On February 17, 2017, the Mutual Fund Directors Forum released a report titled "Role of the Mutual Fund Director in the Oversight of the Risk Management Function" (the Report). The purpose of the Report is to assist fund directors by outlining key concepts and principles relevant to fund directors' risk oversight. The Report is divided into three sections: (1) a fund director's duties and role in the risk oversight process; (2) context to help directors better understand how investment advisers develop and monitor risk management programs; and (3) discussion of several specific areas of risk, including, among others, regulatory risk, valuation risk, cybersecurity risk, reputational risk, and risks related to new strategies. The Report encourages fund directors, when thinking about risk and their role in risk oversight, to consider the characteristics of the funds they oversee, including fund type, fund size, the assets and number of funds in the fund complex, the structure of management and other service arrangements, fees, vendor management framework, the nature of the investment objectives and the investments used in the funds.
Risk Oversight Function
The Report notes that, generally, effective risk oversight contemplates that a fund's directors understand a fund's regulatory, investment, and operational risks. The Report also advises that fund directors should avoid the temptation to become drawn into the day-to-day operations of a fund and its adviser. Instead, fund directors should (1) delegate day-to-day management responsibilities relating to the fund to the fund's investment adviser and other third-party service providers and (2) focus on overseeing these parties' performance and operate as an independent check on those charged with day-to-day management responsibilities. The Report encourages fund directors to work with outside parties and the fund's investment adviser to oversee how risks are identified and managed. The Report also notes the fund's chief compliance officer (the CCO) can be a valuable asset in overseeing risk management given the CCO's involvement in a variety of risk areas, such as those for valuation, securities lending, and disclosure.
The Report suggests that, to gain an understanding of these risks, directors should:
- request enough information regarding the fund's activities and the critical services provided to the fund to develop an appropriate understanding of the risks inherent in the operation of a fund and to then assess the effectiveness of risk practices and controls implemented by the adviser and other service providers;
- receive regular updates from the investment adviser regarding the risks associated with outsourced services and how they are being managed; and
- evaluate on an ongoing basis whether fund policies and procedures in place are reasonably designed and effective at preventing the fund's operations from violating applicable federal securities laws.
Risk Management Programs
As part of their risk oversight, a fund's directors should discuss with the adviser its risk assessment process and how potential risks are identified and addressed, and how ongoing risks are regularly evaluated, managed and/ or mitigated. The board should appreciate how the adviser identifies the variety of risk concerns appropriate to a particular fund. While there is no standard model or organizational structure for risk management, and investing styles, operations and service providers can vary widely, most risk management programs follow similar principles. Risk management programs are designed to identify, measure, and manage the most significant risks, not to eliminate every risk.
The Report identifies several elements directors should consider when evaluating the effectiveness of a risk management program and, for each, includes a list of questions fund directors may want to ask. The elements that the Report encourages fund directors to consider include:
- the firm's attitude toward risk management and the risk culture at a firm;
- how a firm communicates about its risk management program across the organization, including (1) how it notifies appropriate parties about risk events, (2) how issues are escalated through various levels of management within the organization, and (3) what information the board receives on a regular basis and when the board should be notified of risk events;
- how the adviser assesses risk in relation to the adviser's risk appetite, risk tolerance in relation to the overall objectives of a fund, and whether a fund's strategy is aligned with its risk appetite and risk tolerances;
- what mechanisms exist to identify risk events (e.g., a cyber breach, a significant trading error, or exceeding the expected volatility range for a fund's return) and what is the process for responding to risk events;
- the firm's current controls; the ongoing development, execution and evolution of the control structure; and adjustments and responses to the control structure to address risk events;
- whether the adviser is continuously evaluating its risk management program in connection with shareholder expectations, current market conditions, and regulatory concerns;
- how the risks of relying on third parties to perform critical functions (e.g., sub-advisers, fund administrators, custodians, transfer agents, other intermediaries, and sub-accounting firms) are being identified and managed; and
- critical service providers' business continuity planning and disaster recovery protocols and how the fund complex's own business continuity planning addresses the risk that a critical third-party provider could suffer a significant business disruption.
Key Risks Facing the Investment Management Industry
The Report provides details on several key risks facing the investment management industry, but notes that not all of the risks discussed will require equal levels of board attention or time during board meetings and that boards may address risks differently. The Report encourages directors to pay particular attention to areas where there are potential conflicts between the shareholders and the fund's adviser when considering the key risks facing the funds they oversee. For each of the risks identified, the Report includes a list of key considerations for fund directors.
The risks identified by the Report include:
- Investment Risk: both the intended or expected risk from the investment process and the unintended risk that may result from investment decisions, assumptions, market movements, and other factors.
- Regulatory Risk: the risk that a fund is operating in a manner that is not in compliance with existing regulation.
- Liquidity Risk: the risk that (1) a fund does not have sufficient liquid assets to meet redemption requests in a manner consistent with SEC requirements without harming remaining shareholders; (2) established methods to determine liquidity have not been applied consistently and/or accurately; (3) established liquidity determination methods are no longer appropriate; and (4) the fund's valuation procedures and policies do not appropriately consider liquidity in the valuation process to achieve accurate security valuations.
- Valuation Risk: the risk that a fund inappropriately determines the value of one or more of its investments, resulting in an inaccurate net asset value for the fund.
- Cyber Risk: the risk that a negative cyber event will impact an organization.
- Reputational Risk: a loss of trust in the brand of the fund or an increase in negative perception of the brand that can lead to negative publicity, loss of revenues, asset withdrawals, loss of clients, and loss of key talent.
- Risk Related to New Strategies: the risk that new strategies or investments can result in heightened leverage, operational risk, liquidity and valuation risk, as well as disclosure risk for the fund complex.
- Model Risk Management: the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports.
- Disclosure Risk: that disclosures and statements could be made in fund documents that are not true.
- Anti-Money Laundering Risk: the risk that funds fail to identify potential money laundering scenarios or to comply with regulatory standards.
The Report is available at: http://www.mfdf.org/images/Newsroom/RiskPaperFinal2017.pdf.