Articles | August 7, 2024

Getting Started with Managing Operational Risk

Retirement Plan Insider Podcast Episode 6

Managing operational risk is a must for sponsors of retirement plans. But how to get started?

Co-hosts and Segal retirement experts Rick Reed and Robert Krebner interview benefits administration pro Michael Venezia to provide tips on everything from conducting cybersecurity assessments to implementing proactive measures to protect employee and retirement account data.

Get savvy to the future of retirement security and the key role plan sponsors play. Listen now.


Podcast Transcript

Speakers

Richard Reed, Vice President, Defined Contribution Practice Director
Robert Krebner, Consultant, Princeton
Michael Venezia, Vice President, Senior Consultant, Administration & Technology Consulting, New York


Retirement Plan Insider Podcast Series


Our quarterly podcast, Retirement Plan Insider, brings you everything you need to know about defined contribution (DC) plan governance, operations, investments and compliance. Each quarter, Segal’s DC experts will be giving you the lowdown on the latest developments in the field. From regulatory issues and best practices to investment strategies, we’ll be covering it all. 


Narrator: Governance, operations, investments, compliance. These are the four pillars of risk that defined contribution plan sponsors need to stay up on. Every quarter, we're going to be giving you the scoop, the skinny, the lowdown on all the latest developments in the field, everything you need to know to stay current and informed. We're going to be talking regulatory issues, best practices, investment strategies, all of it, about what it all means and more important, what it means to you. So put on your swimsuit, we're going to be doing some deep dives. Welcome to the Retirement Plans Insider from Segal.

Rick Reed: Hello. My name is Rick Reed and I'm the defined contribution practice director at Segal and the host of today's Retirement Plan Insider podcast. Today I'm joined by my colleague, Robert Krebner, who's a retirement consultant in our New York region and works with some of Segal's largest corporate clients. These clients include many public and private higher education institutions, as well as companies in the communications, sports and entertainment industries. Hi, Robert, would you mind giving a little bit more information about yourself?

Robert Krebner: Hi, Rick. Thanks for having me, and glad to be back. As you mentioned, I'm a consultant in our New York retirement practice, and I specialize in benefit administration for both our pension and defined contribution clients.

Rick Reed: Great. Thanks for joining today. Our topic of discussion is about operational risk and how plan sponsors can manage or mitigate that risk when working with a workplace retirement program. When we talk about these retirement programs in the workplace, we're referring to 401(k) plans, 403(b) plans that are in higher education or not for profits, and even 457 plans that might be in the government sector or in healthcare. So today, Mike Venezia is also joining us and he's going to share his expertise on operational risk. Mike is a vice president and senior consultant in Segal's administration and technology consulting practice, and he's affiliated also with our New York office. 

Mike has nearly 30 years experience in HR and benefits outsourcing and technology, and he leads Segal's ATC Consulting for the corporate market where he addresses technology, administration and operational needs of various employers, including corporations, non-profits, and as I said before, higher education institutions, among others. So Mike, when you work with your clients, are there certain areas that you focus on? 

Michael Venezia: Yeah, well, there's a few different areas. I mean, when you think about operational risk, and that's a pretty broad term. I put it in two categories, the first being just day-to-day management of the plan, managing risk of errors, keeping on top of quality, doing everything you need to make sure that the operation is running smoothly. The other category, which is a pretty popular topic these days, is data security and cyber threats, ensuring that participant data and retirement accounts are secure and protected. It's super important. 

Robert Krebner: So Mike, why is managing operational risks such an important topic in today's world, and why is it more important today than it's really been in the past few years? 

Michael Venezia: Yeah, there's a few things I'd say here. From a retiree or participant perspective, super important. So employees expect access to their benefits to be easy and frictionless. I mean, they expect it to be there when they need it. In today's society, things are moving so quick, everybody's busy, employees and retirees can't waste a lot of time with benefits issues. And let's face it, the benefits administration business is not a zero defect business. So there are things that come up, but when those operational issues come up, it can take hours to days to get resolved sometimes. As an impact on employee productivity for your active workforce, let alone just the amount of frustration and stress that that adds to an employee just impacts their overall engagement and morale. I'll give you a little bit of an example. I don't know if you guys have ever had it, but I'm assuming you've had an issue maybe with the utility company, cable company, cell phone provider, where maybe the bill's messed up or service is disrupted. 

I mean, something's going on where you have to address it. So spending countless... At least I've done this, I've spent hours on the customer service phone number or through the help desk trying to get the issue resolved. It's super time-consuming, really frustrating, and it makes you get to the point where you're like, "I just don't want to call again." So think about that experience in the benefit space. If there's operational issues, that could be even more impactful. I mean, you're talking about people's retirement and money that they've saved. I mean, it's super personal for them. So anything that a plan sponsor can do to mitigate that is super important. 

We've all been there, and I can say it's not fun. That's from the employee perspective, and I hope nobody ever has to be in that arena again. But what do you think about managing operational risk? Why is it important to sponsors of those retirement plans? 

Michael Venezia: Yeah, so I mean, from a plan sponsor perspective, I'd say it's a core component to managing a structured retirement plan. I mean, it's something that every plan sponsor should be focused on. The operational issues that occur can lead to several different things that can lead to legal ramifications and liability. There's financial repercussions and penalties that can apply. Worst case, you could have a potential disqualification of the retirement plan altogether, and not to mention just reputational damage to the organization. So pretty wide sweeping, but some really significant impacts for a plan sponsor. 

Rick Reed: Would you say this is an important topic because it's commonplace across many employers? I mean it's unavoidable. 

Michael Venezia: Absolutely. Yeah, and like I said, when you're talking about record keeping and administration operations, I mean, as much as we want to make it 100% foolproof, it just isn't. It's not a zero defect business. But there are things that plan sponsors can do to manage that operational risk, mitigate the risk, and get as close to zero defect as possible. 

Rick Reed: What are some of those things that they can do to manage it? 

Michael Venezia: So from my perspective, it isn't something a plan sponsor can do off the side of their desk. It really needs to be a core responsibility. I know that plan sponsors have a lot of different responsibilities, they're juggling as fiduciaries, and there's communication challenges, and there's all kinds of things they need to do, but they really need to keep a focus on operational risk. There's a few things that I would say, things that they could do to kind of put in place that might help mitigate. Establishing a governance structure, I'd say is maybe the first thing that you can... If you have that kind of a structure, you can leverage that to assign risk management roles in a framework for reporting risk and operations and just the overall management. Performing audits on a regular basis, I know a lot of plans and sponsors are probably doing this now, but I think it's important to have those audits done on a regular basis as well as proactively anticipating what the operational risk areas are. 

So for example, doing everything you can to mitigate foreign INA violations or maybe checking RMD calculation and doing transaction accuracy audits, just getting out in front of it and maybe sitting down with your team or if you're working with a third party administrator, just thinking through which areas in terms of the operation that could be most vulnerable for issues. Managing delivery closely, like I said, I don't think it's something you do off the side of your desk. I think you do need to manage it actively. If you work with a TPA record keeper, establishing KPIs or having performance standards, contractually I think is important, and they should be focused in a few different areas. Accuracy, timeliness, customer satisfaction. I mean, no one performance measure is going to cover the entire operation, which is why you want to have a pretty balanced scorecard. 

A couple other things that I would mention too is meeting with your TPA regularly or your internal team, if it's an in-sourced operation. To review performance metrics, data's your friend. You need to understand the data. You should have the data and metrics, maybe even anticipating any upcoming events that might introduce a level of risk. I grew up in the TPA space. I've worked for a lot of large third-party administrators, and this is one of the things that kept me up at night. It was just anticipating where the next issue may happen. Change is always introduced, system changes, legislative changes. It can be IRS changes. Those are going to come, and so being able to be out in front of those, know that they're coming, plan for them, and then putting the right guardrails and structure around it will help mitigate the risk. The last thing I would say is ensuring that your procedures are documented and they align with the plan documents and the law. That seems pretty basic, but super important. 

Rick Reed: Oh yeah. I would say that's what we see a lot in day-to-day operations. You hear we've done it that way for years, and then you find out it's a little off balance from what the plan document says. So yeah, thanks for sharing those tips for managing the risk. You mentioned some really good things there. Are these things that employers take on themselves or do they work with you and Segal or other experts on certain areas? 

Michael Venezia: Yeah, I think it depends on level of expertise and time. Certainly they can proactively do some of these internally, working with their team, thinking about the operational risks and processes and reviewing documentation. But Segal's here to help as well. I mean, the administration and technology practice, we do this all the time. We do operational assessments. We will review the operational retirement plan operations and help so we can get as involved as much as a plan sponsor needs us to. 

Robert Krebner: If I'm a plan sponsor and I work with record keepers, can I just assume my third party administrators are handling everything or should I be a little more proactive? 

Michael Venezia: Yeah, certainly proactive, actively managing it, whether you're doing this or with a third party administrator. You definitely need to be involved and you need to be on top of it. It's one of the keys I think, when you work with the TPA is you cannot... even though they could be great, and I've managed those operations and we've managed the plans well, but like I said, there's always something that comes up in the group that you're working with, and let's face it, TPAs have turnover. The group that you're working with may be super solid in one year, and then the next year you've got a whole bunch of new people that are working on the plan. And so definitely worth being actively involved. I think having visibility to the metrics is super important. And just having an open dialogue. It should be open status meetings, whether it's weekly or biweekly, and just talking about operational cadence issues, risk areas, as well as what's coming around the corner that the group needs to anticipate. 

Robert Krebner: So let's shift a little bit to cybersecurity. And I see cyber breaches in the news almost every day or at least once a week. And so I just want to get your thoughts on when it comes to mitigating the risk around cybersecurity, how can that be done from an employee data perspective? 

Michael Venezia: Yeah, this is a super important topic. You're right. It seems to be in the news or maybe in social media at least weekly. I'm sure there's lots of people that are listening to this podcast that have been impacted in some way from a data breach. At least I have. I seem to get a letter from an organization that I've worked with or maybe a company or maybe mortgage company, car loan, phone company, whatever. I seem to get a letter a week. It feels like where some kind of a breach has occurred. In a lot of cases, it doesn't actually say that significant data has been shared, but the obligation is to notify. So it's out there. And they seem to be relatively commonplace these days. And one of my concerns is that people are just becoming numb to the whole topic. 

Now, when it comes to retirement accounts plan sponsors can't be complacent. I mean, they really need to do all they can to protect employee data and retirement accounts. Certainly it's their fiduciary responsibility, but failure to be proactive and that can lead to ramifications that we spoke of earlier, like the legal issues and penalties and potential plan disqualifications. 

Robert Krebner: I really like that when you say proactive, I mean it sounds like one of these situations where once it's out there, it's too late. I mean, there's really no going backwards when it comes to data breaches or reputation that's really been lost. 

Michael Venezia: And there's a few things that I'll call out that you certainly can do. I mean, there's certain cybersecurity assessments that a plan sponsor should consider. Segal can help with these as well if they need the support. We do NIST assessments so that the... National Institute of Standards and Technology issues guidance around cybersecurity. It's a super comprehensive process. The second is the DOL's Employee Benefits Security Administration security best practices. And the last that I'd mention is just HIPAA HITECH standards. That was promulgated by law and enforced by the Office for Civil Rights. That one's a bit more narrowly focused on protecting ePHI, but all-important, should be done on a consistent basis. And if a client needs some support there, we certainly can help.

Robert Krebner: So those assessments that you just mentioned, I assume once they take place, they're going to reveal some current practices and some best practices that a plan sponsor can take. So give me a sneak preview on some of these best practices that these assessments might reveal. 

Michael Venezia: Sure. Yeah, there's several. And some of these may seem obvious and maybe others maybe not so much. I mean, starting with strong authentication methods, and this is pretty prominent. I'm sure everybody's seen these. The multifactor authentication beyond just username and password. Robust password policies. And I'm talking now at an organizational level. Having unique passwords, certain character lengths, forcing password changes every, call it 60, 90 days. Leveraging biometrics when authenticating accounts is a pretty secure way. Leveraging iPhone facial and fingerprint recognition. Encrypting data, again, seems to be relatively obvious, but really need to have the data encryption in place for data that's in transit and at rest, performing regular security audits and vulnerability tests, penetration testing, that kind of thing.

Implementing access controls, to ensure that authorized personnel have access to... Only those people have access to sensitive data and others do not. And conducting employee training, making employees aware of the cybersecurity topics, best practices, phishing awareness, which I think a lot of organizations are doing at this point, and pretty consistently. Providing clear instructions and just raising awareness to how to report an incident is important. 

Practically monitoring account activity for suspicious behavior, again, at an organizational level that's important. The incident response plan to quickly address and mitigate the impact of security breaches is important to have that out there and proactively having a plan in place and at the ready if you need it. So there's lots of different things that could be done at the organizational level. And I'd say if an organization doesn't have these in place, they certainly need to consider it. Some of these would fall into the IT and risk management office, but certainly impacts plan sponsors as well. And whether it's following best practices or taking a quick assessment and the assessments that I mentioned before can identify some of those vulnerabilities and at least you can get a plan in place. 

Rick Reed: Really just don't know. We don't know. Mike, quick question. You mentioned biometrics, and I know some of the record keepers have implemented what I'll call voice print technology as a way to identify when people call into their call centers. And it makes things convenient, but should people be concerned regarding AI technology? Does that raise the stakes on operational risk? And are there things that employers can rely on from the record keepers or the TPAs? 

Michael Venezia: Yeah. AI kind of adds a whole new dynamic. I think the facial recognition, the voice, biometric recognition, all great technology and fairly secure actually. But when you get used to that, there are nefarious ways of using AI that can lead to potential issues. I'm not sure if you guys have heard some of the reports that have happened in the news. I mean, I'm actually aware of somebody that had an incident where a friend of mine's parents got a call who they thought was from their grandchild, who was having an issue and basically needed some money, and was asked to wire the money to help this particular person. And as it turned out, it was fraudulent, and it was somebody who got the voice biometrics of the grandchild and it sounded just like him. So you just need to be careful. There's lots of ways that criminals are out there trying to steal data, but I think in working with your retirement plan, you just need to make sure that you're working within the secure channels to do that. 

Robert Krebner: And what does an employee... What can I do to help protect my retirement accounts and my data? 

Michael Venezia: And this is an important aspect. It's not just about the plan sponsors. I mean, the organization can do as much as they can to secure the data, but I'll tell you, about 50% of the fraud that happens occurs because an employee just didn't protect their own data. So there's certainly some things that can be done; checking your account frequently. So your retirement account, I do it for my own account, just making sure that you're checking it I think is important. Enabling strong passwords, not sharing that password with others. That's something that does lead to fraudulent activity, enabling multi-factor authentication. So like one-time code type functionality that I think many people are probably used to at this point.

Avoiding sharing your personal information, social security number, account numbers, avoid sharing that over email or phone unless you know it's through a secure channel. I would say don't access retirement accounts over public WiFi. Sitting in Starbucks and doing that is probably not a good idea. And just be aware of the phishing scams. They're getting more and more sophisticated. Don't open suspicious emails or emails that you're just not aware of the sender or accessing links in an email that you're just not aware of. 

Robert Krebner: And to the extent possible, it's the responsibility of the plan sponsor too, as a fiduciary to help encourage these best practices and send out phishing tests and things like that to help train employees, is it not? 

Michael Venezia: Yeah, for sure. 

Rick Reed: Wow, that's a lot of good information. I mean, some of it's... I would like to think is common sense for people, but others we do what's convenient. Sometimes it's not always the best choice. So let's return back to the retirement plan sponsor a little bit. Could you talk about what you envision their role to be in managing operational risk? 

Michael Venezia: Sure. Yeah. Like I mentioned before, I think from my perspective, it should be a top priority for all retirement plans and plan sponsors. We've mentioned this, they've got a fiduciary responsibility to evaluate record keepers and ensure that they've got the right and proper practices and infrastructure in place to keep participant data safe. If you're working with the TPA, you need to make sure that they've got tight security protocols. Participants expect their employer to protect their data. Keeping retirement savings that they've worked so hard to accumulate over time is just a general expectation that they have of a plan sponsor in the plan. 

I mean, imagine a real world scenario. Imagine if you worked for 30 years and you've been contributing to the 401(k) or 403(b) plan. You've accumulated these savings. And for many people, that's their primary source of retirement income. And one day you're checking the balance like you have done every week, and on this particular day you check and your account is zero and your balance is zero and your funds are gone. I mean, that's a real world scenario that can happen, that all plan administrators and plan sponsors should be concerned about and should be doing all they can to combat. 

Rick Reed: I think we've covered this next topic, but I want to ask it anyway. Where do you think things are going in terms of the risk? Do you think things are getting better or worse in terms of retirement security? 

Michael Venezia: Yeah, I think just the speed at which technology is moving and we talked about AI and there's just lots of other technology that's just hard to keep up with. That level of speed I think is just opening up the potential risk down the road. So I don't think it's going to get any easier or better. I think it's going to continue to rise. Let's face it, criminals have lots of ways to get at data. You see ads, you see commercials on TV. We know about the different ways that... We talked about the way they can get at data sometimes. But if you think about on a macro level, so kind of stepping outside of just the retirement plan for a second, there's large financial institutions. Take JP Morgan Chase, for example. I mean, they've reported to have... facing billions of hack attempts on a daily basis. 

So I mean the volume is just out of control and technology is just enabling that. So the other example I'll give you is to an individual retirement accounts coming and bringing it back to this topic, it's a significant target. Pension plans, 401(k) plans. I mean, those are rising every year. Fidelity investments reports several hundred thousand attempts on a daily basis. So retirement record keepers, we may prevent millions of attempts over the course of a year, and it only takes one. It only takes one attempt for somebody's data to be compromised or account to be compromised, and the impact to that is significant for that person. So it's super important and worth mentioning again, that plan sponsors, they face potential litigation if they aren't properly putting the proper protocols and framework in place. And the organization just has a responsibility to make sure that those accounts are protected. 

Rick Reed: Recently, we've seen the Department of Labor come out with various standards to help fiduciaries, like you said, build a framework, so it's standardized. What could they do to evaluate a record keeper to determine if they have good protocols in place for cybersecurity, et cetera? So I think that's really important. And I think I would agree, people need to be proactive and reach out to their TPA or record keepers, see what they already have in place. 

Robert Krebner: And I like this reminder because all I was going to say was that with all the technology advancements, honestly, it's getting hard to keep up. And I'd like to think that technology's making things safer with the introduction of things like multifactor and other types of protections. But I think you're right. I think there are new threats emerging and plan sponsors really need to continue to stay on top of this. 

Michael Venezia: There's always a balance between user experience and operational risk. So deploying technology in other ways that make things just so much easier. Take the Amazon experience. And our lives are getting easier from one perspective, leveraging technology. And that's all great, but it does come with an added level of risk and something that just needs to be managed. 

Robert Krebner: Are there any other strategies that we haven't spoken about? Things like stale data and managing that? Talk to me a little bit more about maybe anything that we haven't covered so far. 

Michael Venezia: Yeah, there's several things that a plan sponsor can do outside of what we've covered already. You mentioned stale data. I think just general data cleanup or just data integrity, reviewing data for inaccuracies or gaps and putting in a plan to rectify that. Whenever you have data issues, it just steamrolls into other issues, whether it's manual processes or just potential issues down the road. So as much as your data can be cleaned, the better off you'll be for it. Doing some things on a proactive basis like a missing participant search now through the DOL best practice guidance, I think is important. Death audits. So engaging an outside firm to assist in locating deceased participants. I mean, the DOL has been pretty focused on that over the last several years. Some of our plan sponsors listening may have already been involved with that process. 

I think putting together a responsibility matrix is important. Just a framework for clearly assigning and documenting the risk management responsibilities if you're working with your team and a process for that, I'd say if there's automated features that you can implement in your plan, it's something to consider. Things like auto enrollment, auto escalation, I mean, it just reduces the level of manual processes and brings down the volume of participant-driven transactions. One thing I'd mention, I think that's important to think about, and this may not be super prevalent for some of the plan sponsors, but considering a seven-day hold for certain transactions, so a seven-day hold basically means if somebody's processing a transfer or withdrawal before that money leaves the plan, there's a seven-day period there where it gets delayed until it goes out. It allows time for checking that transaction, making sure that the transaction is legitimate and accurate, and it just lends some additional stability to money leaving the plan. 

And there may be two other things I'll mention real quick. So bank account information in an account profile, having that information out there maybe for a certain number of days before funds leave the plan, I think is important. Again, that can kind of follow the seven-day hold. I mean, make sure that those accounts are on file well before a transaction is processed. If a fraudulent transaction is being processed, in a lot of cases they're updating bank account information, they're processing a withdrawal. And that's all happening kind of along the same time. And then along the lines of cybersecurity, I think ensuring that you've got the proper level of cyber liability insurance just to protect the organization in case there is a potential data breach down the road.

Rick Reed: All right. Well my last question is Segal's vision for a successful retirement program is based on three pillars and centers around providing a retirement program that provides meaningful retirement income. It ensures that the benefit payments are safe and secure, and the program is also understood and appreciated by the participants and other stakeholders. So how does this plan oversight and mitigating operational risk fit into this concept? 

Michael Venezia: Yeah, I think the impacts for not managing operational risk, it affects all, it can have a negative effect on all of them. All three pillars. The first, plan sponsors need to provide an environment where retirement income can grow and participants can feel confident the plan is run well. Otherwise, they're not going to participate. The second, the benefit payments need to be safe and secure. So retirement income can be accessed when it's needed. That should be a top priority. And the last thing I'd say is a well-run plan will build reputational confidence with participants so they feel confident in investing and they grow to appreciate the benefits that are offered by the company. Conversely, a poorly run plan with operational issues will have the opposite effect. Last thing I would say, I think is maybe to wrap things up that I hope the plan sponsors listening to this podcast took something away from the discussion. 

I mean isn't... As I mentioned before, it isn't lost on me that plan sponsors are asked to juggle many priorities in their role. And I would just encourage any plan sponsor to ensure they have a focus on data security and managing operational risk. And it should be at the top of their priority list. And to use a sports analogy, I would say don't play defense. Go on offense. Take the proactive steps to identify and mitigate risk areas. Operations in retirement administration, like I said before, is not a zero defect business. But you can get pretty close. And if you take the proactive steps to mitigate the risk of errors, and if any plan sponsors out there need some help doing that, don't hesitate to give Segal a call. And the administration technology practice can help. 

Rick Reed: Well, Mike, thanks so much for sharing your expertise. I mean, this was really informative. Now while talking about operational risk may not be the most exciting topic when talking about retirement plan oversight, it does sound like it's important and something that sponsors should ensure that there aren't mistakes. Those mistakes are avoided and participant data and even their account balances are protected. So also to our listeners, I'd like to thank you all for listening. And for more Retirement Plan Insider podcast episodes, please check out our website at www.segalco.com, and type in 'retirement plan insider' in the search bar. And don't forget to join us for our next quarterly episode of The Retirement Plan Insider. Thank you all, and I appreciate you being here today, Mike. 

Michael Venezia: Likewise. You bet. You bet. 
