Changing Trends in Operational Due Diligence (ODD): How Are Allocators Reacting
November 24, 2020
By Melissa Miro
The past few months working from home during the pandemic have been challenging and different for all. Managers have learned how to adapt to the “new normal” of working completely remotely and utilizing technology such as Zoom and WebEx to keep the corporate culture in their firms alive.
“Changing Trends in Operational Due Diligence: How Are Allocators Reacting was the topic of discussion in EisnerAmper’s November 2 webcast co-presented by EisnerAmper and DMS.” David Goldstein, Director, Business Development in EisnerAmper’s Financial Services Group, led a discussion with Anne Storie, CEO, Americas, of DMS Governance; Debra Franzese, Partner at Seward & Kissel; and Terence Brady, Director of Operational Due Diligence at Corbin Capital.
Privacy and Security
For managers performing due diligence, there are several key regulatory areas and issues they need to keep in mind such as cybersecurity and having a solid business continuity plan. During the pandemic, many financial services firms have had their employees working from home full-time. Managers have to think about providing technological resources to their employees such as laptops, printers and scanners as well as making sure their firms are safeguarded against cyber threats. Firms have been seeing an increase in cybersecurity threats by ransomware and phishing emails. Many employees have personal identifiable information on their work computers related to the firm, investors and firm policies, as well as their own personal information. Cyber attacks are common and it is important that regular discussions and trainings on how to avoid being a victim of a security breach are held at the firm, especially during this period where many if not all employees are working remotely.
Outsourcing middle- and back-office functions has become a common practice among managers. If a manager has outsourced various functions, from financial and operational to technological, frequent conversations should be held with the outsourced service providers to understand the protocols that are in place to help avoid any cyber threats. Critically, if there are any breaches at the service provider, the manager needs to be made aware of them. A manager can be less susceptible to a data breach if they have the correct protocols in place such as virtual private network (VPN) and multifactor authentication, which help prevent access for anyone other than the people who should been accessing the data. Firms may also look into obtaining cyber insurance policies that can help cover any legal or other expenses related to a cyber breach, which may include coverage for ransom payments. Managers should also speak to employees regarding where they are planning to work on a regular basis as personal WiFi systems may be compromised if the passwords are shared. Employees may be utilizing a public WiFi and having additional protocols such as VPN or multifactor authentication could help avoid any cyber-attacks.
Firms should frequently train their employees on the confidentiality requirements that are part of their roles. When working from home, it might be challenging to keep sensitive information private since an employee may have roommates or family members present. Many firms have come up with best practices and training sessions on how to keep information private and confidential -- for instance, where calls should be taken and how to handle confidential information, including a process regarding printing materials and maintaining and/or disposing of sensitive documents. Employees should keep in mind that people they are working in close contact with, regardless of whether they are a competitor of the firm or in the same industry, could use information that was obtained from working in close quarters to their advantage. Firms should mandate that all computers maintain secure passwords which are unique and updated frequently.
In addition to confidentiality and privacy being key areas to focus on, firms should note that it is important to promote a work-life balance among their employees.
Firms have worked hard to carefully craft a corporate culture that includes a community of collaboration, inclusion and diversity; however, working from home may present challenges of maintaining a culture among employees. Some employees may feel that the corporate culture has partially dissipated which may take away from talent retention. Firms should think of ways to keep their corporate culture alive by keeping open communication with their employees.
Working from home may be a significant cultural shift for some managers that previously did not allow the practice. The sudden transition to remote work has prompted a discussion among employees regarding workplace flexibility moving forward and, further, has forced managers to evaluate and consider how remote work flexibility may affect talent retention, turnover and corporate culture. In a recent Seward & Kissel Investment Manager COVID-19 Survey, 72% of participants polled indicated that they believe their firms will change their work-from-home policies.
Key Person Risk
Another area of consideration is ‘key person risk.’ Often, specific roles are only performed by one specific person at a firm. Managers should evaluate the impact on the firm if a single individual becomes unavailable for an extended period of time (such as due to illness or connectivity issues). A good practice is keeping in mind how to navigate through keeping operations running if a key member is incapacitated and unable to perform their daily functions, such as utilizing another employee or outsourcing additional functions to their service providers. The main focus is to ensure that investors and allocators are comfortable with the firm’s work-from-home process, which may mean that the firm needs to think out of the box a little. Due diligence (DD) teams are experiencing increased transparency from managers with regard to what information and data are being shared with investors and their service providers. Previously, a lot of managers did not want to share compliance manuals and other policies in advance and kept these documents in-house. Now, given the remote working environment, confidential documents that have historically not been shared with due diligence teams due to cybersecurity concerns are being sent in read-only format as in-house meetings are virtually nonexistent. Investment managers realize that during the current environment they may need to share documents more freely in order to execute a transaction and some are wondering whether this will revert back once things go back to “normal.”
Strategy and Onboarding Considerations
Managers should evaluate whether their current strategy is still a viable one given the current economic state and pandemic. Does the investment manager have right relationships in place with its service providers? Evaluation of a strategy, infrastructure and service providers is especially difficult for investors with respect to evaluating a new fund or strategy launched by an existing manager, a new manager relationship or an emerging manager. Due diligence teams have faced challenges, such as accepting new director positions on client boards, when onboarding a new client or product. Firms are taking a more critical look to see how their clients are providing transparency to their investors since in-person meetings are not happening regularly. An investor’s understanding of what is going on in an organization, independent of the quarterly board meetings, is important since the investors are partially relying on the directors for operational transparency within the fund. For emerging or new managers, checking that they have reputable service providers and a robust structure in place from the beginning is of greater importance than ever before. With regards to internal controls, it is very important that managers have proper procedures in place and are overseeing what their service providers are doing if they are utilizing a third party. Due diligence teams may offer advice on how to remedy an internal control deficiency but will require a plan in place and see that the issue is remediated if they plan to continue to be engaged with the manager.
To view the entire webcast, please click here.