Pension Governance: Risk Management Gone Awry!


Risk management is a cornerstone of sound pension governance yet very few pension funds understand what proper risk management actually entails. I will discuss some important risk management concepts below, highlighting the strengths and weaknesses of risk management using some clear examples.

Let's begin by defining "risk management". The five major risk categories below are taken from CPP Investment Board's site:

  1. Investment risk: The risk inherent in achieving investment goals and objectives, including market, credit and liquidity risk. The operationalization of our Risk/Return Accountability Framework has substantially increased the risk management focus of our investment decision-making. Under this approach, risk decisions are made at the total portfolio level. The board of directors approves an active risk limit, and management strives to maximize active returns within this limit not within individual asset classes.

  2. Strategic risk: The risk that an enterprise or particular business area will make inappropriate strategic choices or be unable to successfully implement selected strategies. The CPP Investment Board's business plans are created annually to operationalize our strategic direction. Progress against the business plans is reviews quarterly by senior management with our board of directors.

  3. Legislative and regulatory risk: The risk of loss due to non-compliance with actual or proposed laws, rules and regulations and prescribed industry practices. Our primary risk management strategy here is our compliance management process, which ensures we have robust practices in place to manage legislative and regulatory risk. It includes oversight by our Legal department and also obtains input from external legal counsel to ensure completeness and accuracy in compliance with all relevant regulations.

  4. Operational risk: The risk of loss from inadequate or failed internal processes, people or systems, or from external factors. Strategies to mitigate operational risk include performing risk and control reviews and continuing our strong hiring practices to ensure that we have the right resources to meet our business challenges. Our operational risk activities also include a business continuity program that defines the best response to any business interruption at the CPP Investment Board.

  5. Reputation risk: Risk of loss of reputation, credibility or image due to internal or external factors. Reputational risk management will continue to be a key focus for our Enterprise Risk and Controls Group in 2008. We will strengthen our approach by building on the solid foundation we currently have in place. The CPP Investment Board has built a culture based on strong ethics which guides all our activities as reflected in our code of conduct. As an example, all employees and directors are required to disclose and personal trading or business interests that might lead to a real potential or perceived conflict of interest or result in personal benefit.

In terms of managing risk, CPPIB states the following:

The board of directors is responsible for ensuring that management has identified the principal risks of the business and has established appropriate policies and internal controls. In turn, management is responsible for recommending policies to the board for its consideration and approval, establishing internal controls and procedures to effectively manage the risks of the organization and providing reports to the board and its committees. Internal auditors, in the course of executing their audit plans, also provide input to management and the board on the effectiveness of the organization’s risk management practices.

We continuously review, assess and manage our risk management concepts and other practices to ensure that risk is managed effectively. For example, the board of directors limits the maximum investment risk that management can assume. The board of directors likewise approves maximum allocations to various investment activities and asset classes.

It also approves credit risk limits, while the president approves the amount of risk that can be taken relative to passive benchmarks (active risk). We also manage cash liquidity risk. Management presents to the board a quarterly report on our compliance with all risk limits, other constraints and the effectiveness of our risk management controls.

It is worth noting that CPPIB happens to have implemented one of the better risk management systems around. They even have a whole division run by John Ilkiw, Senior Vice-President - Portfolio Design and Risk Management, that is responsible for research to support the development of investment policies and value-added strategies including risk management.

Furthermore, CPPIB has a set of policies, guidelines and by-laws that help govern all five risk categories mentioned above. Of these, The Statement of Investment of Objectives, Policies, return expectations and Risk Management for the Investment Portfolio, is the document that explains how investment risk is managed.

On page 7, we see how active risk - the risk taken away from the Policy Portfolio - is managed:

7.1 The Board reviews and approves annually a Fund-level active risk limit relative to the Reference Portfolio within which CPPIB has discretion to make and implement investment decisions with the objective of earning returns above the Reference Portfolio.

7.2 The risk limit is large enough to permit CPPIB the flexibility to achieve the total Fund value-added objectives established by the Board, but not so large as to put Fund assets at undue risk of loss relative to the performance of the Reference Portfolio.

7.3 At no time can the Fund’s active risk exceed the Board-established limit, unless authorized by the Board.

7.4 CPPIB monitors, evaluates and manages active risk exposures relative to Reference Portfolio and allocates risk exposures across investment departments as necessary to maximize the Fund’s active management returns.

7.5 CPPIB reports the active risk exposures to the Board at least quarterly or more frequently as required.

In terms of managing market, credit and other financial risks, CPPIB has implemented the following procedures:

9.1 Market risk is managed by diversifying across different asset classes and investment strategies such that Fund assets are not imprudently exposed to any single unexpected event. In addition, risk budgeting principles and analytical tools are used to measure, monitor and evaluate prospective Fund performance under different market conditions using Value-at-Risk and Capital-at-Risk measures.

9.2 Until credit risk can be reliably incorporated into an integrated market risk model, it will be managed by adhering to credit policies and limits developed by CPPIB, and reviewed and approved by the Board at least annually. Exceptions to Board approved policies or limits can be granted by the President and CEO, but are subject to the review of the Board as soon as is practical.

9.3 Individual private market investments that exceed Board-established dollar limits must be approved by the Board before being implemented. Examples of such private markets investments include private equity, private debt, private infrastructure and private real estate.

9.4 Wherever possible the volatility of private market or non-regularly traded assets is estimated using suitable public market proxies.

9.5 CPPIB reports the Fund’s exposure to market, credit and other financial risks to the Board at least quarterly or more frequently as required.

Now, a couple of my observations. As I have stated in previous posts, the failure of CPPIB to provide clear performance benchmarks for each and every internal and external investment activity is a serious shortcoming. The investment policies should cover all investment activities in detail, providing information on how the benchmarks accurately reflect the risk and return profile of underlying investments. Moreover, CPPIB should clearly state what the approved asset mix weight ranges for each of the major asset classes. CPPIB should also disclose the active risk budget for the total Fund.

In terms of risk management, however, it is clear that CPPIB has implemented a proactive approach by informing its board of directors on a quarterly or more frequent basis of prospective fund performance using Value-at-risk (VaR) and Capital-at-risk (CaR) measures. These measures ensure that any severe investment losses will be brought to the board's attention on a timely basis and the necessary steps will be taken to mitigate any losses that exceed VaR limits (VaR is estimate of the maximum potential change in the value of a portfolio of financial instruments with a given probability over a specified time period).

Why is this important? Well, go back to PSP Investments' 2008 Annual Report and ask yourself how did its board approve CDOs in the first place and what risk measures were undertaken to mitigate the risks of this portfolio? Was the $470 million loss in CDOs marked-to-market and if so, how did PSP's senior management and board allow it to reach such a level without stop losses being triggered or without properly hedging these losses?

I point this out because on page 21 of the Annual Report, we read that in addition to VaR, "PSP Investments uses other investment risk measures including stress testing, scenario analysis and
sensitivity analysis." Surely these measures should have sufficed to mitigate investment losses at a certain dollar amount.

They obviously did not work. The magnitude of the losses exposes some serious shortcomings in the entire risk management process that governs investments at the PSP Fund. (
Was the board of directors properly informed of the risks of these investments and were they made aware of the losses on a timely basis? If so, why weren't stop losses triggered and why wasn't the portfolio adequately hedged? Was there proper segregation of duties between risk management staff and investment staff and between the CIO & CEO functions at the pension fund? Who was ultimately responsible for these losses and more importantly how are they held accountable?)

Moreover, on page 15 of the Annual Report, we read the following:

PSP Investments has an active management strategy designed to add value to the Policy Portfolio, in accordance with a risk budget, approved by the Board, which management allocates to active strategies. Within this framework, management works to optimize its “roster” of active strategies, in order to meet the value-added objectives set out above, under the “Investment Objectives” heading.

Active management involves both internal and external managers and is not limited to the asset classes of the Policy Portfolio. It includes mandates in other spheres such as currency management and tactical asset- allocation across countries and asset classes. Indeed, PSP Investments believes that the best way to achieve its active management target is through the diversification of its return sources. That process continued in fiscal year 2008: we added four new active mandates, using internal and external managers.

Also, in the careers section of PSP Investments' website, under the position of Manager, External Managers Search & Monitoring, we read the following:

Within Public Markets at PSP Investments, the External Manager Search & Monitoring team currently manages a portfolio of approximately $12 billion. These assets are invested with over 20 external managers, in a variety of traditional and alternative strategies. The Manager, External Manager Search & Monitoring will play a crucial role in managing this portion of PSP’s assets.

Given the abysmal performance of active management in Public Markets in FY 2008 (equities underperfomed their benchmark primarily due to public equities' severe underperformance), shouldn't PSP Investments provide a detailed portfolio breakdown of these active internal and external strategies so that stakeholders can understand where losses were concentrated? Shouldn't PSP Investments disclose who is the Vice President responsible for searching and monitoring external managers and how this person and their team are compensated for this activity? (i.e. what is their performance benchmark and does it adequately reflect the beta and the risks of the underlying investment strategies?)

Importantly, if this $12 billion portfolio of external managers swings wildly from one year to the next, then this signals a concentration of beta (market) risk, indicating too many traditional and/or alternative managers that are highly correlated to public indexes. This might also indicate too many external managers are highly correlated to each other. If this is the case, then why bother paying investment management fees for beta when you can just as easily swap into a large cap index
or replicate their main positions through passive derivative instruments for a fraction of the cost?

I am not reinventing anything new here. Leading authorities on risk management like Dr. Frank Sortino have written books and papers about how to properly measure and mitigate against investment risk. One of these, Managing Downside Risks in Financial Markets, has a whole chapter that discusses risks from alpha to omega. For Sortino, it isn't just about risk-adjusted returns but about managing downside risks for each investment activity of a pension fund. (Dr. Sortino founded the Pension Research Institute).

It is worth noting that some pension funds also include explicit discussions on funding risk and operational risk management on their website. For example, the Hospitals of Ontario Pension Plan (HOOPP), states the following for funding risk management:

Living up to its pension obligations, current and future, is HOOPP’s number one priority. But it is by no means our only priority. On the funding side, we’re also committed to:
  • keeping contribution rates at reasonable levels, so the Plan remains affordable
  • keeping contribution rates stable, so that members and participating employers can budget accordingly

To help achieve these important objectives, HOOPP has implemented and advanced a number of funding risk management safeguards. For example:

  • HOOPP conducts a funding valuation each year to gauge the Plan's assets and liabilities (pension obligations). As part of the valuation process, HOOPP works with an independent actuarial advisor to prepare projections of its future funding requirements.
  • HOOPP has established a detailed funding policy that:
    • provides a framework for making informed funding decisions
    • sets “trigger” points that flag potential adjustments to contribution and/or benefit levels

While these are important safeguards, risk management is an ongoing process. HOOPP lowered its long-term investment return assumption in 2007. Adopting a lower, more conservative investment return assumption is consistent with the Plan’s move toward a more risk-averse investment strategy.

We also moved ahead with the implementation of a multi-year funding and risk management program designed to:

  • improve the quality and availability of funding data
  • better measure and manage funding risk
  • bring investment strategies more in line with funding needs
On operational risk management, HOOPP states the following:

In addition to funding and investment risk, HOOPP faces a number of operational risks related to the day-to-day governance and administration of the Plan. While it is impossible to predict let alone preclude every operational risk, HOOPP has – based on industry best practices – taken a number of key steps to protect the Plan and its stakeholders:

HOOPP’s Board conducts an annual review of its governance structure and procedures.

  • The Plan has a number of policies in place designed to minimize operational risk, such as:
    • a code of business conduct
    • a policy governing confidentiality and disclosure of information
    • a whistle-blower protection policy
    • conflicts of interest policies
    • a privacy policy

  • HOOPP has a regularly tested business continuity plan in place. This rigorous plan is designed to ensure that HOOPP can – in the event of a disaster – recover its critical systems at an off-site location and carry on core business functions (including the processing and payment of pensions).

  • During 2007:
    • HOOPP introduced a succession planning strategy to ensure it has the knowledge-based talent it needs going forward
    • moved forward with comprehensive reviews of its internal controls and compliance processes
I highlight whistle-blower protection policy because in my opinion, without proper protection for whistle-blowers, all risk management policies at pension funds are doomed to fail. This is the single most important policy and unfortunately very few public pension funds have implemented whistle-blowing protection policies with any teeth. (They should work with Certified Fraud Examiners to develop these policies and publicly disclose them to all stakeholders. Moreover, whistle-blowers should be protected for having the courage to come forth when they see something that is not in the best interest of beneficiaries and other stakeholders.)

Succession planning is also important and many pension funds do not take the adequate measures to ensure continuity of their investment staff if senior members leave. Of course, any pension fund (or investment fund for that matter) that suffers from a high employee turnover rate is doomed to suffer from low employee morale and succession planning issues. All of these issues need to be addressed by the board of directors and the information needs to be transparent to all stakeholders.

Finally, I urge all board of directors to view this checklist provided by the Japanese Financial Services Agency (press cancel when window pops up and print). Sound pension governance includes a self-assessment questionnaire that asks some tough questions. Given the importance of board of directors at these public pension funds, self-assessments should be carried out on an annual basis.

Comments