OPERATIONAL RISKAssessing and Mitigating Operational Risk

in a Changing Environment

NICSA Compliance and Risk Management

Committee

April 2009

ABSTRACT

The business, legal, technological, and regulatory environment in which the mutual

fund industry operates is increasingly dynamic.

The identification and mitigation of operational risks in such an environment

presents challenges for investment management firms in the industry and their

service providers.

NICSA’s Compliance and Risk Management Committee attempts to assist by

categorizing, analyzing, and recommending the best practices in addressing these

risks.

DEFINITION

OPERATIONAL RISK

The risk of direct or indirect loss

resulting from inadequate or failed

internal processes, controls, and systems,

or from external events

BACKGROUND

• The business, legal, technological, and regulatory environment in which the

mutual fund industry operates is increasingly dynamic.

• Clear articulation of the risks is necessary for the consistent application of risk

management techniques across business lines.

• Risk is "owned" by all employees of mutual fund investment management firms.

• An effective risk management program does not require the elimination or even the exhaustive mitigation of operational risk.

DEFINITION

GOAL

Foster an environment and a process for the

knowledgeable and comprehensive assessment

and acceptance of risks posed by the internal

processes, people, and systems of any enterprise in

the mutual fund industry

DESIGNING AN OPERATIONAL

RISK FRAMEWORK

A RISK FRAMEWORK

• Formalizes the identification, measurement, and reporting of operational risks

• Provides an easy‐to‐use system of recording and reporting risk events and trends

IDENTIFYING EMERGING RISKS

• Metrics that alert managers to potential risk exposures within a risk category

• Must be measurable and well documented

• Monitor the results over time

Key Risk Indicators

• Develop a continuous process to monitor changes in legislation, regulations, and industry practicesEnvironmental Scan

• Consider developing consistent practices across the organization to capture and track incidents and events

Issue / Incident / Event Tracking

IDENTIFYING EMERGING RISKS

• Periodically review the risk assessment results to reflect changes in the organization, business process, and business environment

Periodic Review of Risk Assessments

• Include senior management in the periodic discussionsPeriodic Interviews

of Management

• Involve board members in discussions about risk from multiple perspectives

Interaction with the Funds’ Board

RISK CONTROL ASSESSMENTS

OF SERVICE PROVIDERS

INTERNAL

• Internal Audit

• Periodic certifications from service providers

• Results of due diligence meetings or due diligence questionnaires

• Periodic meetings with management and compliance and operational personnel of service providers

• Trend reporting regarding critical operational and compliance areas

EXTERNAL

• SAS-70 (now SSAE 16) Type I: Control assessment

• SAS-70 (now SSAE 16) Type II: Control assessment plus testing

OTHER KEY COMPONENTS

• Policies specify the requirements and obligations to be addressed

• Procedures specify how the requirements are to be fulfilled

Policies and Procedures

• Standard framework, risk ratings, and common terms

• Formal training plan

• Communication plan

Training and Communication

• Periodic audit reviews

• TestingPeriodic Review

MORE INFORMATION

Read the complete white paper on the NICSA website

APPENDICES

Risk Categories and Definitions

Example Tools and Techniques for Risk Assessment

Example Risk Assessment Template

Risk Convergence

DISCLAIMER

Although the techniques, tools, observations, thoughts, and conclusions contained in this white

paper represent the best thoughts of the individuals comprising the NICSA Compliance and Risk

Management Committee, they do not necessarily reflect the views of the National Investment

Company Service Association or any of its member organizations. Similarly, although the

matters addressed in this white paper relate to operational risk management within

organizations, nothing herein is intended to be or should be construed as legal advice. You

should contact your own counsel to get legal advice regarding this or any other matter.

©2009 NICSA – National Investment Company Service Association