In June 2023, the Canadian Association of Pension Supervisory Authorities released detailed draft guidelines on pension plan risk management. CAPSA is inviting submissions from pensions stakeholders until September 30, 2023.
This guidance builds on previously released CAPSA guidelines on governance, funding, and investment practices, and provides specific recommendations on risk management generally, third-party risk, cyber risk, ESG risk, leverage risk, and risks specific to target benefit plan administrators. CAPSA acknowledges that each plan’s methods of implementing its guidance may vary, depending on its specific circumstances and the complexity of its strategies.
General Risk Management
CAPSA begins by clarifying its advice from its previous governance guideline on how to identify and manage risk. It notes that a plan’s risk management framework should identify short- and long-term risks in plan governance and administration, asset investment, funding and benefit adequacy, and plan member communication.
CAPSA then reviews key risk concepts: risk appetite is the amount and type of risk that a plan administrator will accept; risk tolerance is the administrator’s willingness to accept a given level of residual risk; risk capacity is the administrator’s ability to bear risk; and risk limits are quantitative or qualitative thresholds that cannot be crossed based on the plan’s risk appetite statement. CAPSA advises administrators to establish their overall risk appetite, risk tolerance and risk capacity in a written statement, and incorporate them into their overall governance frameworks.
CAPSA advises plan administrators to engage in the following five-step risk management process:
- Identify and document the plan’s objectives, which may focus on benefit security (i.e., funding targets), predictability (i.e., replacement income targets in a target benefit plan), and/or affordability (i.e., level of contribution rates);
- Identify and document long- and short-term risks in a register, as well as controls to mitigate these risks and factors that could change the level of risk. Determine risks by reviewing materials such as audit and actuarial reports, service provider contracts, member complaints, legal decisions, administration and investment reports, and information about emerging factors;
- Evaluate and prioritize risks based on their nature, size, complexity and potential impact on the plan. Quantify material risks as much as possible, and engage in appropriate contingency planning;
- Implement controls to manage and measure the plan’s exposure to risk. Controls may include financial policies, audits and performance evaluations, disaster recovery plans, contingency plans, training and education, insurance, external audits, and appropriate communications. Determine whether to accept the remaining risk, avoid the risk, implement further controls, or transfer the risk to a third party; and
- Monitor risk controls to ensure they operate effectively. Review information from numerous sources when doing so, such as member surveys, audit reports, valuation reports, and investment reports.
CAPSA then reviews risk management guidelines specific to certain types of risk: third-party risk, cyber risk, ESG risk, leverage risk, and risk for target benefit plans. It notes that the above five-step process should be followed for all types of risk.
CAPSA emphasizes that while administrators may outsource various tasks to third parties, including investment managers, accountants, lawyers, and third-party pension administrators, they remain responsible for overall plan management. Third-party risks involve a third party failing to provide the agreed-upon services, including failing to protect plan data.
To mitigate third-party risk, CAPSA advises administrators to perform thorough due diligence: service providers’ responsibilities should be clearly defined and documented, and be subject to oversight. CAPSA goes on to provide non-exhaustive questions for administrators to consider when establishing their third-party risk management approach, including about the appointment process, due diligence, written contracts, and fees.
Cyber risk is the risk of financial losses, operational disruption, and reputational damage arising from unauthorized access to plan information. Cyber risk includes both internal risks (e.g., disgruntled employees) and external risks (e.g., cyber-crime), and may come in the form of malware, phishing, hacking, or information leaks.
Managing cyber risk can be challenging, CAPSA warns, because of rapidly evolving technology and the sensitivity of the information that plans hold, but administrators have a fiduciary duty to manage these risks. CAPSA advises administrators to ensure they have sufficient technological expertise and training so that cyber risk is well understood, to consider having appropriate cyber insurance in place, and to consider third-party service providers’ cyber risks during selection and review processes.
In addition, CAPSA advises administrators to develop response plans for cyber incidents. These plans and policies should include the detection of cyber incidents, resiliency plans regarding the return to normal operations, and incident reporting requirements.
Environmental, social and governance (“ESG”) factors are wide-ranging, and include climate change, employee safety and fair wages, board independence, among many others. “Using ESG information to provide financial insight is consistent with an administrator’s fiduciary duty,” CAPSA notes. “Conversely, ignoring or failing to consider ESG information that might materially affect the fund’s financial performance could be a breach of fiduciary duty.”
Administrators may determine it is consistent with their fiduciary duty to use ESG factors as a tiebreaker between otherwise economically equivalent investment options, as well as in investor engagement and proxy voting.
In terms of ESG considerations around plan governance, CAPSA advises administrators to include relevant ESG factors in their risk management framework, follow market and legislative developments on ESG practices, and ensure all relevant parties and service providers have sufficient ESG experience to meet the administrator’s standard of care.
CAPSA further advises administrators to develop a written policy on their investment beliefs about ESG factors and their application to investment performance, either incorporated into existing policies or as a stand-alone document.
CAPSA notes that administrators may find it helpful to incorporate ESG risks into investment decisions by establishing certain limits or targets, such as limits on exposure to greenhouse gas emissions or targets for investment in “green” assets. These must be consistent with the administrator’s fiduciary duty, and the administrator should periodically review these tactics.
Finally, CAPSA advises that administrators review any third-party service providers’ approach to ESG risks, develop written policies regarding stewardship activities such as proxy voting, and disclose the extent to which ESG information is considered in plan decisions.
Interested parties can email submissions to [email protected] until September 30, 2023.
Sara joined Koskie Minsky’s Pensions and Benefits practice as an associate in 2021, after summering and articling with the firm.
Sara received her J.D. from the University of Toronto Faculty of Law. During law school, she volunteered as a caseworker at the Advocates for Injured Workers legal clinic, and worked as a research assistant at both the David Asper Centre for Constitutional Rights and on a project investigating wage theft in the informal construction sector. In 2020, her research paper on deductions from minimum wage due to in-kind payments won the Canadian Bar Association’s labour and employment essay contest.
Sara also holds a B.A. in English and Classics from McGill University, and a Certificate in Transnational Law from the Université de Genève. She previously worked as a financial journalist.