During a recent event with EisnerAmper in New York City, we discussed Operational Due Diligence (ODD) for investment management firms. We were lucky to be joined by Frank Napolitani from EisnerAmper, as well as ODD experts Maura Harris from Bostwick Capital and Beste Portnoff from Bessemer Trust. Steve Schoener from Eze Castle Integration covered cybersecurity and IT best practices and how they fit into ODD. During the event, we covered Operational Due Diligence red flags that could lead to investment deferment, as well as cybersecurity risk factors and IT best practices.
Operational Due Diligence Red Flags:
- People: Investment management is a relationship business. It is crucial to see who is in charge, what they do, and how they are running the business. Do they have a control framework? What processes do they have in place? Employees at the firm must understand the risks associated with their organization. Additionally, the management team should be well-qualified for their roles; for example, a CEO should have the appropriate experience, as well as years under their belt, to lead the company.
- Alignment: Building on this, how are the employees at the firm, from the top down, aligned with the investors? How is the organization aligned with the SEC best practices and beliefs?
- Transparency: Is the organization transparent and honest? Investors need transparency into the people and policies your organization has in place. Any element of untruth or dishonesty can kill a deal.
- Investment Team Part of Meeting: In some cases, ODD professionals find this to be a red flag. The investment team should be performing their roles as investment managers, not answering ODD questionnaires. Of course, if you are an Emerging Manager or a smaller firm, perhaps the investment team is part of the management team and can be considered an exception.
What are some common DDQ (due diligence questionnaire) questions from the cybersecurity and IT perspective?
- What policies and procedures do you have in place? It is crucial for your firm to be aware of what policies and procedures are in place in terms of cybersecurity. Your firm should be able to answer the following: What is the data, where is the data, and who can access the data?
- Why do you have these policies and procedures in place? It is important to also understand and be prepared to answer WHY your policies and procedures are in place. Of course, your firm needs layers of security, but your firm may not necessarily need every layer, especially if you’re an emerging manager or a smaller firm. If that is the case, it is crucial to have an answer to why you did or didn’t put certain security measures in place.
- What policies do you have around your employees and staff? It is no secret that people inside the organization can be the biggest threat to its cybersecurity, whether through a disgruntled employee or an accident. Programs such as formal employee training, managed phishing and training, or the principle of least privilege (allowing employees access only to the documents and files they need) can mitigate these threats. Having a top-down approach to cybersecurity is also crucial and creates a culture of security within the firm.
What should your firm be prepared to answer at an ODD meeting?
Your firm should be able to articulate the policies and procedures in place within the organization, and why those policies and procedures are in place. Some topics include:
- Pre-trade compliance
- Post-trade allocations
- Regulatory and compliance
- IT infrastructure
- Cybersecurity preparedness
At the end of the day, Operational Due Diligence professionals are not there to provide a roadmap to success or quantitative goals for your organization. They want to see organizations and their leadership think for themselves.
Interested in coming to an Eze Castle Event? See our full list of Seminars HERE.