Operational Risk and Insurance: Introduction and Basic Considerations
Undoubtedly, the previous decade was dedicated to generating opportunities and placing Cyprus on the map as a solid financial services and funds jurisdiction. Now it is more important than ever to ensure the sustainability and professionalism of the funds industry by engaging deeply in risk management. Among the main risks a fund manager/fund is facing, operational risk is usually left behind in terms of prioritisation, which is at odds with the complexity and sophistication of modern fund structures.
Operational risk is the main area on which the concept of insurance is based. In this article we will focus on the main operational risks that the insurance market has dealt with successfully, providing meaningful coverage for fund managers and their funds under management.
Liability when offering professional services – When a fund manager/fund engages with a fund/investor to provide certain services (i.e. fund management services, portfolio management, investment advice, risk management etc.) in return for a fee, the fund manager/fund has the responsibility to perform such services with due care and skill. In the course of this relationship, the professional may cause losses to its clients as a result of an error, omission or failure to provide the agreed services. This liability can be transferred through a suitably drafted Professional Indemnity insurance policy which will cover legal defence costs / investigation expenses and indemnification of client losses.
Management liability – Every company is managed and controlled by its board of directors and officers. These people have the ultimate responsibility towards the operation to act in its best interest. Their unlimited personal liability creates a risk that can affect their own properties and families. This risk can be transferred through a Directors’ & Officers’ Liability insurance policy protecting the natural persons (directors, officers and any employee of the company acting in a managerial role) for their liability when taking a management decision that can cause loss to a third party (i.e. shareholder, creditor, client, employee for unfair treatment/discrimination/layoff/harassment etc.). Relevant cover commonly includes defence costs/legal expenses along with indemnification and in some cases can be extended to cover regulatory investigations and civil/administrative/regulatory fines.
Internal and External Crime – Firms can become victims of unlawful acts by either their employees or third parties with the intention of gaining profit or causing damage. The risk arises from the concentration of assets/wealth in the investment structure, which creates a temptation for criminal activity. Firms can insure against internal and external crime through Crime coverage that can be offered either as a standalone policy or in combination with other coverages.
Experience has shown that the above risks are interlinked in many ways between the fund manager and funds themselves. This has led to the creation of combined insurance solutions that acknowledge these relationships and provide homogeneity of coverage across all entities (fund manager and funds under management).
There is an ongoing discussion with regard to technology risks, such as cyber security breaches and interruption or technology failure in general, which leaves room for further evaluation of the respective risks covered by available insurance policies.
Generally, risk managers need to make sure that after identifying potential risks, a risk analysis is performed and following determination of the risk appetite of each fund separately, the remaining risk is either mitigated through increased controls or transferred through insurance or both in many cases. The type of insurance contract, the level of coverage, the choice of insurance company and the scope of cover need to be discussed with a suitably trained insurance consultant ensuring that the designed insurance structure is in line with the analysis performed by the manager.
Key insurance assessment criteria
The assessment process performed by insurers when deciding to accept a risk follows the evaluation of two aspects:
The insurability of a risk and the level of cover and cost are determined by the probability of having a loss in relation to how severe such loss will be for the operation. Specialised insurers underwriting risks in the funds segment follow a sophisticated process combining quantitative and qualitative characteristics of each operation. A list of the key topics that are always assessed by insurers is the following:
Type of operation – The type of operation and structure is one of the most important assessment criteria evaluating information under the two main categories:
- Information for the fund manager: licensing status and jurisdiction, years of operation vs start-ups, number of funds under management, investments track record, financial results (management fees and any other income generated) etc.
- Information for the funds under management: licensing status and jurisdiction, quality of documentation (prospectuses, NAV reports), ultimate interest/investors (number/type/domiciliation), assets under management, type and jurisdictions of investments/underlying portfolios etc.
People - Key persons should have a thorough understanding of all functions of the operation, making sure that the staff numbers and expertise within the team are relevant to the size and complexity of the funds under management (i.e. type of fund, investment strategy, number of funds under management etc.).
Internal Controls and Procedures - The type, variety and complexity of the manager’s investment strategies, depending on each fund’s / compartment’s strategy, should determine the internal controls in place. This should not be different in the case of a hosting fund manager, because the supervision and ultimately the responsibility lie with the manager (i.e. sophistication of systems, number and expertise of back office staff especially in heavy volumes trading strategies, well-thought-out processes with clear segregation of duties, multiple levels of authorities to mitigate internal fraud etc.).
Compliance - Compliance as a function needs to be integrated into all aspects of the operation (i.e. policies/internal manuals, KYC, errors & complaints handling etc.). Insurers will assess and ensure that compliance policies are being adequately monitored and enforced by staff, because lack of satisfactory evidence could result in unavailability of coverage for future regulatory failings (i.e. regulatory investigations, fines & penalties etc.).
Loss History - Any previous experience of losses caused by operational failure (i.e. errors, omissions, systems/processes failure, breaches of professional duty, regulatory investigations etc.) will be assessed along with any corrective measures adopted post failure to avoid recurrence of the same event/failure.
Important operational risks commonly overlooked
Service Providers - Outsourcing parties form an integral part of any operation since the “end service” provided to the funds depends on the performance of all counterparties. Reliance on the expertise of service providers (i.e. fund administrators, asset valuation service providers, broker(s), custodian, lawyers, auditors, IT/Cyber security providers etc.) makes the cost base of the manager more variable but at the same time creates unknown risk exposures. The quality of the outsourcing parties and the quality of the engagement agreements between them and the fund manager, setting clear boundaries on the duties and liabilities of each party, will create a blueprint of the risks each party takes on from the cooperation. This can guide insurance obligations for both parties if any of the risks cannot be mitigated internally.
Operational Risk on Underlying Investments - This is a topic that is not commonly discussed, either because the fund manager is offering hosting services or the investment portfolio is part of a former family office or simply because the assessment, analysis and quantification of operational risk at that level is very complex and time consuming. The fact of the matter, however, is that the fund manager has the ultimate responsibility to ensure the performance of the underlying investments. Operational failure in alternative investments is a topic that merits a closer look since it will heavily impact the valuation and ultimately the performance of the funds. The risk management process (identification, analysis, risk appetite setting and risk mitigation and/or risk transfer) varies across alternative investments (real estate, shipping, energy, commercial or industrial units, leisure, technology, new ventures etc.); however, experience shows that when the fund professionals have a clear understanding of the risks they are facing, a meaningful risk transfer solution can be designed to avoid future crises from operational failure.
Conclusion / Opinion
Operational risk to most people relates to legal/regulatory/compliance. Nowadays, with the evolution of technology, speed of markets, crime and complexity of the operations, operational risk is broader and more significant. Modern operational risk management requires a blend of good risk understanding, solid controls on risks that can be mitigated and well-crafted insurance for catastrophic risks.