Skip to content 
By Hakan Yar, Co-chair of the LPEA Risk Management Technical Committee and Conducting Officer Risk Management at JTC as featured in Insight Out Magazine #25
Officially, Risk Management is one of the key pillars in a Private Equity (“PE”) Company (“PEC”) but not all national regulations are stipulating a distinctive separate risk management role as the Chief Risk Officer (“CRO”). Most of the national regulatory setups require only the role of the Chief Compliance Officer (“CCO”) like e.g. in the UK, Canada and USA while the EU regulation requires a distinctive so called “Permanent Risk Management Function” (“PRMF”).
The PRMF role can also be taken by the CCO, which is unfortunately quite often the case in the market practice. However, the typical CCO has a Legal background which fits very well for the Compliance function but showing some major restraints for an effective Risk function. Whereas the typical CRO has a (Quantitative) Finance, (Quantitative) Economics, Mathematics, Physics or (Industrial) Engineering background which fits very well with the quantitative requirements of Risk Management (e.g. advanced statistics-based risk measurement).
The Luxembourgish Financial Supervisory, the Commission de Surveillance du Secteur Financier (“CSSF“) requires in its latest Circular (18/698) in the context of the Alternative Investment Fund Managers Directive (“AIFMD”, an EU regulation) de facto a CRO function separate from the CCO (in Luxembourg, the CRO is officially called “Risk Management Conducting Officer” or PRMF and the CCO is called “Compliance Conducting Officer”, in which the title “Conducting Officer” refers to an “Senior Executive” role. Since this title is mainly used in Luxembourg only we will continue to use CRO and CCO in this article instead).
Due to this, all (Fund) Management Companies (“ManCo”)/Alternative Fund Investment Managers (“AIFM”) are obliged to have de facto a separate CCO and a separate CRO.I use the words “de facto” since the CCO can have also a dedicated Risk Manager who reports to her/him directly without being a CRO/Conducting Officer. However, the market requirements make it necessary that the CCO in this setup needs to understand risk management very well and that this risk manager is required to have very good skills and experiences in risk management which finally makes it necessary to pay higher salaries and this again leads de facto to a CRO role.
Currently, all PECs who are not following the AIFMD do not have a dedicated CRO. This does not mean that there is no risk management in place, but the risk analysis is run by the business operators and is embedded in the business processes. In regulatory terms expressed, only the “first line of defence” for the risk management is in place. That means there is no risk manager who conducts “independent” risk analysis of the PE deals and with this an independent unbiased view on these deals are unavoidably missing, which is in regulatory terms the “second line of defence”.
The fact is that the regulatory requirements, against all resistance by hard Lobby work, are getting stricter (like for the banks) and more demanding (and not only in the AIFMD context within the EU).
And all PECs who are following the AIFMD are obliged to have a CRO. And being a CRO in a financial institution is quite a challenge already but in a PE environment it is another special story as especially quantitative risk management for PECs are still in a “childhood”, or in the best will description, in an “adolescence” phase.
The role of the risk manager is defined according the AIFMD in a nutshell as follows: An independent risk manager/controller who defines the risk profile of the active funds and conducts, independently from the business and management, a proper qualitative and quantitative risk analysis.
The essential focus of the risk manager is only showing the potential “downsides” of the fund activities in all risk types (upsides are by definition “risk free”). The risk manager needs to have sufficient experience in risk management activities as establishing a proper risk management department, establishing adequate risk profiles, risk policies and risk procedures, implementing risk models for a proper qualitative and quantitative risk analysis for all relevant risk types, implementing stress test models for all relevant risk types and the compiling of adequate risk reports.
And here we are, since the “focus on the downsides” is where the dilemma of the CRO is starting: Since pointing only to potential downsides could be seen by the business as an “ugly” attempt to deteriorate a deal, to make a great deal look bad, to make the deal guys look foolish. And honestly, this feeling can be understood very well.
The deal guys made a huge effort, checked the company by a thorough due diligence over weeks and months, where they analysed properly and intensively all the potentials and weaknesses of the targeted portfolio company. And these deal guys are the real experts, they have the necessary knowledge, skills and experiences to judge the potential up- und downsides of a potential deal.
Then comes an “outsider”, called “independent risk manager” who runs his/her own “independent” risk analysis and digs only into the “downside” perspective. Yes, this is annoying and totally understandable. It is a natural reflex. Anyone who did a great job does not want to hear what s/he allegedly “missed” to do or to see or to consider. But if we are sincere we may all admit, that it is very useful that an “outsider”, being not that deep in the process, can bring a fresh and new view on “business downsides” which can help to improve business decision processes.
The allegedly “sad” part is that the “independent risk manager” is only obliged to look on the “downsides”. Not to annoy the deal guys, the business makers. That should be never the goal of a good risk manager since her/his salary depends on the success of these deal guys, too! The company’s success depends mainly on the success of its business people. Thus, a smart risk manager will never act against the business, rather wants to help to see risks where the business people maybe did not consider them at all or they categorised it just as minor risks. Anyone who is too deep into something can miss to see a broader picture from a vintage point. There is a famous German saying, “Den Wald vor lauter Bäumen nicht sehen“, which means „Unable to see the forest because of too many trees”. And this is valid for any endeavour, be it business, science or technology.
And unfortunately, all the risks are only “hidden” in the “downsides” of a business, nowhere else. It is the defined role of the “independent risk manager” to look only on this part, to control, measure, qualify and quantify the potential risks of the “downsides” and their impacts.
And this is by far not an easy job. A proper risk manager needs to have a good knowledge on the business, on the business processes, on the micro- and macroeconomy, on finance and investment, on quantitative methods (financial mathematics, mathematical statistics etc.) and alike to be just able to conduct proper full-scope risk analysis. But it does not end here since a proper risk manager needs to have good reporting skills, presentation skills, communication skills (finding the right “language” to report the risks, raise awareness for risks) and negotiation skills (e.g. very important for the communication to the regulator), too.
The “independent risk manager” does only an additional analysis as a support function, who help the business to summarise and to mitigate the risks by his/her analysis. To see concentrations, to show patterns to help to see that some businesses run more successfully than other businesses (because maybe we understand some businesses better than others) and that maybe other business experts are needed for certain business endeavours.
The “independent risk manager” just presents the risk figures and has no decision mandate. The presented figures shall help the business for a proper decision. But the business decision will finally be based on their own professional judgement which can also mean to reject totally or partly the outcome of the risk analysis of the “independent risk manager” due to better expertise and experience on this business. But still, business got an additional analysis which helped them to rethink their views on the business and based on their knowledge and experience they decided to run the deal with the before made assumptions.
If the CRO did a proper job then the business colleagues will find the risk analysis useful and maybe they will rethink the approach to mitigate the risks. And exactly this is the idea to have an “independent risk manager” who runs his/her “independent risk analysis”, to broaden the picture, to improve the decision base, and to create new opportunities by proper business risk mitigation.
The “independent risk manager” should not only be regarded as a function required by the financial supervisory (even though this role mainly exist thanks to the regulators), rather it should be seen as a real support opportunity to detect, summarise, discuss and mitigate potential risks as fast as possible. As the “independent risk manager” has a very specific profile, which is very broad, it should be used by the business continuously and in a very early process.
Yes, the risk manager is the “downsides” guy, but this guy is also the one who helps to see the broader picture on these “downsides” and will be the guide for the business to be better prepared in case elements of these “downsides” really come into being.
The most dangerous risk is still the unforeseen risk. And the best risk mitigation is to know most of the potential risks. All the rest can be subsumed just as fate.
Another not lesser important challenge beside the business makers, is the quarterly presenting of the risk reports to the members of the Board of Directors/Managers (“BoD” / ”BoM”) by the “independent risk manager”, the so called CRO, the PRMF.
The BoD is the top of the governance of ManCos/AIFMs and oversees the investment management, administration and marketing and do meet at least quarterly for the Quarterly Reporting but up to eight to ten times or in some cases even more in general.
Hence, the members of the BoD need to cover a broad set of expertise in portfolio/investment management, distribution, risk management, compliance, legal, fund administration/operations and finance, at least in theory. Further, depending on the size and necessary expertise for the ManCo, one to two “Independent Directors” (“ID”) need to be member of the BoD according to the CSSF regulations for board compositions. The members of the BoD have been or still are in the function of Managing Director, Conducting Officer, CEO, COO, CFO or in other similar Senior Executive roles or are by profession IDs sitting in several Boards.
Even though the members need to cover in theory a broad skill set, as described above, in reality of course, they will have a higher expertise in one field and lesser in the other. Nevertheless, the BoD members are carrying high legal liability towards the ManCo and even if they don’t have the expertise in all fields. That is why the members of the BoD need concise but clear and sufficiently explanatory reports, among others, the quarterly risk reports. For regulatory compliance the reports are the Compliance report including the AML/KYC/CTF reports, and the Risk report including the Investment Compliance report, are essential for the members of the BoD.
Whereas the Compliance/AML/KYC/CTF and the Investment Compliance reports are shown and verified easily, it changes quite fast for the quantitative risk analysis and stress test part of the Risk report.
PE Fund (“PEF”) risk reports have certain particularities. In the best case, the valuation and Net Asset Value (“NAV”) of the portfolio companies in the PEF are done quarterly, based on the calculated NAV frequency (delivered by the Fund Administration) and financial statements. But there are also cases, where the NAV and valuation are even just once a year.
Here starts the first challenge with the BoD members and especially with the IDs. The IDs are sitting in 10 or even 20 or more boards, and often in UCITS funds (funds with highly liquid assets) where the assets have daily market prices. And now, the CRO is presenting her/his risk analysis, stress tests and Key Risk Indicators (“KRI”, Key Performance Indicators for Risk Management based on financial ratios derived from the financial statements) based on e.g. Q2 (as end of June) figures presented end of August or even beginning of September. And the first question very often of an ID or other BoD member who has no profound experience in PEFs is e.g. “we are talking in end of August about risk figures as of end of June, hence we are missing almost two months of information as of today, which the board needs to consider quite a time gap…”. This question seems fair and legit at the first glance but inadequate at a second.
What these IDs are then missing are that the valuation and the NAV calculation are the real accurate “pricing”, the fair value of the portfolio companies in the PEF and if these aren’t done quarterly (like semi-annually or even annually) the next available are the quarterly financial statements to derive some KRIs as e.g. (internal or external) credit rating/scoring, debt to equity, EBITDA to debt etc in base, stressed and severe crisis scenarios. There is nothing else between e.g. Q1 and Q2, there are no other validated figures which could have been resilient enough for proper and prudent risk analysis.
Just general market and financial data information cannot be applied and cascaded down to a portfolio company without resilient observable data. Even for an expert judgement approach, applying general market and financial data on portfolio companies of a PEF without any prudent expert opinion would be torn apart by the deal experts in the valuation committee, in the risk management committee and in the executive committee and will harm the reputation of the CRO in the committees and to the general management.
If there is one resilient rational argument which justifies the application of general market and financial data, then and only then these data could be applied with some adjustments if needed. But this is rather very rarely the case. If there is no better data, no better argument, then there is nothing better than the available data of the quarter.
The explanation to the board and the different nature of PEFs to highly liquid UCITS funds with daily market data needs to be carefully and profoundly done, especially for IDs who have no experience or profound knowledge of PEFs. This part is more challenging and happens more often than thought e.g. a lot of so called Super-ManCos which just started to handle PEFs with the same composition of the board as before have members which are still unfamiliar with illiquid funds as PEFs.
Also, very important for the work of the CRO is to raise awareness for the work and burden of the tasks of the CRO and its team. The BoD are seeing an executive summary of the risk report with the annex/appendix of detailed risk reports where they see “only” the calculated risk figures and stress test scenario results and their interpretations. What they don’t see is the sophisticated and hard work to design the risk and stress test models which are often non-standardised specialised models adapted at least to the sector and localisation of the portfolio company to reach these results.
If the board members, even rightfully demanded, are asking for additional information and calculation or asking for the adjustment of the presented figures, they are often not aware how much more the workload for the CRO and its team is increasing, since some board members see just few “figures” which should be amended if needed without being aware of its feasibility, model sophistication and needed workload. Hence, making the board aware of this sophistication and workload is essential, also for a better understanding of the presented risk figures and the potential restraints and limitations (e.g. availability of only quarterly data and information).
This board reality will hopefully change but will take time. A way to close the knowledge and experience gap in the boards faster is to setup PE risk management and valuation training sessions for board members and IDs for instance offered by the LPEA Academy.
