CAPSA’s Risk Management Guideline Unpacked: Key Steps for Pension Plan Administrators
With the release of CAPSA's Risk Management Guideline ("Guideline") in final form on September 9, 2024, plan sponsors and plan administrators now face the challenge of implementation. Although the Guideline is a voluntary best-practice standard, it reflects what pension regulators expect[1] of plan administrators as part of their fiduciary duty. Plan administrators will be required to demonstrate that they have considered the risks outlined in the Guideline and have established a process to identify, evaluate, manage and monitor material pension plan risks. Although the Guideline provides valuable tools and resources for plan administrators, in our experience working with clients there are certain topics that deserve more comprehensive elaboration to help facilitate effective implementation.
Setting risk appetite
Risk appetite is a broad statement of the amount and type of risk the plan administrator is willing to accept in pursuit of its goals, while meeting its fiduciary duty, and is therefore quantifiable. The Guideline suggests a prerequisite to developing a risk management framework is to have a written statement of the overall risk appetite, risk tolerance and risk limits. However, quantifying an overall risk appetite can be challenging if a documented risk register and short- and long-term objectives don’t already exist for the plan. In this instance, it will be more effective to begin by first identifying the strategic objectives and creating a risk register identifying and evaluating the financial, operational, compliance, and reputational risks facing the plan. Plan administrators should remain flexible, starting with what is obvious and known, rather than following a rigid sequence of steps. The risk appetite will become clearer as the process of identifying and assessing risks in the pursuit of achieving the plan’s strategic objectives progresses.
Materiality assessment
The term "material" is used throughout the Guideline to describe the degree of a risk's potential impact and its probability of occurring. A material risk is one where the likelihood of the risk occurring is high and the extent of the loss may be significant. Assessing the materiality of a risk is an important exercise because it helps prioritize resources and ensures that the most critical risks are addressed promptly. When assessing materiality, other considerations to keep in mind include:
- both quantitative and qualitative factors, i.e., not just the degree of financial loss, but also reputational damage, regulatory penalties, stakeholder trust, etc.;
- industry best practices and norms relative to peers;
- past incidents and their impacts on the plan;
- the degree of interdependency between risks and the potential for risks to compound, increasing their materiality.
Since materiality can change over time, it is important to evaluate risk materiality periodically, i.e., on an annual basis.
Measuring effectiveness of controls
The Guideline discusses the need to document the controls that are or could be put in place to reduce the severity and/or likelihood of risks materializing, and to measure the effectiveness of those controls. A common mistake made in developing risk mitigation strategies is assuming that policies and procedures are, in and of themselves, effective controls. Understanding this requires first distinguishing between a policy, a procedure and a control. For example:
Policies are essentially guiding principles and rules, e.g., "member data may not be transmitted electronically unless it is encrypted".
Procedures describe how a policy will be implemented, e.g., "once a file containing member data is created it must be encrypted using the TLS protocol and transmitted through a VPN-secured network."
Controls are one or more mechanisms put in place to mitigate the risk of a failure or gap in the procedures and to enable the policy outcome (the Guideline provides examples of controls in section 5.3, Step Three: Managing Risks). In this example, the control is the use of encryption software and transmission through a secure VPN.
However, the use of encryption software and a VPN is not on its own an effective control if nothing prevents unencrypted member data from being transmitted. The control objective in this example is to prevent the transmission of unencrypted data. To achieve this objective, multiple control activities may need to be put in place in addition to the use of encryption software, such as data transmission training, limiting access to member data to select personnel, firewalls that block transmission of unencrypted data, etc. To assess whether your controls are effective, the controls should[2]:
- prevent or minimize risks: this may require multiple measures to be effective;
- detect failures early: use of exception reporting and other mechanisms to identify failures in the process promptly; and,
- correct and mitigate: address failures and take steps to minimize the chances of risks recurring.
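The three layers just listed, applied to the article's own "member data must be encrypted" example, as an added illustration that is not part of the article and not CAPSA's or TELUS Health's code: a preventive gate that refuses a non-compliant transfer, a detective exception report run over a transfer log, and the corrective step each exception maps to. The transfer record, the log format and the sample log lines are all constructed for illustration.

```python
# Added example (not from the article): the prevent / detect / correct control
# layers for the policy "member data may not be transmitted unless encrypted".
# Transfer records, log format and sample lines are constructed, not real data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One outbound file transfer (constructed record, not a real system)."""
    file: str
    contains_member_data: bool
    encrypted: bool
    channel: str  # "vpn" or "public"


class PolicyViolation(Exception):
    """Raised by the preventive control when a transfer would breach the policy."""


def preventive_control(transfer: Transfer) -> Transfer:
    """Gate that refuses to release member data unless it is encrypted and sent over the VPN.

    Encryption software alone is not the control; the control is the refusal to
    transmit when the procedure was not followed.
    """
    if transfer.contains_member_data and not (transfer.encrypted and transfer.channel == "vpn"):
        raise PolicyViolation(f"{transfer.file}: member data must be encrypted and sent via VPN")
    return transfer


# Constructed transfer-log format: one line per transmission attempt.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) file=(?P<file>\S+) member_data=(?P<md>yes|no) "
    r"encrypted=(?P<enc>yes|no) channel=(?P<ch>\S+)$"
)


def detective_control(log_lines):
    """Exception report: member-data transfers that bypassed encryption or the VPN."""
    exceptions = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line; a production report would count these as well
        if m["md"] == "yes" and (m["enc"] == "no" or m["ch"] != "vpn"):
            exceptions.append({
                "ts": m["ts"],
                "file": m["file"],
                "reason": "unencrypted" if m["enc"] == "no" else "outside vpn",
            })
    return exceptions


def corrective_actions(exceptions):
    """Map each exception to the corrective step a control owner would record."""
    actions = []
    for e in exceptions:
        if e["reason"] == "unencrypted":
            actions.append(f"{e['file']}: notify recipient, re-send encrypted, record incident")
        else:
            actions.append(f"{e['file']}: review channel configuration, re-send via VPN, record incident")
    return actions


# Constructed sample log (not real data): one compliant transfer, one file with
# no member data, one unencrypted export, one encrypted file sent outside the VPN.
SAMPLE_LOG = """\
2024-10-01T09:00:00Z file=contrib_2024q3.csv member_data=yes encrypted=yes channel=vpn
2024-10-01T09:05:00Z file=newsletter.pdf member_data=no encrypted=no channel=public
2024-10-01T09:10:00Z file=members_export.xlsx member_data=yes encrypted=no channel=vpn
2024-10-01T09:15:00Z file=addresses.csv member_data=yes encrypted=yes channel=public
this line does not match the log format and is skipped
"""


def run_example():
    """Apply all three layers to the constructed data."""
    allowed = preventive_control(Transfer("contrib_2024q3.csv", True, True, "vpn"))
    try:
        preventive_control(Transfer("members_export.xlsx", True, False, "vpn"))
        blocked = False
    except PolicyViolation:
        blocked = True
    report = detective_control(SAMPLE_LOG.splitlines())
    return allowed.file, blocked, report, corrective_actions(report)


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The point of the split is the one the text makes: the preventive gate only helps where every transfer actually passes through it, so the detective report over the log is what shows whether the gate was bypassed, and the corrective list is what closes the loop and feeds the next periodic review.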
Finally, the controls should be suitable for the specific risks being managed. They should be consistent, repeatable and fit for purpose, adhering to the principle of proportionality. Remember, sophisticated risk assessment tools may be unnecessary and costly if the risks are simple and straightforward.
Third-party risk
Third-party risk is increasingly drawing the attention of regulators and poses significant challenges for plan administrators. This is due to the necessity of sharing large amounts of sensitive data with outsourced service providers and plan administrators' growing dependence on technology to conduct various business functions. Consequently, this creates multiple points of vulnerability, such as data privacy breaches, cyberattacks, and reliance on the provider's business continuity plan to deliver services to the plan administrator (or plan members). In addition to the third-party due diligence and monitoring considerations discussed in the Guideline, a practical starting point for assessing outsourced service provider risk is to categorize providers and assign risk levels based on i) the outsourced function, ii) data sensitivity, and iii) the level of reliance on the outsourced provider. This approach helps prioritize the relationships that pose the highest potential risk and require the most attention.
Perfection paralysis
The development of a risk management framework can be daunting for many plan administrators. The feeling of being overwhelmed can itself cause procrastination. However, going in with a mindset that everything must be done right the first time may result in nothing being done at all. It is important not to get caught up in an endless loop of preparation, analysis or finding the perfect time to start the project. Here are some strategies to avoid perfection paralysis:
- break down a task into smaller, more manageable parts, prioritizing tasks based on impact and urgency;
- spread the workload by splitting the doer and reviewer roles between individuals or teams; and
- remember the 80/20 rule. It may not be reasonable to identify and address every single risk that can impact the plan. Focus on risk materiality and probability. Having 80% of risks identified and addressed initially is a great start. Remember the process is iterative and will continuously improve with experience.
Governance and objective assessment
Good governance in the context of pension plan risk management needs to be effective. CAPSA Guideline No. 4: Pension Plan Governance describes what effective governance looks like. An independent and objective review is necessary to properly assess the risk management framework and effectiveness of controls. To ensure independence and objectivity in the assessment, the following measures should be taken:
- Separation of Duties: The individuals conducting the assessment should be different from those who developed the risk management controls.
- Conflicts of Interest: If the plan sponsor and plan administrator are the same entity, or if independence cannot be achieved internally, consider outsourcing the review and assessment to a qualified third-party to avoid potential conflicts. Outsourcing can also help eliminate bias in evaluating the design and adequacy of the risk management framework.
- Appropriate Knowledge and Skill: One of the risks identified in Appendix A of the Guideline is governance risk, which arises when plan administrators lack the necessary skills or knowledge to fulfill their fiduciary duties. Plan administrators should assess whether they have the internal expertise to identify gaps and evaluate the adequacy of controls, particularly in areas such as cybersecurity, ESG, and overall risk management. If needed, they should seek assistance from professionals.
Conclusion
The implementation of CAPSA's Risk Management Guideline presents both challenges and opportunities for plan sponsors and administrators. While the guideline provides a comprehensive framework, successful implementation requires a nuanced approach that goes beyond mere compliance. As pension plans navigate this new landscape, it's crucial to remember that risk management is an ongoing process that will require continuous refinement.
[1] Note: the Office of the Superintendent of Financial Institutions published a letter, dated September 12, 2024, to administrators of federally regulated pension plans stating that it expects adoption of the Guideline to meet their fiduciary duties. Furthermore, the BC Financial Services Authority has indicated it will adopt CAPSA's Risk Management Guideline as its primary guidance related to management of Natural Catastrophes and Climate-Related Risks (NCCR) for pension plan administrators, and intends to separate out its Information Security Guideline for B.C. pension plan administrators and harmonize it with other pension regulators.
[2] Comcover, the Australian Government's self-managed insurance fund, has published a Risk Management Toolkit as a resource for Fund Members; see Element 5: Control Effectiveness, of the Risk Management Toolkit. https://www.finance.gov.au/government/comcover/risk-services/management/risk-management-toolkit
TELUS Health
TELUS Health is a world leader in providing digital and in-person solutions that support the total wellbeing of individuals. Our compensation, retirement and benefits solutions teams have contributed to the financial health of thousands of organizations and their employees. Through the unified strength of TELUS Health, our experienced teams strive to provide innovative, sustainable and flexible solutions that meet the compensation, retirement and benefits needs of customers across North America. https://go.telushealth.com/en-ca/personalized-consulting-services.
© 2024 TELUS Health (Canada) Ltd. All Rights Reserved.
Alana Dubinski, Chief Compliance Officer, TELUS Health Investment Management
Alana Dubinski, CIM, is the Chief Compliance Officer of TELUS Health Investment Management and heads up various strategic initiatives within the Retirement & Benefit Solutions division of TELUS Health including the Investment & Risk ESG Working Group. Alana has over 25 years of experience working in compliance, risk management, and investment operations at national and international banks, asset managers, and consulting firms to help clients implement practical solutions to governance and risk management challenges.
TJ Modi, Vice President, Regulatory, Governance and Legal Consulting, TELUS Health
Tejash Modi (TJ) is a Partner in TELUS Health’s Consulting line of business under Employer Solutions and the Practice Leader for the company’s Regulatory and Governance, Legal and Compliance Consulting Practices. He is a licensed and practicing lawyer; he was admitted to the Ontario Bar in Canada in 2001. TJ has been with the company for over 18 years, and prior to that, worked for four years as an associate lawyer at an international human resources consulting firm, and 1.5 years as an associate lawyer with a litigation firm. He graduated with a Juris Doctor from Osgoode Hall Law School and a Master of Business Administration from the Schulich School of Business in 1999.