Strategic Risk Management: Best Practices for Pension Plan Administrators

Date: October 09, 2024


In the face of an ever-changing and increasingly complex pension landscape, the Canadian Association of Pension Supervisory Authorities (“CAPSA”) released Guideline No. 10, Guideline for Risk Management for Plan Administrators (the “Risk Management Guideline”) on September 9, 2024, to assist pension plan administrators in preparing a risk management framework as part of good plan governance. 

This Sidebar provides an overview of the Risk Management Guideline and outlines several overarching principles for risk management that pension plan administrators across Canada will want to consider when applying the recommendations in the Risk Management Guideline to their plans.

Overview

The Risk Management Guideline applies to all Canadian registered pension plans, regardless of type or size, and is intended to support pension plan administrators in fulfilling their fiduciary duties and meeting their legislated standard of care. More specifically, the Risk Management Guideline provides that the establishment and implementation of a risk management framework to identify, evaluate, manage, and monitor risks facing a plan can be an important element in fulfilling a plan administrator’s duties. 

CAPSA describes pension risk management as establishing:

  • sound governance and oversight practices commensurate with the pension plan’s complexity and size[1];
  • processes and methodologies for identifying, evaluating, managing, and monitoring risks that may adversely impact a pension plan’s ability to operate as intended and deliver benefits to plan beneficiaries; and,
  • effective controls (in the form of systems, procedures, or arrangements) to understand, manage, and mitigate those risks.

As discussed in further detail below, the Risk Management Guideline sets out a four-step risk management process and specific considerations for third-party risk, cyber security risk, investment risk governance, environmental, social, governance (“ESG”) issues, and the use of leverage. The Risk Management Guideline also provides that a plan administrator should establish an overall risk appetite, risk tolerance, and risk limits[2], in the form of a written statement, and incorporate these into the governance and risk management frameworks for the plan.

Notably, the Risk Management Guideline expressly provides that pension regulators may periodically review the risk management framework prepared by the plan administrator to assess whether the plan administrator is fulfilling its fiduciary duty and meeting the standard of care. Following the release of the Risk Management Guideline, the Office of the Superintendent of Financial Institutions noted in a letter that it expects administrators of federally regulated pension plans subject to the Pension Benefits Standards Act, 1985 to follow the Risk Management Guideline.

Risk Management Four-Step Process

The four-step risk management process is as follows:

  • Step 1: Identify Risks – Plan administrators should identify and record the risks to which the plan may be exposed and examine how they are interconnected. Common risks facing pension plans include funding risks, actuarial risks, investment risks, governance risks, and operational risks.
  • Step 2: Evaluate Risks – Plan administrators should then develop a process for evaluating and prioritizing identified risks according to the overall threat that they pose to the plan’s viability and potential impact on the plan’s stakeholders. For example, one common way of evaluating and prioritizing risks is to evaluate the potential severity of the risk against the probability of it occurring by using a heat map. Appendix B of the Risk Management Guideline includes a sample heat map. The prioritization of risks based on likelihood and potential severity will influence the extent to which mitigating action should be taken.
  • Step 3: Manage Risks – Plan administrators should establish controls to mitigate and manage plan risk. These controls should be suitable for the nature of the risk and proportionate to its likelihood and potential impact. Potential controls may include (but are not limited to): financial policies, reviews or performance evaluations, disaster recovery plans, contingency plans, training and education, insurance, and external audits. The Risk Management Guideline notes that plan administrators should consider some form of independent review of the adequacy of the risk management framework put in place.
  • Step 4: Monitor Risks – Risk management is an iterative process. Plan administrators should monitor and review risks on an ongoing basis and repeat the risk identification and evaluation steps at intervals that are proportionate to the circumstances of the plan. The risk management framework and controls should also be evaluated regularly to ensure that they continue to be appropriate and effective. No particular review interval is specified in the Risk Management Guideline.

Risk Management Specific Topics

The Risk Management Guideline also outlines specific enumerated areas of risk that warrant consideration as part of a risk management review.

  • Third-Party Risk: Plan administrators often rely upon third-party service providers to carry out a variety of administrative and investment activities for the plan. Appropriate diligence and monitoring of these third parties should be built into the plan’s risk management framework. In particular, a plan administrator will want to ensure that any third parties who are engaged also have appropriate risk management processes and procedures in place, particularly with respect to the specific risks listed in the Risk Management Guideline.
  • Cyber Security Risk: Plan administrators and their third-party service providers control substantial amounts of financial assets and personal and confidential data. Steps should be taken to protect plan beneficiaries’ information and plan assets against the risk of cyber attacks and to build resilience against cyber risk more generally[3]. Pension regulators have become increasingly focussed on cyber risk, including the Financial Services Regulatory Authority of Ontario (“FSRA”) whose Guidance on IT Risk Management came into effect on April 1, 2024. FSRA’s Guidance on IT Risk Management is discussed in our January 2024 Sidebar, Navigating Risk in a Digital World: A Review of FSRA's Finalized Guidance on IT Risk Management. 
  • Investment Risk Governance: There are a wide range of investment risk management practices available to plan administrators. The utility of these practices will depend on the complexity of the plan administrator’s investment strategy and risk appetite. Commonly used practices include portfolio limits, risk-based sensitivity limits, stress testing, and asset liability modelling.
  • ESG Issues: The Risk Management Guideline expressly provides that a plan administrator (either directly or through its delegates) should consider whether and how ESG information may be material to assessing the financial risk-return profile of investments, and that ignoring or failing to consider material ESG information could be a breach of a plan administrator’s fiduciary duty.
  • Use of Leverage: The use of leverage can amplify potential gains and losses on investments and increase exposures to other investment-related risks. Using leverage therefore increases the importance of managing related risks, like market risk, liquidity risk, and counterparty risk.

Considerations for Plan Sponsors

The Risk Management Guideline notes that while risk management is an important consideration for plan administrators in meeting their fiduciary duty and standard of care, it is also an important consideration for plan sponsors. Both the plan administrator and the plan sponsor may benefit from a better understanding of the risks impacting each other (e.g., funding risks). These considerations may inform the plan sponsor’s own risk assessment in terms of its tolerance for managing fluctuations in its contribution requirements and ability to continue to fund the plan and discharge its corporate fiduciary duty.

Conclusion

CAPSA recommends that each plan administrator review the Risk Management Guideline and explore how it will implement the recommended practices in a manner that is appropriate for its plan membership and organization – emphasizing that the circumstances of a plan, such as size of membership, plan assets, and investment complexity, need to be considered when designing an appropriate risk management framework. CAPSA has also advised in a letter to stakeholders that where IT system changes or process changes are needed to support changes related to the plan administrator’s review of the Risk Management Guideline, they should be implemented by January 1, 2026.

* * * * *

If you have any questions regarding these new governance requirements, please do not hesitate to call any of us – we’re here to help.

[1] CAPSA notes in the Guideline that the method of implementing the concepts addressed in the Guideline may differ from one pension plan to another, depending on factors like the plan type, the complexity of its administration and investment strategies, and the size of the plan membership and plan assets.

[2] The Guideline defines risk appetite, risk tolerance, and risk limits as follows: (i) “Risk appetite” is the amount and type of risk that the plan administrator is able and willing to accept while meeting their fiduciary duty; (ii) “Risk tolerance” is the variation in outcomes that the plan administrator can accept for a given risk; and, (iii) “Risk limits” represent thresholds that should not be exceeded based on the plan’s risk appetite statement. The Guideline notes that considering how to incorporate risk appetite, risk tolerance, and risk limits into the governance and risk management frameworks is both integral and a prerequisite step to constructing those frameworks.

[3] The Risk Management Guideline defines “cyber risk” as the risk of financial loss, operational disruption, or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification, or destruction of information technology systems and/or the data contained therein. In the context of a pension plan, cyber risk includes both internal risks (e.g., disgruntled employees or a lack of controls on access) and external risks (e.g., hacktivists, state-sponsored threat activists, or cybercriminals).


This Sidebar client update provides general information and should not be relied upon as legal advice. This publication is copyrighted by Brown Mills Klinck Prezioso LLP and may not be reproduced in whole or in part in any form without the express written consent of Brown Mills Klinck Prezioso LLP. ©