How robust is your pension plan’s risk management framework?

Special Notice – November 7, 2024

CAPSA’s latest guideline assists plan administrators in managing a plan’s risk and fulfilling their fiduciary responsibilities

In light of emerging and evolving risks within the pension landscape, the Canadian Association of Pension Supervisory Authorities (CAPSA) has released Guideline No. 10 – Risk Management for Plan Administrators (the Guideline). The new Guideline highlights the importance of a robust risk management framework that includes the identification, evaluation, management, and regular monitoring of material risks, to help plan administrators better manage a plan’s funded status and protect the plan from adverse risks. It also supports plan administrators in fulfilling their fiduciary duties and meeting the required standard of care.

The Guideline outlines overarching risk management principles and delves deeply into the specific topics of risks related to:

  • third-party service providers;
  • cybersecurity;
  • investments;
  • the integration of Environmental, Social, and Governance (ESG) factors; and
  • the use of leverage within a pension plan investment strategy.

The Guideline is relevant to all types of pension plans—defined benefit, defined contribution, target benefit, pooled registered, and hybrid plans across all jurisdictions. Highlighting the importance of the new Guideline, the Office of the Superintendent of Financial Institutions (OSFI) issued a letter to administrators of federally regulated pension plans stating their expectations that the Guideline be followed for plans subject to the Pension Benefits Standards Act, 1985.

Risk management framework

The Guideline recommends that plan administrators create and maintain a risk management framework tailored to their specific pension plan’s characteristics, including its size, complexity, and the nature of the risks it faces. This framework should help identify, evaluate, manage, and monitor risks regularly to safeguard a plan’s funded status and meet fiduciary duties.

A plan administrator should first establish, in the form of a written statement, their overall risk appetite, risk tolerance, and risk limits, and incorporate these into the governance and risk management framework for the plan.

Risk appetite is the amount and type of risk that the plan administrator is able and willing to accept while meeting their fiduciary duty.

Risk tolerance is the variation in outcomes that the plan administrator can accept for a given risk and may differ for different risks, based on operating environment, stakeholders, etc., but must be clearly understood by the individuals making risk-related decisions on a given issue.

Risk limits represent thresholds that should not be exceeded based on the plan’s risk appetite statement. Risk limits help to ensure that risks are effectively managed and that they align with the plan’s risk appetite and risk tolerance.

The Guideline also introduces a four-step process that should be followed:

Step 1: Identify Risks

There is a wide range of risks that may be relevant to pension plans, and plan administrators may want to consider drawing from several sources when identifying risks. Risks, both immediate and prolonged, may be interrelated, correlated, or cumulative. Plan administrators should examine the interaction between different risks to consider how they may be interconnected. Plan administrators should document the risks identified (e.g., in a risk register) as well as the stakeholders that are impacted by each risk. A risk register provides a template to record the risks and should document the controls that are in place to mitigate them. It could also include an assessment of the implications of each risk as well as any potential opportunities. For larger plans, a risk committee may be appropriate.

Step 2: Evaluate Risks

Each identified risk should be evaluated and prioritized according to the overall threat that it poses to the plan’s viability and the potential impact on the plan’s stakeholders. A variety of risk assessment tools exist to assist in developing a sound approach to risk management. A simple risk heat map can help with evaluating and prioritizing risks based on the magnitude of the risk and the likelihood of an event occurring. An administrator should ensure that risks determined to be material to a pension plan are quantified.

Step 3: Manage Risks

Effective controls should be implemented to manage identified risks. This could include policies, procedures, contingency plans, systems, training and education, insurance, and external audits. Plan administrators should establish controls to mitigate and manage plan risk as part of their fiduciary obligation and standard of care. The cost and feasibility of implementing a control should be commensurate with the magnitude and likelihood of the risk event it is intended to mitigate.

After implementing risk controls, the plan administrator should assess the residual (remaining) risks, if any, against their risk limits. They must then decide whether to accept the residual risk; eliminate the risk; address it with additional mitigation strategies; or transfer part or all of the risk to a third party.

Step 4: Monitor Risks

Risk management is a continuous process rather than a one-time exercise. Monitoring, combined with contingency planning, is key to a timely and measured response when an adverse risk event occurs. Therefore, continuous monitoring and reviewing of the risks, the risk management framework, and controls is necessary to ensure they remain effective. The plan’s risk register should be reviewed at least once a year to evaluate the effectiveness of controls, to capture any emerging risks and to document factors which may influence the likelihood or potential severity of identified risks.

CAPSA Guideline No. 10 includes risk considerations on five identified risks that most pension plans in Canada are currently facing. Plan administrators are advised to tailor their risk management practices to align with their plan’s unique investment beliefs, circumstances, and risks.

Third-Party Risk: Since many pension plans outsource critical functions to external service providers, administrators need to ensure these third parties adhere to the plan’s established governance and risk management standards.

Plan administrators must recognize that even when services and responsibilities are delegated to third-party providers, they still retain their fiduciary duties and remain accountable for the oversight, management, and administration of the plan.

Cybersecurity: Increasing reliance on digital systems requires administrators to actively manage cyber risks, which include both internal (inadvertent information disclosure from lack of procedures and training) and external (malicious software and hacking) threats to sensitive data and pension assets. Plan administrators should consider whether they have sufficient expertise to understand and manage the evolving nature of cyber risk, and whether the potential impact, including the exposure of third parties, is well understood.

Cyber risks typically involve both an “incident” and a “response.” Plan administrators need to build their cyber resilience, which includes the ability to assess and reduce the risk of a cyber incident and the capability to recover if one occurs. Plan administrators must familiarize themselves with legislation governing privacy and data security in the plan’s and individual members’ jurisdictions and implement a strategy to ensure they comply with reporting requirements in the event of a cyber incident.

Investment Risk: Pension standards legislation in Canada mandates that the pension plan administrator invest the assets of the pension fund with the same level of care a reasonably prudent person would use when managing someone else’s property. Administrators are expected to apply the knowledge or skills they have (or should have) due to their profession or business.

For plans with simpler investment strategies, the Guideline recommends regular governance self-assessments, separating operational and risk management duties, and engaging third-party reviewers to evaluate operational and risk management practices. This ensures that even smaller or less complex plans maintain robust oversight. Plans with alternative investments are susceptible to risk of misvaluation, particularly during volatile market conditions. Independent interim valuations of illiquid assets may be appropriate during these periods.

Some tools used to manage investment risk include setting maximum and minimum exposures to asset classes, risk-based sensitivity limits, stress testing, scenario analysis and asset liability modelling. The plan’s Statement of Investment Policies and Procedures (SIP&P) should reflect the categories of investment risk the plan is vulnerable to as well as the level of acceptable risk to achieve the plan objectives for funding member benefits. Investment strategies are guided by the SIP&P and must be consistent with the plan’s overall risk appetite.

Environmental, Social, and Governance (ESG): ESG considerations are becoming increasingly relevant to pension plan risk management, and plan administrators need to integrate these factors into their governance framework and investment strategies to fulfill their fiduciary responsibilities.

ESG risks, especially those related to climate change, can be systemic and affect both the short-term and long-term performance of investments. Identifying and managing these risks is crucial as they are often complex, interrelated with other risks, and difficult to quantify. Administrators are encouraged to develop investment policies that reflect their views on the potential financial implications of ESG risks. This could include setting investment limits or targets related to ESG considerations. They must also ensure that third-party asset managers align with the plan’s ESG objectives. Best practice includes disclosing to stakeholders how ESG considerations are integrated into the plan’s governance and investment processes. Establishing investment beliefs about ESG and its application to the plan’s financial risk-return profile can be helpful. These can be included in the SIP&P and other policies (e.g., external manager selection and due diligence frameworks).

Use of Leverage: The use of leverage within a pension plan investment strategy introduces several risks, including the amplified impact of market volatility, liquidity risk, and counterparty risk. Leverage can be used in pension plans to implement a Liability Driven Investment (LDI) strategy, to increase exposure to return-seeking assets, and to pursue investment efficiencies or opportunities.

Plan administrators using leverage must have a sound understanding of how it affects the pension plan’s overall risk profile and should continuously monitor and manage associated risks to ensure that the use of leverage aligns with the plan’s overall investment strategy and risk appetite. Stress testing and scenario analysis are essential for assessing the potential impact of leverage on the plan’s assets and liabilities under different market conditions.

Plans that use leverage must document policies and procedures about its use in their SIP&P, including the rationale for using it, types of leverage used, and how leverage is integrated into the overall investment strategy.

Implications for Pension Plan Administrators

For organizations that offer registered pension plans, adopting the practices outlined in CAPSA Guideline No. 10 will improve governance and assist pension plan administrators in fulfilling their fiduciary duties when it comes to managing material risks associated with their pension plan. Many of the recommendations also help protect plans and sponsors against reputational risk. By establishing a robust risk management framework, plan administrators can better protect the assets of the pension plan, reduce operational risks, and continue to enhance the controls in place to safeguard the benefits promised to plan members.

Plan administrators should:

  • Review and update their current risk management practices against CAPSA’s recommended framework.
  • Take steps to clearly define and document third-party responsibilities, and to implement effective oversight of third-party responsibilities.
  • Regularly assess cyber risks and implement appropriate measures to protect plan data and systems.
  • Ensure the investment risks faced by the plan are identified, evaluated, and managed, including understanding the rationale for, and risks inherent with, the use of leverage.
  • Identify and respond to material ESG risks and opportunities in a manner appropriate for their plan’s circumstances and investment beliefs.
  • Consider periodic, independent reviews of the adequacy of a plan administrator’s risk management framework.

Plan administrators are encouraged to adapt their risk management practices to reflect their specific plan’s investment beliefs, circumstances, and risks.

Plan governance is complex! We can help you make sense of it. Please reach out to your Eckler consultant to continue the conversation or visit our website to learn more about our governance solutions.