PE Tech Report


RiskMutation: How ACA Compliance Group is spearheading the operational response to evolving business risks following Covid-19

Business disruption, cybersecurity challenges and greater compliance burdens have long been acknowledged as being among the foremost operational challenges facing the hedge fund, private equity and investment management industries.


But 2020’s coronavirus pandemic has heralded sweeping changes to the ways financial services firms operate, and Carlo di Florio, global chief services officer at ACA Compliance Group (ACA), believes Covid-19 has significantly challenged the compliance and risk management process in light of the upheaval.

As the Covid-19 crisis has unfolded, ACA has charted the continuously evolving events that have upended the once-normal business environment: the initial health crisis of the pandemic later gave way to broader economic shocks, and subsequently drew in a vast array of challenges spanning investment risks, geopolitical tensions, disruptions to regional and global supply chains, and heightened cyber and regulatory challenges during remote working, among other things.

New threats

Against this backdrop, such risks have interacted and evolved from one form to another in new, unexpected and non-linear ways, without any clear sequential beginning, middle, or end – a phenomenon identified by ACA as “RiskMutation”.

For financial services firms, the RiskMutation theory is accelerating the modernisation of risk and compliance management, says di Florio.

As a result, firms must be alive not only to the new threats brought about by the constantly-changing risks – but also the fresh opportunities emerging out of this new landscape.

Expanding further, di Florio explains how the RiskMutation concept reflects the acceleration, interconnectedness and rapid mutation of risks in ways that differ from those traditionally seen in asset management.

“What struck us with the pandemic was just how rapidly a health pandemic created massive business disruption,” di Florio observes, noting the wholesale shift to remote working amid lockdown and social distancing measures.

“The massive business disruption then mutated into a global economic crisis the likes of which we haven’t seen since the Great Depression.”

Hedge funds, private equity firms and asset managers have quickly adapted to the new environment, enacting their business continuity plans and switching rapidly to home working. The initial challenges during the early weeks of the pandemic centred around firms continuing their operations and determining how their investments were impacted and the damage, if any, to portfolios.

“They were able to transition pretty smoothly by deploying their business continuity plans and leveraging their systems,” di Florio reflects.

Later, though, following the transition to remote working, hedge funds, private equity and other asset management clients needed to demonstrate third-party oversight and governance mechanisms.

That, in turn, has served up new headaches – specifically in the form of technology and cybersecurity issues – says di Florio, whose responsibilities include oversight, management, and strategic growth of ACA’s global regulatory compliance, cybersecurity and risk, and performance practices.

“Firms had to figure out how to manage and monitor their teams and their people, and know whether they had adequate systems and technology,” he says. “They had to think about who were their third-party providers, and whether there was risk being presented to the firm through those providers.”

Storm clouds gather

As the coronavirus crisis deepened, other challenges arose around meeting regulatory requirements and expectations.

While regulators provided more time to firms to prepare certain public filing requirements, that leeway itself created something of a “perfect storm” within the regulatory community.

“The Securities and Exchange Commission, the Financial Conduct Authority and other regulators were appropriately giving firms relief when it comes to filing certain financial reports. But it meant that information was material and non-public for longer, presenting its own bucket of risks.”

Similarly, the surge in market volatility and trading volumes tore through markets, posing additional risks to managers running an assortment of strategies and investments.

“When you see volumes go up, and volatility go up, and trading increase at a time when there is a lot of material, non-public information out there, that makes regulators concerned,” he continues, noting that the remote working environment during lockdown ultimately made it tricky for firms to police potential trading violations.

Future challenges

As the coronavirus has driven an overhaul of investment managers’ operational environment, ACA has identified a number of key driving forces set to shape the future of risk and compliance, which will challenge chief compliance officers and chief risk officers on a day-to-day basis for the foreseeable future.

The immediate task looming over CCOs, chief risk officers and cybersecurity officers, according to di Florio, is how to ‘do more with less’, as firms look to streamline their budgets, operate their business more efficiently, and cut costs around risk and compliance to navigate a difficult economic environment.

“Everyone has suffered through this pandemic, and we expect increased pressures on those business models that had to tighten their belts.”

The second major force is an anticipation that both regulators and allocators will expect more from asset managers. “More reporting, more transparency, more metrics” is how di Florio puts it.

“Those are conflicting challenges, and so provide further strain and stress on compliance and risk. Within the RiskMutation environment, this requires firms to really adapt and be agile and resilient,” he continues.

Next, many firms are starting to take a “healthy look” at this upheaval through the lens of operational resilience, and how the as-yet-to-be-determined fallout from the Covid-19 pandemic could impact firms’ future responses to cyber threats, business continuity, data privacy and more.

“These forces, and others, will require firms and risk and compliance officers to think about how they can navigate the future successfully,” he says.

Risk response

In that context, ACA has identified three areas – RegTech, outsourcing and operational resilience – where it can assist firms in successfully navigating the future of risk and compliance in the age of RiskMutation.

“We provide risk and compliance consulting to clients, we can provide outsourcing support, and we have regulatory technology solutions that our clients can deploy,” says di Florio.

ACA has seen a 25 per cent rise in demand for its outsourced managed services since the Covid-19 outbreak, while its cybersecurity and RegTech solutions are also seeing increased demand.

Beginning with RegTech, ACA offers ComplianceAlpha, an integrated, holistic platform that clients can incorporate at their firm to help manage the compliance and risk programme end-to-end, spanning surveillance, employee compliance, policies and procedures, marketing reviews, and more.

“ComplianceAlpha provides monitoring, testing and surveillance capabilities to help identify issues – particularly in discrete areas such as, for instance, insider trading, marketing or money laundering – and then investigate and remediate those issues,” di Florio says.

“This then allows firms to demonstrate to investors, allocators and regulators that they are able to manage risk and compliance effectively through the programme.”

He continues: “The sheer amount of information that investors are asking for from hedge funds and private equity firms and asset managers is increasing. They want to see key performance indicators. They want to understand how effectively you’re managing risk and compliance and they want to see firms appropriately leveraging technology and data analytics into the management, monitoring and reporting associated with their programs.

“Firms need to make sure their employees are trading securities appropriately, for instance; that they’re disclosing all of their trades; that the firm is vetting those trades before they do them,” says di Florio.

“The technology solutions we offer help firms not only manage risk and compliance but also provide that transparency demanded by investors, allocators and regulators.”

‘Expertise on demand’

ACA’s outsourcing and managed services solutions offer a similar function.

“If you talk to chief compliance and risk officers today, they’ll say there’s a lot of stress on their teams particularly as they’re being asked to downsize and do more with less,” he notes. “They’re trying to determine where the critical need is – what activities they are focused on, and what activities can be more cost-effectively and efficiently outsourced to trusted third parties.”

While outsourcing a business function allows asset managers to draw on specialist expertise where and when they need it, there can be a lot of material to review, di Florio explains. 

“A firm like ACA can do all of that in a review, and help a firm scale up or down seamlessly so the firm has better support, agility and efficiency.”

“By working with consultants and deploying regulatory technology and outsourcing, firms are able to drive down costs 50, 60, 70, or even 80 per cent,” says di Florio. “This allows them to do more with less while maintaining the rigor of their programmes.”

But while firms can deploy regulatory technology intelligently, effectively and efficiently, and outsource the right processes and functions to trusted third parties, the remaining challenge facing firms is to design an internal operational resilience model allowing them to oversee those third-party partners, and adapt and adjust as the changing environment throws up new threats and vulnerabilities. 

As di Florio outlines, when firms deploy regulatory technology and outsource more of the risk and compliance processes to credible and trusted parties, they also introduce potential operational risk to their business functions.

“You need to govern and oversee those third parties and those providers – that’s where the third strategy of operational resilience comes in,” di Florio adds. Here, the firm offers a consulting element for firms aiming to better combat those threats.

Reflecting on how the RiskMutation phenomenon is shaking up the asset management industry, di Florio underlines the need for firms to build agility, scalability, and resilience into their processes, systems, and culture by incorporating technology, outsourcing, and operational resilience.

“People have a lot of trust in ACA because our team is comprised of former regulators, experienced in-house professionals and technical experts across the compliance, cyber, risk, performance and tech spectrum,” he says. “We understand what regulators, investors and firms expect and require and we bring that trusted advice and value to our clients.”

Download ACA’s whitepaper: The Future of Risk and Compliance in the Age of RiskMutation
