Clear and present dangers

Five tips for addressing risk management at your private equity firm.

Private equity GPs often pride themselves on running ?lean and mean? when it comes to internal firm management and operations. In this manner costs are kept down, and fund managers can conduct their business more efficiently without being slowed down by red tape. While other businesses outside of the private equity industry could learn from this model, there is one facet of private equity firm management that too often has not gotten the attention it deserves: risk management. In other words, what is your firm doing to protect itself and the people who work there from the risk of liability?

It is not surprising that this subject only now is getting more time in the spotlight. Historically, private equity firms have been relatively immune from the throes of litigation faced by other types of businesses. Ours has been a more quiet, truly ?private? industry. Relationships have mattered, and filing a lawsuit against others in the industry would be considered an extreme measure.

With the industry's successes and tremendous growth, however, has come change. One of those changes has been an increase in both the frequency and severity (measured by cost) of litigation involving private equity firms and their employees. In previous articles, I and others have analyzed and categorized such lawsuits. Now it is the time to take a closer look at what your firm should be doing to minimize the risk of such claims.

What follows is a list of five risk management strategies that your firm should consider implementing. Use this list as a starting point for discussions among your firm's managers about appropriate risk management protocols that are tailored to your firm's own business practices. The list is by no means exclusive – there certainly will be more risk management strategies that your firm will want to deploy:

Designate who is in charge. At many corporations in America, there is a designated risk management department headed by a senior ?risk manager? who interacts with senior officers and the board of directors. While such an infrastructure is not needed at a typical private equity firm, it unfortunately is the case that at many firms it is not clear who is in charge of the risk management function. Too often the work by default falls on the shoulders of an already-overworked chief financial officer or general counsel (if there is one). As such, risk management projects get squeezed in when there is time. While private equity firms may not need a full-time risk manager, something more than the status quo is needed. The CFO or GC ultimately may be the right person to assume responsibility for the risk management program, but the assignment must be thought through. Will this person have the bandwidth to address risk management projects proactively? Will this person have enough authority within your organization to make others follow through on risk management-related recommendations? Should this person regularly report to a partner (or small committee of partners) who also bear supervisory responsibility?

Map out your firm's liability risks. Have your firm's managers recently had a chance to meet together to discuss what are the principal liability risks that your firm faces? If not, they should. Your firm cannot implement effective risk management strategies unless its managers collectively have identified what the key risks are that arise from your firm's particular circumstances and operations. Oftentimes, this exercise is aided by graphing the identified risks according to their frequency (from low to high along the x axis) and their severity (from low to high along the y axis). Such a tool can help a firm to prioritize which risks should be combated first and what measures should be taken. Even if your firm does not engage in a risk mapping exercise, it is important to take the time to evaluate your individual risk profile in order to address it effectively.

Pay particular attention to mitigating the risk of securities laws liability. The rash of corporate scandals and new corporate governance laws have made this a particularly dangerous time to be working in an industry that routinely buys, sells and distributes corporate stock. Both the plaintiff's lawyers who bring securities class action lawsuits and the federal and state governmental agencies who enforce the securities laws have been particularly aggressive in pursuing serious charges against perceived wrongdoers.

For a private equity firm who has even a small number of public companies in its portfolio (or has private companies who may pursue an initial public offering), the risk of such claims must be taken seriously. Concrete steps to address this risk, such as the following, should be considered.

First, your firm should maintain a well-defined insider trading policy that clearly explains what your firm's rules are and what the consequences of any violation will be. If the policy already exists but hasn't been revised recently, it may need beefing up to address recent changes in the law. The policy should be distributed to all employees on a periodic basis, and procedures should be put in place to ensure that the policy is enforced. Second, firm employees who serve as directors on the boards of public portfolio companies must pay scrupulous attention to a portfolio company's self-imposed ?black-out periods,? during which trading in the company's securities is prohibited for company insiders. Funds also should consider timing any distributions to fall outside of such black-out periods in order to reduce the risk that the distribution could be perceived as based on inside information. Finally, the non-public information that a firm's board representative to a public company receives (such as board meeting packets or periodic management reports) ideally should be kept as segregated files not easily accessible to others unless they have a legitimate need for access.

Reform your firm's document retention and creation practices. If your firm does not have a formal document retention policy in place, you are not alone. Many private equity firms currently leave most document retention decisions to the individual firm employee who handles the particular documents he or she works with. In this mode, you can have the ?pack-rat? partner who ?keeps everything? side-byside with the ?minimalist? partner who has the ?paperless? office and keeps almost no documents. Such a laissez-faire practice may be good for allowing individuals to practice business according to their own personal style. It can cause problems, however, for the firm as a whole.

For example, there are certain categories of business records that as a matter of law must be kept for specified periods of time. These legal requirements vary by state, further complicating the rules for firms with offices in multiple locations. Certain situations (such as the threat of involvement in a lawsuit or investigation) also can trigger immediate document preservation requirements. Your firm must understand and prepare to ensure prompt, full compliance with such laws. Additionally, in this era where your firm's employees are bombarded with literally thousands of emails and other documents per month, it simply isn't practical or wise to ?keep everything.? Indeed, your firm likely is already disposing of many of the business documents that pass through your doors. Rather than relying on the ad hoc decisions made by individual employees, it will make sense to have guidelines as to certain categories of documents that should be retained for specified periods of time. Firms that have addressed these issues often find that such guidelines help the firm to operate more efficiently, and, particularly in the context of possible litigation, to be better prepared for responding to requests for the firm's records.

Finally, your employees should have some direction from firm management on sensible email and note-taking practices. There are numerous cases where individuals at private equity firms have made flippant or careless remarks in such documents without recognizing that these can become permanent records subject to discovery and public disclosure in litigation. Such indiscretions can cause significant embarrassment to a firm, as well as increasing the risk of liability. We have found that a short training session for employees on this topic can go a long way to improving better document creation practices.

Protect yourself with insurance and strong rights to indemnification. While the liability risks facing your firm can be minimized, they can't be eliminated. It therefore is critical that your firm put in place the maximum protections available to protect its personnel from the risk of personal liability. These protections operate at two levels. First, your firm's portfolio companies should be required to have top-quality directors and officers liability (D&O) insurance and to put in place indemnification agreements for your firm's representatives to the board of directors. Both of these layers of protection should be reviewed by your firm's counsel to confirm that they are as bullet-proof as possible. Not all D&O insurance policies or indemnification agreements are created equal. It may take some negotiation on your behalf to ensure that these protections are as strong as they should be.

The second level of protection comes at the fund level. More and more private equity firms are purchasing ?private equity firm? insurance that in essence operates as D&O insurance for the firm itself. The coverage protects the firm and its managers from claims by investors or any other third parties with whom the managers do business. Finally, firm managers will want to make sure that they fully understand the scope of their rights to indemnification from the firm and when a firm's assets can (and cannot) be tapped to pay for work-related claims against the individual. By evaluating these protections, firm managers can assess whether there are any gaps that need to be filled to reduce the risk of personal liability.

Carl Metzger is a partner in the Boston office of Goodwin Procter, LLP. He can be reached at cmetzger@goodwinprocter.com.