CAPSA Opens Consultation on New Risk Management Guideline
July 31, 2023
In June 2023, the Canadian Association of Pension Supervisory Authorities released detailed draft guidelines on pension plan risk management. CAPSA is inviting submissions from pensions stakeholders until September 30, 2023.
This guidance builds on previously released CAPSA guidelines on governance, funding, and investment practices, and provides specific recommendations on risk management, third-party risk, cyber risk, ESG risk, and leverage risk, as well as recommendations for target pension plan administrators. CAPSA acknowledges that each plan’s methods of implementing its guidance may vary, depending on its specific circumstances and the complexity of its strategies.
General Risk Management
CAPSA begins by clarifying its advice from its previous governance guideline on how to identify and manage risk. It notes that a plan’s risk management framework should identify short- and long-term risks in plan governance and administration, asset investment, funding and benefit adequacy, and plan member communication.
CAPSA then reviews key risk concepts: risk appetite is the amount and type of risk that a plan administrator will accept; risk tolerance is the administrator’s willingness to accept a given level of residual risk; risk capacity is the administrator’s ability to bear risk; and risk limits are quantitative or qualitative thresholds that cannot be crossed based on the plan’s risk appetite statement. CAPSA advises administrators to establish their overall risk appetite, risk tolerance and risk capacity in a written statement, and incorporate them into their overall governance frameworks.
CAPSA advises plan administrators to engage in the following five-step risk management process:
- Identify and document the plan’s objectives, which may focus on benefit security (i.e., funding targets), predictability (i.e., replacement income targets in a target benefit plan), and/or affordability (i.e., level of contribution rates);
- Identify and document long- and short-term risks in a register, as well as controls to mitigate these risks and factors that could change the level of risk. Determine risks by reviewing materials such as audit and actuarial reports, service provider contracts, member complaints, legal decisions, administration and investment reports, and information about emerging factors;
- Evaluate and prioritize risks based on their nature, size, complexity and potential impact on the plan. Quantify material risks as much as possible, and engage in appropriate contingency planning;
- Implement controls to manage and measure the plan’s exposure to risk. Controls may include financial policies, audits and performance evaluations, disaster recovery plans, contingency plans, training and education, insurance, external audits, and appropriate communications. Determine whether to accept the remaining risk, avoid the risk, implement further controls, or transfer the risk to a third party; and
- Monitor risk controls to ensure they operate effectively. Review information from numerous sources when doing so, such as member surveys, audit reports, valuation reports, and investment reports.
CAPSA then reviews risk management guidelines specific to certain types of risk: third-party risk, cyber risk, ESG risk, leverage risk, and risk for target benefit plans. It notes the above five-step process should be followed for all types of risk.
CAPSA emphasizes that while administrators may outsource various tasks to third parties, including investment managers, accountants, lawyers, and third-party pension administrators, they remain responsible for overall plan management. Third-party risks involve a third party failing to provide the agreed-upon services, including failing to protect plan data.
To mitigate third-party risk, CAPSA advises administrators to perform thorough due diligence: service providers’ responsibilities should be clearly defined and documented, and be subject to oversight. CAPSA goes on to provide non-exhaustive questions for administrators to consider when establishing their third-party risk management approach, including about the appointment process, due diligence, written contracts, and fees.
Cyber risk is the risk of financial losses, operational disruption, and reputational damage arising from unauthorized access to plan information. Cyber risk includes both internal risks (e.g., disgruntled employees) and external risks (e.g., cyber-crime), and may come in the form of malware, phishing, hacking, or information leaks.
Managing cyber risk can be challenging, CAPSA warns, because of rapidly evolving technology and the sensitivity of information that plans hold, but administrators have a fiduciary duty to manage these risks. CAPSA advises administrators to ensure they have sufficient technological expertise and training so that cyber risk is well understood, to consider having appropriate cyber insurance in place, and to consider third-party service providers’ cyber risks during selection and review processes.
In addition, CAPSA advises administrators to develop response plans for cyber incidents. These plans and policies should include the detection of cyber incidents, resiliency plans regarding the return to normal operations, and incident reporting requirements.
Environmental, social and governance (“ESG”) factors are wide-ranging, and include climate change, employee safety and fair wages, and board independence, among many others. “Using ESG information to provide financial insight is consistent with an administrator’s fiduciary duty,” CAPSA notes. “Conversely, ignoring or failing to consider ESG information that might materially affect the fund’s financial performance could be a breach of fiduciary duty.”
Administrators may determine it is consistent with their fiduciary duty to use ESG factors as a tiebreaker between otherwise economically equivalent investment options, as well as in investor engagement and proxy voting.
In terms of ESG considerations around plan governance, CAPSA advises administrators to include relevant ESG factors in their risk management framework, follow market and legislative developments on ESG practices, and ensure all relevant parties and service providers have sufficient experience regarding ESG to meet the administrator’s standard of care.
CAPSA further advises administrators to develop a written policy on their investment beliefs about ESG factors and their application to investment performance, either incorporated into existing policies or as a stand-alone document.
CAPSA notes that administrators may find it helpful to incorporate ESG risks into investment decisions by establishing certain limits or targets, such as limits on exposure to greenhouse gas emissions or targets for investment in “green” assets. These must be consistent with the administrator’s fiduciary duty, and the administrator should periodically review these tactics.
Finally, CAPSA advises that administrators review any third-party service providers’ approach to ESG risks, develop written policies regarding stewardship activities such as proxy voting, and disclose the extent to which ESG information is considered in plan decisions.
Leverage includes all strategies used to achieve economic exposure greater than the capital invested. Common types of leverage include financial leverage (accessing additional funds to invest, which may appear as liabilities on a balance sheet), synthetic leverage (derivatives contracts that may allow the plan to increase exposure to certain assets, for example), and embedded leverage (leveraged investments acquired indirectly through a plan’s holdings of third-party managed investments). Leverage may be non-recourse, which limits the plan’s exposure to the amount invested, or recourse, in which a counterparty can require the plan to pay additional amounts to cover losses that exceed the amount invested.
CAPSA notes that leveraged investment strategies can have increased market risk through amplified losses, increased liquidity risk by a reduced ability to convert assets to cash without losses, and increased counterparty risk due to a counterparty’s potential inability to meet its contractual obligations in derivative or repurchase agreements.
To mitigate leverage risk, CAPSA advises plan administrators to seek advice and assistance from external experts when implementing and managing leveraged strategies, though it emphasizes that the administrator retains responsibility for investment decisions. Administrators should document their decisions regarding leverage, the guidelines and controls involved, the purposes for which it is used and how leverage affects the plan’s broader investment approach, and how the administrator will oversee the use of leverage. This information should be incorporated into their Statement of Investment Policies and Procedures.
If a plan invests in a pooled fund that employs leverage, CAPSA advises the administrator to document material instances of embedded leverage and its effects on associated risks, and to ensure the plan’s investment risk metrics reflect the pooled fund’s leverage.
Finally, CAPSA advises administrators to stress test their portfolios, including leveraged strategies, under a variety of market conditions and scenarios, and to consider incorporating reverse stress testing as well.
Target Pension Arrangements
CAPSA advises administrators of target benefit plans to consider a variety of specific risks, such as the risk that the target benefit is not achievable due to poor plan design or low returns; the risk that members do not understand the variable nature of their benefit; and the risk of poor governance resulting in ad hoc benefit adjustment decisions.
Target plan administrators should develop funding and benefit policies, referring to CAPSA Guideline No. 7’s section on target pension arrangements. In addition, administrators should develop policies that ensure trustees perform their fiduciary duties, and should ensure that all communications to plan members are clear that pension benefits may be adjusted depending on the plan’s financial health.
CAPSA advises target plan administrators to ensure that portfolio limits (that is, the maximum and minimum exposures to each asset class) function as an effective control mechanism. Any breaches should trigger a review of the investment strategy, and if there are repeated breaches, the administrator should review whether changes to the risk appetite statement and SIP&P are necessary.
CAPSA also provides guidance on risk-based sensitivity limits, stress testing and asset liability modeling, and alternative assets held directly by the fund. Finally, in terms of risk reporting, CAPSA advises target plan administrators to quantify material investment risks in all relevant categories, including market risks, credit risks, liquidity, and currency risk.
Interested parties can email submissions to firstname.lastname@example.org until September 30, 2023.