Welcome to the second edition of The Arc, a bi-monthly magazine regarding issues of compliance, risk and sustainability related to the business of Private Equity (“PE”).
A compliance framework is a cornerstone of any modern strategic and operational feature of a PE Firm, and this edition of The Arc outlines how a PE Firm can structure its compliance framework to be sustainable and resilient.
The Compliance Framework imperative
Emerging private equity managers (“EPEMs”) are asked to outline (or elaborate upon) two key matters during an operational due diligence:
- Describe the role of the Organisation’s internal advisory board(s) and describe any additional governing/advisory bodies that impact the management or investment activity of the Organisation; and
- Detail how the Organisation’s policies are supervised, monitored and enforced.
There are three difficulties faced in dealing with these matters:
- Emerging private equity organisations are often small enterprises, so the size of their organisation does not merit an institutional process;
- They are compelled by the pressures of fundraising to establish institutional processes they perceive to be inflexible or nonsensical for the size, scale and nature of their operations; and
- They are desirous to ensure any structure they do adopt is sustainable and adaptable.
EPEMs are usually born out of investment management personnel from larger and reputable private equity managers, with highly institutionalised policies and procedures. In most cases, those investment management personnel are accustomed to dealing with separate service line teams from legal, compliance, risk, portfolio and financial reporting, leaving them to focus solely on the function of investment.
What they have is what they lack. At formation, emerging private equity managers are equipped with rigorous commercial policies and investment procedures, overseen by an investment committee comprised of a competent and expert panel of senior or commercially technical members. However, they are either ill-equipped, lack the initiative, or lack adequate financial resources to address the immediate compliance, cybersecurity and sustainability risk considerations and requirements of institutional investors.
In this edition, we will address this problem by proposing an approach to compliance and a structure for governance that is:
- Strategic; and
- Sustainable.
Aligning Strategic Objectives to Compliance Strategy for a sustainable approach to compliance and cybersecurity governance
Most models for robust governance and compliance recommend a tiered structure that:
- Describes the purpose and values of the organisation;
- Describes the strategic objectives to pursue the purpose and preserve those values;
- Implements or “operationalises” those strategic objectives through policies and procedures; and
- Monitors the efficacy of those policies and procedures in implementing the strategic objectives.
EPEMs are predominantly formed by and composed of a small group of diligent investment personnel. However, these passionate, driven individuals may not necessarily be experienced in compliance, leading to an illusion of unlimited freedom in investment and organisational strategy.
However, this perceived freedom is not without its limits, including their:
- licensing restrictions in operating a financial services business;
- fiduciary obligations to investors;
- financial services business viability; and
- comprehension of a contemporary understanding of responsible investment practices.
Consequently, we recommend implementing at first instance a four-tiered governance structure:
- Regulated Board: This is usually the entity that holds a financial services licence, is a regulated alternative investment manager, or is a registered investment advisor;
- Executive Management Board or Steering Committee: This is a committee of senior executives responsible for certain risk areas, and key directors across regulated boards with a material interest in the organisation or the consolidated group;
- Committees or Functional Designations: Committees or functional designations for compliance, cybersecurity, sustainability, finance and investment;
- Business Line and Service Line teams, led by senior executives: This is necessary as the organisation grows.
A crucial step for EPEMs at formation is alignment of strategic objectives to the expectations of securities regulators for financial services businesses. This will assist EPEMs to pre-empt and mitigate emerging threats based on: (1) their assessment of the incidence and impact of each threat on the organisation; and (2) a benchmark of risk based on a suitable measure of efficacy (but not necessarily best practice). Core Strategic Objectives can then be identified and aligned to each governance tier as follows:
| Strategic Objectives | Delegated Committee | Risk Leader | Functional Areas |
|---|---|---|---|
| Responsible Investment | Investment Committee | Heads of Business Lines | Business Line teams |
| Legal, Ethical and Moral obligations | Sustainability (ESG) Committee or Function | Chief Compliance Officer and Heads of Business Lines | Sustainability Champions |
| Compliance | Compliance Committee or Function | Chief Compliance Officer | Chief Compliance Officer and nominated Regulated Compliance Officers |
| Alignment with Regulated Institutional Investors | Investment Committee, with assistance from Client Services/Marketing | Heads of Business Lines | Business Line teams; Client Services/Marketing |
| Protection of Personal Data and Preservation of highly regulated data | Compliance Committee/Function and Financial/Fund Operations collaboratively | Chief Operations Officer and Chief Compliance Officer | Chief Compliance Officer and nominated Regulated Compliance Officers; Chief Operations Officer and Data Analysis |
| Financial Sustainability | Finance and Fund Operations | Chief Financial Officer | Chief Financial Officer and Fund Operations Heads |
How is this structure a sustainable approach to compliance and cybersecurity governance?
Our strategy creates a sustainable approach to compliance and cybersecurity governance as follows:
| Strategy | Explanation |
|---|---|
| The Responsible Investment characteristics of the Organisation. | Demonstrates the importance of compliance and cybersecurity resilience. |
| Adherence to legal, ethical, and moral obligations required of the Organisation by stakeholders. | Indicates a requirement for systems thinking through cooperation with other stakeholders, mitigating residual compliance, cybersecurity and sustainability risk. |
| Adherence to a compliance framework that requires behaviour reflecting fairness, honesty and efficiency. | Demonstrates the importance of transparency and accountability in organisational dealings, and that ethical conduct is paramount. |
| Alignment with governance frameworks of highly regulated institutional investors and pension funds. | Indicates the Organisation must meet the expectations of clients for compliance risk management. |
| Adherence to obligations for the protection of personal data and preservation of highly regulated data. | Addresses a key compliance characteristic for financial services businesses. |
An evolutionary approach
An alternative course for an EPEM is to allow its financial services business to evolve organically, reflecting a transition from a small, domestic, single-product (private equity) enterprise to a medium-sized and potentially international enterprise with a diverse and dynamic product range. However, this approach depends on: strong and persistent participation of the Founders and Board over the life of the organisation; the integration of a culture with a mindset for compliance; and an appreciation of the value of investor protection and integrated risk management.
| Element | Early Years | Midlife | Mature |
|---|---|---|---|
| Oversight Model | Audit/Internal Controls (“check the box compliance”). Value attributed to scarce financial assets. | Compliance/Risk (“risk-based approach”). Value attributed to a concentration of highly regulated pension fund clients, focused on compliance and internal controls. | Operations/Compliance (“relative maturity in systems, structure and process”). Value attributed to data. |
| Employees | ~5-10 | ~20 | ~70+ |
| Diversity of Offices | 1 Office in one region | At least 3 Offices across different but culturally similar locations | Several Offices in multiple locations and cultures |
| Standards for reporting the efficacy of alternatives | Board comprised of around 3 Founders, whose expertise was as follows: Science or Engineering, Finance, Management Consulting, Marketing. | Board | Board |
| Culture setting | Board | Board | Board |
Elements of Good Governance
Good governance is demonstrated by:
- Adoption of a Governance Framework; and
- Management Processes to bolster compliance and cybersecurity risk management.
| Elements of Good Governance | Element Satisfied | Explanation |
|---|---|---|
| Leader buy-in | Strongly Satisfied, but culture changes with increasing size and scale. | By aligning stated Core Strategic Objectives to the Governance tiers, compliance and responsible investment practices are made paramount from inception. From the establishment of the organisation these strategic objectives reflect a prudent and risk-averse approach to the operation of a financial services business. It is important that the board, founders and senior executives have, or are given, a contemporary understanding of compliance and cybersecurity risk considerations, thereby influencing strategy and the adoption of best practices in compliance and cybersecurity from the start. This means that during these formative years, “Leadership buy-in” is an inherent and enduring essential element. |
| Designated and separate functions for compliance and cybersecurity | Partially satisfied | Although the organisation has allocated and distinguished the functions essential for organisational compliance and the security of information assets to senior executives, these are not the principal functions nominated to those individuals nor their core competencies. This is understandable for emerging private equity organisations because of the constraints of size and scale. Nevertheless, robust governance is supported by the separation of the compliance and cybersecurity functions between different individuals. Finally, as noted above, internal control through oversight by the Executive Management Board, involved directly in the development of strategy, design, implementation and management of the compliance and cybersecurity policies, is a favourable influence in preserving good governance and mitigating any compliance or cybersecurity risk. |
| Organisational Culture | As above, for Leadership Buy-In | A strong organisational culture is a natural consequence of Leadership buy-in and the leaders' appreciation (gained from having worked at organisations with highly institutionalised processes) of the constraints of the regulatory obligations for operating a financial services business. Reinforcement of an ethical culture demonstrates to securities regulators their comprehension that organisational culture is an essential element in the effective design of a compliance risk management program. |
| Clear policies and procedures | Satisfied | By promoting responsible investment practices and the constraints imposed by the quality and diversity of its institutional investors, clarity in policies and procedures is an unavoidable requirement for the organisation. |
| Response Plan | Partially satisfied; requires improvements in significant areas of the Analysis | The governance tiers reflect an intention to implement an effective response plan to threats and vulnerabilities in its compliance and cybersecurity frameworks, possessing these essential steps: 1. Identify, 2. Review, 3. Respond and Resolve, 4. Report and 5. Analyse for residual risk. |
Sustainable and Resilient Governance
The most important obstacle to the implementation of an effective compliance and cybersecurity governance plan for emerging private equity managers, in the absence of dedicated resources for compliance and cybersecurity, is the overlooking of two core management processes:
- Tracking return on risk mitigation; and
- Implementing metrics to measure the effectiveness of risk mitigation policies and procedures.
Thus, for a truly resilient approach to implementing a compliance and cybersecurity governance plan, emerging private equity managers need to:
- dedicate expertise and resources in the early years so that the internal compliance and cybersecurity champions are complemented by a dedicated complement of external and independent compliance and cybersecurity advisors, sufficiently educated in contemporary best practice for compliance, risk, threat intelligence, cybersecurity protection and crisis management;
- appoint compliance and cybersecurity champions who are senior officers with contemporary knowledge of those functional areas;
- enhance transparency in communication and in evaluation of the effectiveness of those compliance and cybersecurity functions, whether by other senior executives or board members or by the external independent compliance or cybersecurity advisors. Those other personnel might also be other board members, whose capacity is increased by a redesignation of the responsibility for securing information assets and mitigating compliance risk to the external advisors;
- enhance their operational and governance review of counterparties and outsourced providers by sharing resources and capabilities, engaging in proactive policy and procedural enhancements, and influencing best practice through integration of compliance into product design;
- ensure a consistent framework for oversight derived from a comprehensive, expertly integrated design of cybersecurity risk, impact and efficiency, with metrics that combine quantitative and qualitative aspects.
Training and Awareness
The final key ingredient in ensuring a robust compliance and cybersecurity governance structure is the training and awareness of personnel, which should possess the following characteristics:
- Complete Compliance and Security Awareness: Compliance and Cybersecurity champions must have access to real time contemporary and diverse sources of knowledge of compliance risk scenarios and threat intelligence.
- Assessment that is adequate: Training must be customised for various roles and functions within the organisation.
- Qualified trainers: Training must be conducted by qualified personnel in compliance, risk or information technology, or delivered as role-based training for non-specialists. The organisation must invest in resources for a training program designed by external and qualified expertise or by personnel with contemporary experience.
- Responsive and Contemporary scenarios: Training and awareness programs should incorporate contemporary scenarios with circumstances and consequences that resonate with senior executives undergoing the training.
- Provide multiple ways for training: Training and awareness should incorporate continuously updated online on-demand training.
- Measure efficacy of training and assess its contribution to improving awareness and protection for the mitigation of cybersecurity risk: There must be a formal measure of the effectiveness of training, and thus an accurate measure of the return on mitigation.
- Assess Personnel and material Service Providers: There must be continuous assessment of the proficiency of personnel.
A cohesive and holistic structure
At Thaddeus Martin Compliance, we recommend the following approach:
- Aligning the Compliance Strategy Objectives with Commercial Strategy Objectives.
- Devising a Compliance Overarching Approach that applies to all Policies and Procedures and that:
  - Clarifies the business context;
  - Establishes common management processes for the implementation of the Compliance Strategy;
  - Structures Policy and Procedure topics according to three asset categories: People, Financial, and Information;
  - Defines People assets to include: employees, senior managers responsible for Compliance, Risk and Sustainability, agents and representatives, legally authorised or appointed representatives, and material outsourced providers;
  - Clarifies the applicability of Policies and Procedures to relevant persons, by defining their application to People assets;
  - Clarifies the Governance structure and tiers of responsibility and oversight;
  - Creates the role of a “Convenor” for Compliance and for Cybersecurity, with the intention that Convenors are champions for each of those functional areas;
  - Enables Convenors to create “committees” of expert panels and advisors for each of their functional areas;
  - Clarifies the roles of the persons responsible for Compliance and Cybersecurity and of the Chief Financial Officer;
  - Creates functional descriptions for Compliance, Cybersecurity and Finance to provide complementary or supplementary experience and expertise in those functional areas to each Convenor;
  - Unifies risk management processes for all Policies and Procedures across the asset categories;
  - Clarifies the interrelationships between the Compliance, Cybersecurity and Finance functions;
  - Clarifies the interrelationships between different Policies and Procedures;
  - Harmonises the procedure for selection, appointment and monitoring of People assets.
- Devising a Procedural Policy that maps Policies and Procedures to:
  - Compliance Strategy Objectives;
  - Asset Categories;
  - Applicable general laws, standards and conduct expectations.

  The purpose of the Procedural Policy is to provide harmony and continuity as new policies and procedures are developed and as the business adapts to new laws and standards.

  - Incorporates charts that depict the flows of responsibilities, reporting, information, oversight and control.
- Devising a chart to reflect the structural intent:
  - Board: Responsible for the Strategic Objectives.
  - Compliance Convenor, CFO and Cybersecurity Convenor: Responsible for implementing the Strategic Objectives of the Board.
  - Functions: Providing structure, systems and resources for each function.
- Structuring documentation in these parts:
  - Compliance Overarching Approach: This part provides an overview of the business context and the regulatory landscape, sets the alignment of the compliance and cybersecurity strategic objectives with the commercial objectives, and describes the governance structure and the risk mitigation approach. This document evidences a significant part of your regulatory business plan. Regulatory business plans are required by securities regulators in most regions.
  - Procedural Policy: This part maps out policies and procedures according to the three main asset categories, the relevant laws and regulations, and the stakeholders of the business. This document demonstrates that your current suite of policies and procedures reflects the nature, size and scale of your business and operations.
  - Suite of Policies and Procedures: These contain all the policies and procedures, which can grow over time.
- Each policy and procedure for a subject matter is structured with nine key elements:
  - Asset Category – This element classifies a matter requiring a policy and procedure by the three asset categories (People, Financial, Information Assets) or as a specific obligation. It acts as a visual indicator informing the reader of the business context, prominence, relevance and applicability of a policy.
  - Visual indicators – These are icons, acting as visual references to the three main segments of Policies and Procedures: (i) Compliance Strategic objectives and requisite policies; (ii) corresponding rules and procedures (laws, standards and conduct); (iii) the controls and risk mitigation metrics.
  - Strategic Objective – This is the corresponding compliance strategic objective, setting out the relevant business context of the Policy and Procedures.
  - Policy Statement – These are the policy statements for a matter.
  - Laws – These are the relevant laws and regulations for a matter.
  - Standards – These are the relevant standards for a matter.
  - Conduct – These are statements about expected behaviour, roles and functions.
  - Controls – These are procedures ensuring the proper implementation of the policies.
  - Metrics – These are key indicators used to assess the controls and risk mitigation approaches.