Business Continuity & Risk Management – Topics on Private Equity Executives’ Minds

The focus was being prepared to face the challenges that private equity firms face around business continuity and keeping the business running in the event of system failure, natural disaster, cyber-attack, key man dependency or any other interruption.

What started as a focused session grew in scope and breadth as event went on. George addressed business continuity, starting with the big picture which is risk management. Only by understanding and going through the process of evaluating your risk management strategies can you prioritize and start to make plans to mitigate risks and keep your business running under any circumstances. That’s not just a technology issue; it concerns processes and people and external events.

A recent article from KPMG outlined the risks faced continually by private equity firms and listed these as:
>> Technology risks – A lot of PE firms still work on basic, isolated systems which do not interoperate, and keep data in silos.
>> Third party risks – The risks associated with your firm’s supply chain.
>> Fraud and misconduct risks – These are heightened by the face to face nature of private equity operations where conversations are rarely recorded.
>> Cyber risks – We hear about these all the time and comes in many guises, phishing attacks, DDoS attacks, hacking, malicious malware, cyber espionage, data theft and ransomware to name a few.
>> Compliance risks – With the impending GDPR and ever more stringent transparency regulations coming from the FCA, compliance is key.
>> Crisis management risk – Risks to a firm’s reputation which can be catastrophic.

During the session George addressed how to mitigate these risks and what resources are available to help firms do that, he also discussed how to change the mindset of the whole organization, which is crucial when looking at risk management. If your firm has a great business continuity plan in place but no one knows about it, or hasn’t had any training on how to act or behave, this renders it useless. Your firm might have policies in place which prohibit the use of personal devices for business use, but if this is not widely known and reinforced, shadow IT can build up and pose risks to the firm’s business. If one department doesn’t know that their suppliers need to adhere to certain standards, it can weaken the whole supply chain and put the firm at risk. If a member of the IT team leaves, but he is the only one who knows how to use a system, then the firm can be put at risk. It is important to identify all risks, categorize them, and develop strategies to mitigate these risks. Then disseminate the knowledge and reinforce it regularly.

That’s not to say that firms should put the onus onto every member of staff to respond to an incident, as it’s important to build a competent incident response team who can carry out the business continuity plan’s specific actions. It means all employees should be aware of the risks, the modus operandi, the right way to behave and operate, and what to do in the event of an incident. Ideally staff should have the means to work from home, using the same systems and accessing the same data they use in the office. By using cloud services, firms can ensure secure access from a web browser whether it’s in the office, at home or from a temporary place of work. Finally, firms should investigate more ways of recording and data and knowledge, so the risks of dependencies on personnel are reduced. This could also help with compliance and reporting, using those records as evidence of good practice and to disprove claims of fraudulent or misplaced activity.