Six Key Risk Management Strategies to Head Off Trouble
Total Page:16
File Type:pdf, Size:1020Kb
SafeguardingShort, engaging privateheadline equity firms Six key risk management strategies to head off trouble March 2017 kpmg.com Authors Shruti Shah Shruti is a principal in KPMG’s Advisory Services practice. With more than 20 years’ experience in the financial services sector, Shruti specifically focuses on alternative investments such as private equity, asset management, and real estate. Christine Buchanan Christine is a partner in KPMG’s Advisory Services practice. She has more than 20 years of experience serving clients in the financial services industry. Her primary focus is large investment management organizations, alternative investment vehicles, and mutual funds. Before moving to the advisory side, Christine spent many years auditing asset management clients. We would also like to acknowledge the following members of our KPMG asset management advisory team for their invaluable contributions to this white paper: David Calef, Andres Cools, Ray Dookhie, Sean Gleason, Laurence Godin, Jeff Lee, Greg Matthews, Mark McKeever, and Vivek Mehta. Contents Introduction 2 Managing technology risk 4 Managing third-party risk 7 Managing fraud and misconduct risk 10 Managing cyber risk 14 Managing compliance risk 17 Crisis management 20 Final thoughts 24 How KPMG can help 25 Contact us 26 Introduction Increasing competition for portfolio company investments. More pressure to deliver returns to investors. Mounting The top risk management issues are: regulatory requirements domestically and globally. — Technology risk Cyber threats abound, becoming more precipitous with — Third-party risk unprecedented technological advances. — Fraud and misconduct risks And all of these potentially disruptive developments are taking place at ever-increasing speeds. What’s more, news— — Cyber risk especially bad news—travels around the globe almost — Compliance risk instantaneously thanks to the Internet and social media. — Crisis management The upshot of all this is that the value of a private equity firm and/or its portfolio companies can plunge even before The U.S. Securities and Exchange Commission (SEC) and there’s a chance to react. That’s why it’s essential for private other domestic and global regulatory bodies expect private equity firms to keep close watch on myriad strategic, equity firms to have a well-developed and thought-out risk operational, and external risks that can potentially impact management framework to address these issues. What’s them. Equally, if not more, important is for these firms to more, this expectation applies to the firm itself as well as have an effective risk management framework in place. its portfolio companies. Funding risk management measures Similarly, investors are demanding more transparency a challenge from private equity firms (often with the SEC’s backing). While these are challenging tasks for virtually all They want to know that the private equity firm with whom companies, regardless of industry, they are particularly they’ve placed their assets has anticipated these risks, is tricky for private equity firms, which may lack the focus and prepared to take action if or when they occur, and that their budgets required to manage these escalating risks. assets are secure. What’s more, getting buy-in from deal-focused private equity firm management to expend resources on risk prevention measures can be difficult. After all, every dollar Private equity is all about spent on risk prevention means fewer funds available to increasing value and achieving invest in a portfolio company or to award as a bonus. And there’s no guarantee that the potential risk—whether it’s a return on investment for you fraud, misconduct, or cyber—will actually occur. and your investors. But if you The flip side of the coin, of course, is that by not taking choose not to make the necessary proper risk prevention measures, you expose your firm to far greater losses in terms of resources, value, penalties, investments needed to manage and reputation. the risks inherent in your firm Top risk management issues and your portfolio companies, We’ve listened to industry experts, spoken with internal audit and compliance professionals, and gained insight you may find that all you built up from KPMG LLP (KPMG) colleagues who work with private equity firms. The result is our list of top risk management is washed away in the blink of issues facing private equity firms—along with practical an eye.” actions we recommend they take to eliminate, or at least mitigate, risk. –Shruti Shah, KPMG Partner, Risk Consulting Safeguarding private equity firms 3 Managing technology risk Private equity firms have traditionally focused their Following are three best practices that can maximize technology risk management (TRM) on identifying and technology risk preparedness at both the firm and portfolio addressing risks related to information security. But company levels: in recent years, as private equity firms continue to increase their technology footprint, TRM has undergone Holistic approach to TRM an evolution. The traditional approach to TRM included three lines of defense: (1) those aligned with the business or operational More and more, it’s being viewed as an opportunity to function, (2) those tasked with oversight of compliance and provide business value, anticipate issues before they risk management, and (3) auditors, audit committee, happen, and support business growth objectives. and/or compliance. “A robust technology risk “A robust TRM function measures Now, increasing numbers management function of financial services firms not only measures a a private equity firm’s risk are placing a dedicated risk private equity firm’s risk management professional in exposure, it also defines exposure, defines its overall IT risk the first line of defense (at the organization’s overall IT appetite, and enhances its control the business or operational risk appetite and enhances level), and charging him the control environment by environment by working directly or her with effectively working directly with the with the business lines.” engaging and integrating business lines,” stated Vivek with the second and/or third Mehta, KPMG Technology –Vivek Mehta, KPMG Partner, lines of defense. Risk Advisory partner. Emerging Technology Risk This is a more holistic “As TRM becomes more mature within a firm, approach to TRM, and also it transitions from providing ad hoc control reviews to allows for real-time identification, escalation, and resolution enabling proactive risk management,” he added. “It does of risks. However, based on our observations, it seems so by using a combination of techniques, such as controls that private equity firms as a whole are lagging behind testing, key risk indicators (KRIs), and data analytics to in this evolving practice. We would recommend that it is address threats before they occur.” something they should consider adopting. Maintaining an evolving risk inventory As private equity investment strategies continue to evolve, your risk inventory— Be strategic the risks against which you are guarding—should adapt accordingly. For example, PE firms and their portfolio companies now need to identify risks related to cyber threats, cloud-based software, identity and access management, e-mail, “To be truly strategic, CIOs protection of intellectual property, and protection of investor information, to need to think about how value name a few. is created. Many are good at cost cutting, but this is almost Performing an annual risk assessment and adopting integrated tools to help by definition a backward-looking maintain and update your inventory are essential. This might include an exercise—optimizing something enterprise risk management (ERM) tool to house your risk library. This will allow that is already in place. for real-time monitoring of risks. This is not strategic. CIOs What’s more, periodic monitoring and updating of your risk inventory help need to think about what ensure that you’re accurately addressing those risks that can impact the firm’s future possibilities there are to strategic goals. Even better would be a continuous risk monitoring program that leverage technology for new could help ensure that risks potentially impacting the firm’s strategic goals are value and top-line growth. dealt with on a real-time basis. This is what differentiates the In addition, an ERM solution may provide the chief information officer (CIO), strategic CIO.” or those charged with overseeing technology, with the information and other – Peter A. High, resources needed to influence the management of critical IT risks on an Implementing World Class IT enterprise-wide basis. Strategy: How IT Can Drive Align technology risk with other risk functions Organizational Innovation IT risk should not be viewed in a silo, but rather in the context of other risk functions within the enterprise, including the others risks identified in this white paper. A common language must be established within the firm—and throughout its portfolio companies, if appropriate—to provide a platform for identifying interrelationships between risks. Integrating the firm’s technology risk with other enterprise risk functions will provide a holistic approach to analyzing the impact of potential future obstacles in achieving the organization’s goals and objectives. Private equity firms should also give TRM a “seat at the table.” This will provide for a more comprehensive approach to firmwide risk management, early identification and remediation of potential pitfalls, and create