Top five operational risks in fund administration in 2018
Basel II defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events”. This is a pretty wide ranging description, although the convention does set out seven categories to help group the various risk types:
Internal fraud
External fraud
Employment practices
Clients, products and business practices
Damage to physical assets
Business disruption and system failure
Execution, delivery and process management
The collapse of Barings in 1995 was a real watershed moment—a perfect example of the failings of process, people, systems and external events, in the form of a large earthquake in Japan and adverse movements in the Nikkei index. The subsequent introduction of the ironclad three lines of defence (operations, risk function and internal audit) did not prevent, however, 13 years later, Société Générale’s Jerome Kerviel from being allowed to gamble and lose €5 billion.
So here are my top five operational risks:
People - the weakest link
Despite recent technological advancements, the world of fund administration is essentially still a people industry. Some examples of poor management still exist, particularly around operational risk and controls. Staff who lack the right qualifications and training increase the probability of errors, and administrators can be demotivated by monotonous and tedious workflows. Too many admins are still laden down with spreadsheets. An unhealthy corporate culture often results in high staff turnover rates and key person dependencies. The over-dependence on key employees, errors and performance failures can be significantly reduced by a continual drive to maximise automation, providing transparent business process management and strong oversight controls. The motivation, empowerment and education of employees, with related accountability, provides the strongest first line of defence against operational risks. The best-run fund administrators are those that consistently invest in their people as well as their technology.
Cyber risk and data security
The EU Commission has estimated the cost of cyber-crime globally will rise to €1.89 trillion by 2019, but only around ten percent of this is being spent on prevention. Robert Mueller, former director of the FBI even stated: “There are only two types of companies; those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” Ginni Rometty, IBM’s chairman has also stated that cyber-crime may be the greatest threat to every company in the world.
High profile incidents such as the theft of $65 million from the Bank of Bangladesh through SWIFT vulnerabilities have impacted fund admin operations. Cyber criminals are becoming increasingly sophisticated, yet the majority of the funds industry is lagging far behind. Older technology legacy platforms further increase operational risk levels, and there have been high profile occurrences of failed upgrades combined with inadequate disaster recovery and business continuity procedures. This is an area firmly in the spotlight of regulators globally.
Compliance failures
Unsurprisingly, regulation remains a significant challenge given the thousands of new and amended pieces of legislation impacting the asset management sector each year. Costs associated with this growing regulatory burden have been largely subsumed by fund admin departments, while the risk of compliance failure including regulatory fines appears to have exponentially increased.
Regulators globally are looking closely at procedures to counteract terrorist financing and money laundering and the EU’s forthcoming General Data Protection Regulation, coming into force in May 2018, has far reaching consequences for fund administrators and their clients, including mandatory breach notifications and the potential financial and reputational damage associated with failure to comply.
Outsourcing and offshoring
Outsourcing and offshoring is arguably the single biggest trend in fund administration in the past ten years. The obvious upside for successful offshoring includes operational cost savings, fully utilising global time zones and alleviating concentration exposure. Possible downsides include inadequate operational oversight, a lack of understanding of cultural and regulatory differences, geopolitical impacts as well as unforeseen communication, system and IT issues. Back in March 2017, The Central Bank of Ireland published a CEO letter to all Irish based fund administrators stating that it felt the current level of outsourcing was “at or close to the outer limit of what is appropriate for this industry”. The letter went on to set out expectations for the sector, including a dedicated outsourcing manager/team.
Geopolitical and economic triggers
A significant headwind in the past 12 to 18 months, geopolitical and economic triggers are essentially external events and mostly out of the control of administrators. They can however be planned for, or at least the impacts partially mitigated. Obvious examples include Brexit, Trump’s tax plans and foreign policy, regional conflicts and political instability in various offshore locations. There is also the possibility of market downturns and skilled labour shortages.
In a highly competitive and increasingly regulated environment, it is essential for fund administrators to minimise losses resulting from operational risk events by carrying out effective top-down and bottom-up risk identification and assessment across business lines and functions. Each process should be mapped, inherent risks identified and related controls assessed for effectiveness.
Risk assessments should also include all related third-party service providers, including market data vendors and technology providers in order to ensure the highest standards of secure, transparent and robust service delivery.
.jpg)