Increased regulatory requirements have pushed alternative fund managers to think more about risk, which has become multi-faceted: it is no longer about evaluating market risk ex post, but monitoring counterparty risk, liquidity risk, cyber risk, compliance risk and technology risk.
As the regulations become more stringent, so managers' awareness of what they need to do to adhere to them has risen.
George Ralph, Managing Director of RFA, says that to deal with increased regulation, and the rising threat of cyber attacks, managers are increasingly turning to IT outsourcing.
"However, this does not mean that managers can transfer risk to a third party vendor and expect them to get on with it; there's got to be an element of shared risk. This was raised in the FCA's FG16/5 guidance paper released last July," says Ralph.
Specifically, section 3.4 states that "Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities. Firms cannot delegate any part of this responsibility to a third party."
Regulation, like risk, cannot be outsourced. Even though fund managers rely on IT vendors to provide infrastructure-as-a-service, or a broader suite of managed services, they are merely solving the technology component. This is not a risk transference exercise.
Striking the right balance is therefore critical when outsourcing. Firms need to have an IT risk management process in place to monitor all of their business risks, regardless of whether they are managed internally or externally.
"If you consider the components of an operational risk framework, having a very clear objective as to how you manage risks, identifying which risks you are willing to take on internally, and placing comments alongside each identifiable business risk as to how you would mitigate it, is useful. Then, you should have a board member who is responsible for each one of those risks. I don't think one individual should be responsible for all risks in a business," comments Ralph.
He concedes that if there is a limited (not wholesale) element of risk transference when outsourcing, there needs to be clearly defined terms in place detailing what the vendor is doing to mitigate that risk.
As investment firms embrace technology to meet the regulatory challenge, it is more important than ever to put in place a robust IT risk management process to stay both compliant, and secure.
Full news
© Hedgeweek
Key
Hover over the blue highlighted
text to view the acronym meaning
Hover
over these icons for more information
Comments:
No Comments for this Article