In December 2012 the UK’s financial regulator wrote its famous ‘Dear CEO’ letter to all CEOs at London-based asset managers, expressing concern about endemic outsourcing risk in the sector. It encouraged them to seriously assess the risks associated with ‘the outsourcing of regulated activities and/or activities that are ‘critical or important’ in the support of regulated activities as set out in SYSC 8.1.4R.’
Its impact is still being felt. At a recent industry gathering in London focused on attracting assets, speakers highlighted the importance of presenting an ‘Institutional Quality’ operational management structure to potential investors. One suggested way to do this cost effectively was to surround yourself with an outsourced support team of experts in key areas such as legal, accounting, compliance, fund admin and IT.
It’s a curious situation. On the one hand we must consider outsourcing as the best option to present the right engagement model cost effectively to investors, but on the other hand the FCA wants us to be VERY careful about who we outsource to, and how we mitigate the associated operational risk.
In the noise surrounding the ‘Dear CEO’ letter, which has so far focused on the areas of fund admin and ops outsourcing, one key endemic risk has yet to gain appropriate profile: IT outsourcing, aka ‘the Cloud’. Nearly all London asset managers outsource IT to a smaller or larger degree. Small start-ups should, and now do, launch on a ‘Private Cloud IT Platform’ almost without exception. Larger funds have begun to realise that Cloud offers substantial genuine business benefit.
But who is conducting thorough due diligence on the institutional quality of these ‘Private Cloud’ offerings? Important factors such as financial viability, counter-party risk, the underlying IT architecture and platform, the data-centre topology and the size and scale of the vendor’s Cloud support team and Customer base must be considered. If your entire IT operation runs on another organisation’s platform, using another company’s staff, a thorough and constant risk assessment is warranted. It is a question all firms should be considering as the Cloud market continues to boom.