What Has SAC Capital Taught Investment Industry about Risk Management?
When a massive enforcement action hits the news, like the recent SAC Capital insider trading settlement, that includes allegations of repeated and substantial misconduct or systematic wrongdoing, the temptation for most investment professionals is to say, “Ehhh, it can’t happen to me. We run a tight ship at my firm. I’m honest, ethical and follow the rules. Those people were out to break the law to get an edge and now they are paying the price.”
But that type of overconfidence, without the support of an effective compliance program coupled with a rigorous risk assessment system, can lead well-meaning, honest investment professionals into dangerous waters. At the Regulatory Compliance Association’s recent Compliance, Risk, and Enforcement Symposium, a panel of compliance professionals stressed the need for rigorous risk assessment and compliance testing to ensure that firms retain their good reputation and avoid the rocky reef of regulatory action.
The requirement to establish (and disclose) a firm-wide risk management process that identifies, measures, and manages the risks facing the investment manager — including the sources, nature, and degree of risk exposure — was covered in the most recent version of the Asset Manager Code of Professional Conduct. Panelists at the Regulatory Compliance Association symposium emphasized the need to rigorously and repeatedly test to make sure that the system is adequate, not just so that the firm can survive a regulatory examination, but so it can survive a catastrophic event such as Bernie Madoff, Superstorm Sandy, the 2008-2009 market implosion, or a group of employees who engage in insider trading.
According to the panel, firms should “follow the money” to determine where the greatest risk exposure is by looking at the firm’s sources of revenue. Then establish forensic testing that takes apart the firm’s policies and procedures to ensure that the firm is doing what it says it is doing. Conduct data analysis, look back at communications, interview employees, and recalculate. The question is not what to test (answer: everything), but how frequently and what is the appropriate sample size.
For instance, and particularly apropos in the aftermath of the SAC case, firms may be concerned about exposure to material nonpublic information. In that case, according to panelist Robert Van Grover, partner at the U.S. law firm of Seward & Kissel, firms should be collecting and evaluating both “structured” data such as trades, price movements, and calendar entries as well as “unstructured” data such as employees’ outside relationships and communications. It is important to link these two types of data to review patterns of activity in greater detail. Firms must have the right tests in place given the types of potential information that employees are privy to (for example, software that monitors employees’ LinkedIn accounts), with well-trained examiners who know what they are looking for. The firm should be asking: What was the trading motivation? Are there discernible trading patterns or are the trades random? Where are the most profitable trades allocated? Is this allocation random or is there “repetitive randomness” signaling a pattern? Examinations for one risk exposure, like material nonpublic information, may overlap and support testing for another risk exposure such as trade allocation issues.
The bottom line is that an effective risk management evaluation includes knowing the firm’s business and revenue sources, knowing its employees and their connections, and developing the proper testing tools to verify that the compliance program is working properly. That way a firm can demonstrate to itself, clients, and regulators that it has a good understanding of the potential risks it faces, has tested for those risks, and, if any issues are discovered, has caught and addressed them internally — before they become a problem for its clients or itself.