Fatskills
Practice. Master. Repeat.
Study Guide: Due Diligence and Selecting Managers — Operational Due Diligence (ODD)
Source: https://www.fatskills.com/caia/chapter/due-diligence-and-selecting-managers-operational-due-diligence-odd

Due Diligence and Selecting Managers — Operational Due Diligence (ODD)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

Due Diligence and Selecting Managers — Operational Due Diligence (ODD)

CAIA Level II | High-Density Study Guide


What Is It?

  1. What is this topic?
    Operational Due Diligence (ODD) is the systematic assessment of a fund manager’s non-investment risks—infrastructure, controls, compliance, and operational resilience—to avoid fraud, errors, or failures.
  2. How is it tested, applied, or used?
    CAIA tests ODD as a qualitative risk-assessment framework in manager selection, while real-world audits and compliance teams use it to vet fund operations, detect red flags, and document findings for investors or regulators.

Why Does the Exam Ask This?

CAIA tests ODD to measure: - Risk judgment: Can you distinguish operational risks (e.g., weak controls) from investment risks (e.g., market exposure)? - Compliance logic: Do you know which regulatory standards (e.g., GIPS, AIFMD) apply to ODD and how to document compliance? - Practical capability: Can you spot red flags (e.g., lack of segregation of duties) and recommend fixes in a due diligence report? - Audit readiness: Are you prepared to defend your ODD process to investors, regulators, or internal audit teams?


What Do I Need to Know First?

  1. Investment Due Diligence (IDD): How managers generate returns (strategy, performance, team).
  2. Key Operational Risks: Fraud, cybersecurity, valuation errors, trade errors, compliance failures.
  3. Regulatory Frameworks: AIFMD, GIPS, SEC Rule 206(4)-7 (Compliance Programs).
  4. Fund Structures: LP vs. GP roles, side letters, fee structures.
  5. Basic Audit Concepts: Segregation of duties, four-eyes principle, independent verification.

Topic Snapshot

ODD sits at the intersection of risk management and manager selection in CAIA Level II. It’s not about performance—it’s about whether the manager’s operations can reliably execute the strategy without blowing up. Investors and allocators use ODD to avoid Madoff-style frauds, valuation blowups, or compliance violations. In the exam, expect scenario-based questions testing your ability to identify risks, classify them, and recommend mitigations.


Exam / Job / Audit Weighting

  • Frequency: High (appears in every CAIA Level II exam in some form).
  • Difficulty Rating: Intermediate (requires qualitative judgment, not just memorization).
  • Question Type:
  • Exam: Scenario-based MCQs, short-answer risk identification, case studies on red flags.
  • Real-World: Due diligence reports, audit findings, compliance memos, investor presentations.

Difficulty Level

Intermediate


Must-Know Rules, Formulas, Standards, or Principles

  1. The "Four Pillars" of ODD (CAIA Framework):
  2. Infrastructure: IT, cybersecurity, disaster recovery.
  3. Controls: Trade reconciliation, valuation, segregation of duties.
  4. Compliance: Regulatory adherence (e.g., AIFMD, SEC), GIPS compliance.
  5. People & Processes: Key person risk, turnover, outsourcing risks.

  6. Red Flag Checklist (Top 5 Operational Risks):

  7. No independent valuation (manager marks their own book).
  8. Lack of segregation of duties (e.g., trader also does reconciliations).
  9. High employee turnover in key roles (CFO, COO, compliance).
  10. Over-reliance on a single vendor (e.g., prime broker, administrator).
  11. Side letters with preferential terms (creates conflicts of interest).

  12. Regulatory Hooks:

  13. AIFMD (EU): Requires independent valuation, risk management, and ODD documentation.
  14. SEC Rule 206(4)-7: Mandates annual compliance reviews and written policies.
  15. GIPS: Requires independent verification of performance claims.

Misconceptions

  1. "ODD is just background checks on the manager."
    Wrong: ODD covers systems, controls, and processes, not just the team’s reputation.
  2. "If the manager has strong performance, ODD doesn’t matter."
    Wrong: Madoff had great returns—until he didn’t. ODD catches hidden risks.
  3. "ODD is only for hedge funds."
    Wrong: Applies to private equity, real assets, and even traditional asset managers.
  4. "A clean audit opinion means ODD is done."
    Wrong: Audits sample controls; ODD is deeper (e.g., testing disaster recovery).
  5. "ODD is a one-time check."
    Wrong: Requires ongoing monitoring (e.g., quarterly reviews, surprise visits).

Common Mistakes

  1. Confusing ODD with IDD (Investment Due Diligence):
  2. Mistake: Focusing on strategy or performance instead of operations.
  3. Fix: Ask: "Can this manager execute the strategy without blowing up?"

  4. Ignoring "soft" red flags:

  5. Mistake: Dismissing high turnover, weak IT, or no disaster recovery as "minor."
  6. Fix: Every red flag is a potential failure point—document and escalate.

  7. Over-relying on the manager’s self-assessment:

  8. Mistake: Taking the manager’s word on controls without independent testing.
  9. Fix: Verify, don’t trust—e.g., test trade reconciliations, check backup systems.

  10. Failing to document findings:

  11. Mistake: Not writing down risks, mitigations, and follow-ups.
  12. Fix: If it’s not documented, it didn’t happen—regulators and investors demand records.

  13. Treating ODD as a "check-the-box" exercise:

  14. Mistake: Running through a generic checklist without tailoring to the strategy.
  15. Fix: Customize ODD—e.g., a quant fund needs different controls than a PE fund.

The Common Trap

Assuming that "no news is good news." - Trap: If the manager doesn’t mention a risk, you assume it’s not a problem. - Reality: Silence = red flag. Example: - If the manager doesn’t discuss cybersecurity, it likely means they have no plan. - If they can’t explain their valuation process, they’re probably marking their own book. - How to avoid: Ask direct questions and demand evidence (e.g., "Show me your last disaster recovery test results").


Terms to Remember

  1. Segregation of Duties (SoD): No single person controls all steps of a process (e.g., trader ≠ reconciler).
  2. Four-Eyes Principle: Two people must approve critical actions (e.g., wire transfers).
  3. Independent Valuation: Third party (not the manager) marks the portfolio.
  4. Key Person Risk: Over-reliance on one individual (e.g., founder, CIO).
  5. Side Letters: Special terms for certain investors (creates conflicts of interest).

Step-by-Step Process

1. Pre-Meeting Preparation

  • Review: Fund documents (PPM, audited financials, compliance manual).
  • Check: Past ODD reports, regulatory filings (SEC, AIFMD), news (lawsuits, turnover).
  • Prepare: Tailored checklist (e.g., quant fund → model risk; PE fund → cash flow controls).

2. On-Site / Virtual Due Diligence

  • Infrastructure:
  • IT: Cybersecurity (penetration tests?), disaster recovery (tested?).
  • Systems: Trade capture, reconciliation, reporting (automated? manual?).
  • Controls:
  • Valuation: Who marks the book? Independent? Methodology?
  • Trade Reconciliation: Daily? Who checks? What’s the error rate?
  • Cash Controls: Who approves wires? Dual signatures?
  • Compliance:
  • Regulatory: AIFMD, SEC, GIPS compliance? Any past violations?
  • Policies: Written procedures for conflicts, gifts, personal trading?
  • People & Processes:
  • Turnover: High in key roles (CFO, COO, compliance)?
  • Outsourcing: Who does what? Any single points of failure?

3. Red Flag Identification

  • Immediate Dealbreakers:
  • No independent valuation.
  • No segregation of duties (e.g., trader = reconciler).
  • No disaster recovery plan.
  • Serious Concerns (Mitigatable):
  • High turnover in key roles.
  • Over-reliance on a single vendor (e.g., prime broker).
  • Side letters with preferential terms.

4. Risk Assessment & Mitigation

  • Classify Risks:
  • High: Could kill the fund (e.g., fraud, valuation errors).
  • Medium: Could impair performance (e.g., trade errors, compliance fines).
  • Low: Operational inefficiencies (e.g., slow reporting).
  • Mitigation Plan:
  • High risks: Walk away or demand immediate fixes (e.g., hire independent valuer).
  • Medium risks: Monitor closely (e.g., quarterly reviews).
  • Low risks: Note in report but don’t overreact.

5. Documentation & Reporting

  • Due Diligence Report:
  • Summary: Key findings (good/bad).
  • Risks: List all red flags, even minor ones.
  • Mitigations: What the manager agreed to fix.
  • Recommendation: Invest, don’t invest, or conditional investment.
  • Follow-Up:
  • Track fixes (e.g., "Manager will implement SoD by Q3").
  • Ongoing monitoring (e.g., quarterly calls, surprise visits).

Exam Answer Builder

1-Mark Question (MCQ)

What it tests: Basic ODD knowledge (e.g., definitions, red flags). Example Question: Which of the following is the MOST serious operational red flag in a hedge fund? A) High employee turnover in the marketing team B) Lack of independent valuation C) Slow monthly reporting D) Use of a single prime broker

Correct Answer: B) Lack of independent valuation Key Tip: Independent valuation is a dealbreaker—without it, the manager can manipulate returns.


2-3 Mark Question (Short Answer)

What it tests: Risk identification and classification. Example Question: A private equity fund’s CFO also approves all wire transfers. What operational risk does this create, and how should an investor mitigate it?

Model Answer: - Risk: Lack of segregation of duties (SoD)Fraud risk (CFO could misappropriate funds). - Mitigation: - Demand four-eyes principle (two signatures for wires). - Require independent reconciliation of cash movements. - Monitor wire activity via surprise audits.

Key Tip: Always link the risk to a specific failure (e.g., fraud, errors) and propose a fix.


5-Mark Question (Case Study)

What it tests: Comprehensive ODD application. Example Question: You are conducting ODD on a quant hedge fund. The fund: - Uses a proprietary model for portfolio construction. - Has no independent model validation. - Experienced a 20% drawdown last year due to a "model error." - The CIO is the only person who understands the model.

Identify the key operational risks and recommend mitigations.

Model Answer: 1. Key Risks:
- Model Risk: No independent validation → undiscovered errors (e.g., 20% drawdown).
- Key Person Risk: Only the CIO understands the model → bus factor = 1.
- Lack of Transparency: Investors can’t verify the model’s logic. 2. Mitigations:
- Independent Model Validation: Hire a third-party quant firm to review the model.
- Documentation: Require full model documentation (code, assumptions, backtests).
- Succession Plan: Train a backup team or hire a co-CIO.
- Stress Testing: Demand regular scenario analysis (e.g., "What if correlation breaks?").

Key Tip: Structure your answer (Risks → Mitigations) and be specific (e.g., "hire a third-party quant firm," not just "improve controls").


Case Study (Applied ODD)

What it tests: Real-world ODD judgment. Example Question: An investor is considering a real estate fund. The fund: - Has no independent property valuations (the manager values assets). - Uses a single property manager for all assets. - Has a side letter giving one investor preferential redemption terms.

What are the top 3 operational risks, and should the investor proceed?

Model Answer: 1. Top 3 Risks:
- Valuation Risk: Manager marks own book → overstated NAV.
- Concentration Risk: Single property manager → operational failure risk.
- Conflict of Interest: Side letter → unfair treatment of other investors. 2. Recommendation:
- Do not invest unless the manager:
- Hires an independent valuer.
- Diversifies property managers.
- Eliminates the side letter or discloses it to all investors.

Key Tip: Always state your recommendation (invest/don’t invest/conditional) and justify it with risks.


This vs That

Operational Due Diligence (ODD) Investment Due Diligence (IDD)
Focuses on non-investment risks (controls, compliance, operations). Focuses on investment risks (strategy, performance, team).
Asks: "Can the manager execute the strategy without blowing up?" Asks: "Can the manager generate returns?"
Key tools: Checklists, site visits, control testing. Key tools: Performance analysis, strategy deep dives, reference checks.
Example red flags: No SoD, weak IT, high turnover. Example red flags: Style drift, poor track record, key person risk.
Regulatory focus: AIFMD, SEC compliance, GIPS. Regulatory focus: Suitability, disclosure, performance reporting.

Time-Saver Hack

The "3-Question ODD Screen" (Quick Red Flag Check) Ask the manager: 1. "Who marks the portfolio, and how do you ensure independence?"
- Bad answer: "We do it internally." → Dealbreaker.
- Good answer: "A third-party administrator values 100% of positions daily." 2. "Who approves wire transfers, and what’s the process?"
- Bad answer: "The CFO does it alone." → Fraud risk.
- Good answer: "Two signatures, with a 24-hour hold for large wires." 3. "What’s your disaster recovery plan, and when was it last tested?"
- Bad answer: "We have backups." → Untested = useless.
- Good answer: "Tested quarterly, with a 2-hour RTO (Recovery Time Objective)."

If any answer is weak → Walk away or demand fixes.


Mini Scenarios

1. Basic Scenario

You’re reviewing a small hedge fund. The CFO also handles trade reconciliations. What’s happening? - Red flag: No segregation of dutiesFraud risk (CFO could manipulate trades). What to notice first? - Single point of failure in controls.


2. Applied Scenario

A private equity fund outsources its back office to a single administrator. The administrator has no disaster recovery plan. What’s happening? - Concentration risk: If the administrator fails, the fund can’t operate. - Operational risk: No backup



ADVERTISEMENT