Operational Risk: Why 401k and 403b Sponsors Can’t Ignore It

Defined contribution (DC) plan sponsors running a 401k or 403b plan should make sure that operational risk is on their radar. Of the risks facing DC plans, it is the most complex. The other risks include longevity risk (the risk that participants might outlive their assets), investment and market risk (pertaining to investment returns in participants’ accounts and overall market returns), and credit risk (the risk of loss to investors in more conservative investments such as bonds, money market funds, stable value funds, etc.). These three risks get far more airtime, but the fact that you hear less about operational risk does not make it any less important.

What is operational risk, and why does it matter? According to an article from Segal Consulting, a firm that provides consulting and actuarial services for public employee benefit programs, operational risk is “the risk of direct or indirect loss resulting from external events or inadequate or failed internal processes and systems.” In DC plans, those losses could stem from failures in many areas, such as compliance, financial reporting, transaction processing, data security, technology, vendor management, and more.

Failure to address operational risk can lead to dire consequences, such as sizable losses and litigation. However, staying on top of operational risk can have positive implications, such as a reduction of plan costs, better participant decision-making and service levels, and improvements in compliance. Most importantly, according to Segal, “… it can help to improve stakeholder confidence, which, in turn, may help to position the DC plan for continuously improved outcomes across key goals, such as employee participation, deferral rates, retention of rollover-eligible assets (where that is a goal), cost-effectiveness and participant investment diversification.” Sponsors should make operational risk a top priority.

From the Segal article, here are a few hypothetical examples of operational risk events:

As illustrated in the graphics, there are many areas where a DC plan is vulnerable to operational failure. Even design enhancements like auto-enrollment, auto-escalation, and investment guidance, while positive for participants and immensely supportive of retirement readiness, come with new operational requirements and additional risk.

While you may have delegated operational risk management to outside vendors such as third-party administrators (TPAs), who, by their nature, are qualified to take on those responsibilities, delegating these duties doesn’t relieve the plan sponsor of their fiduciary obligations. Therefore, sponsors should have a framework in place to minimize loss and damage from operational failures.

While such a risk management framework is generally a common practice among larger plans, it may not be as prevalent in smaller plans. An effective operational risk framework should include considerations such as:

  • plan governance,
  • best practices for conducting operational audits and risk assessments,
  • documented criteria for managing data security risks,
  • periodic peer reviews/benchmarking/requests for proposal,
  • a comprehensive investment policy statement, and
  • performance and risk measure criteria for plan functions such as customer service and website availability.

It may sound complicated, but it’s less complex than leaving your plan exposed to any number of operational risks and dealing with the aftermath if these risks aren’t managed properly. As a plan sponsor, there are a number of initial steps you can take to begin to form an integrated framework that includes all of these components. These include:

  • reviewing your committee’s job descriptions to make sure they specify who is responsible for which risks;
  • ensuring planned audits cover areas vulnerable to operational risks (e.g., processing of contributions and regulatory compliance);
  • requesting and reviewing your providers’ cybersecurity and data management policies, and considering creating an internal policy of your own;
  • reviewing your current investment policy statement to ensure it accurately reflects your existing investment lineup and adequately documents policies and procedures for managing the plan’s investments, along with fiduciary roles and responsibilities.

Taking the time to make sure you are effectively managing operational risk will not only help improve your plan, your compliance, and your ability to serve your participants; it will also give you peace of mind and some protection against unknown, and potentially dire, risks. Short of not having to deal with these risks at all, it doesn’t get much better than that.

Robyn Kurdek

Freelance writer with nearly 2 decades of financial industry experience, with niche expertise in the defined contribution (DC) industry. I also have defined benefit (DB) plan knowledge. I write all types of content for retirement plan participants, sponsors and advisors, including web copy, newsletters, white papers, fact sheets, blog posts, financial wellness articles, and more. "I speak DC."