Risk assessment involves establishing an appropriate risk appetite; identifying specific legal, economic, and reputational risks; evaluating the effectiveness of mitigation measures and controls related to specific risks; and comparing the residual risk to the agreed-upon overall risk appetite, adjusting mitigation measures and controls as necessary. As the business environment frequently evolves, effective risk assessment procedures require regular and ongoing review of strategic and operational matters.
Many risk areas touch on specific and often technical issues. A GP may require the assistance of external specialists when dealing with specific risk areas such as legal risk, market/public relations risk, treasury risk, tax risk, financial crime risk, labor relations risk, regulatory risk or information technology risk.
Preferably, and where practical, a GP should establish a fully or largely independent risk management function within the company. The risk manager should act as a second line of defense, ensuring that all risks are measured and assessed to the highest standards, fully and in all parts of the process.
Where possible, it is preferred that the risk manager provide his/her independent opinion on the risks assessed in all decision-making processes concerning the GP’s investments. The risk manager should be as independent as possible, so that his/her judgment is not influenced by other parts of the GP organization and he/she does not feel dependent upon them when giving his/her opinion.
Risk assessment should be a regular ongoing process that identifies, measures, monitors and mitigates risks and should combine the GP's assessment of risk management with quantitative measures to support that assessment.
The assessment should involve the firm's senior management and include both fund-level risks and those of the GP's own business.
Any processes or procedures introduced in an organization should normally be subject to an analysis comparing costs, benefits and potential regulatory implications.
When an organization introduces new risk assessment infrastructure or procedures, it should be borne in mind that many of its existing business processes are likely to involve proactive risk assessment and mitigation, and that introducing procedures is therefore partly about making explicit what is already in place. This is particularly true for private equity firms, which are likely to have well-developed risk assessment and mitigation approaches and processes already embedded in their investment decision-making process.
A GP should seek external specialist support when necessary to address specific areas of risk that go beyond its internal competencies.