Driving Risk Across the Enterprise: The Road Ahead

Jan 8 2016 | 7:12pm ET

Editor’s Note: The increasing use of SaaS systems is a macro trend in the alternative investment industry, enabling managers to concentrate on building their core businesses without the distraction of managing systems development and technology infrastructure. Yet for as much as investment managers worry about portfolio risk, they tend to miss the risks inherent in deploying such third-party systems, explains Robert Barsky of C&A Consulting.

Driving Information Across the Enterprise - The Road Ahead

By Robert M. Barsky

Principal, IT Practice, C&A Consulting 

In a leadership role, you are responsible for results, for applying strategic solutions to achieve the most value and greatest impact in building a business.  Since the consequences are on your watch, you gain an intimate understanding of how to identify and assess risks, anticipate (and initiate) changes and apply technology and other tools as a foundation for enterprise growth.  

Let’s think about your organization for a minute:

  • Is it possible that 40-50 service personnel you have never heard of have access to your firm’s trading activity in near real time?
  • Are there programmers in your organization (or off-shore) who are operating critical systems in production from their desktops and from home?
  • Do executives in your organization routinely upload the firm’s confidential information into the cloud, outside of the firm’s secured infrastructure?

Before answering these questions with a resounding, “No!” you should know that all three of these situations are typically found in hedge funds today.  Often, the CIO/CTO does not realize that these situations exist or wrongly believes they have been eliminated.  Usually, the CCO and other executives are unaware.  

In fact, the CCO, CFO, other executives and even the firm’s quantitative analysts often use flash drives or file-sharing software such as Dropbox for convenience. They understand that these practices violate their firm’s policies and guidelines and create a security risk. However, the executives do not fully realize the extent to which an organization’s most critical data is exposed. File-sharing sites, for example, host the data during the period of transfer, meaning that the information is copied to their cloud and away from the supervision and security of the hedge fund’s network infrastructure.

EVALUATING THE RISKS IN DEPLOYING 3RD PARTY SERVICES

A major challenge to controlling and managing the firm’s intellectual property is the deployment of Software-as-a-Service (SaaS) vendor applications for critical applications such as order management, contact management (CRM), portfolio management, risk management, and the general ledger.  The increasing use of these systems is a macro trend in the industry, enabling hedge funds to concentrate on building their core businesses without the distraction of self-managing systems development and an ever-growing technology infrastructure.  

The use of third-party administrators to manage the firm’s books and records is perhaps the most significant of these services. While it satisfies the demands of investor due diligence, the associated cost, and the firm’s capability to monitor outside administration of its books, vary widely.

Third party SaaS applications are typically managed by vendors with specialized expertise.  The systems may be hosted in a shared (multi-tenant) environment or on equipment dedicated to a single firm.  Typically, the data center environment is managed by the vendor in their cloud.  

The vendor service center usually has access to the application system in order to provide timely response to any problems or questions.  One major order management system vendor, for example, has a team of 40-50 service center personnel with the capability to log-in and view trading activity contemporaneously with the entry of data into the system by the hedge fund. 

By establishing a control framework, a firm can monitor and manage these vendors to a high degree and at reasonable cost. A strong control framework could include:

  • Requiring the vendor to maintain a rigorous audit trail, including log-in data. This would be reviewed periodically by the firm.
  • Requiring the vendor to provide policy information on its hiring practices and qualification standards.
  • Requiring the vendor to perform background checks on its service center employees.
  • Conducting an annual site visit, including a review of the vendor’s procedures and operating controls.
  • Maintaining a well-defined service level agreement.
  • Requiring the vendor to promptly disclose breaches of security, even if the firm’s specific system application was unaffected.
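The periodic audit-trail review that the first control above calls for can be made routine rather than ad hoc. The following Python script is an added example, not code from the article or from C&A Consulting: it reads a vendor’s exported log-in records and flags events that the firm should raise with the vendor, namely users who are not on the roster of disclosed service-center staff, staff whose background check is older than the firm requires, access outside the agreed support window, and log-ins that have no associated support ticket. The export format, the roster, the support window, the ticket convention and every user id are assumptions constructed for the example.

```python
"""Periodic review of a SaaS vendor's log-in audit trail (added example).

Assumes the vendor exports one comma-separated record per event:
UTC timestamp, vendor user id, action, support-ticket reference (blank if none),
and that the firm keeps a roster of disclosed service-center staff with the
date of each person's most recent background check.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample export (hypothetical records, not real vendor data).
SAMPLE_AUDIT_TRAIL = """\
2016-01-04T14:05:11Z,svc.alice,LOGIN,TCK-1001
2016-01-04T14:06:40Z,svc.alice,VIEW_ORDERS,TCK-1001
2016-01-04T23:48:02Z,svc.bob,LOGIN,
2016-01-04T23:49:15Z,svc.bob,VIEW_ORDERS,
2016-01-05T15:30:00Z,svc.unlisted,LOGIN,TCK-1002
2016-01-05T16:00:00Z,svc.carol,LOGIN,TCK-1003
"""

# Constructed roster: vendor user id -> date of the last background check.
APPROVED_VENDOR_STAFF = {
    "svc.alice": datetime(2015, 9, 1),
    "svc.bob": datetime(2015, 11, 15),
    "svc.carol": datetime(2014, 6, 1),  # more than a year old at review time
}

REVIEW_DATE = datetime(2016, 1, 8)               # date the firm runs the review
SUPPORT_WINDOW = (time(12, 0), time(23, 0))      # agreed vendor access hours (UTC)
BACKGROUND_CHECK_MAX_AGE = timedelta(days=365)   # refresh interval the firm requires


@dataclass
class Finding:
    line_no: int   # line in the vendor export, for the follow-up conversation
    user: str
    reason: str


def parse_audit_trail(text):
    """Turn the export into (line_no, timestamp, user, action, ticket) tuples."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        ts, user, action, ticket = raw.split(",", 3)
        records.append((line_no, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        user, action, ticket))
    return records


def review_audit_trail(text, roster, review_date):
    """Apply the firm's review rules to every record and collect findings."""
    findings = []
    for line_no, ts, user, action, ticket in parse_audit_trail(text):
        checked = roster.get(user)
        if checked is None:
            # Nobody the vendor disclosed to the firm should not have access.
            findings.append(Finding(line_no, user, "user not on disclosed vendor roster"))
            continue
        if review_date - checked > BACKGROUND_CHECK_MAX_AGE:
            findings.append(Finding(line_no, user, "background check older than 12 months"))
        if not (SUPPORT_WINDOW[0] <= ts.time() <= SUPPORT_WINDOW[1]):
            findings.append(Finding(line_no, user, "access outside agreed support window"))
        if action == "LOGIN" and not ticket:
            # Service-center access should be traceable to a request from the firm.
            findings.append(Finding(line_no, user, "log-in with no associated support ticket"))
    return findings


def summarise(findings):
    """Group reasons by vendor user so the review can be discussed with the vendor."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, []).append(f.reason)
    return by_user


def run_review():
    """Run the review over the constructed sample with the constructed roster."""
    return review_audit_trail(SAMPLE_AUDIT_TRAIL, APPROVED_VENDOR_STAFF, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run as a script it lists five findings: two for the off-hours access by `svc.bob` (one of them also lacking a ticket), one for the undisclosed `svc.unlisted`, and one for the stale background check on `svc.carol`; `svc.alice` produces none. In practice the roster and window would come from the vendor policy information and the service level agreement the other controls require, and the report would be kept as evidence that the review actually took place.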

DO YOU KNOW WHAT YOUR PROGRAMMERS ARE DOING?

It may be hard to believe that programmers often retain the capability to make changes directly into the production environment.  This violates security protocols and audit guidelines but remains a common practice stemming from the inertia of a legacy environment, the speed with which the original developer often can fix a problem in production, and a lack of documentation and information sharing.  

The exposure also extends to consultants who operate production systems from remote locations and from outside the firm’s direct oversight.  

A formal change control process is needed, including quality assurance testing, before program changes are entered into production. The production operation should be separately managed within the technology organization. Run books are required and should be an integral component of the disaster recovery test, which should be conducted at least once or twice a year.

Finally, management should closely review critical systems and workflow to identify and eliminate any single points of failure.  

Robert M. Barsky is a principal in the Information Technology Practice at C&A Consulting LLC. C&A’s IT practice provides strategic guidance including technology, data security, operations assessments, future state roadmaps, and digital media planning, along with tactical assistance including business continuity planning, vendor evaluations, PMO, and data management and governance.

