When it comes to IT and the Operational Due Diligence (ODD) process, funds need to give a great deal of focus and consideration to a few topics in particular. Infrastructure providers will assure you that data is secure and accessible, but you need to ask the right questions before making the full transition to the cloud. This is where the value of a Due Diligence Questionnaire really lies.
The first, and perhaps most important, question in the ODD process pertains to data security. With many countries trying to hack data to gain access to people’s intellectual property, as well as “hacktivists” and other individuals trying to make a statement by stealing and acquiring sensitive personal information, data security is of the utmost importance in today’s business world. Though investors are becoming much more comfortable with the cloud as opposed to five years ago, many still make the assumption that data is safer residing physically on site.
However, when firms take a closer look, they can quickly see how much safer their data actually is when residing in a private cloud environment. In fact, the most common data security threats are internal and often involve systems being infected by malware, through email, a website download or by way of a USB drive. Certain infrastructure providers will work directly with clients by taking them on an in-person tour of their data centers, so the clients can see firsthand how and where their data is stored. The providers will also sit down and educate clients about how intrusion-detection solutions are implemented and how to map out proper access controls and policies.
It is important that firms fully understand how all of their applications are being hosted. If data is being stored outside the IT provider’s cloud, it is important to make sure the company has all the checks and balances needed to keep all the data secure.
If firms choose to go with a Voice over Internet Protocol (VoIP) service, they must ensure that investors understand how their voice system works and how to continue using phones in case of an internal outage. In cases where phones are no longer an option, firms need to know of other methods that will allow them to carry out trades and continue to run the business effectively.
In the event of a natural disaster, knowing how to respond and, most important, how to continue operating is crucial to a firm’s survival. This was never more evident in the financial services industry than when Hurricane Sandy struck the Northeast in October 2012. The majority of Wall Street operations were shut down, and firms relied heavily on their service providers for data protection and continued operations. Business continuity planning is a large part of this. Identifying the specific internal and external threats to the firm during a potential breakdown or disaster is the only way a firm will stay afloat. Business continuity planning can act as a large part of the ODD process, adding a great deal of value, and is very often an underrated component.
Next to business continuity planning, disaster recovery and a firm’s plans in the event that its outsourced IT provider decides to close its doors are another key consideration. In that situation, how then does a firm continue to do business as usual? While having available “hot seats”-alternate sites dedicated to recovery-is a good precaution, it is important to note that in many natural disaster situations, such as Hurricane Sandy, these locations will no longer be viable options either. With that in mind, it is very important that firms work closely with their IT solutions provider to develop an alternate plan.
Finally, when working in a co-sourced relationship, hedge funds and private equity firms must communicate with their service providers on a regular basis. This includes involving the vendor as part of the ODD process with investors. This also allows the service provider to understand what improved tools they can build to better automate and assist with the ODD/Due Diligence Questionnaire process. If firms take these steps during the process, they will be sure to have an excellent relationship with both their infrastructure providers and their investors.
The views represented in this commentary are those of its author and do not reflect the opinion of Traders Magazine or its staff. Traders Magazine welcomes reader feedback on this column and on all issues relevant to the institutional trading community. Please send your comments to Traderseditorial@sourcemedia.com
(c) 2014 Traders Magazine and SourceMedia, Inc. All Rights Reserved.