Family offices underestimate operational risk – that’s a big mistake

Often because they are small and have few staff, family offices don’t pay enough attention to operational risk management. But this could be a costly mistake and at the very least is undermining their performance.

There is a growing understanding of operational risk and where it occurs in the family office as the ‘professionalisation’ of the investment process works its way down the value chain to middle and back office functions. But the scale of the threat usually only becomes apparent when a risk is realised.

That is the view of Alchamentus director, Paul Staples, who describes compliance and control risks as a growing priority for family offices as they move closer to being regulated entities. Staples is an operational risk specialist who has worked in the area with many big institutional asset management groups and increasingly family offices.

He divides risk factors into internal like post-investment operations processes and controls, Know Your Customer/Anti-Money Laundering checks of counterparties, data retention and control, compliance management, regulatory alignment and controls – and external, which includes cyber and regulatory risk as well as people risk. For instance, how do you control what people know about your business when they leave?

According to Paul Kearney, head of UK private banking at Kleinwort Hambros, the big operational risk is that, while in the majority of organisations the segregation of duties is the main risk control mechanism, the relatively modest headcount of many family offices often requires individuals to undertake potentially conflicting tasks.

Staples says that culture and accountability are vital elements in reducing operational risk

“As soon as you start to task a small team with a number of roles you lose the significant benefit of segregation of duties and increase the potential for ‘rogue’ employee to operate within a weakened control environment,” he says.

One of the most effective mechanisms for screening out such individuals is to conduct rigorous due diligence on them prior to bringing the employee on board. And once a team has been assembled, it is important to create a risk control framework, adds Kearney.

“The question then becomes how to import that controlled environment in the most economical way and this may require some form of outsourcing arrangement to provide independent oversight,” he says.

Staples observes that culture and accountability are vital elements in reducing operational risk. “A concept of measure, manage and reduce needs to be implemented and this starts with an operational risk framework assessment,” he says. “Culture is important in terms of enforcement and encouraging awareness and a senior leader needs to be in charge of driving the agenda.”

It is good governance to set up a structure that provides assurance around processes such as checking the investment return numbers given to the principal, suggests Kearney. “The family office professional’s job relies on delivering good news to their employer and this creates the risk of an individual telling the principal what they think they want to hear.”

Robert Jones warns that most family office consultants and advisers are only interested in more lucrative front office investment engagements

The protection against cyber risks in small family offices can be a challenge due to a lack of dedicated cybersecurity staff. However, Bill Frizzell, director of technology at Laird Norton Wealth Management, reckons some of this disadvantage can be offset by selecting technology vendors that offer strong security as part of their solutions.

“Despite the high profile of the cyber attacks we hear about, major technology vendors generally provide better cybersecurity protection than small and medium businesses,” he says. “Small family offices may also want to engage technology consultants who can guide their purchases of security solutions.”

Charles Lowenhaupt, chairman and CEO of Lowenhaupt Global Advisors, advocates undertaking a risk inventory. “Each potential risk should be evaluated in terms of how tolerable the result would be and how likely it is to happen and the review process should be repeated at least every quarter,” he says. “If the family office cannot manage operational risk, it needs to simplify its operations and/or advise family members that some risks – for example, risk of divorce or travel safety – cannot be managed by the office.”

This final point highlights the role of risk specialists and external risk advisors, although FCL Advisory managing director, Robert Jones, warns that most family office consultants and advisers are only interested in more lucrative front office investment engagements.

“In addition, most professionals in the family office industry – including external administrators who simply focus on reconciliations and reporting – charge a percentage of assets under management, which makes no sense to me,” he says.