Operational Due Diligence – The Fine but Undefined Line Between “Pass” and “Fail”

Published On March 1, 2019

Chris Goodeve Ballard, former UK head of Operational Due Diligence (ODD) at Aon and now a director of 2nd Phase Consulting, talks through his experiences when assessing the suitability of asset managers for some of the largest institutional investors.

Operational Due Diligence (ODD), pre-Bernie Madoff, was simply an adjunct to the Investment Due Diligence (IDD) process. It had little influence, and only in exceptional cases did it have the final say on whether a manager or fund was used or not.

Post-Madoff, it is fair to say that the boot is on the other foot. ODD will now invariably carry a veto and, irrespective of how good investment performance is, ODD can stop everything in its tracks.

The process is very simple: it is a review of all aspects of a fund or fund manager, covering all components of its operations except investment performance. There are frequently areas of overlap with IDD, particularly surrounding people and subjects such as leverage and liquidity, and the two disciplines, while separate, should always communicate.

ODD teams should (and sadly this is not always the case) recognise that the preparation for a visit and the time taken is onerous and expensive for a manager. Be prepared to give a lot back in return. ODD has a privileged position in that the understanding of best practice runs deep and can, without passing on sensitive or proprietary information, be shared for the benefit of all. If it’s not too arrogant a thing to say, ODD can help improve the fund management gene pool.

The process

The investment research team decide what they want to consider and this is passed to ODD. For reporting purposes, ODD is ideally independent from the investment team to ensure no conflicts can influence the final assessment. Due diligence questionnaires (DDQs) are sent out in advance of a meeting, together with a request for substantial quantities of data and documentation. On-site due diligence is conducted, which usually takes between three and eight hours. It is a very thorough process, with ongoing monitoring continuing after this stage.

Pass to fail in a second. Is this possible?

Yes, and the ODD teams have the ultimate veto with huge amounts of power, but it must be used wisely and responsibly. If the team says “fail”, there is no appeal or review. The decision revolves around many things, not least previous experience of breaking the system in previous roles, and also seeing it broken by other people. There is no substitute for experience within an ODD team.

Why does ODD appear different every time?

There is a huge mix of experiences and knowledge that most ODD teams offer and that exists more widely among ODD professionals. This spans compliance, business continuity, crisis management, forensic accounting, operational logistics and more.

Generally, the objective is to find a way to pass managers, as the investment team will have spent a lot of time on a manager before ODD get called in.

The failure rate is two percent for managers that have gone through an efficient filter before being passed to ODD. When ODD is approached directly by a client to look at a manager who hasn’t passed through that filter, the number can jump to 25 percent.

A SOC 1 report (Service Organization Controls) concerns controls at a service organization which are relevant to user entities’ internal control over financial reporting.

If a SOC 1 report has been qualified and there is a change of auditor the next year, alarm bells start ringing. Managers should stick to the original auditor and get the problem fixed, get at least one clean report and then make the change. No exceptions on a SOC 1 also raises concerns as no one is perfect, and there is always a suspicion that the organisation is playing to the test. Analysing how exceptions were spotted, escalated and remedied is always insightful.

War stories

Telling the truth and not hiding issues is crucial when dealing with an ODD inspection, however intrusive it feels at the time.

At one manager, due diligence questionnaires (DDQ) were sent out before the review which asked for wash-up reports related to any business continuity events. The COO said there were none. Clients were about to invest in the fund when there was a request for another review, as some clients wanted to seed a new fund with the manager. This updated review uncovered a wash-up report on a business continuity incident that had preceded the initial final report (and “pass”). It showed a catastrophic IT failure the firm had had with a blackout for 36 hours and no sensible back-up for six months.

When ODD asked for the incident log, they were told that the owner was away. The next day, a clearly poorly forged incident log was produced. Logs are chronological and this one wasn’t. When the COO was questioned, he admitted they had only just filled it in. The firm had also failed to report the incident to the UK regulator as required. This warranted an instant fail. A year later and with a new COO in place, they had turned the ship around and passed.

There is an obvious distinction to be drawn between an outright “fail” and issues that require some action and can be fixed.

Aberrations do occur, as witnessed with a four-person fund in Switzerland that US investors wanted ODD to assess at an institutional level, when there was no way it could pass. Their strategy required rebalancing too much for such a small team, with no resources. This justified a narrative verdict to explain why it was not suitable for investment at that time, rather than a strict “pass” or “fail”. A year later, the fund had beefed up its infrastructure and people and was put on the “buy” list. The lens required is an institutional one, that of very conservative pension trustees.

ODD like to assess whether management are setting an example, so things like quarterly board meetings and a decent structure are important. An executive committee and other committees reporting into the board are all good markers of how an organisation governs itself. There must be a degree of accountability, though this does vary from manager to manager.

There is more comfort seeing SOC 1 reports from the larger audit firms; a report from an auditor in Utah who is essentially a one-man band and can barely be found in the phone directory gives minimal comfort; it could have been written by anyone. Of course, the big firms do cost more, but their reports do carry credibility.

Crisis management

ODD has been talking up crisis management for a long time and it needs to be taken seriously. It pays to get a proper crisis management consultant to analyse the potential risks and then run fully immersive exercises. It is vital to see how the team and the key managers respond in an unusually high-pressure situation, as hidden strengths and weaknesses will emerge.

It is also worth hiring a PR company that has the right influence and contacts in the press; they have to be properly connected. Social media is the game changer now as problems can go global, often before anyone internally has concluded there is a crisis afoot. The stakes are extremely high, so it is worth making that investment ahead of a crisis.

A classic example emerged when a relatively innocuous disciplinary issue at a fund manager blew up into something significant because the initial handling and communication was botched. The manager’s lawyers advised the fund to say as little publicly as possible about the issue and the information vacuum sank the strategy. One significant investor pulled out and the rest followed in quick succession. It ultimately cost the CEO his job and raised questions about future ownership of the manager. All because the maxim of letting people know as much as possible in a crisis was ignored.

Don’t forget the simple things

About 75 percent of firms are refreshing background checks, which is a huge rise over the last five years. The financial soundness check is good practice with the Senior Managers and Certification Regime (SMCR) imminent in the UK. Every three years is probably adequate, but some already do it annually and SMCR will only accelerate this.

Introducing a very simple personal solvency attestation at an insurance broker revealed that the number two in the IT department was deeply in debt. He was at a broker where client money was going through the accounts and he knew the backdoor to all of this. He had none of these issues when he was hired, when checks had first been carried out. An honest man was cleared, perhaps before he became a desperate man.

Good technology helps enormously with business continuity and disaster recovery; however, regular testing is vital.

Data centres rated at Tier 3 or higher are a prerequisite for just about anybody in financial services, and managers must make sure that the comms and server room is locked – it is not unheard of to find them open.

Many anecdotes are legendary, but while they make good stories, firms want to be known for their first-rate compliance records rather than as the butt of industry jokes, such as the unforgettable failings of one firm that kept data servers in the kitchen to help cool them down.

All of these improvements make it easier to attract fresh investors, and managers should welcome, not fear, detailed ODD reviews.

Chris Goodeve Ballard is the former UK head of Operational Due Diligence (ODD) at Aon and now a director of 2nd Phase Consulting (www.2pc.co.uk). Chris has a long career in compliance at various financial services organisations, as well as time at the Pensions Ombudsman, a spell in the Army, and as a commission-only salesman, which gave him a good insight into why people can do unusual things when under pressure. He even spent some time working underground with the National Coal Board at Orgreave and Manton Collieries.