greater demand for products from customers who are more and more sophisticated.
Product complexity increases, and so do the associated operational risks.
Product suitability is an issue and will require greater oversight.
Competition creates risk pressure.
Business and process changes are happening and will continue, and change is a major operational risk.
Greater supervision of activities will require accurate and timely record keeping.
Transparency and market disclosure requirements will increase reporting.
Greater demand for professional, qualified operational personnel to support more complex products, services and investment strategies, as well as for regulatory competence.
Change management will continue and represents a possibly significant operational risk.
Force fields (the drivers of, and resistances to, change) will need to be managed if projects and change are to take place efficiently and without problems.
Fluctuating risk levels will pose challenges for the control framework and oversight.
Firm-wide buy-in across the promoters, managers, administrators and custodians to support risk management is essential.
Capital allocation, liquidity ratios and leverage reporting will affect alternative investment funds under AIFMD.
The cost of control versus risk must be understood.
Demonstrating risk competence will be key going forward to meet regulatory requirements and client due diligence.

Summary

Risk is a major concern for both the fund and the administrator and custodian.
With investor confidence and trust still low, any situation related to a risk event will often be magnified out of all proportion.
Potential risk events must be identified and adequate risk management applied however large or small a fund or administrator/custodian might be.
Reputational risk is potentially as damaging as financial losses, maybe more so for suppliers of services to funds.
Agreements may offer some redress possibilities but they do not prevent a risk event happening and so in addition to operational risk, a fund is also exposed to counterparty risk where a third party is used.
Due diligence and oversight become therefore of major importance.
Remember that while a fund can ask the administrator to assist it in managing its operational risks, it cannot outsource the responsibility.