There’s probably never been more risks facing private markets than now, at a time when CFOs and COOs are struggling to attract and retain talent, understand and comply with a constantly changing and growing regulatory regime, wary of a proliferating set of cybersecurity threats and, for some, raise funds in a highly competitive market and chaotic economic outlook.
Mid-market and emerging managers are facing all of this while continuing to institutionalize and professionalize their firms in response to LP demand, sometimes with resistance from the front office.
“We got a lot of resistance from the front office,” said Lindsey Ord of Climate Fund Managers. “But they’re seeing the importance of putting in assumptions (into new tools) that can give you a great view.”
Even so, change is always a hard sell. “We’ll just keep pushing ahead,” Ord said.
Building a tech platform that frees up CFOs and COOs is critical, but needs to be done with careful planning and caution. Ord noted that while it is important to approach solving data and tech issues with an open mind, “the most important thing is to be really clear on your requirements,” or you risk a clumsy architecture.
Meanwhile, even as cybersecurity threats grow in number, insurance companies are refusing to issue policies to those who don’t already have them – at present, policies can only be renewed. And even if you do have one, it’s not clear it will pay off. ‘Read the fine print’ is the watchword, because, as one participant said: “It feels like the insurers are setting you up to fail.”
Phoenix Equity CFO Steve Darrington, a British PE industry veteran, said: “I have a principle and it’s of professional paranoia.” He’s turned to insurer Mactavish – “an outstanding organization that writes and places risk,” he says.
Two CFOs on one panel alone reported that servers used by portfolio companies had been hijacked for crypto-mining.
Here are some tips from Eric Huttman, CEO of FX services firm MillTech FX by Millennium Global from a risk panel he was on. The questions a CFO should ask a vendor are:
- “Where is the data? Second step is, where else is the data? A hack is really only meaningful if they locked access to something they don’t have access to anywhere else.”
- “Do you have a cyber rating, are you an ISO27001 firm or SOC2 (System and Organization Controls) firm in the US.”
- “Do you have a Chief Information Security Officer?”
- “What was the result of your last penetration test?” (If the vendor doesn’t know what a test is, be worried!)
- “How many times do you do penetration tests? We do it at least twice a year.”
And a CFO speaking privately about her (and others’) challenge of getting internal support and buy-in to her cybersecurity efforts said: “How do you get your people interested in cybersecurity? You get hacked!”
Insights from panelists
There was no shortage of excellent insights from panelists and attendees, but below are some choice quotes from panelists at the Forum – along with some of their service provider recommendations – as well as the results of polls taken live at the venue. (And you can find out more about the CFO Network here!)
A tip on managing SFDR disclosure? “We use Greenstone Plus. We used Excel and that proved increasingly stressful.” – Amandeep Johal, legal counsel of portfolio governance, Triton Partners (Other providers are available, of course.)
“One of the more niche challenges people face is: are you Article 6 or are you Article 8? When that first came out a couple of years ago, it was fairly clear cut. But if you speak to lawyers in London, they have different views… You may think I do a bunch of stuff to promote ESG, therefore I’m Article 8, I don’t do that then I’m Article 6. But actually [some think that] if you do anything around ESG, if you reporting around ESG, then you turn into an Article 8 fund, but then you’re somehow deficient because you’re not [fulfilling the other Article 8 criteria].” – Nathan Brown, COO, Arcmont Asset Management
Novel fund types
“This shift to open-ended funds will have material implications for valuations. Clean governance has to be clear about who’s responsible for valuations. Maybe I also have to think about involving a third-party… (it’s) definitely the ask from investors.” – Vincenz Rentsch, Partners Group
“[I keep my team focused] on the use case for the data as well as minimizing the manual tasks in the data process as much as possible. We are working with an outsourced provider, it takes 90 percent [of the] burden off the front office. You need to have a place for your unstructured data too – the data warehouse. We use Snowflake, and a lot of our clients do, too.” – Sahem Gulati, head of strategy and consulting, M&G Investments
“We had 350 applications for two positions and narrowed it down to seven interviews and nobody we had were going to be a perfect fit. It’s (still) incredibly difficult to find – skilled staff.” – Isha Doshi, partner and CFO, TLG Capital
The risk register normally gets updated every six months but “so much has changed in 10 or 12 weeks, so much is changing dynamically.” – Marie Joyce, COO/CFO of Irish renewable energy firm NTR
“We’ve a risk register with a thousand lines and a (look) at that reminds you of… risks that get revisited. But it’s useless if you don’t do something with it… risk culture is people understanding the acceptable tolerance of risk.” – Steve Darrington, CFO, Phoenix Equity.