Taking considered risk is the essence of all business and investment activity. Managing business risk is a key to success. This applies as much to investment funds as it does to trading operations. But dealing with commercial and legal hazards within the context of a fund is not as straightforward as for "normal" businesses. Firstly, collective investment schemes may be regulated depending on their category. Secondly, they do not as a rule employ senior managers and staff directly. The investment vehicle will have a wholly non-executive board which will outsource all day-to-day functions to its investment manager, administrator and other service providers. Unless there are clear procedures in place, and responsibilities properly assigned, risks will not be controlled, with a likelihood of serious adverse impact on the fund and its investors.
Risk management is an important area of focus for the Jersey Financial Services Commission (the "Commission"). This is borne out by its inclusion within the new Codes of Practice for Certified Funds (the "Codes") which were issued by the Commission on 2 April of this year. The control of risk is quite rightly treated in these Codes as an integral part of the fund's corporate governance framework. It is core to how a business is directed and controlled.
So what are the regulatory requirements? According to the Codes, a certified fund must ensure that clearly defined procedures are put in place so that there is appropriate oversight in order to address the principles of risk management. An assessment of the risks present in the business of the fund must be made, and those risks must be documented, as must the ways in which they are monitored and controlled. The Codes also require that a fund must maintain accurate and reliable information systems and timely and appropriate management reporting. Consideration should also be given to the establishment of a separate risk management committee.
The operation of robust internal control systems is another key requirement under the Codes. Internal controls and risk management are two sides of the same coin. As the Codes point out, internal controls and risk management cannot work without accurate and reliable information systems (i.e. proper reporting).
So what does this mean in practice? The first point to make is that the buck stops with the board or other governing body of the fund. It will rely on advisors and service providers, but the board has ultimate responsibility for the fund's system of internal control, for reviewing the effectiveness of this system and determining what reporting is required. This will be done in the light of the risks identified. The board must therefore identify the key risks which the fund will face and their associated control procedures and mitigation measures. The object will be to minimise the chance of a material adverse outcome arising from events and courses which should have been foreseen.
As the fund will be relying on its service providers, the first step in risk management should be to ensure that the investment manager, the administrator and other service providers are fundamentally competent and trustworthy. The competency and trustworthiness of the investment manager is the linchpin of the Expert Fund and Listed Fund Guides. The ability and integrity of the Jersey-based administrator is policed by the Commission under the Financial Services (Jersey) Law 1998. But these attributes cannot be taken for granted and, as with all other material risks, they must be reviewed on a regular basis (no less than annually). The board must of course ensure that it receives sufficient information to do this and to monitor all risks.
Risks should be identified in the offering document or prospectus of the fund. But this document is only a starting point in the identification and management process. Risks will fall under certain categories including business and investment risk, market risk, control risk and operational risk. Although some risks are standard and will arise in most cases, some are not and will be specific to the particular fund and its service providers. There is no substitute for hard thinking and no tick-the-box approach will be sufficient.
Identifying the risk is not enough. The probability of the risk arising and the impact on the fund also need to be assessed. Once the assessment is made, the control needs to be put in place. The effectiveness of the controls then needs to be monitored. So it is not enough, for example, to identify the need for adequate financial resources to run the fund. Expenses need to be budgeted for and reviewed on a quarterly or other regular basis and management accounts or other financial statements prepared to undertake the monitoring.
The proper documentation of the whole process of risk management is a priority. This is best practice and, very importantly, it is something the Commission will be very keen to look at when they conduct their on-site visits. The object of risk management is to minimise risk but it cannot be eliminated. If the business is seriously adversely affected and, heaven forbid, the regulator becomes involved, providing evidence that reasonably foreseeable dangers were properly considered and managed will be paramount. It may be an exaggeration to say that pieces of paper in the form of reports, minutes and policies and procedures can save lives, but they can certainly save businesses and individual careers.
Originally appeared in Jersey Evening Post, Funds Review – May 2012.