Risk can generally be defined as the chance of something happening that will impact entities’ or individuals’ ability to achieve their objectives. For retirement plans, investment risk and longevity risk tend to receive the most attention from the media and stakeholders alike. However, as 401(k), 403(b), 457 and other defined contribution (DC) plans continue to grow in size and complexity, sponsors need to strengthen their focus on operational risk.
Managing operational risk matters. The potential consequences of failing to adequately address operational risk can be severe. Events, such as compliance failures, reporting errors and data breaches, may lead to sizeable losses and/or litigation and could threaten the tax-qualified status of the plan. Many experts believe that operational risk, more than any other risk category, is the leading cause of reputation risk.
Managing operational risk effectively may lead to improved service quality, reduced costs, improved participant decision making and better compliance. Auditors from both the Internal Revenue Service (IRS) and the Department of Labor (DOL) look at a plan’s “internal controls” to determine the extent of their audits.
Moreover, effective management of operational risk can help to improve stakeholder confidence, which, in turn, may help to position DC plans for continuously improved outcomes across key goals, such as employee participation, deferral rates, retention of rollover-eligible assets (where that is a goal), cost effectiveness and participant investment diversification.
Operational risk is the risk of direct or indirect loss resulting from external events or inadequate or failed internal processes, people and systems. For DC plans, operational risk encompasses potential losses attributable to failures across a range of functions, including Internal Revenue Code (IRC) and Employee Retirement Income Security Act of 1974 (ERISA) compliance, participant financial reporting, transaction processing, data security, technology, business continuity and vendor management. Given that scope, operational risk is considered by many experts to be the broadest, largest and most complex risk category. The overlap among some functions, such as data security and vendor management, adds to the complexity.
The following are just a few hypothetical examples of operational risk events by function:
Operational failures can, and do, occur in part because of transaction volume, multiple interfaces, manual processes and changing regulatory frameworks. Evolving plan designs, investment structures, technology and service-delivery platforms can also increase operational risk. For example, the move among DC plans to adopt features such as auto-enrollment, auto-escalation, and investment guidance may enhance design, but adds new operational requirements.
DC plan sponsors should seek to fully understand their vulnerability to operational risk. Protecting plan assets and data and the plan’s tax-qualified status requires an increasingly sophisticated approach to managing operational risk. Adopting an integrated framework for managing operational risk, as discussed below, can be particularly helpful now, when data breaches are generally becoming more frequent and growing in magnitude.
DC plan sponsors typically delegate operational risk management to service providers and staff who manage risk in accordance with responsibilities documented in contracts, policies and job descriptions. Recordkeepers that provide participant recordkeeping, communications, contribution processing, website maintenance and records retention bear extensive responsibility for managing operational risk due to the breadth of their operations. A plan’s investment managers, auditor, custodian, counsel and investment consultant also share responsibility within their respective functions.
Despite delegating risk-management tasks, DC plan sponsors remain responsible as fiduciaries for the adequacy of their oversight across all functions and categories. If they have not already done so, plan sponsors, their staffs and service providers must maintain a framework to minimize the probability and severity of loss related to operational-risk events.
A number of sponsors of large DC plans, like other institutional investors, already maintain distinct risk and compliance units to centralize accountability within their organizations. While that approach may not be practical for smaller plans or plans with limited resources, DC plan sponsors may be able to manage their operational risk equally well by adopting a framework that includes the following components:
Risk management and internal controls are intended to reduce the probability of operational failures and the severity of their impact, if they do occur. This framework lays a solid foundation for effective oversight of DC plan operational risk.
In addition to performing periodic audits of operations, plan sponsors may wish to conduct other risk assessments, for example:
For DC plan sponsors that wish to delegate responsibility for these assessments to outside experts, Sibson Consulting, Segal Marco Advisors and/or external auditors can perform operational risk assessments.
It is important to note that the financial audit filed with the plan’s annual Form 5500 is likely not sufficient oversight of operational risk, as it focuses only on mistakes that have a “material” impact on the financial statements, not the individual mistakes that DOL and IRS auditors pursue.
* SOC reports are an independent auditor’s assessment of service providers’ procedures. They are part of the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements.
Many DC plan sponsors already have in place some of the components outlined above. Combining those components into an integrated approach to managing operational risk demonstrates an awareness of risk and an understanding of the importance of addressing it that participants, service providers and other stakeholders may find reassuring.
Recommended first steps to an integrated approach to managing operational risk include:
For more information about managing operational risk or other risks DC plans face, contact your Sibson benefits consultant and your Segal Marco Advisors investment consultant or the following experts:
Sponsors of DC plans face tough decisions. We understand those challenges as well as options for meeting them. Having worked with hundreds of clients for more than 50 years, Sibson Consulting has insight into the spectrum of design characteristics and features of all types of compensation and benefit plans, including benchmarking and design of total rewards that encompass financial and non-financial rewards.
Sibson’s DC plan consulting services include the following:
Segal Marco Advisors, the SEC-registered member of The Segal Group of which Sibson is also a member, provides the following investment solutions for DC plan sponsors: