The ongoing accounting issues at Steinhoff have again highlighted the need for better governance and risk oversight in the world of investing.

By Nigel Morriss, head of Mercer Sentinel and operational risk in Africa, Middle East, India and Turkey for Mercer Wealth, and Mark Lindhiem, chief strategist for Alexander Forbes Investments.

Steinhoff has impacted South African as well as global investors who have suffered financial losses, and it unfortunately will not be the last.

This is because despite increased regulation, more sophisticated markets and better-informed investors, the risks of investing remain and, in many cases, increase over time, in both size and quantum.

In recent years, operational risks have been at the forefront of the risks facing investment institutions, as evident in the fundamental paradigm shift seen since the last global financial crisis. The dial has moved distinctly away from a singular focus on investment manager selection and investment returns in isolation.

The systematic meltdown of the financial markets in 2008, coupled with high profile cases of fraud and internal control failures, has re-aligned the focus on operational risk. Following the financial crisis, the investment world has become more complex. Financial regulators have become more focused and the burden on asset managers to implement the tidal wave of emerging regulatory obligations is onerous. However, whilst the cost of implementing and complying with the new regulatory landscape is significant, it is dwarfed by the consequences of non-compliance.

Asset allocators and investors expect an operational risk assessment to fully complement any investment due diligence exercise. In short – investing has become more complicated, bringing new degrees of risk for investment institutions.

Successfully navigating these operational risks offers organisations the ability to focus on maximising alpha generation by implementing best-in-class oversight, processes, and controls. Investment institutions should therefore seek guidance in identifying the risks within their organisations and implement appropriate mitigating measures.

There are two main categories of risk that investment institutions need to proactively address – thematic and developing. Thematic risks are classic organisational risks, which largely remain unaddressed, including:

* Governance: the relative informality and structure of governing bodies/committees limits the ability of key decision-makers to act decisively.

* Automation: the failure within investment and operations infrastructure to support automation introduces the risk of human error.

* Guideline compliance: an inability to systematically code and monitor mandate restrictions continues to be problematic – however, the importance of investment guideline compliance is increasingly being recognised.

* Cash controls: insufficient controls surrounding the process for authorising cash release increases fraud risk.

* Technology: the connectivity between critical order management, execution and middle-office systems is poor.

* Third parties: appropriate third-party and outsourced service provider oversight models are under-developed.

In addition to these risks, new and developing risks are emerging due to new technologies and regulations. Many organisations are trying to catch up with market best practice but the bar continues to rise, and market standards are increasingly challenging. Emerging risks include:

* Cybersecurity: the threat of successful penetration has become a key business risk; repeated, successful cyber-breaches signal the sophistication of cyber-criminals, highlighting weaknesses within IT infrastructures.

* Background checks: the risk of fraud, other criminal activity, or reputational damage arising from deficient or non-existent criminal and financial background checks on new hires.

* Regulation: the industry faces a torrent of highly complex and impactful regulatory demands from global regulators.

To keep pace with this ever-evolving risk climate, investment institutions need to move away from the traditional and obsolete due diligence exercises that focus primarily on investments and alpha generation, and which do not fully address the current risk environment.

Rather, organisations should conduct comprehensive risk assessments that include a thorough review of front-, middle- and back-office functions – that is, investment and operational due diligence – and focus on the risks and costs of governance and execution that could result in alpha erosion.

We believe this holistic view in navigating the myriad of operational risks is essential as the opportunities – and threats – to businesses in the region increase.