What is DC plan operational risk?

Risk is the chance of something happening that will affect the ability to achieve objectives. Traditionally, for retirement plans (both defined benefit and defined contribution), the discussion is in terms of investment risk and longevity risk. Yet operational risk is every bit as important.

Operational risk is the risk of direct or indirect loss resulting from unanticipated events or inadequate or failed internal and external processes, people and systems.

It encompasses potential losses attributable to failures across a range of functions. Compliance with the Internal Revenue Code (IRC) and the Employee Retirement Income Security Act of 1974 (ERISA) is part of operational risk. Operational risk also covers these crucially important areas:

• Transaction processing;
• Participant financial reporting,
• Recordkeeping services;
• Data security; and
• Consolidation of plans through mergers.

Merger increase operational risk because they have implications for plan administration, benchmarking fees and consolidation of vendors.

Many experts consider operational risk to be the broadest, largest and most complex risk category. The overlap among functions, such as data security and recordkeeping services, adds to the complexity.

Operational failures can, and do, occur for a number of reasons, including:

• The volume of transactions;
• The use of multiple interfaces;
• Inadequate internal controls;
• Manual processes;
• Poor data;
• Increasing sophistication of cyber criminals; and
• Changing regulations or new laws.

Anything new — investment structures, technology and service-delivery platforms — can increase operational risk.

Evolving plan designs also have that effect. For example, multiemployer DC plans are more frequently adding a 401(k) feature (usually with participant direction) or increasing the valuation frequency of member account balances.

These features enhance benefits and options for participants, but, at the same time, add operational requirements.

DC trustees should seek to fully understand their vulnerability to operational risk. Protecting plan assets and data and the fund’s tax-qualified status requires an increasingly sophisticated, proactive approach.

Adopting an integrated framework of policies and procedures for managing operational risk can be a helpful step.