Buy Side Risk Principles


RISK PRINCIPLES FOR ASSET MANAGERS

February 25, 2008

Prepared by
Buy Side Risk Managers Forum
and
Capital Market Risk Advisors

Copyright © 2008 Buy Side Risk Managers Forum and Capital Market Risk Advisors, Inc. The Risk Principles for Asset Managers may be reproduced on condition that said reproductions are not sold or otherwise reproduced for profit, and on condition that these Risk Principles are produced in their entirety, including this notice and all accompanying disclaimers. All other rights reserved.

Co-Chairmen

David Martin
Sr. Vice President/Chief Risk Officer
AllianceBernstein L.P.

Kenneth Winston
Managing Director/Chief Risk Officer
Morgan Stanley Investment Management

The Working Group

Mark C. Abbott, PRM
Managing Director, Quantitative Risk Management
Guardian Life

Sarah Collins
Sr. Risk Management Officer
The Dreyfus Corporation

Bennett Golub
Managing Director and Head of Risk and Quantitative Analysis
BlackRock, Inc.

Jacques Longerstaey
Managing Director, Head of Risk Management
Putnam Investments

Barbara Lucas
Partner
Capital Market Risk Advisors

Thomas Madden
Vice Chairman
Federated Investment Advisory Companies

Erwin Martens
Executive Vice President, Risk Management
TIAA-CREF

Charles Massare, Jr.
Partner, Director of Quantitative Research & Risk Management
Lord, Abbett & Co. LLC

Philip Hausken
Vice President, Head of Risk and Compliance
Northern Trust Global Investments

Leslie Rahl
President
Capital Market Risk Advisors

Abe Riazati
Managing Director, Head of Investment Risk
Evergreen Investments

Jacob Rosengarten
Managing Director
Goldman Sachs Asset Management

Theresa Schnepf
Managing Director, Risk Management
JP Morgan Asset Management

Mike Thorfinnson
Chief Operating Officer and Chief Risk Officer
TD Asset Management

Terry Watson
Global Risk & Compliance Director
Barclays Global Investors

Abraham L. Wons
Director, Operational Risk Management
Wellington Management Company
TABLE OF CONTENTS

1. INTRODUCTION
1.1 Changing Risks Require Changes in Risk Management.
1.2 Understanding the Relationship Between Risk and Reward Enhances All Aspects of the Asset Management Business.
1.3 Each Asset Manager Must Consider Risk From Its Own Perspective.

2. WHAT IS RISK?

3. WHAT IS RISK MANAGEMENT?

4. SUMMARY OF THE RISK PRINCIPLES

5. GOVERNANCE PRINCIPLES
5.1 Effective Risk Governance is an Important Component of Effective Risk Management.
5.2 Segregation of Functions Provides a Key Check and Balance.
5.3 Understanding and Managing Risk is Everyone’s Responsibility.
5.4 Independence of Control Groups From the Line Organization is a Good Check and Balance.
5.5 Independent Risk Management is an Important Control.
5.6 Acknowledging and Understanding Fiduciary Responsibilities is Crucial to Managing Risk.
5.7 Senior Management’s Establishment of a Risk Conscious Culture is a Component of Effective Risk Management.
5.8 Written Policies, Procedures, Ethics Codes, Guidelines and Documentation Should be Clear, Unambiguous and Achievable. Say What You Do and Do What You Say.
5.9 Formal Exception and Escalation Procedures are Important.
5.10 Reputation Risk is a Critical Factor in Asset Management Businesses and Must be Carefully Managed.
5.11 Employee Education is Critical to a Risk Conscious Culture.
5.12 It is Important to Determine and Track Firm Risk Tolerance.
5.13 Consideration Should be Given to the Risk, Compliance, Operations, Legal, and Systems Risks Posed by New Products and Strategies Prior to Launch.

6. INVESTMENT RISK PRINCIPLES
6.1 Investment Performance Should be Measured and Monitored.
6.2 Investment Risk Should be Measured and Monitored.
6.3 Liquidity Risk Should be Measured and Monitored.
6.4 Concentration Risk Needs to be Tracked and Understood.
6.5 Risks Attributable to Leverage Should be Tracked and Understood.
6.6 Client Risk Tolerances and Expectations Should be Known and Monitored.
6.7 Valuation Methodologies Should be Fair and Consistent.
6.8 The Use of Various Statistical Tools and Avoidance of Over-Reliance on Any Single Statistical Tool is Desirable.
6.9 Stress Testing is an Important Tool in Analyzing Risk.
6.10 Capacity Should Be Taken Into Consideration in Accepting New Investments and Allocating Opportunities Among Existing Investors.
6.11 Issuer and Counterparty Credit Risk Should be Tracked and Managed on an Aggregate Basis.

7. OPERATIONAL RISK PRINCIPLES
7.1 Operational Risk Should be Measured and Monitored.
7.2 Adequate Systems, Processes and Resources are an Integral Part of Risk Management.
7.3 Spreadsheet and other End-User Tool Risk Should be Reduced and/or Controlled to the Greatest Extent Possible.
7.4 Model Risk Should be Identified and Controlled.
7.5 Adequate Backup and Disaster Recovery is Critical.
7.6 Effective Records Management is Becoming Increasingly Crucial.
7.7 Effective System Security is Necessary to Protect the Interests of Employees and Clients.
7.8 Risk Pertaining to Subadvisors, Custodians and Outsourced Service Providers Should be Managed.
1. INTRODUCTION
The Buy Side Risk Managers Forum (“BSRMF”) is composed of heads of risk management and chief risk officers from “traditional” asset management and investment advisory companies, i.e., money managers offering mutual funds, managed accounts and other traditional investment products [1]. Its membership includes asset management firms operating in the U.S. and around the world focused on retail, high net worth and institutional clients. The group, which explores and attempts to define best practices for buy side firms, has prepared this document in conjunction with Capital Market Risk Advisors for the purpose of setting out general principles of good risk management for use by its members. In so doing, BSRMF has drawn on the experience and expertise of its members as well as the extensive work done in the past by various groups with respect to risk management [2].

While these earlier works have been extremely valuable in fostering the development of
sound risk management practices, BSRMF believes a new set of principles is appropriate
at this time for several reasons. First, in recent years, the asset management industry’s
understanding of risk has continued to evolve as a result of market, economic and
technological developments. Second, there is a growing appreciation among asset
managers and other market participants that risk management is not only important in
minimizing and controlling loss; it can also play a significant role in the portfolio
construction and management process, where a better understanding of the relationship
between risk and return can enhance performance. Finally, unlike earlier work which
focused on risk issues primarily from the institutional investor, hedge fund and banking
perspectives, these principles are primarily for the purpose of providing guidance to
traditional asset management firms in developing and assessing their risk management
programs and have been drafted from that perspective. Although they overlap in some
respects with principles applicable to other types of financial services firms and
institutional investors, they also differ in many ways.

1.1 Changing Risks Require Changes in Risk Management.

In recent years, there have been many market events and developments that changed our understanding of risk. Examples of some such occurrences include the following:

 The subprime mortgage meltdown, the asset-backed commercial paper and SIV debacle, the Asian crisis, the failure of Long Term Capital, the Russian debt crisis, the bursting of the technology bubble, the failure of Enron and WorldCom, among other events, which changed our understanding of the interrelationship between various risks and how to measure and monitor them.

 The market timing scandal, IPO allocation cases, as well as numerous litigations involving improper valuations, misleading disclosures, undisclosed conflicts of interest and other fiduciary lapses, and the severe consequences faced by affected firms, all of which have increased awareness of the potential magnitude of reputational risk.

 The development of new instruments, including credit default swaps, CDOs, volatility and correlation swaps and other complex new instruments, which provided additional sources of liquidity and opportunity while also demonstrating the hidden costs of complexity, the perils of “marking to model,” placing too much reliance on ratings, expected correlations and other assumptions, and the need for a more integrated approach to risk management.

 The development of new systems and technologies which make it easier to measure and track risk but which introduce new risks into the process.

 September 11, and various operational blow-ups, which changed asset managers’ awareness of the importance of business continuity plans, disaster recovery and the management of other operational risks.

[1] While some “traditional” firms offer hedge funds in addition to other products, and some risk management principles are applicable to all investment products, including hedge funds, these principles are primarily directed at traditional (as opposed to hedge fund) managers.
[2] See, for example, Risk Standards for Institutional Investment Managers and Institutional Investors, created by the Risk Standards Working Group (1996); Sound Practices for Hedge Fund Managers, created by the Managed Funds Association (2005); Sound Practices for the Management and Supervision of Operational Risk, Basel Committee Publications No. 96 (2003).

As a result of these and other events, thinking on risk management has evolved and no
doubt will continue to do so. Today, there is a growing awareness that risk governance is
an important aspect of risk management, that development of a risk conscious culture is
itself a form of risk management, that risk management must be applied at both the
enterprise and portfolio level, that operational risk management is at least as significant
as investment risk management and that risk management is not strictly quantitative but
also qualitative in nature. As a result of this broader understanding of risk, market
participants are increasingly aware that risk management can no longer be viewed as the
responsibility of one individual or one department; it is the responsibility of all.

1.2 Understanding the Relationship Between Risk and Reward Enhances All Aspects of the Asset Management Business.
Although in the past risk management was thought of primarily as a mechanism for
measuring, monitoring and preventing market loss, there is a growing awareness that it
also serves a broader, more proactive purpose. The asset management business has two
classes of risks: those that have alpha associated with them and those that are
characterized strictly by the risk of loss. Unlike market risk, counterparty and operational
risk have no return (alpha) associated with them and thus, should be minimized to the
extent that is cost effective and practical. Market risk (including its credit spread
component), on the other hand, does not need to be minimized; it needs to be optimized
in order to maximize a portfolio’s risk adjusted return, which is a firm’s principal
investment function. Market risk is, in a sense, a strategic asset which, like all strategic
assets, should be allocated in a thoughtful manner. A knowledgeable risk management
team can help asset managers maximize risk-adjusted returns and budget risk to
opportunities with the best investment potential while reducing operational and other
non-investment risk in a cost-effective way. It is advisable for asset management
companies to continually take into account the role of risk in portfolio construction,
investment management, and other aspects of their business.

1.3 Each Asset Manager Must Consider Risk From Its Own
Perspective.
While certain risks are common to all market participants, asset managers generally think
about risk differently than either proprietary traders (including commercial and
investment banks) or institutional investors. Unlike proprietary traders investing their
own capital, traditional asset managers typically invest their clients’ money according to
specific investment objectives and guidelines chosen by their clients, in some cases in
consultation with the managers. At the portfolio level, the major risk is not meeting
client objectives. Portfolio managers need to understand how well they have performed
relative to such objectives, what risk factors may lead them to deviate from these
objectives, and whether the risks being taken are commensurate with the expected rewards.
For portfolios designed to track a specific benchmark, there may be hard limits on
deviations from the benchmark. In those cases, managers are constrained in managing
portfolios. Even at the “enterprise” level, while buy side firms face comparable risks to
proprietary trading firms, i.e., with respect to those generic risks that are common to all
trading organizations such as operational and disaster recovery risk, they also face
fiduciary risk vis-à-vis their clients that proprietary trading organizations generally need
not be concerned with. These include risks relating to the management of conflicts of
interest between clients, fair allocations of limited opportunities, and management of
operational, systems, counterparty credit, legal and reputational risks in a way that
comports with the high standard of care fiduciaries are required to meet. Thus, even
where a general risk management principle is applicable to all types of market
participants, each asset manager must apply that principle in a way that is consistent with
its own unique perspective.

The purpose of the principles set forth below is to provide a general framework reflecting
the evolving understanding of risk from the buy side perspective. It is hoped that the
principles will provide a useful reference for buy side firms in developing and assessing
their own risk management structures and programs. Since buy side firms differ greatly
one from another in terms of size, complexity, product mix, client type and legal and
regulatory structures, however, what is appropriate for one firm may not be appropriate
for another. These principles are in no way intended to be prescriptive. Each firm must
determine whether and to what extent they make sense in light of its unique
characteristics.

2. WHAT IS RISK?
Risk can be defined in many ways. In a narrow sense, risk is the possibility of loss or a bad outcome, but in a broader sense it is a neutral measure of the degree to which uncertainty exists about the outcome of an action. As the picture below shows, buy side firms are subject to a long and constantly growing roster of risks, including but not limited to fiduciary risk, market risk, liquidity risk, counterparty and issuer credit risk, operational risk, legal risk and reputational risk.

Risk-taking is an intrinsic part of all investment businesses including the asset management business. Without risk, there would be no returns. Although risks neither can nor should be eliminated, in a well-controlled risk environment, they can generally be anticipated and managed and the adequacy of compensation received for risk-taking can be assessed, making it possible to rationalize the relationship between risk and reward.

3. WHAT IS RISK MANAGEMENT?
Risk management is the process of identifying, assessing and controlling both enterprise
and portfolio risks in order to minimize unanticipated losses and uncompensated risks
and optimize the reward/risk ratio. While risk management and compliance are closely
related in the sense that both areas are responsible for managing various types of risks,
the focus of risk management personnel generally is on market, credit and operational
risk while the focus of compliance departments is on legal and regulatory risk.
Additionally, a risk manager usually has a strategic role that differs from the role of the
compliance officer. That said, the division of responsibilities between risk and
compliance differs from firm to firm, and there is no standardized division of
responsibility. In defining risk management for purposes of these principles, the BSRMF
has taken a ‘holistic’ rather than ‘jurisdictional’ approach, and, although we have not
attempted to delineate all legal and compliance risks, we have addressed the major
categories of risks facing asset management companies without regard to where
responsibility for management of such risks is lodged.

In establishing and assessing each firm’s risk management program, it is important to keep in mind that different firms face different types and levels of risks. Risk
management in retail firms is different than risk management in institutional firms. Risk
management for pooled investment vehicles is different than risk management for
managed accounts. Firms dealing in single geographies and time zones face different
risks than those operating across geographies and time zones. Firms dealing exclusively
in highly liquid exchange-traded instruments face different issues than those dealing in
illiquid and complex OTC instruments. Firms with a single office have different risks
than multi-branch firms. Large firms have different issues than small firms. Regulated
firms and firms subject to regulatory capital regimes face different issues than
unregulated firms.

Even as to any single category of risk common to multiple firms, moreover, there is a
broad range of acceptable risk management approaches and often no consensus as to
what constitutes “best practice.” Accordingly, in designing and maintaining risk
management programs, it is important for buy side firms to identify the specific risks
most relevant to their businesses and to monitor how those risks change over time.
Equally important is the development of risk management programs that are achievable,
not aspirational, in the context of a particular firm, taking into account the nature of its
products and clients, as well as their size, complexity, culture and resources. The most
elaborate risk management program will fail if it doesn’t fit the organization or is beyond
the organization’s ability to implement. When it comes to buy side risk management, one
size will never fit all.

4. SUMMARY OF THE RISK PRINCIPLES
The following principles address issues that are typically relevant to buy side firms. For
ease of reference, they are divided into three sections:

 The Governance section contains risk principles relating to organizational structure and oversight mechanisms. It addresses the importance of independent controls, segregation of functions, senior management involvement in risk management and oversight, and adoption of appropriate policies and procedures;

 The Investment Risk section contains risk principles relating to the need for various risk controls at the portfolio level. It addresses market risk, liquidity risk, leverage, valuations and other aspects of investment risk; and

 The Operational Risk section contains risk principles relating to various types of risks that occur in the ordinary course of business and in disasters. It addresses the importance of identifying, assessing, and monitoring these risks, putting in place adequate systems and minimizing manual processes, managing counterparty credit risk, and assuring business continuity in a disaster.

These principles are offered as a guide to boards, trustees, senior managers and risk
personnel who are developing and evaluating their risk management structure. The
degree to which any particular principle is critical to any particular firm, however, will,
as explained above, depend on many factors, and each firm is well-advised to carefully
consider its particular risks and the most effective way to address them.

5. GOVERNANCE PRINCIPLES
One of the keys to effective risk management is a risk governance structure that provides
appropriate senior level oversight, segregation of functions, independent control groups
and organizational checks and balances within a risk conscious culture. Principles
relevant to risk governance are set forth below.

5.1 Effective Risk Governance is an Important Component of Effective Risk Management.
Risk governance refers to the creation of checks and balances through organizational structure. Although risk governance structures will vary depending on the size and complexity of each organization, effective risk management generally requires:

 Establishment of organizational checks and balances, including an appropriate segregation of front/back and/or middle office functions; [3]

 Creation of a culture in which understanding and managing risk is everyone’s responsibility;

 Independent control groups, including, where possible, a risk manager [4] reporting and/or having access to the CAO, CEO, Board, Executive Committee or the like;

 Senior management and board level understanding of risks, definition of risk tolerances, and setting of risk management and ethical tone;

 An organizational structure in which risk management roles and responsibilities are clearly defined, including written policies and other procedures identifying the specific people within the organization who are authorized to approve various actions, make exceptions to various policies, etc.

[3] In an asset management company, portfolio management, research and trading are typically front office functions, while customer support, account opening and documentation functions are typically middle office functions (to the extent a middle office exists), and operations and systems are back office functions.
[4] We note that, according to a recent survey of mutual funds conducted by the Investment Company Institute (“ICI”), “[t]he vast majority of mutual fund organizations do not appear to have established the position of CRO to oversee the organization’s risks,” although there is a growing trend towards creating such positions. ICI, “Chief Risk Officers in the Mutual Fund Industry: Who Are They and What is their Role Within the Organization?”

5.2 Segregation of Functions Provides a Key Check and Balance.
Asset management companies should be organized in a manner that provides appropriate
checks and balances. This necessitates the segregation of control functions from line
functions as well as the segregation of front office functions from middle/back office
functions to ensure independent verification of trade details, valuations, etc.

Experience has shown the importance of adequate segregation of investment and support
functions. Depending on the size and complexity of the organization, as well as its
culture, this may necessitate dividing responsibilities between a front, middle and back
office or in the alternative, a front and back office only. From a control perspective, the
existence or non-existence of a middle office is not particularly important. What is
important is that the front office person responsible for bringing in new clients and/or
entering into transactions, i.e., the marketer, portfolio manager or trader, is not the person
(or the subordinate or superior of the person) responsible for determining the
acceptability of the client or counterparty from a credit perspective, or for checking and
entering full trade details, confirming, comparing and settling the trade, valuing the trade
initially and on an ongoing basis, monitoring the risks attributable to the transaction
(consistent with the risk measurement system that has been established), and determining
whether it is acceptable to exceed established limits without participation of various
control groups.

Appropriate segregation of functions requires that trades be verified, confirmed, compared, valued, etc. by people other than traders, and that independent checks and balances exist at every stage of the process so that intentional or unintentional misstatements and other errors do not remain unresolved.

5.3 Understanding and Managing Risk is Everyone’s
Responsibility.
While designated risk management professionals play a significant role in managing and
controlling risk, risk management is much more than policing and enforcing limits.
Viewed in the broadest sense, risk management is the responsibility of all. Employees at
every level must be cognizant of risks and willing to do their part to make sure those risks
within their sphere of responsibility are managed in a manner that is consistent with the
firm’s policies, disclosures provided to clients as well as client guidelines. Even the most
detailed and sophisticated risk management programs are unlikely to be effective in the
absence of a risk conscious culture.

 Boards of Directors, trustees or other governing bodies have a responsibility to understand the major risks applicable to their firms and approve and periodically review the firm-wide risk management framework, including how risk is to be identified, assessed, monitored and controlled.

 Senior management is responsible for overseeing the establishment and implementation of a risk management framework, including policies, procedures, systems and methodologies, and for assuring they are complied with. A management that considers the risks attributable to new products and strategies before they are approved for first use and periodically thereafter, that sets risk tolerances at the enterprise level and makes sure they are adhered to, and that receives information on an ongoing basis sufficient to enable it to anticipate problems and make midcourse corrections, is a management that is less likely to encounter the types of problems, including unanticipated losses, reputational and operational blow-ups, style drift, and guideline breaches, that have caused losses to investors and buy-side firms in the past.

 Line managers are responsible for complying with applicable policies and procedures and should be evaluated on how well they do so.

 Portfolio managers are responsible for maintaining levels of portfolio risk consistent with representations made to clients and/or required by client guidelines. (Risk levels should be monitored with a view to preventing both insufficient and excessive risk-taking.)

 Operations personnel are responsible for adhering to operational policies and procedures to control risk.

 Control groups are responsible for measuring and monitoring risk and for conducting independent reviews of compliance with risk management and other policies.
5.4 Independence of Control Groups From the Line
Organization is a Good Check and Balance.
Control groups play a vital function in asset management businesses. These groups,
including risk management [5], credit, legal, compliance, financial control and internal audit
can be centralized or decentralized, and can be structured in various ways, depending on
the size and complexity of the organization and the range of products traded.

Regardless how they are structured, control groups need to have sufficient independence
to be able to perform proper monitoring. This generally means that they should report
outside the business lines they are charged with monitoring, and possibly to the board, the
CEO or at other very senior levels to assure proper stature in the firm as well as access to
key decision makers.

5.5 Independent Risk Management is an Important Control.
While a dedicated risk management staff may not be feasible or appropriate for all firms,
a knowledgeable, skilled, risk manager (“CRO”) reporting and/or having access to the
CAO, CEO, Board, Executive Committee or the like can be an important component of
effective risk management. Regardless of reporting lines, a mechanism by which the
opinions of the risk manager can be freely communicated to senior management and the
Board can be a valuable component of effective risk management.

Although in some firms the CRO serves primarily as a monitor and enforcer of limits, a
broader, more proactive role for consideration of risk is beneficial. This might entail
independent risk personnel considering risk on both an enterprise-wide and discrete basis,
coordinating the periodic identification of risks by various business groups, as well as
providing input into investment strategy, risk budgeting, portfolio construction, etc. on an
advisory basis. Alternatively, the proactive aspects of risk could be separated from the
monitoring and compliance aspects of risk management, with the former functions
performed by front office personnel and the latter performed by independent risk
managers. Either way, it is useful to consider whether risk is being taken intelligently
and strategically with a reasonable expectation of being rewarded. The goal is not to
eliminate risk, but rather to identify and understand risks being taken and ensure that the
risks retained are well understood and well managed.

Another role of a CRO is to identify opportunities where risk can be laid off or
transformed. Some firms, for example, are more skilled at managing market risk than
operational risk and might elect to outsource complex, operational intensive risk and take
on direct market risk instead. Others are more skilled at managing credit risk than market
risk, etc.

[5] Risk management typically includes risk monitoring and control functions as well as a strategic function. In some firms, these functions are combined in a single organizational unit; in other firms, they are separate. Thus the degree to which risk management should be considered a control group varies from firm to firm.
The CRO is also generally a key member of senior management and can add substantial
value by briefing line managers on evolving practices and new tools as well as systemic
risk themes as they evolve.

The CRO should oversee the creation and implementation of written risk policies that are
clear and realistic rather than aspirational. While line groups and other control groups,
including Legal and Compliance, are involved in creation of some policies, it is usually
the CRO who insures that risk policies adequately address the risk issues relevant to the
particular firm, that consistent risk policies are adopted throughout the organization, and
that they are followed and updated on both a periodic basis and as circumstances change
(e.g. large market moves, crises, problems with competitors, changes in regulations, etc.).
One of the most important roles of effective risk policies is to clearly identify exceptions
and establish appropriate escalation procedures, and related documentation.

5.6 Acknowledging and Understanding Fiduciary Responsibilities is Crucial to Managing Risk.
Fiduciaries have a legal obligation to act in the best interest of their clients, to treat all
clients fairly and to meet a very high standard of care. For buy side firms acting in a
fiduciary capacity, it is important that the nature and extent of their fiduciary duties be
clearly understood by employees and clients alike. To accomplish this, fiduciary
obligations should be clearly spelled out in applicable investment or management
agreements and other legal documentation, and understood by all relevant parties.
Equally important, employees need to be cognizant of their fiduciary obligations and to
consider those obligations in their ongoing decision-making. If a particular action or
decision would benefit one client or class of clients over another, or other conflicts of
interest exist, such action, decision or conflict should be considered from a fiduciary risk
perspective and appropriately disclosed and/or resolved. The incorporation of a fiduciary
mindset into a firm’s culture is itself a risk control.

It is also important for fiduciaries to remember that placing client money with or
outsourcing to external advisers and sub-advisers, administrators or other third party service
providers does not extinguish the fiduciary obligation owed to clients. Accordingly, it is
advisable that third party and outsourced relationships be reviewed and managed so as to
assure that fiduciary issues are identified and fiduciary obligations are met.

5.7 Senior Management’s Establishment of a Risk Conscious Culture is a Component of Effective Risk Management.

One of the most important risk controls a buy side business can have is a risk conscious
culture in which risks are well-understood, tolerances are clearly defined and risk/return
tradeoffs are considered. Creating a risk conscious culture requires conscious effort by
senior management. In addition to determining and communicating their risk tolerances,
senior managers set the ethical and fiduciary tone for the organization. Whether or not
this necessitates the adoption of a formal ethics policy (as is legally required under some
regulatory schemes) or a less formal but equally rigorous articulation of values, effective
risk management involves having senior management define both the risk profile and
values of the organization, communicate them to employees at the outset of the
employment relationship and periodically thereafter, and require that those values be
adhered to at all times by themselves and their employees.

5.8 Written Policies, Procedures, Ethics Codes, Guidelines and Documentation Should be Clear, Unambiguous and Achievable. Say What You Do and Do What You Say.
Asset managers and investment advisers are in many cases legally required to adopt
written policies, procedures and ethics codes. Even where not legally required, written
policies and procedures and formal ethics codes have become increasingly common for
asset management firms. These are useful risk management tools so long as they are
realistic rather than aspirational and so long as they are actually followed. It is less risky
to adopt policies and procedures that are realistic, even if flawed, than to adopt perfect
policies and procedures that cannot realistically be adhered to.

In addition to written policies and procedures, asset managers must adhere to investment
guidelines provided by clients or disclosed in fund or account documentation. Because of
the fiduciary and legal significance of staying within the relevant guidelines and
disclosures, it is important that these documents be clear and unambiguous on their face,
requiring little or no interpretation on the part of the firm. In addition to a legal review,
guidelines and disclosures describing investment strategies, restrictions, etc. warrant
careful review by affected business areas to be sure that each affected business unit has
the ability to comply with such guidelines.

5.9 Formal Exception and Escalation Procedures are Important.
In a complex business environment, operational problems, limit breaches, etc. can and do
happen and exceptions from established policies and procedures are occasionally
necessary. In order to limit risks attributable to such exceptions, it is helpful to identify
who within an organization has exception authority, how long various exceptions can
exist, who in the management chain needs to be apprised of exceptions, and what
documentation needs to be kept. It is also useful to determine in advance what
exceptions, particularly those involving investment guidelines, should be brought to a
client’s attention, and the time frame within which to do so.

5.10 Reputation Risk is a Critical Factor in Asset Management Businesses and Must be Carefully Managed.
In fiduciary businesses, reputation is critical. History has shown that the harm caused by
reputational risk can be grossly disproportional to the injury caused to investors by
matters giving rise to that risk. Sources of “reputational” exposures are present in
virtually every facet of a firm’s business and every business/client relationship a firm
enters into. These issues must be evaluated on a continuing basis.
To prevent problems from developing, senior management must articulate, adhere to (and
require others to adhere to) clear ethical standards, and create a risk conscious culture.

Asset managers must always remember that they are fiduciaries. To the extent a written
ethics statement is in place, it should address how key conflicts are handled so as to
control conflicts between the interests of multiple clients and the interests of the firm and
its employees.

5.11 Employee Education is Critical to a Risk Conscious Culture.
Depending on the applicable regulatory framework, many asset managers have a legal
obligation to provide ongoing education to their employees with respect to ethics and
compliance issues. Even where education is not legally required, it is a critical aspect of
developing a risk conscious culture. Employees need to be aware of what it means to be
a fiduciary, what legal, compliance, and risk management issues are relevant to particular
departments and the firm, and how the firm chooses to deal with them as well as to
understand the particular business issues applicable to various functions and how they
change over time. The better employees understand the risks attributable to their
businesses, products and functions, the more likely they are to control them.

5.12 It is Important to Determine & Track Firm Risk Tolerance.

To the extent deemed desirable, every organization should decide its risk profile and
tolerance and whether or not a limit structure is appropriate. The level of aggregation for
firm metrics and house limits varies by firm, as do concentration limits.

Risk exists at both an ‘enterprise’ and portfolio level. Both are important but lend
themselves to different metrics. Whether or not it is desirable to aggregate portfolio risk
is a firm by firm issue. Whether to aggregate market and concentration risks at the
enterprise level is a controversial issue, with no consensus on “best practice.” It is
generally agreed, however, that aggregating counterparty exposure across products (equity,
debt, securities lending, etc.) and other relationships with the lender is also a vital part of
assessing overall risk.

Whatever approach is taken, risk exposures should be measured and managed and
reported on a regular basis as well as when significant market moves occur.

5.13 Consideration Should be Given to The Market, Compliance, Operations, Legal and Systems Risks Posed by New Products and Strategies Prior to Launch.
The asset management world is constantly evolving and new products are being
developed. Written policies regarding new product development and launch can reduce
risk. The approach that is most often used is a new product committee that typically
includes representatives of the front office, operations, systems, risk management, legal,
and financial control. Each member is responsible for identifying issues raised by the
product within his/her area of responsibility and making sure that these issues are
satisfactorily resolved in advance of approval and first use of the product. The decision
whether to trade a new product and how to address whatever risk, legal, systems,
operations or other issues it raises should be considered and resolved prior to launch of
the product.

6. INVESTMENT RISK PRINCIPLES


In contrast to proprietary traders who establish their own risk tolerance, in asset
management firms, responsibility for establishing investment guidelines and risk profiles
usually is the responsibility of the client, in some cases in consultation with the manager.
Moreover, for those investment portfolios that are measured versus a benchmark rather
than on an absolute return basis, a key investment risk is that performance will fall short
of the benchmark. Accordingly, asset managers are often judged by the variability of
returns relative to the benchmark and therefore risk is also often tracked relative to the
benchmark. Despite these differences, there are various risk management principles that
are relevant to investment risk oversight in asset management companies.

6.1 Investment Performance Should be Measured and Monitored
Performance analysis is an important facet of investment risk management. Every
portfolio should have a defined benchmark or other objective and should be monitored
against that benchmark or objective. Performance attribution should be undertaken to
isolate the factors that have contributed to under or over performance.

6.2 Investment Risk Should be Measured and Monitored.
Regardless of whether risk tolerances have been selected by the client or asset manager,
various metrics should be considered to measure and monitor investment risk. Some
common metrics include standard deviation, tracking error (standard deviation of the
difference of returns between a portfolio and a benchmark), expected shortfall, downside
semi-standard deviation, and value at risk (VaR)6. While each metric is useful, none tells
the entire story. Thus it is useful to employ a combination of metrics.

Measuring risk can be done on either an ex post or ex ante basis. Both can be important
to a robust approach. Where back-testing is used, expected returns, risks and correlations
should be updated and reassessed based on comparisons of risk and returns to what back-
tests have forecast. Risk attribution should also be performed in a manner consistent with
the methodology used for performance attribution.

Once a framework for measuring risk is established, some firms may find it useful to
allocate a risk budget and to track performance per unit of risk budget. When VaR or
other risk budgeting metrics are used, consideration should be given to tracking and
setting goals based on a return to VaR or other metric chosen.

6.3 Liquidity Risk Should be Measured and Monitored.

Liquidity risk is another key element of market risk that requires significant attention.
There are two key components of liquidity risk:

• The liquidity of individual instruments and the implication of such liquidity for pricing.

• Any mismatch between the liquidity of the portfolio versus the liquidity provisions offered to investors.

There have been many high profile problems recently and over time (including freezes in
the asset-backed commercial paper, CDO and subprime mortgage securities markets as
well as so-called “break the buck” concerns involving money market funds triggered by
“Kitchen Sink bonds” in 1994 or SIVs more recently) where the need to fund
redemptions and/or margin calls precipitated losses and failures at funds trading illiquid
and longer dated securities. For this reason, measuring and monitoring liquidity risk is an
important aspect of risk management.

6 VaR is widely used in banks and other “sell side” firms. For example, 99% one-day VaR would be
-3.5% if the distribution of one-day returns on the investment was such that 99% of the time, the return
was expected to be -3.5% or more. When used by an asset manager whose objective is benchmarked,
relative VaR expressing behavior versus the benchmark is used. Thus a 99% one-day relative VaR would
be -3.5% if the distribution of one-day returns was such that 99% of the time, the difference between the
return on the portfolio and the return on the benchmark was expected to be -3.5% or more.
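As an added illustration of the metrics listed in 6.2 and of the VaR convention in footnote 6 (example code written for this page, not part of the original document or of any firm's methodology), the following Python computes each metric on a constructed 20-day sample of portfolio and benchmark returns. The return figures, the 95% confidence level (chosen because 20 observations cannot resolve a 1% tail), and the population-standard-deviation convention are all assumptions of this example.

```python
"""Investment risk metrics from section 6.2, computed on constructed daily returns.

All figures are percentage returns. The sample is made up for this example.
"""
import math
from statistics import mean, pstdev
from typing import Sequence

# Constructed 20-day sample (percent); not data from the document.
PORTFOLIO_RETURNS = [0.5, -1.2, 0.8, 0.3, -0.4, 1.1, -2.5, 0.6, 0.2, -0.7,
                     0.9, -0.1, 1.4, -1.8, 0.4, 0.7, -0.3, 0.1, -3.1, 0.5]
BENCHMARK_RETURNS = [0.4, -1.0, 0.6, 0.2, -0.3, 0.9, -2.0, 0.5, 0.3, -0.6,
                     0.7, 0.0, 1.2, -1.5, 0.3, 0.6, -0.2, 0.2, -2.6, 0.4]


def standard_deviation(returns: Sequence[float]) -> float:
    """Total volatility of returns (population convention, an assumption here)."""
    return pstdev(returns)


def active_returns(portfolio: Sequence[float], benchmark: Sequence[float]) -> list[float]:
    """Day-by-day return difference between the portfolio and its benchmark."""
    if len(portfolio) != len(benchmark):
        raise ValueError("portfolio and benchmark series must cover the same days")
    return [p - b for p, b in zip(portfolio, benchmark)]


def tracking_error(portfolio: Sequence[float], benchmark: Sequence[float]) -> float:
    """Tracking error: standard deviation of the active returns (the 6.2 definition)."""
    return pstdev(active_returns(portfolio, benchmark))


def downside_semi_deviation(returns: Sequence[float], target: float = 0.0) -> float:
    """Root mean square of shortfalls below `target`; days above target contribute zero."""
    shortfalls = [min(r - target, 0.0) ** 2 for r in returns]
    return math.sqrt(mean(shortfalls))


def _tail_size(observations: int, confidence: float) -> int:
    """Number of sample days that make up the (1 - confidence) tail."""
    tail = round((1.0 - confidence) * observations)
    if tail < 1 or tail >= observations:
        raise ValueError(f"{observations} observations cannot resolve a {confidence:.0%} tail")
    return tail


def historical_var(returns: Sequence[float], confidence: float = 0.99) -> float:
    """Historical VaR stated as a return, as in footnote 6: the level that
    `confidence` of the observed days met or exceeded."""
    ordered = sorted(returns)
    return ordered[_tail_size(len(ordered), confidence)]


def expected_shortfall(returns: Sequence[float], confidence: float = 0.99) -> float:
    """Average return on the tail days beyond VaR, the part of the distribution VaR ignores."""
    ordered = sorted(returns)
    return mean(ordered[:_tail_size(len(ordered), confidence)])


def relative_var(portfolio: Sequence[float], benchmark: Sequence[float],
                 confidence: float = 0.99) -> float:
    """Relative VaR: historical VaR of the active return, i.e. behaviour versus
    the benchmark rather than in absolute terms (footnote 6)."""
    return historical_var(active_returns(portfolio, benchmark), confidence)


def risk_report(portfolio: Sequence[float], benchmark: Sequence[float],
                confidence: float = 0.95) -> dict[str, float]:
    """All metrics side by side, since 6.2 notes that none tells the whole story."""
    return {
        "standard_deviation": standard_deviation(portfolio),
        "tracking_error": tracking_error(portfolio, benchmark),
        "downside_semi_deviation": downside_semi_deviation(portfolio),
        "var": historical_var(portfolio, confidence),
        "expected_shortfall": expected_shortfall(portfolio, confidence),
        "relative_var": relative_var(portfolio, benchmark, confidence),
    }


if __name__ == "__main__":
    for name, value in risk_report(PORTFOLIO_RETURNS, BENCHMARK_RETURNS).items():
        print(f"{name:>24}: {value:6.2f}%")
```

On this sample the absolute figures (volatility about 1.17%, 95% VaR of -2.5%, expected shortfall of -3.1%) and the relative figures (tracking error about 0.21%, relative VaR of -0.5%) describe quite different things about the same twenty days, which is the reason 6.2 recommends a combination of metrics. Requesting a 99% VaR from twenty observations raises an error rather than returning a number the data cannot support.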
6.4 Concentration Risk Needs to be Tracked and Understood
Concentration risk can affect a portfolio in several ways. A concentrated, undiversified
portfolio has unique risks inherent in its structure. In addition, large concentrations in
individual instruments can make liquidation at mark-to-market prices difficult if those
mark-to-market prices are based on typical transaction size and do not reflect the size of
the position. As a result, mark-to-market values can differ significantly from liquidation
values.

In addition to concentration risk at the portfolio level, asset management firms face
concentration risk across portfolios with respect to both individual investments and
strategies. Excessive concentrations across portfolios and excessive exposure to
particular factors (value vs. growth or vintage for example) have the potential to put a
firm’s franchise at risk and need to be tracked and understood.

6.5 Risks Attributable to Leverage Should be Tracked and Understood.
Leverage can be defined in a variety of ways. The most commonly used definitions
involve borrowed money. However, instruments such as options have ‘embedded
leverage’ and instruments such as futures create leverage due to the way they are
margined. One common definition of leverage decomposes every instrument into its
effective notional long and short components. The total value of the longs plus the total
value of the shorts is then divided by the net asset value to compute leverage. In view of
the many possible meanings of “leverage,” it is important to define and describe to clients
how a particular firm is using the term so that clients will have a clear understanding of
what is being communicated.

Regardless of how leverage is defined, it is important from a risk management perspective
that the incremental risks to a portfolio attributable to leverage be understood, tracked
and controlled.
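To show why 6.5 insists that a firm tell clients which definition of "leverage" it uses, here is an added example (not code from the document or from any firm) that applies three definitions to one constructed book: the notional long/short decomposition described above, a net variant of it, and the borrowed-money definition. The positions, the delta-adjustment of options, the two-leg treatment of a swap and the exclusion of cash from market exposure are all assumptions of this example.

```python
"""Three leverage definitions from section 6.5 applied to one constructed book.

Figures are USD millions. Positions and conventions are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Position:
    name: str
    kind: str            # "equity", "future", "option", "swap" or "cash"
    notional: float      # signed market value or contract notional; negative = short
    delta: float = 1.0   # option delta, used only when kind == "option"


def effective_long_short(position: Position) -> tuple[float, float]:
    """Decompose one instrument into its effective notional long and short legs."""
    if position.kind == "cash":
        return 0.0, 0.0                      # cash carries no market exposure (assumption)
    if position.kind == "option":
        exposure = position.notional * position.delta   # delta-adjusted notional (assumption)
        return max(exposure, 0.0), max(-exposure, 0.0)
    if position.kind == "swap":
        leg = abs(position.notional)         # long one leg, short the other, on full notional
        return leg, leg
    # Equities and futures: the full notional counts, whatever margin was posted.
    return max(position.notional, 0.0), max(-position.notional, 0.0)


def total_longs_and_shorts(positions: Sequence[Position]) -> tuple[float, float]:
    longs = sum(effective_long_short(p)[0] for p in positions)
    shorts = sum(effective_long_short(p)[1] for p in positions)
    return longs, shorts


def gross_leverage(positions: Sequence[Position], nav: float) -> float:
    """(total longs + total shorts) / NAV: the decomposition definition in 6.5."""
    longs, shorts = total_longs_and_shorts(positions)
    return (longs + shorts) / nav


def net_leverage(positions: Sequence[Position], nav: float) -> float:
    """(total longs - total shorts) / NAV: the same book seen net."""
    longs, shorts = total_longs_and_shorts(positions)
    return (longs - shorts) / nav


def borrowing_leverage(borrowings: float, nav: float) -> float:
    """The 'borrowed money' definition: debt as a fraction of NAV."""
    return borrowings / nav


# Constructed book worth 100 of NAV with 15 of borrowings.
NAV = 100.0
BORROWINGS = 15.0
BOOK = [
    Position("long stocks", "equity", 60.0),
    Position("short stocks", "equity", -20.0),
    Position("equity index futures, long", "future", 50.0),
    Position("index calls, long", "option", 40.0, delta=0.5),
    Position("index puts, long", "option", 25.0, delta=-0.4),
    Position("interest rate swap, receive fixed", "swap", 30.0),
    Position("cash", "cash", 10.0),
]


def leverage_summary(positions: Sequence[Position], nav: float, borrowings: float) -> dict[str, float]:
    return {
        "gross": gross_leverage(positions, nav),
        "net": net_leverage(positions, nav),
        "borrowing": borrowing_leverage(borrowings, nav),
    }


if __name__ == "__main__":
    for name, value in leverage_summary(BOOK, NAV, BORROWINGS).items():
        print(f"{name:>10} leverage: {value:.2f}x")
```

The same book reads as 2.2x, 1.0x or 0.15x leverage depending on which line of the summary a client is shown, and the futures and options contribute to the first two figures without any borrowing at all, which is the "embedded leverage" point in the text.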

6.6 Client Risk Tolerances and Expectations Should be Known and Monitored.
To the extent possible, every asset management firm should be aware of its clients' risk
tolerances and expectations. Risk tolerances and expectations are typically derived from
explicit quantitative and qualitative client guidelines as well as written and oral
representations made to clients by asset managers in formal disclosure documents,
marketing presentations, RFPs and the like. Guidelines and expectations warrant close
scrutiny by asset managers and clients should have a clear understanding of the degree to
which asset managers are or are not willing to take responsibility. Every effort should be
made to ascertain whether or not asset managers have the capacity to monitor guidelines
and expectations before agreeing to do so.

Whatever client tolerances and expectations are monitored, asset managers should
consider tracking the lower bound of client risk expectations as well as the upper bound.
For example, marketing materials that say “we expect the standard deviation to be in the
range of 4-6%,” can be equally concerning to a client when the portfolio is
underperforming and the standard deviation is at 2% as when it is at 7%. Clear
procedures should be put in place for dealing with portfolios that are approaching various
tolerance parameters or guideline breaches. These might include escalating discussions
with clients, senior management, and others as parameters warrant, hard or soft limits,
and hedging techniques.

Just as portfolio managers generally make it clear that they cannot promise a given level
of return in a risky portfolio, so too should they avoid promising a specific outcome with
regard to a given risk statistic. A manager can promise to keep ex ante risk measures at
certain levels, but it is necessary to have clear client communication about the possibility
that ex post risk measures can vary from the desired outcome.

6.7 Valuation Methodologies Should be Fair and Consistent.


Valuation risk is a subcomponent of investment risk that is key for asset managers
because inaccurate valuations result in incorrect NAVs, potentially causing unfair
treatment to one set of investors versus another, and possibly inflating manager incentive
compensation. Investors who buy in at inflated prices or redeem at deflated prices are
unfairly disadvantaged. Fair and accurate valuations are essential.

The difference between how reasonable people choose to value complex instruments can
be substantial and can actually be more significant than a 1 day VaR. New accounting
and disclosure requirements will heighten awareness and scrutiny of these issues. It is
important to ensure that the valuation methods used to price instruments traded are not
only fair but also consistent with best practices as well as all applicable laws, regulations
and accounting standards. Valuation methodologies should be consistently applied and
verifiable. Valuation policies and practices should incorporate the concept of “fair value”
with particular attention to firms operating across time zones and portfolios with
geographic diversification.

In order to achieve fairness and consistency, asset managers often use a variety of
objective third-party sources to price instruments in client portfolios. These sources
include (1) market quotations if readily available and (2) various independent pricing and
database services. In the absence of such sources, valuations may be determined by
using pricing models based on verified assumptions, or other techniques. Otherwise,
securities and assets in a client's portfolio are valued at "fair value" as determined in good
faith by designated decision makers within the organization.

A valuation committee can provide important supervisory oversight of the firm’s
procedures for valuing portfolio instruments. A valuation committee is often responsible
for (i) approving overrides of prices, (ii) determining what valuation methodology is
appropriate in the case of securities for which there are no readily available market
quotations, or for which special circumstances7 make the use of readily available market
quotations inappropriate, (iii) approving models and the assumptions to be used in
connection therewith, and (iv) determining fair value for securities for which none of the
methods set forth above is deemed to be appropriate.

6.8 The Use of Various Statistical Tools and Avoidance of Over-Reliance on Any Single Statistical Tool is Desirable.
No one statistic suffices to describe complex investment risk in its entirety. Each metric
has its strengths and weaknesses. For example, VaR tells you how much you could lose over a
single day or month at a given confidence level, but is not indicative of potential cumulative loss. Standard
deviations of return tell you about the past, not the future, and do not take into account
the impact of liquidity, bid/offer spreads, frequencies of marks to market, etc.

A risk manager looking at a single metric can get a distorted picture of risk by focusing
on a single risk element. It therefore may be advisable for asset managers to avoid over-
reliance on any single statistic. They should instead use a variety of statistics that
quantify different aspects of investment risk.

6.9 Stress Testing is an Important Tool in Analyzing Risk.


Whatever metrics are selected for measuring portfolio risk, stress testing is an extremely
useful part of the risk measurement tool kit. Stress testing can be done in various ways,
some of which are extremely quantitative and data intensive, and others of which are more
approximate. Whatever method is chosen, understanding a portfolio’s sensitivity to
market changes is a key element of effective risk management. Even when a portfolio is
constructed by bottom-up stock picking and hugs its benchmark sector weights tightly,
anticipating the potential impact of trends or events such as interest rate shifts, volatility
changes, correlation changes, credit spreads widening, etc. can be extremely useful. It
can also be useful to stress test against various themes (e.g. commodity prices, China,
etc.), as well as to look at historical crises.
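The "more approximate" kind of stress test mentioned in 6.9, a factor-sensitivity test, is shown below as an added example (written for this page, not taken from the document or any firm). It shocks a portfolio's rate, credit spread, equity and volatility sensitivities under a few hypothetical scenarios and reports both the absolute result and the result relative to a benchmark with its own sensitivities, which is the view that matters for the benchmark-hugging portfolio the text describes. The exposures, scenarios and sign conventions are assumptions of this example; historical-crisis scenarios would be expressed as the same kind of shock dictionary.

```python
"""Factor-sensitivity stress test of the kind section 6.9 describes.

Exposures and scenarios are constructed for this example (USD millions).
Assumed sign conventions: equity exposure is beta-adjusted market value and
loses when equities fall; DV01 and CS01 are the loss per basis point of rising
rates or spreads; vega is the gain per volatility point.
"""

FACTORS = ("equity_pct", "rates_bp", "spreads_bp", "vol_points")

# Constructed sensitivities for a portfolio and its benchmark.
PORTFOLIO = {"equity_beta_mv": 60.0, "rate_dv01": 0.05, "credit_cs01": 0.02, "vega": 0.3}
BENCHMARK = {"equity_beta_mv": 65.0, "rate_dv01": 0.04, "credit_cs01": 0.015, "vega": 0.0}

# Hypothetical scenarios; a historical crisis would be written the same way.
SCENARIOS = {
    "equity crash with volatility spike": {"equity_pct": -20.0, "vol_points": 15.0},
    "rates +100bp": {"rates_bp": 100.0},
    "credit event": {"spreads_bp": 150.0, "equity_pct": -10.0},
}


def stress_pnl(exposures: dict, shocks: dict) -> float:
    """P&L of one set of sensitivities under one scenario."""
    unknown = set(shocks) - set(FACTORS)
    if unknown:
        raise ValueError(f"unrecognised shock factors: {sorted(unknown)}")
    pnl = exposures["equity_beta_mv"] * shocks.get("equity_pct", 0.0) / 100.0
    pnl -= exposures["rate_dv01"] * shocks.get("rates_bp", 0.0)
    pnl -= exposures["credit_cs01"] * shocks.get("spreads_bp", 0.0)
    pnl += exposures["vega"] * shocks.get("vol_points", 0.0)
    return pnl


def stress_table(portfolio: dict, benchmark: dict, scenarios: dict) -> list:
    """Absolute and benchmark-relative P&L per scenario, worst absolute loss first."""
    rows = []
    for name, shocks in scenarios.items():
        absolute = stress_pnl(portfolio, shocks)
        relative = absolute - stress_pnl(benchmark, shocks)
        rows.append({"scenario": name, "portfolio_pnl": absolute, "relative_pnl": relative})
    return sorted(rows, key=lambda row: row["portfolio_pnl"])


def worst_scenario(portfolio: dict, benchmark: dict, scenarios: dict) -> str:
    return stress_table(portfolio, benchmark, scenarios)[0]["scenario"]


if __name__ == "__main__":
    for row in stress_table(PORTFOLIO, BENCHMARK, SCENARIOS):
        print(f"{row['scenario']:<36} absolute {row['portfolio_pnl']:7.2f}"
              f"   vs benchmark {row['relative_pnl']:7.2f}")
```

On these numbers the equity crash costs the portfolio less than it costs the benchmark (the long volatility position offsets part of the fall), while the rates scenario, harmless in absolute terms, is the one in which the portfolio underperforms its benchmark; only running both views shows that.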

6.10 Capacity Should Be Taken Into Consideration in Accepting New Investments and Allocating Opportunities Among Existing Investors
Many less liquid opportunities are of limited size. Accordingly, there is a limit as to how
much money can profitably be invested in a limited opportunity as well as an issue as to
how to allocate limited opportunities among existing investors. It is important to keep
capacity issues in mind in marketing products and strategies and to equitably share
limited opportunities with existing investors.

7 “Special circumstances” might include ownership of a very large or illiquid position, or other factors
that, in the reasonable judgment of the Valuation Committee, would likely make market quotations or the
prices obtained from independent pricing and database services inadequate measures of the value of a
position.
6.11 Issuer and Counterparty Credit Risk Should be Tracked and Managed on an Aggregate Basis

There are two types of credit risk that are relevant to asset management companies:

• Issuer credit risk is the credit risk attributable to individual securities;

• Counterparty8 credit risk is the risk attributable to the downgrading and/or insolvency of a counterparty.

In dealing with issuer credit risk, asset managers typically rely on either rating agencies’
assessments where available or their own internal rating systems based on a combination
of internal and external analyses. The degree to which independent issuer credit analysis
is appropriate differs from firm to firm, depending on the nature of the instruments
traded, size, resources and other factors. For firms involved in evaluating the
creditworthiness of unrated issuers of equity, consideration should be given to the newer
equity-based credit exposure measurement tools as well as the credit default swap
market. In evaluating the creditworthiness of unrated debt issuers, the type and maturity
of instrument (e.g. 3 year bullet, 5 year inverse floater, subordinated debt, etc.) also needs
to be considered.

Counterparty credit risk is the risk of loss attributable to changes in the ability of
counterparties to meet their financial obligations. Exposure to individual counterparties
may be present in many different parts of an organization. For example, an asset
management company may trade, do repos and securities lending with, and buy debt and
equity issued by, a counterparty with whom it has outstanding derivatives transactions,
and who also serves as its administrator. Although it is difficult to develop a
comprehensive approach to managing counterparty credit risk, consideration should be
given to tracking this risk on an aggregate basis. Additionally, it should be noted that
credit exposure consists not only of today’s exposure but potential future exposure. A
$100MM, 10 year interest rate swap, for example, will likely have a negligible
mark-to-market at inception, but the mark-to-market can grow significantly over a 10 year period.
For this reason, firms should consider including potential future exposure as well as
today’s exposure when assessing counterparty risk.

In addition, firms might consider whether their counterparty risk measures for
collateralized transactions should include:

• The bid/offer spread in a “normal market” (assuming mid point marks are being used).

• The liquidation incremental bid/offer spread that might be incurred if they were to unwind under stress conditions.

• The type and frequency of interim collateral exchange arrangements intended to lower exposure.

• The 5-15 days that in practice it might take to deal with OTC defaults and the potential impact of market changes during that time.

8 A counterparty is an obligor on whom a firm relies to fulfill contractual or financial obligations. In the
normal course of its business, a firm deals with various types of counterparties, including but not limited to
distributors, custodians, trustees, administrators, prime brokers, securities dealers, derivatives
counterparties, repo counterparties, securities lending counterparties, and external advisors and sub-advisors.
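As an added example of the aggregate view 6.11 calls for (written for this page; not the document's or any firm's method), the following Python rolls up exposure to each counterparty across derivatives, repo, securities lending and bonds it has issued, adds a potential-future-exposure allowance on top of today's mark-to-market, and nets collateral after a bid/offer haircut of the kind the bullets above describe. The records, the add-on factors, the haircut and the limit are all constructed assumptions.

```python
"""Aggregate counterparty exposure across products and relationships (section 6.11).

Every record is constructed (USD millions). The PFE add-on factors, the collateral
haircut and the limit are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Exposure:
    counterparty: str
    product: str
    mark_to_market: float    # positive = the counterparty owes us today
    notional: float
    pfe_addon: float         # fraction of notional added for potential future exposure
    collateral_held: float   # collateral we hold against this product


# One dealer appears as swap, repo and stock-loan counterparty and as a bond
# issuer: the several relationships 6.11 says should be seen together.
BOOK = [
    Exposure("Dealer A", "interest rate swap", 2.0, 100.0, 0.005, 1.0),
    Exposure("Dealer A", "repo", 0.3, 50.0, 0.0, 0.0),
    Exposure("Dealer A", "securities lending", 0.7, 20.0, 0.0, 0.5),
    Exposure("Dealer A", "bond held (issuer risk)", 5.0, 5.0, 0.0, 0.0),
    Exposure("Dealer B", "interest rate swap", -1.0, 100.0, 0.005, 0.0),
    Exposure("Dealer B", "equity trades in settlement", 0.4, 0.4, 0.0, 0.0),
]


def exposure_at_risk(exp: Exposure, collateral_haircut: float = 0.0) -> float:
    """Today's exposure plus a potential-future-exposure add-on, less collateral
    after a bid/offer haircut, floored at zero."""
    current = max(exp.mark_to_market, 0.0)     # a negative MTM is our debt, not our risk
    potential = exp.notional * exp.pfe_addon   # allowance for the MTM growing over time
    collateral = exp.collateral_held * (1.0 - collateral_haircut)
    return max(current + potential - collateral, 0.0)


def aggregate_by_counterparty(book: Sequence[Exposure], collateral_haircut: float = 0.0) -> dict:
    totals: dict = defaultdict(float)
    for exp in book:
        totals[exp.counterparty] += exposure_at_risk(exp, collateral_haircut)
    return dict(totals)


def largest_single_product(book: Sequence[Exposure], counterparty: str) -> float:
    """The figure a product-by-product report would show; compare with the aggregate."""
    return max(exposure_at_risk(e) for e in book if e.counterparty == counterparty)


def limit_breaches(book: Sequence[Exposure], limit: float, collateral_haircut: float = 0.0) -> list:
    totals = aggregate_by_counterparty(book, collateral_haircut)
    return sorted(name for name, total in totals.items() if total > limit)


if __name__ == "__main__":
    LIMIT = 5.0   # assumed per-counterparty limit
    for name, total in sorted(aggregate_by_counterparty(BOOK, 0.10).items()):
        flag = "BREACH" if total > LIMIT else "ok"
        print(f"{name}: {total:.2f} aggregate, {largest_single_product(BOOK, name):.2f} largest single product, {flag}")
```

Dealer A's largest single product sits exactly at the assumed limit, so a desk-by-desk report would raise nothing; only the aggregate across the four relationships exceeds it, and the haircut on collateral moves the number further.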

7. OPERATIONAL RISK PRINCIPLES


In addition to the risks attributable to an asset manager’s governance and investment risk
management, there are various types of operational risk that need to be addressed. Set
forth below are various principles that apply to the management of operational risk.

7.1 Operational Risk Should be Measured and Monitored.


Operational risk includes all aspects of errors and mistakes that can be made in the
ordinary course of business as well as in a disaster. It is important to have adequate
monitoring and tracking of all elements of back office operations that can go wrong. This
includes fails, reconciliation differences, customer complaints, guideline breaches,
systems issues, etc. The key to effective operational risk management is to create a
process that tracks the various elements of operational risk over time, identifies trends
that could be an early warning sign of trouble and to implement an exception/escalation
process that ensures that problems that are significant, large, aged or growing are dealt
with at increasingly higher levels of management. Manual processes are generally more
likely to cause operational problems than automated ones which have been thoroughly
tested. Therefore, they should receive a heightened degree of scrutiny. Likewise,
transactions that need to be forced fit into a system need extra scrutiny. End user systems
built in Excel or similar tools that are used for books and records and/or are official risk
management/compliance tools, should receive a high level of scrutiny.
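The process 7.1 describes (track exception items over time, watch for trends, and escalate what is significant, large, aged or growing to successively higher management) and the questions 5.9 raises (how long an exception may exist and which ones must reach the client) are shown below as an added example over a constructed open-items log. This is code written for this page, not the document's or any firm's procedure; the thresholds, management levels, permitted lifetimes and dollar figures are all assumptions.

```python
"""Exception tracking and escalation over a constructed open-items log (7.1 and 5.9).

Thresholds, management levels and permitted lifetimes are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Sequence

# Management levels in escalation order (assumed).
LEVELS = ("desk supervisor", "department head", "head of operations", "COO / CRO")

# Assumed maximum days an exception of each category may stay open.
MAX_DAYS_OPEN = {"guideline breach": 1, "fail": 10, "reconciliation break": 15}
DEFAULT_MAX_DAYS_OPEN = 20


@dataclass(frozen=True)
class OpenException:
    item_id: str
    category: str            # "fail", "reconciliation break", "guideline breach", ...
    amount_usd: float        # current size of the item
    first_amount_usd: float  # size when first logged, used to detect growth
    days_open: int


# Constructed log entries; not real data.
OPEN_ITEMS = [
    OpenException("OPS-101", "reconciliation break", 50_000, 50_000, 2),
    OpenException("OPS-102", "fail", 2_000_000, 1_500_000, 7),
    OpenException("OPS-103", "customer complaint", 300_000, 100_000, 3),
    OpenException("GDL-007", "guideline breach", 200_000, 200_000, 1),
    OpenException("OPS-099", "reconciliation break", 12_000_000, 12_000_000, 25),
]


def escalation_level(item: OpenException) -> str:
    """Score the item on size, age and growth; higher scores reach higher management."""
    score = 0
    if item.amount_usd >= 10_000_000:          # large
        score += 2
    elif item.amount_usd >= 1_000_000:
        score += 1
    if item.days_open >= 20:                   # aged
        score += 2
    elif item.days_open >= 5:
        score += 1
    if item.amount_usd > 1.5 * item.first_amount_usd:   # growing
        score += 1
    if item.category == "guideline breach":    # significant whatever its size
        score = max(score, 1)
    return LEVELS[min(score, len(LEVELS) - 1)]


def requires_client_notice(item: OpenException) -> bool:
    """5.9: investment guideline exceptions are the ones a client must hear about."""
    return item.category == "guideline breach"


def past_permitted_life(item: OpenException) -> bool:
    """5.9: an exception is allowed to exist only for a defined period."""
    return item.days_open > MAX_DAYS_OPEN.get(item.category, DEFAULT_MAX_DAYS_OPEN)


def rising_trend(weekly_counts: Sequence[int], weeks: int = 3) -> bool:
    """7.1's early warning: counts strictly rising over each of the last `weeks` weeks."""
    recent = list(weekly_counts[-weeks:])
    return len(recent) == weeks and all(a < b for a, b in zip(recent, recent[1:]))


def escalation_report(items: Sequence[OpenException]) -> dict:
    return {item.item_id: escalation_level(item) for item in items}


if __name__ == "__main__":
    for item in OPEN_ITEMS:
        notes = []
        if requires_client_notice(item):
            notes.append("notify client")
        if past_permitted_life(item):
            notes.append("over permitted life")
        print(f"{item.item_id}: {escalation_level(item)} {' / '.join(notes)}")
    print("reconciliation breaks rising:", rising_trend([3, 4, 6, 9]))
```

The two reconciliation breaks illustrate the point of scoring on more than one dimension: the small, fresh one stays at the desk, while the large, month-old one reaches the top of the chain and is also past the lifetime the policy allows it.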

7.2 Adequate Systems, Processes and Resources are an Integral Part of Risk Management.
Advances in technology have resulted in the widespread availability of industry standard
and proprietary systems for quantitative research, portfolio management, portfolio risk
measurement, sales support, trading, settlement and record-keeping. The availability of
such tools, while not a substitute for good risk management and oversight, enhances asset
managers’ ability to track and value positions, allocate trades among various clients,
measure and monitor risks, improve guideline compliance, control conflicts, etc.
Conversely, the lack of adequate systems and processes is often a flashing red light
indicative of major risk issues. For this reason, it is appropriate for every asset
management company to review on a periodic basis the adequacy of its systems,
processes and resources, taking into account the nature of its products and businesses,
size, customer type and other relevant factors. End user applications (e.g. Excel type
applications) that are used for valuation or risk management should be subjected to
in-depth review and standards. It is likewise appropriate to review on a regular basis
whether adequate resources have been assigned to the risk function as well as to all areas
of the firm and to insure that these resources are properly utilized.

7.3 Spreadsheet and other End-User Tool Risk Should be Reduced and/or Controlled to the Greatest Extent Possible
Spreadsheet risk is the risk related to the use of spreadsheets and other end-user
developed and maintained applications and databases (“end user tools”) in the trading of
products and instruments that cannot be processed by a firm’s existing computing and
accounting systems. While the proliferation of new products and instruments continues
to pose challenges for existing systems, an inability to enter and track all positions in
official, carefully vetted and tested systems presents a source of risk that should be
eliminated to the greatest extent possible, particularly where end user tools are relied
upon for information that is used in a fund’s official books and records. When end user
tools are necessary, however, some level of independent review and control should be
considered.

7.4 Model Risk Should be Identified and Controlled.


Asset managers rely on models for investment decisions, portfolio valuations, measuring
and/or guiding risk mitigation, tracking limits and guidelines, analyzing business
strategies, etc. Models significantly enhance the ability of a firm to properly manage its
activities. Some models are relied upon for official calculations (e.g. valuations, fee
calculations, etc.) and some are for internal, analytical purposes only. While vetting and
review can be useful for all models, it is critical for the first category. For these critical
models, proper documentation and validation should be done (1) at the time a model is
initially developed or used; (2) periodically over time; and (3) when market conditions
change significantly from the last time the model was reviewed.

The key components of a model review include assessments of:

(A) The data and assumptions on which it is based, including any data mapping;

(B) The analytical and theoretical component, which includes the model’s algorithms and functional form;

(C) The outputs of the model and how those outputs are used;

(D) An analysis of what weaknesses in the model would be exposed (i) in different historical periods of rates, curve shape, volatility, etc.; and (ii) in stressed markets.

In reviewing models, many market participants focus on the analytical and theoretical
components but the other factors listed above are just as important. Model failure is
usually the result of bad input, bad assumptions embedded in the model, and/or
inappropriate application of the model rather than miscoding. A governance process on
ongoing maintenance and improvements/review of models is also desirable. It is
important to determine that a model “fits” market data if it is being used as a component
of the valuation process. It is also important to ascertain whether the model used for
valuation and the model you use for risk are similar or different.

7.5 Adequate Backup and Disaster Recovery is Critical.


Major catastrophic events such as Hurricane Katrina and September 11th have heightened
awareness of the importance of backup and recovery plans. Off site backup of key
systems and information (preferably in a different region and definitely on a different
power grid) is essential. It is also important that key employees have access to backup
and disaster plans not only at their desk, but also at home, in their car and at other remote
locations, and ideally through an internet site, if possible. Plans should cover not only
what to do if your own business is affected by fire, water or power problems, a pandemic
outbreak, acts of terrorism (e.g., bomb threats), bioterrorism (e.g., the discovery of
anthrax), government imposed quarantines (which the Federal Government is
expecting in the case of a pandemic), etc., but also what to do if key suppliers and service
providers (e.g., NYSE, administrators, custodians) are affected by a disaster. In planning
for such scenarios, organizations may want to assess the availability of necessary
redundancies, including infrastructure redundancies as well as operational and human
capital, and human-resource related issues, such as transportation, medical care,
accommodating extended absences, law enforcement, and insurance issues, among
others.

7.6 Effective Records Management is Becoming Increasingly Crucial

More information and records are created and stored today than ever before. As a result,
it is becoming increasingly important for firms to establish and maintain an effective
records management program that addresses the creation, identification, retention,
retrieval, and ultimate disposition of records. In creating and administering such
programs, firms may want to consider mechanisms necessary to comply with any
preservation obligations resulting from litigation or governmental examinations or
inspections. Factors contributing to an effective records management program include:
(1) realistic and practical policies that are tailored to the particular organization, (2)
employees being aware of and trained regarding their responsibilities, (3) periodic testing
of the program to ensure that it is working as intended, and (4) revising the program as
necessary to adjust to changing circumstances and the regulatory environment.
7.7 Effective System Security is Necessary to Protect the
Interests of Employees and Clients
Asset management companies typically are in possession of confidential client, employee
and other sensitive information. In addition to having a fiduciary duty to maintain the
confidentiality of such information, in many instances they are also subject to privacy and
secrecy laws which require not only the safeguarding of such information, but also timely
notification of breaches of security. In light of the business, legal and reputational risks
associated with breaches of security, maintaining effective information security is
critically important. Among other things, this includes:

• Physical security – i.e. the focus on restricting access to building infrastructure & office space and the safety of personnel. General controls include physical barriers (security guards, turnstiles, etc.) and ensuring that proper background / reference checks are performed for all personnel and third-party service providers. Application controls include door locks, surveillance cameras and environmental monitoring.

• Network security – i.e. protecting the corporate network from malicious software attacks, the mass loss of data, and unauthorized access by external parties. General controls include internet firewalls, proxy servers, content filters, anti-virus, anti-spam, software patch management, remote access security and the continuous monitoring of the network perimeter. Application controls include multi-factor authentication and encryption.

• Information security – i.e. preserving the confidentiality and integrity of information as it is collected / created, stored, transported, shared / distributed, and retained or destroyed. Where feasible, information and systems should be classified and access should only be granted on a need to know basis. General controls include information security policy, awareness training, disposal procedures, access and identity management, and change, problem and quality management. Application controls include encryption, event logging, and the ongoing control testing of high risk information and systems.

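The information security bullet above asks for three things that fit together: classification of information, access granted only on a need to know basis, and event logging. The following is an added example of how those three controls combine in code; it is not part of the Risk Principles document. The level names (public, internal, confidential, restricted), the compartment names and the record identifiers are constructed for the illustration.

```python
"""Added example: classification labels, need-to-know compartments and an
event log for access decisions (constructed illustration, not from the
document).  Level names, compartment names and record ids are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered sensitivity levels: a reader's level must dominate the record's level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    level: str                             # classification, one of LEVELS
    compartments: frozenset = frozenset()  # need-to-know categories

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level}")


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Label


@dataclass(frozen=True)
class Record:
    record_id: str
    label: Label


@dataclass
class AuditLog:
    """Append-only log of every access decision (allow and deny alike)."""
    entries: list = field(default_factory=list)

    def write(self, who: str, record_id: str, decision: str, reason: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "who": who, "record": record_id,
            "decision": decision, "reason": reason,
        })


def may_read(p: Principal, r: Record):
    """Need-to-know read check: level dominance AND compartment superset.
    Returns (allowed, reason)."""
    if LEVELS[p.clearance.level] < LEVELS[r.label.level]:
        return False, "clearance level below record classification"
    missing = r.label.compartments - p.clearance.compartments
    if missing:
        return False, "missing need-to-know compartment(s): " + ", ".join(sorted(missing))
    return True, "clearance dominates record label"


def request_read(p: Principal, r: Record, log: AuditLog) -> bool:
    """Evaluate the request and record the outcome before returning it."""
    allowed, reason = may_read(p, r)
    log.write(p.name, r.record_id, "allow" if allowed else "deny", reason)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    analyst = Principal("analyst", Label("confidential", frozenset({"client-pii"})))
    client_rec = Record("CLIENT-0001", Label("confidential", frozenset({"client-pii"})))
    hr_rec = Record("HR-0042", Label("confidential", frozenset({"hr"})))
    board_rec = Record("BOARD-0007", Label("restricted"))
    for rec in (client_rec, hr_rec, board_rec):
        print(rec.record_id, "allow" if request_read(analyst, rec, log) else "deny")
    for e in log.entries:
        print(e)
```

Two design points matter for the control testing the bullet calls for. First, a level alone is not need to know: the analyst above holds a confidential clearance yet is denied the confidential HR record because the compartment is missing. Second, denials are logged with the same detail as approvals, so the event log can be reviewed for repeated attempts against high risk records rather than only showing who succeeded.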
7.8 Risk Pertaining to Subadvisors, Custodians and Outsourced
Service Providers Should be Managed.
Asset management companies often rely on third parties including subadvisors,
custodians and various types of outsourced service providers who perform operational,
accounting, recordkeeping and other types of services. In utilizing the services of such
third parties, it is important from a risk management perspective to keep in mind that
asset managers have ongoing fiduciary obligations to their customers even though they
have delegated certain of their responsibilities to others. It is therefore critical to perform
careful reviews of the capabilities of third parties at inception of relationships and on an
ongoing basis, and to review information provided by third parties for completeness,
balance and accuracy in order to be able to determine whether such third parties meet the
risk management, credit, operational, legal and other relevant standards of the reviewing
company with respect to the function they are performing. It is not sufficient to merely
ascertain that a prospective subadvisor or provider of outsourced services has in place
risk management controls; rather, a qualitative judgment as to their sufficiency needs to
be made. Where feasible, on site visits to subadvisors, custodians and other key service
providers should be part of the initial and ongoing due diligence.
