Introduction: The Value of Enterprise Risk Management for Private Equity Firms

Imagine you are the CEO of a Private Equity firm and you are faced with the following scenario:

ACME Equity Partners is optimistic about the crown jewel in their portfolio, Global Interconnect, a global widget manufacturer with facilities in San Francisco, Hong Kong, and Singapore. The company has been extremely profitable and has been a significant contributor to ACME’s investment performance. But then, unexpectedly, Riff Rocket, the President of Global Interconnect, telephones Tadd Smith, ACME’s President, with some unwelcome news. News reports that facilities for Global Interconnect have unsafe working conditions are circulating in the Hong Kong press. To make matters worse, there are allegations that these unsafe conditions have been concealed through bribing of local inspectors in the widget factory.

Maybe all of this is bad luck. But these types of scenarios could be detected or avoided through the implementation of an effective Enterprise Risk Management (ERM) Program.

ERM is a business process for effectively managing risk within your organization. It applies to any organization and is invaluable in identifying and avoiding unforeseen risks, which is particularly helpful given the increasing regulatory pressure for certain organizations to implement such programs. While ERM existed before the Great Recession, the world of Risk Management changed considerably after the financial collapse, because of the widespread view that risk controls failed at large financial institutions, threatening the global economy. This perception led to increased oversight by Congress, and extensive measures that were codified in Dodd-Frank. As discussed below, many financial institutions and certain operating companies have been subject to increased regulatory expectations in this area.

ERM Programs are important for Private Equity firms in two ways: (1) they develop a framework of internal controls to mitigate risks associated with the companies in which the PE firm invests, and (2) they develop internal controls for the PE firm itself. PE stakeholders include the management and employees of the Private Equity firm, the limited partners and/or investors in the fund, and the stakeholders in the underlying companies. Avoiding surprises like those in our Global Interconnect example is the objective and value of a robust ERM Program. While the Securities and Exchange Commission (SEC) and other regulators have placed increasing pressure on PE firms and investment advisers to develop more robust compliance programs, ERM Programs can provide a 360-degree approach to managing business risk at PE firms, which many firms consider a prudent business practice in the current market and regulatory environment.

ERM Programs for Operating Companies within the PE Portfolio

In a general sense, Private Equity firms make investments in operating companies, focus on maximizing their value for investors and/or limited partners, and, at some point, seek to exit those investments in a profitable manner. At the appropriate time, PE firms will seek buyers for operating companies within their portfolio, the characteristics of which vary. Buyers typically evaluate many factors in determining whether to purchase a company, including the type of business, management, profitability, and cultural and business fit. In this regard, risk management recently has received more attention, particularly with respect to litigation, regulatory, and reputation risk. To avoid surprises, potential buyers are demanding greater transparency of how a potential target company manages risk. Accordingly, portfolio companies failing to consider ERM potentially diminish the pool of available buyers, which, in turn, may jeopardize the likelihood of a successful exit for PE firms. In addition, limited partners invested in PE funds are increasingly demanding of controls at the portfolio company level and within the PE firm itself.1

ERM supports the general partner’s interest in maximizing portfolio value for limited partners. A primitive or nonexistent ERM program often adversely affects a company’s value. Therefore, many PE firms are expecting that their portfolio companies develop and implement significant ERM programs, covering all aspects of their business.

The general partner’s interest in maximizing value coincides with the demands of regulators to identify, understand, communicate, and address risk. For example, “large banks” (with assets greater than $50 billion) are required to have extensive enterprise risk management programs that are reviewed annually.2 Smaller financial institutions, such as banks below $50 billion, investment advisers, and mutual funds, are subject to increasing regulatory scrutiny when it comes to risk management. Other regulators in areas such as energy,3 consumer, and environmental are further emphasizing risk management.

In a similar fashion, public companies have been trending toward programs designed to capture the basics of an effective ERM program: 1) risk identification; 2) risk evaluation; 3) contingency planning; and 4) crisis management. More recently, public companies have been utilizing risk management in their strategic planning and goal-setting processes.4 Given this emphasis on risk management by public companies, PE firms seeking a public exit for their portfolio companies would be wise to review such company’s ERM program or practices.

Preparing Operating Companies for the Next Step

Regardless of the type of exit, an effective ERM program should be relevant to the business, structured in a practical manner, and implemented efficiently. Effective ERM programs share certain common elements: (i) risk identification; (ii) risk rating; (iii) identification of risk mitigation and adjusted risk; and (iv) presentation of key risks to senior management and the board. In connection with these elements, “risk owners” typically are designated to identify risk, the risk team ranks each identified risk (e.g., high, medium, or low), risk level adjustments occur (taking into consideration countervailing controls), and critical risks and recommendations are presented to senior management and the board for appropriate action.

In addition, the following important characteristics should also be part of any ERM program:

The ERM Program Should Be Tailored to the Requirements of the Business: The ERM program should be tailored to manage risk related to essential business purposes of the company. For example, although there may be common elements or characteristics, an ERM program for a hotel chain would differ significantly from an ERM program for a small alternative energy company.

The ERM Program Should Be Strategic in Nature: According to the Association for Financial Professionals,5 successful ERM programs have a “strategic lens.” For PE firms, the “hold” for each investment informs the strategy for exit and, therefore, risk identification and management.

The ERM Program Should Have the Input and Support of Senior Management and the Board of Directors: An ERM program that is closely linked to the strategic vision of senior management and the board will improve the operations of the company and could have a positive impact on profitability and exit value.

Independence and Support of the Chief Risk Officer (CRO): The CRO will need the full support of management to carry out his or her responsibilities. A CRO’s independence is crucial to an effective ERM program. CROs must be sufficiently empowered, among other things, to ensure cooperation from other stakeholders, and the collection of complete and reliable information.

The ERM Program Should Create a Culture of “Risk Ownership”: A culture of “risk ownership” throughout the organization is critical to an effective ERM program. Each stakeholder (whether senior leadership, middle management or staff) needs to understand his or her role in identifying and managing risk and should be accountable for successfully fulfilling such role. Failure at any level jeopardizes a successful outcome. Operational heads should be identified as “risk owners” throughout the organization and have significant input into the risk identification and mitigation process.

ERM Programs for Private Equity Firms

It is equally important for PE Firms to apply ERM Programs to themselves. In fact, there are generally three levels of risk for PE firms: (i) firm-level risk, (ii) fund level risk, and (iii) operating company or portfolio risk. Each of these levels may be impacted by litigation risk, regulatory risk, and reputation. Similar to operating companies, PE firms should appoint a person with responsibility for guiding the ERM program at the firm level. This individual requires a similar level of independence and support to ensure that the effort is appropriately managed and effective.

A. Firm Level Risk

At the PE firm level, regulatory risk and investment risk become paramount concerns. In terms of regulatory risk, recent examinations and enforcement actions have focused on conflicts of interest that are not disclosed to limited partners, especially in the area of fees in connection with limited partnership agreements.6 Moreover, because many private equity firms recently registered as investment advisers, such firms face many of the same traditional compliance issues as more mature investment advisers (e.g., annual certifications of control processes, compliance manuals and related testing, and routine SEC examinations). In connection with SEC reviews, regulators will also be reviewing marketing materials to ensure that performance information is accurate and valuation methodology is consistent with the methodology disclosed to investors.

PE firms also manage investment risk, which is impacted by their due diligence of potential target companies. PE firms typically undertake significant operational due diligence on companies targeted for investment. This essentially means that operating company risk also represents firm-level risk. In terms of ERM, PE firms should develop a strong internal operational due diligence (ODD) team that can evaluate key business risks associated with each target company, including core business strategy and operations, cybersecurity, valuation, corporate governance, and related compliance challenges. Because investment decisions of the PE firm depend heavily on the quality of the work of the ODD teams, oversight of ODD practices, controls, and evaluation standards is an important part of the ERM program.

B. Fund Level Risk

At the Fund level, clear and adequate disclosure to investors is paramount. Among other things, fees, potential conflicts of interest, valuation methodology, third party relationships, and monitoring arrangements must be fully and completely disclosed. On an ongoing basis, material changes to such disclosure need to be updated and disclosed to limited partners. In many cases, limited partners also may require substantial information on the firm’s ODD reviews of the firm’s portfolio companies, including a review of such operating companies’ ERM programs, compliance and governance practices, cybersecurity issues, potential pressure on margins and profitability, and other material facts.

C. Operating Company Risk

A strong ERM program, such as that identified above at the portfolio company level, provides tangible benefits. First, assessing operational risk at the firm and fund levels becomes more manageable for the ODD team and all who are involved in making investment decisions. In our initial example, an ERM program by ACME would easily have determined whether Riff Rocket and the Global Interconnect team had to make safety improvements to their facilities and potentially avoided any related bribery concerns. In addition, an ERM Program would reduce the time, expense, and risk associated with ODD reviews and ongoing monitoring by the firm. The ODD team would have a better opportunity to evaluate more complete and critical information. Finally, an ERM program at the operating company level potentially increases exit value for the general partner and limited partners of the investments within the portfolio. In other words, the time and effort spent on an ERM program would not only greatly reduce the risk within the portfolio, but could greatly enhance investor returns.


In sum, an ERM program benefits the PE firm, the fund in which the limited partners invest, and its portfolio companies. Effective ERM programs help firms manage risk from a 360-degree perspective, including investment risk, regulatory risk, and reputation risk. From a diligence perspective, ERM programs facilitate a sharper focus on the value of the assets under consideration and reduce the time and expense inherent in a meaningful ODD review. Perhaps most importantly, an effective ERM program at the operating company level provides important strategic information that informs critical elements of the investment decision (e.g., the appropriate length of time to hold the asset and the likely exit). For PE firms, ERM programs can provide meaningful benefits to all stakeholders and are becoming more important throughout the investing life cycle, particularly in the context of increased regulatory oversight, as well as increased opportunity to enhance investor value.