CRO Profile: Pantheon’s Graeme Keenan
Having joined Pantheon in 1999 and appointed global head of operations in 2005, Graeme Keenan took on the role of chief risk officer in 2014 and was promoted to partner in 2015. He speaks to The Drawdown about the complexities of his role and the importance of seniority when it comes to risk management
The Drawdown (TDD): How did the chief risk officer role come about?
Graeme Keenan (GK): The CRO role at Pantheon existed in component parts previously. The head of operational risk was part of the finance team, and the risk process part of the investment team.
But in our preparations for authorisation as an AIF in 2014, the organisation decided to combine all the elements of these functions into a single function.
Risk has always been a very serious focus of the work we do, and being named as CRO was the beginning of it becoming a single role in Pantheon.
It is an incredibly interesting role, especially given how the industry has developed in the last 17 years since I started working in it.
TDD: What are your main areas of focus?
GK: There has and always will be a regulatory element to this role, but while new regulations brought this function together in a formal capacity, the role has evolved to provide clients what they need, while managing risks in the business has also become a big driver of the risk function. For example, whatever we do in the risk group, we implement across the whole organisation.
Part of our focus is on the investment risk side, covering risk limits, credit risk, liquidity risk, and then creating a framework across all of those elements and across our portfolios.
We also take into consideration any legal parameters and we monitor any internal limits around client portfolio composition, to ensure the level of risk stays within the tolerance of our clients’ expectations.
On the other side there’s operational risk, which covers a number of areas, such as internal and third party assessment of our processes and controls, which are very important to us and to our clients. It’s about ensuring we have the operational backbone to manage the capital our clients have entrusted to us.
Beyond these considerations, cyber security, data protection, business continuity and underlying GP operational risk are areas that have gained significant momentum and senior level focus in recent years.
TDD: How do you interact with other teams throughout Pantheon?
GK: We implement risk management across all parts of the organisation. When implementing new processes and controls we work across the investment, operations, finance, IT, legal and compliance teams. For new operating models, we need to fully understand the processes that we’re putting in place, so we review the end-to-end model to ensure processes and controls are robust. We also test the controls to make sure they have been properly implemented.
Beyond the internal checks, we use an external provider to conduct external controls reports – ISAE 3402 and SSAE 16, which attest to the quality of controls in place. These controls test both the quality of the processes and ensure they are completed throughout the year.
TDD: How do you ensure all of the processes and controls are understood throughout the organisation and seriously adhered to?
GK: It has to be embedded into the culture. It can be enforced in a rigid way but I don’t believe that is the ideal method.
The risk committee reports directly to the partnership board, so the impetus is coming from the top, which means right the way though the organisation there is a focus on risk management – for investment risk, portfolio construction, investment due diligence and operational process.
Operational process is of particular importance, and because of that it is handled by the risk team – we conduct all of the operational due diligence on GPs to whom we may commit capital. We transitioned this from the investment team three years ago to risk where there was specific and robust risk expertise at hand. It has equal standing in the investment process; a GP’s operational strength and integrity are as important as investment decisions.
TDD: Operational due diligence on GPs appears to have significantly increased in recent years – it seems as though the changes you have made to your team reflect this.
GK: Operational due diligence is highly important. As the industry has developed there are more requirements around valuations, treasury, fee disclosure and accounting within GPs. It’s necessary to ensure these are a focus for GPs and that they have both resources and processes to effectively manage their funds.
Over the last 17 years I’ve also seen made improvements in terms of transparency, with GPs providing more information and LPs looking for more detail. When I started out there was a minimum of information shared on a quarterly basis with slightly more detail in the yearly report. There has been a sea change in transparency, with GPs increasingly providing lots more detail in key areas such as valuations and ESG.
TDD: If you find GPs to be lacking when it comes to having proper operations and processes in place, how do you respond?
GK: We would turn down an investment if we feel a GP is not operationally sufficient. The other thing we can do is to increase our monitoring if we feel there are areas where GPs need to improve.
We want to see GPs taking an active role, especially those that are taking institutional capital for the first time. We have found they are very open to putting in the right processes and controls. They are very eager to understand what is expected and learn from our controls reports.
TDD: How does technology help you?
GK: Technology is incredibly important. We have a development team of around 20 people within Pantheon, which develop various technology solutions, whether that be storing and evaluating information from GPs or presenting that information to our LPs.
Technology has been a key facilitator as the level of information we receive and produce has increased, and in my view it’s very important to have that technological backbone to meet the various and growing challenges and requirements.
All of our technology is controlled in-house, but we look at both internal and external development. There are some non-industry specific solutions, such as CRM, middleware and reconciliation software, where it makes more sense to bring in existing products, whilst other software needs to be more bespoke, meaning we sometimes need to develop our own software.
The most important element is that wherever the technology has been developed, either in-house or externally, it is properly integrated into our own systems.
TDD: What makes you most happy in your role as CRO?
GK: The way private equity has evolved and continues to evolve and meet challenges. It is a dynamic asset class in the way that GPs adapt to the changing operational environment, and adapt to changing sources of capital.
Private equity is a very interesting area because of how it evolves and changes and being involved in those changes over the last 17 years has been so interesting from a risk management perspective.
If you look at the FX market or long equities, the template for risk management is very different compared with private equity. For this industry the risks are idiosyncratic, and require a template to highlight what the risks are, and then marry them with the risks and language used in other asset classes so they can be understood in context by clients.
TDD: What is your biggest frustration as a CRO?
GK: The industry has done much in terms of improving transparency and reporting, but there remains more work to be done on this. Over the past five years private equity has continued to see increasing demand for and increasing detail within the information they require from their private equity managers – detail around costs and risks have improved dramatically, but there’s still some way to go.
TDD: What advice would you give to organisations thinking about creating a dedicated CRO role?
GK: It is an incredibly important area and if you’re going to do it you need to commit the right amount of resources and ensure the person taking on the role has the right level of seniority to guarantee sufficient impact, and that they can improve risk management across the entire organisation. It’s key to ensure they are adequately resourced and are sufficiently senior.
Culture is also key; it is vital that senior management fully buy-in to the function.