Before a hedge fund signs on with an IT firm - cloud, network or otherwise - they have to know that the firm can handle any and all situations.
When it comes to IT and the Operational Due Diligence (ODD) process there are a few topics that come to mind on which funds need to put a great deal of focus and consideration. Infrastructure providers will assure you that data is secure and accessible, but the right questions need to be asked before making the full transition to the cloud. This is where the value of the Due Diligence Questionnaire (DDQ) really lies.
The first, and perhaps most important, question in the due diligence process pertains to data security. With many countries trying to hack in order to gain access to people’s intellectual property as well as “hacktivists” and other individuals trying to make a statement by steeling and acquiring sensitive personal information, data security is of the utmost importance in today’s business world. Though investors are becoming much more comfortable with the cloud as opposed to five years ago, many still make the assumption that data is safer residing physically onsite.
However, when firms take a closer look they can quickly see how much safer their data actually is when residing in a private cloud environment. In fact, the most common data security threats are internal and can occur when using malware through either email, a website download or with a USB drive. Certain infrastructure providers will work directly with clients by taking them on an in-person tour of their datacenters so they can see first-hand how and where their data is stored. They will also sit down and educate clients on how intrusion detection solutions are implemented and how to map out proper access controls and policies.
It is important that firms fully understand how all of their applications are being hosted. If data is being stored outside of the IT provider’s cloud, it is important to make sure the company has all the checks and balances needed to keep all of the data secure.
If firms choose to go with a VOIP service, they must ensure that investors understand how their voice system works and how they will be able to continue using phones in case of an internal outage. In cases where phones are no longer an option, they need to know other methods that allow them to carry out trades and continue to run the business effectively.
When Disaster Strikes
In the event of a natural disaster, knowing how to respond and, most importantly, how to continue operating is crucial to a firm’s survival. This was never more evident in the financial services industry than when Hurricane Sandy struck the northeast in October 2012. The majority of Wall Street operations were shut down and firms relied heavily upon their service providers for data protection and continued operations. Business continuity planning (BCP) is a large part of this. Identifying the specific internal and external threats to the firm during a potential breakdown or disaster is the only way a firm will stay afloat. Business continuity planning can act as a large part of the ODD process, adding a great deal of value and is very often an underrated component.
Next to business continuity planning, disaster recovery and what a firm’s plan is if their outsourced IT provider decides to close its doors is another key consideration. In that situation, how then does a firm continue to operate business as usual? While having available “hot seats,” alternate sites dedicated to recovery, is a good precaution, it is important to note that in many natural disaster situations, such as Hurricane Sandy, these locations will no longer be viable options either. With that in mind, it is very important that firms work closely with their IT solutions provider to develop an alternative plan.
Finally, when working in a co-sourced relationship, hedge funds and private equity firms must communicate with their service providers on a regular basis. This includes involving the vendor as part of the Operational Due Diligence process with investors. This also allows the service provider to understand what improved tools they can build to better automate and assist with the DDQ\ODD process. If firms take these steps during the process, they will be sure to have an excellent relationship with both their infrastructure providers and their investors.