15 April 2025
Navigating Operational Risk: Challenges and Strategies for Private Equity Firms
Private equity firms are facing a new generation of operational challenges. Responsibility to their portfolio companies is a key part of turning this challenge into an opportunity.
Operational risk remains a constant threat for private equity firms. Unlike market or credit risk, which are largely driven by external factors such as global interest rates or currency fluctuations, operational risks are often within a firm's direct control. This makes any failure in managing them particularly damaging, both to reputation and the bottom line. While these risks are primarily internal, having appropriate risk management strategies in place is essential for mitigating their potential impact.
Even as the market evolves, some operational risks remain familiar: failures of IT or other systems that interrupt payments or other critical business activities; errors in ‘change management’, such as a botched migration to new software; and litigation from customers facing investment losses. While insurance can help mitigate some financial consequences from system failures or litigation, these risks are fundamentally a part of operational risk management.
In recent years, these have been joined by a newer generation of risks, such as cyber-attacks that cause system outages and disrupt daily activities. “The frequency of ransomware attacks, where attackers disable computer systems and demand cash payments to restore access, has increased significantly,” says Thomas Falcon, Technical Director of Financial Institutions at Gallagher.
These ransomware incidents have hit some of the biggest, most structurally critical organisations in the global financial market. In February 2023, ransomware attackers breached the defences of ION Markets, a provider of services that facilitate the trading and settlement of exchange-traded derivatives. The number of market participants affected by the ensuing outage potentially ran into the thousands, including major banks and asset managers.
Later the same year, a US subsidiary of a Chinese bank came under a ransomware attack that caused temporary disruption to the trading of US Treasury bills and required an emergency liquidity injection from the parent bank. The US Securities and Exchange Commission later settled charges with the bank for failing to keep accurate records of customer transactions after the attack. Regulatory and legal consequences from such failures can further exacerbate the damage.
The average cost of a ransomware breach on financial services firms has now reached USD4.92m, with the sector now spending billions of dollars annually on cybersecurity. This underscores the need for comprehensive cybersecurity strategies and risk management, including insurance as a potential financial safety net.
The broad impact of geopolitical risks
As global tensions rise, so does the threat of hybrid warfare, with the boundaries of battlegrounds blurring. The sabotage of critical infrastructure and cyber warfare are tactics that can have a ripple effect, impacting the daily operations of organisations, regardless of whether they are the direct target.
Aside from incurring losses due to the market effects of conflict or economic protectionism, firms in strategically vital industries such as high-tech manufacturing are in greater danger of having their data stolen or interfered with by state actors. Businesses must also pay close attention to their supply chains to ensure they are not unwittingly exposed to sanctioned entities.
The consequences of operational risk management failures, including those related to regulatory issues, can be severe. Private equity groups or other financial entities may incur significant legal costs while responding to regulatory investigations. In addition, if found in violation of regulations, these firms could also face hefty fines, further exacerbating the financial and reputational damage.
“Insurance can provide solutions for some of these risks,” Falcon continues. “For example, cyber insurance can cover costs related to data breaches, including legal fees, damages and expenses for rectifying affected computer systems. Professional indemnity insurance can help cover legal costs incurred during regulators' investigations. However, fines are typically uninsurable by law, as that would defeat their deterrent effect.”
Increasingly, the challenge is to apply these standards across the value chain, encompassing portfolio companies. By spotting gaps in these firms’ defences and making them more resilient in the long run, private equity firms can reduce operational challenges and add value. This includes helping develop softer skills with portfolio companies, such as leadership and engagement, and providing oversight and support for critical change management processes. Insurance can play a role in addressing specific risks related to legal and reputational damages, but the focus must remain on developing long-term, resilient operational strategies. All this can reduce investment losses and create additional value for the firm itself.
For private equity firms, operational risk management is more than a defensive strategy - it’s a value-creation opportunity. By embedding robust governance frameworks and instilling resilience across portfolio companies, firms can manage emerging risks while creating competitive advantages. Ensuring compliance, enhancing risk management practices, and utilising tools like insurance to mitigate the financial impact of key exposures allow private equity investors to balance risk and reward effectively. The most successful firms will view operational risk not as a burden but as a pathway to building stronger, more sustainable portfolios.

Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.