Today, some larger hedge fund firms with established governance frameworks find themselves well-positioned to meet the challenges new regulations will pose. Now is the time for these firms to assess their strengths and weaknesses in the areas of governance and risk, and then look for ways to broadly enhance their efforts. For smaller firms with limited resources, or for those that currently have few formal governance processes in place, the challenges may be greater.
The question all organisations should be asking is: How can we position ourselves for meeting the demands of a market that is calling for more transparency, disclosure and regulation? The foundation of this answer is threefold: 1) establish a more formal governance and risk framework with the appropriate sponsorship and involvement from senior management and the board; 2) embrace more sophisticated oversight that reduces both risk and surprises, in the form of dedicated risk management and compliance functions; and 3) establish or improve the internal audit function. Firms should approach all of these efforts holistically — considering their impact on all stakeholders within the organisation. When done correctly, a broad approach to organisational change can maximise efficiencies throughout a firm.
Risk and regulation
The crisis in the banking sector and the evaporation of trillions of dollars in wealth has spurred investors to exercise more caution as they consider taking on risk. Consequently, risk management has become a potential differentiator to many institutional investors and sovereign wealth funds. These investors now request from hedge fund managers rigorous oversight functions designed to reduce risk. In response, executives are not only addressing regulatory compliance risk, they are investing in the infrastructure to support the management of operational, technology, market and counterparty risks. They are also implementing more robust treasury and cash management practices that maximise returns, while lowering the risks associated with liquidity and forecasting.
More important, though, investors are asking these firms to provide more information on processes that firms once considered proprietary competitive advantages. Although it remains to be seen how far future regulation will go in terms of transparency, funds can go a long way toward meeting the appeals of existing and potential clients by making the right investments in a governance and risk management framework. They can lessen risk across the organisation by addressing it holistically, and by being as forthright and transparent as possible about these processes, without disclosing proprietary information.
Internal audit
With heightened scrutiny forthcoming, some hedge fund firms are now re-assessing their approach to internal audit by investing in a dedicated new function, enhancing an existing one and/or seeking assistance from an outside third party. The use of external SAS 70s has also been on the rise. Firms are also performing comprehensive reviews of their operations that mirror an actual internal audit. While such efforts are a good start, in the current investment climate, financial firms of all sizes could realise considerable benefit from making an investment in internal audit. Why? An effective internal audit function can help firms assess business strategies and models with increasingly complex risk profiles. A number of factors are raising levels of risk exposure, including: costly IT investments, expanding third-party relationships, new products and channels and, perhaps most notably, additional regulatory requirements.
Internal audit can also help firms quantify and assess the scope of challenges associated with public offerings, the launch of new funds and a host of other objectives. According to the Institute of Internal Auditors, the process “helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” Inherent benefits of internal audit will differ from firm to firm.
Holistic governance
Creating an effective governance and risk management framework throughout an organisation can be time consuming, costly and difficult, particularly without a proper strategy for success. It can also end up being unwieldy and inefficient if undertaken in silos. In this scenario, effort is duplicated, resources are squandered and efficiencies are lost. Therefore, for example, when an organisation builds a compliance program, invests in technology and shores up its infrastructure, it must do so broadly, with consideration given to the needs and goals of all stakeholders, including internal audit and risk management.
An effective governance strategy begins at the top. Below that, an effective governance framework consists of three levels of defense. The first level includes policies and procedures that give ownership of managing risk to individuals working in the front, middle and back office operations. For example, at this level, the governance model dictates how employees executing trades, or overseeing third-party service providers should operate from a policy, procedure, internal control and overall risk perspective. The second level establishes a compliance and risk management function that interprets the rules, provides training, monitors and advises the business and helps develop policies and procedures. Based on the firm’s operating model and size, compliance and risk may own some of the processes such as maintaining the code of ethics, monitoring investment guidelines and performing risk assessments. The third level of defense is internal audit, which works closely with risk and compliance to uncover governance issues and help an organisation avoid surprises. Internal audit is responsible for validating the risk framework and providing assurance that it is operating as designed.
Using this basic framework, each organisation can tailor its efforts to meet its own unique needs and budgetary limitations. Some smaller firms will need to continue to use risk, compliance and investment committees to act as the risk management function for the organisation, while leveraging the compliance function. In other instances, it may not be practical to have a formal internal audit function; such firms may instead leverage the compliance function to perform periodic testing, together with the results of third-party assessments and SAS 70s. But before using such strategies, firms should give careful consideration to all risks, including those brought on by the changing regulatory environment, the prospects of increased growth and the ever-increasing demand for more transparency and disclosure.
Currently, some hedge fund firms are preparing for the brave new regulatory world by adopting a formal governance and risk framework as a starting point from which to begin the process of assessment and planning. Others are revisiting existing governance and risk management programs to see what, if anything, they can do to enhance their approach to risk management and create more transparency. Both groups understand that the time to act is now. Regulation, when it is adopted, will not wait for those who are unprepared.
Commentary
Issue 59
Meeting New Questions Head On
Regulations need changes in governance
ARTHUR TULLY AND ALAN FISH, ERNST & YOUNG
Originally published in the July/August 2010 issue