DC Plans Need a Framework for Managing Operational Risks

An insight article offers a framework for identifying and managing operational risks, and Julian Regan, with Segal Marco Advisors, says even though the insight is given for public-sector DC plans, it could apply to corporate DC plans as well.

When a retirement plan faces challenges, plan sponsors tend to focus on shortcomings in oversight of investment, market or longevity risks. But, Segal Marco Advisors says, as public sector defined contribution (DC) plans continue to grow in size and complexity, sponsors need to look more closely at operational risk: the risk of loss resulting from external events or failed internal processes.

A public sector letter from Segal Marco, “Operational Risk Is the Achilles’ Heel of Defined Contribution Plans,” offers a framework for identifying and managing these risks. Julian Regan, public sector market leader and senior vice president with Segal Marco in Boston, says even though the insight is given for public sector DC plans, it could apply to corporate DC plans, as well.

Regan offers examples of external events or failed internal processes:

  • The DC plan’s third-party administrator (TPA) fails to stop participants from contributing to the plan after they’ve reached the statutory contribution limit. “The Internal Revenue Service [IRS] has a communication piece that listed this as the No. 1 compliance failure,” Regan says.
  • The plan is supposed to make required minimum distributions (RMDs) to participants, but the recordkeeper doesn’t identify some participants who are supposed to receive them. According to Regan, if the IRS discovers this during an audit, the plan will have to go through a correction process with the agency.
  • In the industry over the years, there have been cases of lost or stolen participant data, Regan notes. “Unintentionally mishandling specific personal information such as Social Security numbers has been and can be an issue,” he says. “Plan sponsors can handle this through risk management and controls.”
  • A DC plan may not have been checking fees, and the asset-weighted expenses participants are paying—the total of investment management and administrative expenses—are excessive. Regan says this may not have been neglected purposely, but plan sponsors may be unaware of pricing available. This can open them up to legal suits, as has been occurring for a number of years. “Undertaking risk assessments or benchmarking relative to peer plans reduces the probability of that outcome,” he says.

The Segal Marco Advisors article says plan sponsors may be able to manage their operational risk by adopting a framework that includes:

  • A governance structure that enables assignment of risk-management roles, responsibilities and reporting requirements documented in policies, contracts and job descriptions;
  • A manageable program for conducting operational audits and risk assessments;
  • A documented approach to managing data security risks;
  • Periodic peer reviews, benchmarking and request for proposals process reviews to evaluate investment-related expenses and fees, disclosure practices and investment structure design;
  • A comprehensive investment policy that provides a framework for program design, decisionmaking, monitoring and performance measurement; and
  • Key performance and risk measures that establish thresholds across plan functions, including telephone customer service and website availability.

What the framework looks like

Regan explains that a governance structure will look different depending on plan size. For a multi-billion-dollar plan with resources to do so, the retirement plan board establishes a risk committee that reviews risk statistics and presents reports periodically. The board’s charter will have this risk committee included, with its objective to evaluate and monitor operational risks and mitigate them.

Also, for large plans, there should be an overall risk management policy. According to Regan, the policy would spell out actions the plan takes to manage risks; reporting protocols; assessments and the benchmarking framework; and written job descriptions for staff tasked with monitoring service providers for operational risk activities.

For smaller plans, it may be impractical to establish a risk oversight committee. But, Regan says, such plans can get to the same place through different mechanics and governance actions. These may include having the TPA regularly describe how it is monitoring operational risks. Smaller plans also may want to incorporate in their investment policy statement (IPS) a subsection on operational risks and how they are assessed. In addition, risk reporting may be provided by a plan’s recordkeeper.

Risk assessment measures may be driven by terms in contracts with plan providers. For example, Regan says, the contract with the TPA or recordkeeper may stipulate that all calls to the call center will be answered within 30 seconds or less, or that all contributions will be deposited in participants’ accounts in line with their investment choices within one business day. Once these standards are set, plan sponsors can then task the risk committee or an outside firm with taking a sample of data and testing it to ensure standards are being met.

“I think it’s very fair to say there are a lot of plans in existence doing many of these things, but they are not formalized in a framework,” Regan says. “That’s what we’re getting at; if plans consider how this fits into their overall governance framework, they can be more effective at mitigating risks.”

Additional risk measures and peer reviews

Participant feedback can be another measure of operational risks. According to Regan, most plans require TPAs to track complaints, not only the number of them, but the severity. “If the number or severity increases, this could indicate some service deficiencies that need to be addressed,” he says.

In addition, public sector DC plans may want to periodically survey participants about their satisfaction with websites, call centers and communications, and compare the scores from one survey with the next.

Regan says many contracts with TPAs or recordkeepers require that a website be available for participants to see their plan information or even perform certain transactions. A key measure of operational risk is making sure the website availability is not contracted or too low.

Regan says, for peer reviews, DC plans do not have to go as far as issuing requests for information (RFIs) or requests for proposals (RFPs). Plans can sample peer practices using benchmarking reports performed by outside parties. Public sector plans, especially large ones, can find information online because government plan information is made available to the public.

Reviews of fees and expenses should be done every one to five years, Regan recommends.