While many advisory firms are keenly attuned to identifying the investment risks associated with using underlying third-party managers, such as subadvisors, separate account managers, and hedge and private equity fund sponsors, operational due diligence has generally garnered less attention. Yet, this is an imperative that advisory firms cannot afford to overlook.
The SEC considers operational due diligence of such managers as a part of an advisor’s fiduciary duty owed to its clients. The failure to conduct proper operational due diligence could lead to regulatory or civil liability should a client’s assets or information be lost, stolen, or otherwise compromised. This article provides a blueprint for firms seeking to adopt a program for conducting operational due diligence on such managers and focuses on three critical “P’s”: personnel, processes and privacy controls.
What Is Operational Due Diligence?
There is not a uniform definition for operational due diligence. However, it is widely seen as an analysis of the non-investment related risks impacting a manager. Investment risk is the risk that actual investment returns will be lower than investors expect and an analysis of risks often focuses on a manager’s investment philosophy, process, methodology and strategy. On the other hand, operational risk is the risk that a manager’s operations will lead to investment losses, misappropriation of assets, and/or loss of client information. Such an analysis principally focuses on a manager’s personnel, supervisory structure, operating and compliance procedures, and other risk management resources.
The Basic Tools
Tools abound to assist investment advisors in conducting operational due diligence. However, the background of most operational due diligence programs is the due diligence questionnaire, which solicits responses from third-party managers about their business and operations. The due diligence questionnaire often accompanies a request for additional documents from the manager.
However, Ronald Reagan’s old adage, ”trust but verify,” is a fundamental tenet of operational due diligence. As such, to verify information and responses provided by a third-party manager, an investment adviser must utilize other tools. Online searches of a third-party manager’s website and social media pages, the review of its Form ADV on the Investment Adviser Public Disclosure website, and Google searches can reveal a great deal about a manager and even provide background information used to customize the due diligence questionnaire.
Increasingly, onsite visits of a manager are becoming more prevalent because some managers will only allow for certain sensitive information to be reviewed onsite. However, onsite visits also allow an advisor to interview the manager’s employees and to observe a manager’s operational processes and risk management systems at work. Some advisors will ask to speak with a third-party manager’s service providers, such as custodians, auditors and fund administrators. These tools are designed not only to gather information about a manager, but also to ensure that such information is consistent with what the manager is saying.
Key Functional Areas
There is no one-size-fits-all approach as to what should be addressed when conducting operational due diligence because each manager is different. However, many types of issues surface time and again. In this article, we will focus on three principal topics: the manager’s personnel, processes and privacy controls.
It is critical to review a third-party manager’s personnel to ensure that they have appropriate integrity, experience, expertise, judgment, and familiarity with the manager’s operations to carry out the manager’s goals and mission.
Such a review will often begin with a review of the manager’s organizational chart which will provide a visual representation as to where the employees of a manager and any of its affiliates sit in the organization. The organizational chart allows for key personnel to be identified. Special attention is often given to ensuring that a manager’s chief compliance officer, and perhaps chief operating officer, has sufficient qualifications, experience and knowledge to carry out their responsibilities on behalf of the manager.
Operational due diligence often encompasses an evaluation of the manager’s key personnel. The operational due diligence questionnaire will often request information relating to key employee biographies and information as to a manager’s process, if any, for conducting background checks on key employees. Third-party managers are also often asked for the list of responsibilities and the length of employment for key employees. Additionally, information relating to compensation arrangements for key employees may also be requested to determine the likelihood of retaining them.