Risky Business

The recent headline that a trusted family office consultant was accused of embezzling over $1 million dollars from the family highlights one of the key and often overlooked risks that family offices face in protecting the wealth of the family - internal risk.

Family offices need to manage several different kinds of risks including:

• Internal Risk: Operational and reputational risks from internal sources (i.e. staff).  
• External Risk: External threats such as cybersecurity, ligation, natural disasters, and physical security risks.
• Investment Risk: Possibility of loss of money and/or liquidity from certain asset classes and investments.

Family Office Risk Landscape 

Denton recently surveyed over 200 family offices to gain insights into how they perceive and manage operational and investment risk. The survey, “Surveying the Risk and Threat Landscape to Family Offices,” indicates that many family offices are taking a reactionary rather than a precautionary or preventative approach to risk management. This reactionary stance is creating exposure for families that cannot be easily or quickly minimized.

Edward Marshall, Global Head of Family Offices for Denton in their latest Threat and Risk Assessment Survey, writes:

“Family offices continue to be hampered by resourcing challenges across core functional areas and mindsets, as identified in our last risk report. Families continue to have reactionary risk mindsets, lack robust insider threat programs, and see technology as a risk management panacea.”

Priority is given to legal, investment, and financial risks because these risks are both well-known and well-understood. They are known quantities, easily definable, and well-established mitigation strategies can be used.  Internal risks on the other hand are often overlooked creating gaps in the family office’s risk management profile.

Internal Risks

Internal risks are easily understood but can be hard to address. This includes not just fraud, but also key-person risk as well as a lack of succession planning. Mitigation strategies include more proactive succession planning, identifying, and reducing key-person risk with more robust knowledge management and training.

Cybersecurity and data security came in a close second, and attracting and retaining talent rounded out the top three. All three of these top three risks are interrelated. If you lose a key person, you lose their operational knowledge as well as the knowledge of the client, and with the loss of a key person comes the risk that office or client data will be lost or taken. People leave for a reason, and turnover is closely connected to attracting and retaining talent.

Mitigation for personnel issues requires a holistic approach that starts with a company culture that attracts and retains talent and plans for advancement and succession. This can be a tricky balance for single family offices that often have a very flat reporting structure and compensation can vary from the market. 

Specific to staffing, the report cited the fact that many family offices do not monitor employees' security profiles. While more family offices are conducting pre-employment background checks, only 37% of those surveyed periodically reassess an employee's security profile. A recent news article cited a case where the Heinz Family Office is suing a long term trusted employee accused of embezzling $1 million. Family offices need to be more proactive and look to reduce the opportunity for fraud by having checks and balances in place. A reactionary mindset can be problematic in this area. As one long time senior family office consultant would say “It’s not a problem, until it’s a problem and then it’s a big problem.”

In addition to human risk factors, operational risks need to be considered as well. Operational risk can be addressed through well-defined policies and process automation (i.e. technology). Offices using manual processes are subject to errors and offer more opportunities for fraud and data manipulation than an automated approach where the data is electronically acquired and user intervention and manipulation is limited. Automated systems can also improve the work environment through better employee satisfaction by allowing staff to focus on higher value tasks. 

Well-documented policies and procedures that ensure separation of duties and regular testing and auditing of these procedures can go a long way in providing 1) less opportunity for fraud and 2) early detection if there is an issue. The use of institutional quality technology (vs. retail) can provide guard rails with roles-based user access and audit capabilities. Over-reliance on human capital and/or using cheaper, retail-based products can provide gaps. Gaps can create opportunities for fraud.

While technology plays a critical component in closing these gaps, technology by itself cannot solve long-standing internal issues such as staff and skill shortages, poor risk processes in family office operations, and risk awareness culture deficiencies. In addition, firms should look beyond the initial costs of using technology, requiring background checks, and adding more people to the process to what the potential financial and reputational costs could be.

Conclusion

The modern family office lives in a world of ever-increasing risks involving internal and external threats. Some threats are easier to address, such as those internal to the organization, which can be managed with planning, automation, and recognition of the key roles that your employees have in maintaining business continuity. Of these factors, planning is the most pragmatic way to take on the challenge of building a successful family office in a risky environment. 

Resources

• Denton Law Survey
• Heinz Family Office Lawsuit
• Bill Pay Mistake: Not Protecting Again Internal Fraud Video