Let’s connect!
HOT TOPICS / INSIGHTS Industry Insights

Risk Management and Internal Controls – The First Line of Defense for Family Offices

Daniel Cabo Jr.

11.17.21 | Industry Insights

Imagine you are interviewing to run a privately-held technology company, a position you have been coveting for years. But once you are able to poke around and do a little due diligence, you realize that the company is a house of cards, without key processes in place to mitigate risks. Not a great scenario for the company’s long-term success (or for your job security!).

Now picture that same scenario, except the technology company is a single family office, managing its Principals’ wealth. Similarly, the lack of a strong foundation makes sustainable growth and success questionable.

And yet, this is a problem for many family offices. While families spend a great deal of time managing investment risk, often less emphasis is placed on limiting other significant, even existential, risks. Given the scale of wealth involved, it is concerning that families do not invest the time to put in internal controls to address the wide range of organizational and operational risks tied to running such an entity; in many cases, the exposure is considerable.

While managing risk within the family office is a very broad topic—one that cannot be addressed in a single article—the following are some of the more significant issues that need to be identified and reviewed on an ongoing basis as the objectives and structure of the family office change.

Understanding the Risks

Currently, it is estimated that there are 10,000 single family offices worldwide, with approximately half created within the last two decades. Family offices come in many forms, but there is a commonality in their directive to preserve and grow the family’s wealth, with each office having a different approach and threshold to managing investment risk.

Protecting investment assets is typically forefront in the minds of families, yet other risks should be given equal consideration given the enormity of the consequences for ignoring them. These risks are usually associated with running a successful business, but they can also be found within the family office context.

They include:

  • Employee misappropriation of funds
  • Imprecise record keeping/financial reporting
  • Inadequate internal controls and business activities oversight
  • Noncompliance with labor laws and regulations
  • Issues with taxation

Another common problem area, which has increased dramatically within the last two years, is cybercrime. COVID-19 forced a change in work patterns that led family offices to deploy remote systems and networks to support staff working from home; many of these systems were hastily set up and the connections insecure. As such, risks arise and include:

  • Cyber (in)security
  • Information misuse or theft
  • Imprecise record keeping/reporting
  • Breaches in privacy and confidentiality

Finally, other risks are associated with employment, such as:

  • Ghost employees
  • Payroll fraud
  • Collusion

Internal Controls are Key

Internal controls provide a system of checks and balances to identify and mitigate risks while providing transparency for decision-making. They allow for formal processes and procedures that are repeatable, documented, and flexible. Effective internal controls can encompass:

  • Expense Management: Initiate bidding and purchasing policies, including vendor quotes and invoice approval, to control spending.
  • Delegation and Segregation of Duties: Assign specific responsibilities to specific employees so that no single person has broad authorization power. If staffing limits are a problem, consider stronger monitoring procedures.
  • Record Retention and Management: Establish policies for the retention and destruction of records, including secure storage and methods to dispose of records so that they cannot be retrieved by outsiders.
  • Policies and Procedures: Document accounting policies and procedures to help accounting and finance staff understand and follow formalized rules and maintain consistent and more secure controls.
  • Rules for Onboarding New Employees: Adhere to a screening plan to determine qualifications, reliability, and cultural fit when finding a new employee and integrating them into the organization.
  • Software and Hardware: Monitor external-facing systems, such as your firewalls, in real-time and update with the recommended patches from the manufacturer, as cybercriminals constantly seek out vulnerabilities in your lines of defense.
  • Social Media: Limit the use of social media, personal email, document sharing, and storage devices to avoid an intentional or inadvertent data breach.
  • Multi-factor Authentication: Adopt this most secure software authentication method, which requires multiple means of identification at login. Insist on complex passwords as well (no baby birthdays).
  • Disaster Preparation: Prepare an incident response plan in the event of a successful cyberattack or even an act of God (flood, earthquake, or fire) that designates a team leader and assigns specific responsibilities to selected individuals who act swiftly.
  • Review Financial Reports: Identify the proper individual to review various financial reports (general ledger, cash flow, and budget-to-actual) in a timely manner to help mitigate risk.

Identifying the Gaps

An internal review is the best place to start to identify areas of particular risk. The analysis should focus on the existing policies and procedures, including segregation of duties as well as daily functions that have changed due to COVID-19 and our transformed work environment.

Best practices recommend that internal controls be put into place when the family office is first established. This action will discourage inconsistency and serve to manage risk from the outset. However, no matter when the controls are put in place, they should be updated as the form and function of the family office change and evolve.

Internal controls are the first line of defense for a family office. Steps taken to introduce, maintain, and regularly revisit and upgrade those controls will go a long way in helping mitigate risk and protecting all that has been built for the family.

Questions? Contact your Berdon advisor.