EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
-
Family Office Advisory Services offer domestic and cross-border tax services to high net worth individuals and families.
Read more
While external challenges have accelerated the adoption of risk management strategies among SFOs, our data show that most family offices still need to mature in how they plan for risks.
According to the EY Family Office study released earlier this year, only 49% of SFOs said they were confident they have a structured process in place for identifying risks, and 30% said decisions about risk management are not made at the highest levels of the organization.
To protect against growing technological, cyber, regulatory and reputational risks, SFOs must implement a risk framework and management system to recognize potential areas of concern. This includes identifying risks, maintaining an ongoing review process and implementing a comprehensive sourcing plan so SFOs can avoid or respond to risks.
Why risk frameworks are needed
The multitude and enhanced connectivity of devices found in the modern world allow individuals to interact and send messages instantaneously. But this growing complexity and widespread connectivity have made the communications ecosystem more vulnerable to hackers and other bad actors. In the EY study, nearly three-quarters of SFOs revealed they had experienced a cyber attack or data breach in recent years.
Cybersecurity isn’t the only area that family offices must navigate in this changing environment. Other trends — such as rising pressure for SFOs to take a public stand on ESG issues, changes to tax law since 2017 and the government push to make SFOs more transparent in sharing their data — complicate the risks. It’s easy to understand why many family offices are concerned by the potential risks coming from many directions.
While most SFOs understand the importance of addressing these new risks, family office executives are also tasked with striking the right balance between the risk tolerance and the risk appetite of their clients. SFOs often choose not to adopt a risk management framework to save funds, but this decision only reduces their ability to recognize the potential loss from an issue and make informed decisions. In the long run, this approach often leads to higher costs.
Additionally, without a risk framework, family members are often not provided with a suitable structure to understand risk. Once a management system is in place, SFOs will find it easier to discuss the trade-offs of risk-mitigation strategies with families, allowing for greater transparency and cooperation in the planning process.
While formal risk management may seem costly, the absence of a risk framework can lead to surprises or unrealistic expectations for SFOs and the families themselves. To foster trust and confidence within the organization and with stakeholders, SFOs should leverage their risk framework so clients can understand the stakes and make informed decisions in this complex environment.
Evaluating risk
Building an effective risk framework begins by leveraging an SFO’s existing governance system. SFOs that maintain formal governance structures allow executives to coordinate demands and prioritize strategic planning, providing a strong foundation for the creation of a comprehensive risk strategy.
Elevating a single individual to the position of Chief Risk Officer (CRO) to look across the whole organization can help streamline the decision-making process. A CRO can also be instrumental in determining areas on which to focus, incentivizing and rewarding the team for hitting goals, and measuring results.
With these governance systems in place, SFOs should seek to map out their current risks, including known and unknown risks, across each area of focus. As it’s often difficult to predict when or how risks will arise, SFOs may have to take a range of preventive measures to reduce their vulnerabilities.
Once risks are identified, it’s important to think about how to assess and respond to potential incidents. Understanding what can and can’t be controlled, both before and after intrusive events, is essential when planning for emergencies. If an SFO finds it has limited resources to protect stakeholders in a specific area, executives should consider onboarding people, processes or technology that allow them to respond more effectively. If certain risks cannot be avoided, executives should plan to mitigate future losses by monitoring the threat, calculating the magnitude and likelihood of potential damage, and taking proactive steps, such as purchasing insurance.
What’s most important is to identify places where the speed of response will matter. SFOs cannot always prevent an incident from occurring, but they can control how they react. Without a framework, SFOs may not be able to focus their limited resources on areas where they will have a maximum impact.
In the end, a commonly agreed ownership strategy remains essential to success. By implementing formal governance structures, SFOs can prioritize risk domains and allocate resources toward areas of strategic focus.
Maintaining the framework
The risk analysis process doesn’t end once a framework is created. To maintain an effective structure to evaluate risk, SFOs should conduct ongoing reviews of their plan to ensure their methods remain up to date. Much like a cybersecurity pen test, where a computer system is safely hacked to check for vulnerabilities, executives must continually probe their framework to find weak points.
A comprehensive review of risk frameworks frequently reveals the need to incorporate new methods and technologies into the planning process. While US SFOs may intend to make up for these deficiencies by investing in in-house solutions, the reality is that SFOS will have to outsource many processes to acquire the skills and technologies they need. The level of outsourcing at an SFO depends on the size and resources of the organization; building and maintaining technological solutions can be prohibitively expensive.
To find the right balance between “building” and “buying” solutions, SFOs should evaluate, based on their size and capital, whether they can hire the right people and develop systems in-house. Cyber and physical security are two areas where third parties tend to have more expertise and resources than most family offices.
In our rapidly changing world, we are often unaware of all the risks we face. And it’s only human nature to think that the disasters we see on the news won’t happen to us. Still, SFOs that do not prioritize and maintain a risk framework can place their clients at significant peril. By creating a comprehensive framework that considers different types of risks and controls, SFOs can interpret, monitor and respond to risks effectively, ensuring safer operations and better protection of their clients.