IMDDA hosted a webinar “What are Today’s Asset Managers Due Diligence Obligations?” with Robin Hodgkins, President of Castina LLC and former CISO John Rizzulo, now President at Rizzulo GRC. They spoke extensively about investment due diligence procedures for asset management. Here are a few of the highlights to whet your appetite for the full recording:
1. If your due diligence is not documented, it has not occurred
This may sound drastic, but this is exactly how the regulators now view investment due diligence procedures for asset management. You must be able to provide comprehensive plans, policies and procedures appropriate to your organization’s structure and risk profile, regardless of the size of your business.
Similarly, you must have a solid paper trail for each aspect of each investment due diligence activity. You need to expect regulators to ask to see documents that detail questionnaires and responses, evaluation and reviews of that data, reports from further investigations and site visits and reports from ongoing due diligence activities relating to third party relationship management.
In short, word of mouth assurances count for nothing in today’s regulatory climate, so don’t be caught out!
2. Vendor management must be integrated with the overall risk management plan
This cannot be an intangible cultural goal. You need to be able to demonstrate to a regulator, ideally in the form of a kind of organizational chart, how vendor management is part of and reports into risk management. The alternative for smaller firms is a direct reporting line into senior management.
You should also ensure that you have a list of mission critical vendors that is current and immediately available as this is one of the first things any regulator will ask for. You’ll want to store all your vendor risk management documentation in one place as it doesn’t look good if you’re chasing round 15 different locations trying to source information to answer a regulator’s queries.
3. You must demonstrate a risk based approach
You should apply risk ratings to individual third party relationships and more detailed aspects of those relationships. You must be able to demonstrate that you use this system to prioritize your workload, allowing you to review higher risk items ahead of lower risk ones rather than running to a standard calendar of due diligence reviews.
4. Demonstrate that your investment due diligence procedures are appropriate for your business
This can be a tricky one as investment due diligence procedures for asset management is not a one size fits all discipline. You may find that your risk profile is different to even your closest competitors. What is important is that you are able to show that you understand the due diligence requirements generated by your particular organization’s structure, size and risk profile and that you have adequate policies, plans and procedures in place to meet them.
5. Detail matters
Finally, don’t let yourself be caught out by the small stuff. Our expert John related an incidence where a company was cited over their vendor management, simply because a date was wrong in the footer of a document. It had been copied from a previous version and the document owner forgot to change the date. The organization had an email trail with the correct dates proven, but this didn’t help them avoid the citation.
Want to know more about current thinking in this essential practice area? The IMDDA webinar “What are Today’s Asset Managers Due Diligence Obligations?” reveals the full story, listen to the recording here: