Standard Differences: Differentiation Through Standardisation? (ISO9001, SAS70 & Management Systems)

By Professor Michael Mainelli
Published by Journal of Risk Finance, The Michael Mainelli Column, Volume 6, Number 1, Emerald Group Publishing Limited, pages 71-78.

What’s the Difference?

As hedge funds and asset managers increasingly compete for mandates, the standard sales process is starting to buckle. Take a typical sales visit by an institutional investor:

  • 60 minute presentation – we are the best because this is our theory, which is ours, and it is the best and we backtested it and it was great - or we don’t need to backtest it because we are great;
  • 60 minute interview with principal trader/strategist – I am the best, because I am and I always have been - except when I was with a house whose pockets weren’t deep enough to see me through;
  • 15 minute preliminary due diligence chat – we are the greatest, so we run the greatest shop and we never make mistakes.

You don’t really learn a lot from this process, do you? They told you they were the best before you visited (and that you should give them pots of money). When institutional investors were keen to diversify, fielding a credible trader or strategist gained a lot of funds to manage. However, markets are tightening and hedge funds and asset managers are keen to differentiate. Increasingly, but not universally, hedge funds and asset managers are being asked to prove that they are well-run; that operational risk is low. One axis of competition is compliance with standards such as ISO 9001 or SAS 70.

While there are a number of performance benchmarks, e.g. Morningstar, Lipper, S&P Micropal or various indices, the allocators of funds increasingly pay attention to operations, especially in light of Basel II’s operational risk requirements. This is hardly surprising. While a great fund might make quite a few percentage points in a good year, or lose quite a few percentage points in a bad year, what really loses all your money are operational risks (though we could have a vigorous discussion about market and liquidity risk interaction). Trading is unlikely to wipe your assets out completely over the too-typical annual evaluation period, but operational deficiencies, albeit rare, can wipe you out in days. However, operational risk is all about people [Howitt, Mainelli and Taylor, 2004]. When people are not managed to ‘do what they say they do’, operational losses occur. Can we validate well-run hedge fund or asset management operations from the outside?

Standards, What Standards?

Financial markets exacerbate timing problems with evaluating systems’ effectiveness. For instance, while one may have a life assurance organisation that is ‘fit for purpose’, who is going to carry the liability when a 25 year policy falls short? The regulatory environment puts a direct onus on senior management to have the right processes in place, but how do you know whether they are the right processes until it is too late? Institutional investors seek external validation that operations are run well because of the governance regimes under which these institutional investors increasingly work. Either for good motives or for the satiation of bureaucracy, institutional investors want to ‘put a tick in the box’ that the fund management operations meet basic operational standards. They would like a ‘kite mark’ that makes them able to say, “Ahhh, this really is a well-run, quality operation and this seal proves it to our lords and masters.”

Regulators are also adding pressure where they can see applicable external standards for operations or calculations. Asset managers appreciate that external verification of standards compliance can help them better control their dealings with regulators such as the FSA. As one hedge fund manager put it, “we die if investors pull their money out; or if the FSA censures us, leading to investors pulling their money out.” And hedge funds and asset managers are responding to standards. For example, some fund management groups are using ISO 9001 certification in their marketing (more on this later; ISO 9001 is published by the International Organization for Standardization and certification is carried out by numerous certification bodies, e.g. BSI, Det Norske Veritas, Bureau Veritas, Lloyd’s Register, SGS), others SAS 70 (Statement on Auditing Standards No. 70, issued by the American Institute of Certified Public Accountants and applied by audit firms). Several European fund managers have obtained ISO 9001 certification. Numerous European and US fund management firms have obtained SAS 70 reports. If ISO 9001 or SAS 70 aren’t enough, particularly combined with the promulgation of requirements from numerous regulators, standards organisations such as the BSI would happily develop and manage new industry or sub-industry standards.

While first party verification has some benefits (e.g. stating “we iz brilliant and check ourselves regularly”) the benefits are significantly enhanced when the claim is verified by an independent assessor. There is little evidence of organisations achieving the benefits sought from quality management systems without the rigour of “external examination”. Third party verification requires an accepted universal standard (e.g. ISO 9001 or SAS 70) and a body of credible, independent (third party) assessors. To a degree, credit rating agencies are a kind of third party verification but they do not publish a universal standard and, when pressed, pull in their horns and point out that they really only focus on debt. There are other third party verification initiatives, e.g. RCP & Partners’ fiduciary ratings of private equity firms such as Adveq or Dresdnerbank’s Investment Management, as well as Morningstar’s launch of mutual fund fiduciary ratings in August 2004. RCP has rated 100 firms covering over 1,000 funds. These standards are not ‘open source’ tools, but rather proprietary. They can be ‘bought off the shelf’ as opposed to needing significant management time to get going. On the other hand, to improve performance over time will still need an operational management system. For hedge funds and asset managers seeking an externally-verifiable operational management standard, two camps seem to be emerging, ISO 9001 or SAS 70.

Quality versus Control?

Benjamin Franklin, when discussing quality, once said “the best is the cheapest” [I’m not paid for writing, so this article should be marvellous]. Franklin presumably recognised that, in the long term, higher quality results in lower costs. Higher quality is the objective of two management theories: quality management systems and total quality management. Quality management systems, such as ISO 9001 emphasise traditional control mechanisms (e.g. checklists, control logs, standard forms). Total quality management (TQM) is a philosophy where management use a set of approaches (e.g. discussion groups, quality circles, customer involvement) to build a culture of continuous improvement. While the cults of quality can be easily satirised [Mainelli and Harris, 2000], quality management systems are powerful tools.

Formal quality process standards began life soon after the Second World War. The USA and UK governments devised AQAPs (Allied Quality Assurance Procedures) as a means of standardising and controlling military supplies. This proved to be a very successful means of control and appealed to large commercial businesses as a mechanism for controlling their suppliers. The task of drawing up a quality assurance standard that had universal application proved onerous; it was not until 1979 that BS 5750 was first published. It was written from a manufacturing viewpoint, although it was stated that the words “products” and “services” were interchangeable. In 1987 BS 5750 was revised, reissued and adopted as European (EN 29000) and International (ISO 9000) standards. ISO 9001:2000 was issued in 2000 and greatly clarified the standards. Robert Pay, Director of Global Marketing at the BSI, notes that ISO 9001 “is the world’s most popular management system.”

SAS 70 also has a long lineage, but comes up the financial systems control route. Internal controls have always been a key issue in arriving at audit opinions. Statements on Auditing Procedures in the USA date to 1938. SAS 70 was first issued in 1992 in an attempt to set a standard for essential controls in service organisations, and expanded on the idea of validating the key components of the control environment, risk assessment, control activities, monitoring, information and communication set out in SAS 55. However, SAS 70 is clearly about auditing these components. In the UK, FRAG 21 is fairly comparable to SAS 70. There are also two types of Service Auditor’s Report under SAS 70: Type I (less rigorous, an opinion on whether the described controls are suitably designed as at a point in time) and Type II (more rigorous, which additionally tests whether those controls operated effectively over a stated review period). A client reading a SAS 70 report should therefore check not only what was in scope but which type of report was issued and, for a Type II, what period it covered.

Usual Suspects

At a theoretical level, the two standards seem to differ on whether the scope is inward and narrow, i.e. SAS 70 is concerned with internal controls, or outward and expanding, i.e. ISO 9001 is concerned with quality in its widest sense, where many definitions of quality can be used but embrace the following theme: “quality is the satisfaction of customer requirements”. ISO 9001 is potentially a more all-embracing standard for operational risk management. ISO 9001 provides the opportunity for a third party to certify that ‘you do what you say you do’ when it comes to running your operations. However, given that you specify the management system that is being certified, ISO 9001 suffers from being rather imprecise. A big challenge is in standardisation of the signalling metrics, but the general nature of ISO 9001 leaves such issues as examples to be worked by the interested applier. In a similar way, SAS 70 leaves the definition of ‘scope’ to the firm, so clients should carefully ask what is in or out of scope, and what type of audit was performed.

As with Sarbanes-Oxley, the international camp seems to be lining up against the USA camp. Sarbanes-Oxley has led numerous fund managers to investigate SAS 70 to verify what control systems are in place and that they seem to work. Viewed from outside the USA, SAS 70 does not seem strong, though the strength of adoption of FRAG 21 is a bit unclear. From the folks who brought you Enron, Adelphia, Worldcom or Global Crossing, i.e. USA CPAs, here’s another standard. SAS 70 audits require a USA CPA, not such an issue if one of the Big 4 audit firms is your auditor (and they are aggressively marketing these services to hedge funds and asset managers abroad), but more problematic for non-USA auditors and clients. SAS 70 is clearly subject to the whims of USA CPA regulation and politics. Fine if you’re based in the USA, but somewhat disconcerting to be pulled and pushed by USA regulatory compliance and professional issues when abroad. In some ways this makes a virtue of the glacial pace of standards evolution when undertaken (perhaps more accurately ‘negotiated’, ‘liaised’ or ‘considered’) at an international forum such as the ISO.

Further, SAS 70 seems to recapitulate portions of the financial audit. There are clearly some complex issues here, but as directors’ responsibilities already include:

  • select suitable accounting policies and then apply them consistently;
  • make judgments and estimates that are reasonable and prudent;
  • state whether applicable accounting standards have been followed, subject to any material departures disclosed and explained in the financial statements;
  • prepare the financial statements on the going concern basis unless it is inappropriate to assume that the Company will continue in business;
  • keep proper accounting records – including setting an appropriate control environment;
  • safeguard the assets of the Company and take reasonable steps for the prevention and detection of fraud and other irregularities;

it seems a bit rich to re-audit looking for yet more controls by, in most instances, the same firm that performed the audit. If they were prepared to audit without verifying the existence of proper controls…well, what exactly did they do?

Standard Background Checks

So clearly, ISO 9001 is the correct choice for ex-USA firms? Well, not so fast. Few firms find that their sources of capital are completely ex-USA. Further, while ISO 9001 is very flexible, e.g. it can handle fast food joints, aircraft manufacturers, nuclear power plants or plumbers, it is not specifically targeted at financial and operational controls. So clearly, I ought to get both? Well, again, not so fast. A number of European authorities, e.g. Luxembourg, are interested in a more holistic fiduciary rating approach. Fiduciary rating is an interesting complement to ISO 9001 or SAS 70 as it is not simply a pass/fail rating. It’s also a bit expensive to get either ISO 9001 or SAS 70, not in external costs (though current estimates place SAS 70 as much more expensive, presumably because of the professional indemnity costs the auditing firms incur), but in significant amounts of management and staff time. The key costs are:

  • time costs of staff involved in developing the quality system, launching the system and training the staff (the most significant element);
  • fees for external assistance;
  • assessment and registration fees with certification body;
  • printing manuals and other peripheral expenses.

Outside the USA, there are clearly strong reasons for preferring ISO 9001 if a firm’s sources of funds are largely ex-USA. What might be involved? The key clauses in ISO 9001 cover principal components such as:

  • communicate with customers;
  • identify customer requirements;
  • meet customer requirements;
  • monitor and measure customer satisfaction;
  • meet regulatory requirements;
  • meet statutory requirements;
  • support internal communication;
  • provide quality infrastructure;
  • provide a quality work environment;
  • evaluate the effectiveness of training;
  • monitor and measure processes;
  • evaluate the suitability of quality management system;
  • evaluate the effectiveness of quality management system;
  • identify quality management system improvements;
  • improve quality management system.

The above are hardly objectionable and largely self-explanatory. Christopher Hall of Bruce Nelson Capital notes that the list of processes that needs documenting and monitoring is worryingly long. A big issue with quality management is whether it just adds more paperwork, which slows down creativity and the desire to change systems, i.e. changing systems means you will be saddled with yet more forms and manuals to update in order to stay compliant. Further, systems can become over-professionalised, concentrating operational risk through an over-dependence on the few staff who understand the systems.

A dusty pile of procedure manuals does not equal quality, but ultimately ISO 9001 requires designing, documenting, implementing and monitoring a number of processes, up to as many as these 21:

  • quality management;
  • resource management;
  • regulatory research;
  • market research;
  • product design;
  • purchasing;
  • production;
  • service provision;
  • product protection;
  • customer needs assessment;
  • customer communications;
  • internal communications;
  • document control;
  • record keeping;
  • planning;
  • training;
  • internal audit;
  • management review;
  • monitoring and measuring;
  • non-conformance management;
  • continual improvement.

Christopher Hall has a simple equation: “Quality = Automation and Simplification of daily procedures so that they are simple enough for a donkey to understand”. ISO 9001 is flexible, but that flexibility brings with it the need for an ‘inner desire’ to improve and a concomitant potential complexity. A hedge fund or asset manager must look within and develop its own definition of quality. ISO 9001 allows organisations to define what quality means to them, and to specify how that quality will be assured. Who is going to help explain to Christopher’s donkey the choices made in the name of flexibility? Or why our choices differ from a similar competitor’s? Christopher points to the well-trod quotation, “models are for the guidance of wise men and the obedience of fools”, and notes that a similar principle applies to quality systems: “quality standards are for the guidance of wise men and should not be given to fools”. Although ISO 9001 formal quality systems are minimum standards, they do lock in the tangible benefits of quality while the organisation travels along the road to improvement. The benefits, costs and risks are complex. As with any long journey, it makes sense to pace yourself and set milestones along the way.

So What’s a Poor Fund Manager to Do?

Z/Yen believes that standards can provide three generic benefits:

  • risk avoidance – standards should result in fewer crises and problems through the appropriate design, implementation and enforcement of controls, thus increasing survivability through the achievement of at least basic competence;
  • reward enhancement – standards should result in greater returns by generating increasing returns from management time and effort. There may be a temporary benefit of gaining business through differentiated marketing, as was the case for one commodity-trading firm that was an early adopter of ISO 9001 in the early 1990s;
  • volatility reduction – by increasing consistency of performance, costs are reduced and client satisfaction is increased. Basically, an investment in quality systems is the equivalent of reducing the price of the put option on the organisation. Further, volatility reduction should over time provide strong evidence that the operational risk capital required under Basel II could be reduced compared to firms without an externally verified standard certificate [Mainelli, 2004].

This article is not about the mechanics of getting either standard. Total quality programmes embarked on in isolation often flounder by not defining tangible goals and benefits. The benefits gained may evaporate at later stages of the project. This article is about recognising that choosing any standard may have wider strategic ramifications. A fund manager ought to consider at least the following:

  • informing themselves to the point that they can state their position on the two leading standards and their international implications, as well as their position on fiduciary ratings;
  • being prepared for informed discussions with clients and regulators about standards, for instance, looking at the standards as a means of ‘outsourcing’ some compliance verification services;
  • having a policy about standards and fiduciary ratings, e.g. “we are currently seeking x” or “we believe that external quality standards are inappropriate for us because…”. Clearer responses to standards and ratings issues help everyone. At the moment, the good point is that competition around a handful of approaches might well result in sensible ‘free market’ offerings. A bad point is that increasing confusion could lead to formal regulatory standards impositions;
  • encouraging wider debate and consensus through industry fora and lobbies. Standards may well be a way of helping regulators to consolidate a plethora of requirements, e.g. within a flexible ‘interpretation’ of ISO 9001. However, a plethora of standards will do little good. Further, the ‘all or nothing’ nature of some standards makes them less useful to regulators who need gradations. Perhaps standards organisations should be compelled to provide centralised metrics that can be used to benchmark operational performance;
  • forcing standards organisations to prove correlations of standards implementation with improved performance or shareholder value.

The burden of regulation and compliance is increasing rapidly in all industries, including finance. Moreover, managing regulation and compliance is becoming a core business skill for many [Mainelli, 2003]. “What should our response to regulation be?” is not just a compliance question, but a strategic one. An old Chinese proverb applies – “what you cannot avoid, welcome”. There may be a particularly good reason for welcoming a small set of externally verifiable standards: this is potentially a sensible market response to regulation (note to standards organisations: financial services is a huge market). Perhaps there is a ‘third way’ between complete anarchy and intrusive regulation. The third way might be for regulators to encourage outsourced compliance checking of flexible standards. Regulators would then need to promote their own reduced role, justified by reduced risk, where the standards are externally validated.

So we circle back around to why firms seek these standards in the first place. Most hedge funds and asset managers have iconoclastic origins. They could well benefit from the implementation of considered external standards as they grow, but most investigate ISO 9001 or SAS 70 because of client requests, not an internal desire to improve through the use of standards or a considered approach to reducing operational risk. Their cultures are ones of breaking moulds, not conforming, though most will conform to standards in order to win business. ISO 9001 and SAS 70 provide an opportunity, probably temporary, for firms to differentiate themselves from the competition. Looked at from a market level, a lot of differentiation work may occur that over a few years leads to ISO 9001 or SAS 70 becoming a standard cost of doing business while providing no marketing benefit. Numerous benchmarks have followed a similar route. However, ISO 9001 in particular may have an enduring role in helping fund managers to manage better and, therefore, improve an entire industry for everyone’s benefit.

References

[1] Jonathan Howitt, Michael Mainelli and Charles Taylor, “Marionettes, or Masters of the Universe? The Human Factor in Operational Risk”, Operational Risk (A Special Edition of The RMA Journal), pages 52-57, The Risk Management Association (May 2004).
[2] Michael Mainelli and Ian Harris, Clean Business Cuisine: Now and Z/Yen, Milet Publishing (2000), Chapter Four: “Quality is Free”.
[3] Michael Mainelli, “Toward a Prime Metric: Operational Risk Measurement and Activity-Based Costing”, Operational Risk (A Special Edition of The RMA Journal), pages 34-40, The Risk Management Association (May 2004).
[4] Michael Mainelli, “The Consequences of Choice” (enterprise risk/reward management systems), European Business Forum, Issue 13, pages 23-26, Community of European Management Schools and PricewaterhouseCoopers (Spring 2003).

Thanks

I would like to thank a number of identifiable helpers such as Christopher Hall, Brandon Davies, Robert Pay and Ian Harris, as well as some anonymous helpers – you know who you are. Thank you all.


Michael Mainelli, PhD FCCA FCMC MBCS CITP MSI, originally did aerospace and computing research followed by seven years as a partner in a large international accountancy practice before a spell as Corporate Development Director of Europe’s largest R&D organisation, the UK’s Defence Evaluation and Research Agency, and becoming a director of Z/Yen (Michael_Mainelli@zyen.com). Michael also achieved the first ISO 9001 certification in the City of London financial markets for the accountancy practice in 1990 and went on to help clients, such as one of the largest commodity traders, achieve ISO 9001 certification.

Michael’s humorous risk/reward management novel, “Clean Business Cuisine: Now and Z/Yen”, written with Ian Harris, was published in 2000; it was a Sunday Times Book of the Week; Accountancy Age described it as “surprisingly funny considering it is written by a couple of accountants”.
Z/Yen Limited is a risk/reward management firm helping organisations make better choices. Z/Yen undertakes strategy, finance, systems, marketing and intelligence projects in a wide variety of fields (www.zyen.com), such as developing an award-winning risk/reward prediction engine, helping a global charity win a good governance award or benchmarking transaction costs across global investment banks.

Z/Yen Limited, 5-7 St Helen’s Place, London EC3A 6AU, United Kingdom; tel: +44 (0) 207-562-9562.

[An edited version of this article first appeared as “Standard Differences: Differentiation through Standardisation? (ISO9001, SAS70 and management systems)”, Journal of Risk Finance, The Michael Mainelli Column, Volume 6, Number 1, Emerald Group Publishing Limited (January 2005), pages 71-78.]