Since my first child came along, I have noticed interesting parallels between the challenges of raising a new human and challenges I encounter on my projects in the world of investment management. In particular, one comparison stands out: the essential role of risk and controls. In our industry, risk and controls play the role of the responsible, but often underappreciated, adult. It’s a role I know well as a dad, and one that’s necessary for operational success.
Consequences of Neglecting Risk and Controls
Now, let’s dive into what particularly frustrates me about this role (I’m talking about risk and controls, not parenting). I firmly believe that risk and control safeguards exist to ensure our safety and keep us on the right track.
Disregarding these measures is akin to children ignoring their parent’s warnings about playing with matches. Just as the consequences of a fire can be disastrous, neglecting risk and controls can have severe repercussions for any organisation.
Why would anyone not want to be aware of both avoidable and inevitable risks? If something is about to go awry, I’d prefer to be among the first to know and in sync with all stakeholders in the value chain affected by the issue.
Yet, I’m certain that many of us have encountered situations in our professional careers where assumptions were elevated to the status of facts, driving numerous business decisions. This tendency can intertwine with the overall culture surrounding risk and controls, leading to issues in resource allocation and decision-making processes.
This approach can embed itself into the organisational culture surrounding risk and controls. It leads to wasted time and resources spent chasing false alarms and fosters a habit of ‘firefighting,’ where departments constantly jump from one active risk to another. All these are caused by the lack of foresight when ‘evidencing’ thoughts with assumptions. Moreover, this problem is cyclical: when risk and control management lose credibility, it can lead to disengagement from key stakeholders across an organisation.
What I’m saying is risk and control frameworks should capture everyone’s attention, providing a guiding light for where the business should be concerned and how it can be better. And utilising data is one way to do this. It has the potential to demystify risk and controls–making them relative to the business and more effective.
The Three Core Risks Felt By All Firms
If we were to break it down, there are three core types of risk that should be managed by investment managers:
Investment Risk—The Chief Information Officers (CIO) and investment teams need to ensure that concentration, credit, liquidity, and market exposures are managed in line with fund guidelines, regulation, and the asset managers policies. This is key to building the business and delivering returns to clients.
Operational Risk—The COO is accountable for making sure the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events is monitored and managed effectively and as proactively as possible. This is essential for running the business and servicing clients.
Market Risk—The CRO oversees the monitoring of systematic risks to the company. These market risks can be caused by a variety of factors, including economic conditions, geopolitical events, and investor sentiment. This is to insulate and position the business as much as possible from factors outside of the organisations control.
Establishing C-Suite Priorities for Data-Led Risk Management
Utilising data empowers us to achieve a range of objectives. It enables us to identify and assess risks more accurately, design and implement more effective controls, and continually monitor and enhance our risk and control frameworks.
For the Chief Risk Officer (CRO), this means taking a top-down approach when assessing all risks, facilitating informed, big-picture decision-making. It involves understanding the alignment of operational risk with investment risks, as well as how they interact with broader macro and microeconomic factors.
The CRO of a leading global investment manager is concerned that they do not have a holistic view of risk, especially as it relates to interdependencies across operations and the front office. The CRO needs a way to aggregate information on market risk, credit risk, liquidity risk, operational risk, and strategic risk. The underlying data for these risk types comes from a wide range of sources but to ideally use their stress testing and scenario analysis models, they need integration across a wide range of internal and external data sources. The CRO works with the CTO, COO, and CDO as they assess how to accommodate their needs within the broader technology and data strategies. The group decide to leverage a new, cloud-based data warehousing solution to ingest structured and semi-structured data from a variety of in-house and external data sources. This tool works within the company’s broader platform strategy and not only offers the CRO a consolidated view of risks, it empowers them to use advanced analytics and cutting edge predictive models.
For the Chief Operating Officer (COO), the focus lies on ensuring operational continuity and responsiveness to business needs. It expands to pinpointing weaknesses and addressing them promptly, as well as being aware of any issues with third-party service providers for example, potential collateral exposure that may exceed our risk appetite with an OTC investment.
The COO of a leading global investment manager needs to provide high quality data and outputs to the CRO so that they can analyse, assess, and determine action the company needs to take to stay within the risk parameters that have been set. The COO will need to be able to ensure that the requirements are understood, working with the CTO and CDO to feed these into the data and technology strategies. If these outputs are to enable the corporate strategy, they should in turn determine the technology strategy, such as using cloud-based data warehousing solution to ingest typically structured data from a variety of in-house and external data sources. The insights from this data will stream from the core operating platforms and service providers that are under the accountability of the COO, which gives the COO greater control of the sourcing of data as well as the quality assurance. The COO can also use this solution as a way of managing supplier risks and service levels against the agreed SLA's.
Unlocking the Benefits of a Data-Led Risk and Control Strategy
Early on in my career, I encountered an issue where I lacked the data to prove out an audit inquiry into our service level deliverables with a supplier. Though I had a general idea that the services in question were being delivered acceptably, I didn’t have a data trail to point to. Relying only on my anecdotal evidence wasn’t enough and the inquiry was escalated up the chain of command. The lesson learned for me was that data needs to be the bedrock of risk and controls.
By embracing a data-driven risk and control strategy, this issue could have been avoided. But a data-led risk and control strategy extends far beyond audit time savings—it gives C-Suite and other executives a holistic perspective, sharpening their foresight, precision, and operational resilience.
The advantages are manifold:
Enhanced Risk Identification: Use data to uncover risks that may have remained hidden, expanding your risk awareness.
Precise Risk Assessments: Use data to allow for more accurate quantification of risks and their potential impacts.
Efficient Risk Management: Automate critical risk management tasks, from stress testing to portfolio rebalancing, streamlining your operations.
Transparency and Accountability: Leverage data-driven reports to improve transparency and accountability in your risk and control management activities.
Robust Risk Policies: Develop effective policies and procedures for identifying, assessing, and mitigating risks.
Business Continuity: Ensure your business can weather major disruptions with robust operational planning.
This approach not only fortifies your risk management but also offers broader business value. You can reduce operating costs through more effective controls and decrease the risk of fines and sanctions. Plus, it enhances trust with existing clients through client due diligence. It also paves the way for engaging prospective clients, fuelling new business opportunities and revenue growth.
So How Should Investment Managers Lay the Foundations for a Data-Led Risk and Control Strategy?
To succeed in implementing a data-led risk and control strategy, investment managers must establish some essential foundations. In my experience, the following approaches have consistently proven to be effective and highly valuable:
Establish a purpose, for monitoring and managing your risk and control framework as it will provide the organisation with a reason and outcome to achieve that is relatable to them.
Secure senior ownership and accountability, this must drive the culture and behaviours and ensure sufficient focus is given.
Determine your outputs and metrics upfront once these have been proposed and agreed ownership of the metrics and associated remediation plan for anything out of appetite must be established.
Build trust, this can only be achieved by knowing what data is being monitored and used to create the metrics and outputs. If there is not agreement on the source of the data, what the inputs are and a lack of trust in the quality of the data, the output will never be accepted or used effectively.
Take only what you need, follow what I call the ‘Goldilocks principle.’ For those who do not know this it is simply put as, an organisation needs to have just the right amount and type of data as too little or too much will skew the outputs in a less than favourable way.
In today's environment, data-driven risk and control strategies have become essential. These strategies, driven by a clear purpose, senior ownership, and precise data, empower investment managers to navigate risks with foresight and precision.
By unlocking the potential of data, operational leaders can identify hidden risks, streamline operations, and ensure business continuity. The result is not only enhanced risk management but also reduced operating costs and increased client trust, ultimately fuelling new opportunities for organizational growth. And to come full circle as it pertains to fatherhood, risk and controls keeps us safe, sane, and fuels opportunities for human growth.