In the face of an ever-changing and increasingly complex pension landscape, the Canadian Association of Pension Supervisory Authorities (“CAPSA”) released Guideline No. 10, Guideline for Risk Management for Plan Administrators (the “Risk Management Guideline”) on September 9, 2024, to assist pension plan administrators in preparing a risk management framework as part of good plan governance.
This Sidebar provides an overview of the Risk Management Guideline and outlines several overarching principles for risk management that pension plan administrators across Canada will want to consider when applying the recommendations in the Risk Management Guideline to their plans.
The Risk Management Guideline applies to all Canadian registered pension plans, regardless of type or size, and is intended to support pension plan administrators in fulfilling their fiduciary duties and meeting their legislated standard of care. More specifically, the Risk Management Guideline provides that the establishment and implementation of a risk management framework to identify, evaluate, manage, and monitor risks facing a plan can be an important element in fulfilling a plan administrator’s duties.
CAPSA describes pension risk management as establishing:
As discussed in further detail below, the Risk Management Guideline sets out a four-step risk management process and specific considerations for third-party risk, cyber security risk, investment risk governance, environmental, social, governance (“ESG”) issues, and the use of leverage. The Risk Management Guideline also provides that a plan administrator should establish an overall risk appetite, risk tolerance, and risk limits[2], in the form of a written statement, and incorporate these into the governance and risk management frameworks for the plan.
Notably, the Risk Management Guideline expressly provides that pension regulators may periodically review the risk management framework prepared by the plan administrator to assess whether the plan administrator is fulfilling its fiduciary duty and meeting the standard of care. Following the release of the Risk Management Guideline, the Office of the Superintendent of Financial Institutions noted in a letter that it expects administrators of federally regulated pension plans subject to the Pension Benefits Standards Act, 1985 to follow the Risk Management Guideline.
The four-step risk management process is as follows:
The Risk Management Guideline also outlines specific enumerated areas of risk that warrant consideration as part of a risk management review.
The Risk Management Guideline notes that while risk management is an important consideration for plan administrators in meeting their fiduciary duty and standard of care, it is also an important consideration for plan sponsors. Both the plan administrator and the plan sponsor may benefit from a better understanding of the risks impacting each other (e.g., funding risks). These considerations may inform the plan sponsor’s own risk assessment in terms of its tolerance for managing fluctuations in its contribution requirements and ability to continue to fund the plan and discharge its corporate fiduciary duty.
CAPSA recommends that each plan administrator review the Risk Management Guideline and explore how it will implement the recommended practices in a manner that is appropriate for its plan membership and organization, emphasizing that the circumstances of a plan, such as size of membership, plan assets, and investment complexity, need to be considered when designing an appropriate risk management framework. CAPSA has also advised in a letter to stakeholders that where IT system changes or process changes are needed to support the plan administrator's implementation of the Risk Management Guideline, they should be completed by January 1, 2026.
* * * * *
If you have any questions regarding these new governance requirements, please do not hesitate to call any of us – we’re here to help.
[1] CAPSA notes in the Guideline that the method of implementing the concepts addressed in the Guideline may differ from one pension plan to another, depending on factors like the plan type, the complexity of its administration and investment strategies, and the size of the plan membership and plan assets.
[2] The Guideline defines risk appetite, risk tolerance, and risk limits as follows: (i) “Risk appetite” is the amount and type of risk that the plan administrator is able and willing to accept while meeting their fiduciary duty; (ii) “Risk tolerance” is the variation in outcomes that the plan administrator can accept for a given risk; and, (iii) “Risk limits” represent thresholds that should not be exceeded based on the plan’s risk appetite statement. The Guideline notes that considering how to incorporate risk appetite, risk tolerance, and risk limits into the governance and risk management frameworks is both integral and a prerequisite step to constructing those frameworks.
[3] The Risk Management Guideline defines “cyber risk” as the risk of financial loss, operational disruption, or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification, or destruction of information technology systems and/or the data contained therein. In the context of a pension plan, cyber risk includes both internal risks (e.g., disgruntled employees or a lack of controls on access) and external risks (e.g., hacktivists, state-sponsored threat activists, or cybercriminals).
This Sidebar client update provides general information and should not be relied upon as legal advice. This publication is copyrighted by Brown Mills Klinck Prezioso LLP and may not be reproduced in whole or in part in any form without the express written consent of Brown Mills Klinck Prezioso LLP.