Considerations When Hiring an Outsourced CIO Firm

By Emily M. Berger, CFA, Director of Investment Risk Advisory, Financial Services

A popular trend among institutional investors and family offices is to hire an outsourced chief investment office (OCIO) firm to manage their investment portfolios, rather than maintain an internal investment team. This approach has the benefit of providing access to alternative investment managers who have closed their funds to new investors. Another benefit is the ability to obtain diversified exposure to an alternative asset class with an investment amount that would otherwise only meet the minimum level for an individual manager.

The recent market dislocation and subsequent economic downturn have cast a bright light on the distinction between those OCIO firms that successfully integrated a holistic risk management approach and those that did not.

Key Evaluation Considerations

There are numerous risk-oriented considerations to keep in mind when selecting an OCIO. Some key areas to evaluate are:

Investment Vehicle Risk – It’s critical to evaluate the structure of the investment vehicle(s) employed by the OCIO. For example, some firms offer a fund-of-funds type vehicle for all investments, including more liquid equity and fixed income holdings. This design has the effect of negatively transforming the liquidity characteristics of these assets since they would be subject to the more restrictive redemption policies for the entire investment vehicle.

Transforming liquid assets in this manner is not recommended and is a cautionary lesson from the financial crisis a decade ago. If an investor proceeded with this type of investment structure, they could maintain a more meaningful allocation in liquid investments outside of the commingled OCIO investment vehicle. This would provide them with more control and access to liquidity to fund grantmaking or operations in the event of an unexpected market dislocation.

Due Diligence Process Risk – There are often three stages of due diligence performed by OCIOs:

  • Investment Due Diligence: During this stage, the investment team evaluates the investment manager’s strategy, opportunities, and strategic fit within the portfolio. A comprehensive best practice is to use an operational due diligence screen at this stage to ensure that an appropriate level of internal controls and institutionalization is in place. This more holistic approach enables the firm to advance only the managers who meet their internal criteria across the due diligence process.

  • Risk Management Due Diligence: Some firms have a dedicated team tasked with assessing the market risk employed by a particular investment manager. To the extent that a meeting is scheduled with the chief risk officer of a fund, it is helpful to include a member of both the investment and operational due diligence teams so that topics that impact investment strategy and liquidity risk management don’t get caught in the gaps between discussions. An example of this area would be the evaluation of the connection between a manager’s stress testing activities and the liquidity planning by their Treasury team.

  • Operational Due Diligence: This team is typically brought into the process at a later stage to vet a new manager from a business perspective ‒ assessing the firm’s operations, compliance program, cybersecurity practices, and internal controls, among others. Given the scope of topics covered by this team, an evaluation of the composition of the operational due diligence team is important. A team composed of professionals with diverse backgrounds can cover the range of operational due diligence topics most effectively.

Often these teams are tasked with evaluating and monitoring all investment managers in the portfolio. Given this mandate, it is important to evaluate the staffing levels of this team to determine whether resources have been appropriately allocated for their work. Additionally, staging operational due diligence reviews at the latter part of the process might make it more difficult for reasonable but borderline concerns to have influence.

Counterparty Risk ‒ Since trading counterparties are senior to investors, it’s critical to understand the key terms in trading documentation that would enable the counterparty to terminate the trading relationship and liquidate collateral held against exposure. Most investors ask about additional termination events in an ISDA, the primary documentation which governs derivatives trading with dealers, but they don’t necessarily track the performance and capital declines against these levels. Investors should not rely on the idea that any breach would be successfully renegotiated. Investors are not privy to the daily experience that counterparties have with the legal and operational aspects of a trading relationship.

Excessive margin call disputes and ongoing operational issues can make credit officers more inclined to terminate a trading relationship if a breach occurs. Counterparty risk assessment is typically part of the operational due diligence process but should be incorporated into the investment and risk due diligence process as well.

Portfolio Structure Risk – When evaluating OCIOs, it’s important to understand the asset allocation process, both across broad asset classes and within each asset class across managers/investments. If the process includes a market scenario projection, investors should ask questions to better understand the influence that expected future returns have on the portfolio design process.

Tax Structure Risk – OCIO investment teams should consider the tax implications of their portfolio recommendations for their clients. For example, when making investment recommendations to private foundation clients, OCIO investment professionals should be knowledgeable about the scope of transactions that can generate unrelated business income tax (UBIT), a critical issue. Private real asset funds can easily generate UBIT in multiple states. OCIO professionals should also note that an investment which uses a blocker corporation could trigger a U.S. tax filing for foreign transfers of money.

Operational Risk at OCIO – When evaluating an OCIO, it’s important to understand the internal controls in place within the firm’s Treasury and Operations groups. We recommend setting up three types of groups for outgoing cash wires: one with authority to set up cash wire transactions only; one with the authority to approve but not release cash wires; and a final group to authorize and release the cash wire.

Attention should be paid to the calculation of performance, and best practice is to follow the Global Investment Performance Standards (GIPS), which have been enhanced to GIPS 2020. Some firms will take the extra step to hire an external audit firm to verify their performance calculation procedures and compliance with the GIPS 2020 standards.

Many firms will hire an outside audit firm to conduct an audit of their internal controls and provide a copy of the resulting SOC-1 Type 1 or Type 2 report upon request. These reports are always helpful to review to gain more insight into the focus on internal controls by the firm. This report provides an assessment of the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls. The Type 1 report covers a point in time, whereas the Type 2 report covers a period of time and is a more complete assessment.

Cybersecurity Risk – A meaningful amount of time should be spent understanding the structure of the firm’s IT environment and the procedures in place to keep staff updated on the ways to avoid breaches into the firm’s systems and controls by an unwanted outsider. Since cyber threats are constantly evolving, understanding the frequency with which a firm conducts system penetration testing is an important consideration. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. Firms should have regular training for employees to keep them updated.

Many firms conduct internally-generated phishing tests as part of the training process to keep employees vigilant. Employees who fail to recognize a simulated phishing attack may be assigned mandatory training to enhance their cybersecurity knowledge. Understanding the firm’s disaster recovery plan and procedures (DR Plan) is also a key step of the IT risk assessment. Some key features of an appropriate DR Plan include: (1) identification and assessment of all critical systems across the front office and operations teams; (2) establishment of back-up facilities and systems that are located in one or more reasonably geographically separate locations from the manager’s headquarters; (3) a plan for the production of regulatory reporting during this period; (4) a communication plan for the parties critical to the firm’s business (employees, service providers, counterparties, clients, regulators), among others.

The topics covered in this article highlight a range of key areas to evaluate when selecting a new OCIO or when monitoring your existing OCIO. Given the current market environment, the topic of risk management is front of mind for most investors. Experienced OCIO firms will welcome a comprehensive risk management discussion as part of the regular client dialogue.
