September 28, 2017

Operational Risk Is the Achilles’ Heel of DC Plans

A Framework for Managing It

Risk can generally be defined as the chance of something happening that will impact entities’ or individuals’ ability to achieve their objectives. For retirement plans, investment risk and longevity risk tend to receive the most attention from the media and stakeholders alike. However, as defined contribution (DC) plans continue to grow in size and complexity, sponsors need to strengthen their focus on operational risk.

Managing operational risk matters. The potential consequences of failing to adequately address operational risk can be severe. Events such as compliance failures, reporting errors and data breaches may lead to sizeable losses and/or litigation and could threaten the tax-qualified status of the plan. Many experts believe that operational risk, more than any other risk category, is the leading cause of reputation risk.

Managing operational risk effectively may lead to improved service quality, reduced costs, improved participant decision making and better compliance. Moreover, it can help to improve stakeholder confidence, which, in turn, may help to position the DC plan for continuously improved outcomes across key goals, such as employee participation, deferral rates, retention of rollover-eligible assets (where that is a goal), cost effectiveness and participant investment diversification.

Overview of Operational Risk

Operational risk is the risk of direct or indirect loss resulting from external events or from inadequate or failed internal processes, people and systems. For DC plans, operational risk encompasses potential losses attributable to failures across a range of functions, including Internal Revenue Code (IRC) compliance, participant financial reporting, transaction processing, data security, technology, business continuity and vendor management. Given that scope, operational risk is considered by many experts to be the broadest, largest and most complex risk category. (See “Operational Risk in Context: Other DC Plan Risks” near the bottom of this page.) The overlap among some functions, such as data security and vendor management, adds to the complexity.

The following are just a few hypothetical examples of operational risk events by function:

IRC Compliance
A third-party administrator (TPA) inadvertently allows participants in a governmental deferred compensation plan under IRC Section 457(b) to contribute amounts in excess of the 2017 limit of $18,000.

Transaction Processing
Participant-requested investment transfers are delayed by several business days during which the value of the affected investment options changes materially.

Participant Financial Reporting
Participant statements misstate balances, prompting some participants to transfer assets to higher-risk investment options that subsequently incur losses.

Vendor Selection
A plan sponsor selects a new TPA only to find out that the TPA is exiting the business and/or possesses inadequate capabilities, necessitating another change in TPA.

Data Security
A plan sponsor and its TPA unknowingly cause a data breach when exchanging confidential information about participants.

Operational failures can, and do, occur in part because of transaction volume, multiple interfaces, manual processes and changing regulatory frameworks. Evolving plan designs, investment structures, technology and service-delivery platforms can also increase operational risk. For example, the move among DC plans to adopt features such as auto-enrollment, auto-escalation and investment guidance may enhance plan design, but it adds new operational requirements.

DC plan sponsors should seek to fully understand their vulnerability to operational risk. Protecting plan assets and data, as well as the plan’s tax-qualified status, requires an increasingly sophisticated approach to managing operational risk. Adopting an integrated framework for managing operational risk, as discussed below, can be particularly helpful now, when data breaches generally are becoming more frequent and growing in magnitude.

Key Components of a Framework for Managing Operational Risk

DC plan sponsors typically delegate operational risk management to service providers and staff who manage risk in accordance with responsibilities documented in contracts, policies and job descriptions. TPAs that provide participant recordkeeping, communications, contribution processing, website maintenance and records retention bear extensive responsibility for managing operational risk due to the breadth of their operations. A plan’s investment managers, auditor, custodian, counsel and investment consultant also share responsibility within their respective functions.

Despite delegating risk-management tasks, DC plan sponsors remain responsible as fiduciaries for the adequacy of their oversight across all functions and risk categories. If they have not already done so, plan sponsors, their staffs and service providers must establish and maintain a framework to minimize the probability and severity of loss related to operational-risk events.

Responsibilities of Public Sector DC Plan Fiduciaries

“Plan fiduciary” is a longstanding legal term under the common law of trusts defined as anyone who:

  • Exercises discretionary authority or control over plan assets,
  • Exercises discretionary authority or responsibility in plan management or administration, or
  • Renders investment advice for a fee or other compensation.

That definition was codified by the Employee Retirement Income Security Act of 1974 (ERISA), which also described the affirmative duties of a fiduciary as including:

  • Acting prudently with respect to plan assets,
  • Diversifying investment of assets to minimize risk of large losses,
  • Acting with loyalty for the exclusive benefit of trust beneficiaries, and
  • Complying with plan provisions and applicable laws.

Although public sector plans are not subject to ERISA, the law provides best practices that many plan sponsors choose to follow, and many state and local laws contain fiduciary standards that are similar to ERISA rules.

When a plan sponsor hires someone to conduct plan management functions, that hiring is itself a fiduciary act, and it requires oversight of the plan providers and any functions they perform.

A number of large public sector retirement plan sponsors, like other institutional investors, already maintain distinct risk and compliance units to centralize accountability within their organizations. While that approach may not be practical for smaller plans or plans with limited resources, DC plan sponsors may be able to manage their operational risk equally well by adopting a framework that includes the following components:

  • A governance structure that enables assignment of risk-management roles, and reporting requirements documented in policies, contracts and job descriptions;
  • A manageable program for conducting operational audits and risk assessments (described in the text box below) to evaluate the integrity of internal controls, compliance, participant financial reporting, service quality and data security;
  • A documented approach to managing data security risks to be implemented as a component of the operational risk program or as a stand-alone policy;
  • Periodic peer reviews, benchmarking and reviews of request-for-proposal (RFP) processes to evaluate investment-related expenses and fees, disclosure practices and investment structure design in the context of best practices;
  • A comprehensive investment policy that provides a framework for investment program design, decision making, monitoring and performance measurement; and
  • Key performance and risk measures to establish thresholds across plan functions, including, for example, telephone customer service, contribution processing and website availability.

Risk management and internal controls are intended to reduce the probability of operational failures and, if failures do occur, the severity of their impact. This framework lays a solid foundation for effective oversight of DC plan operational risk.


Operational Risk Assessments

In addition to performing periodic audits of operations, plan sponsors may wish to conduct other risk assessments, for example:

  • Testing controls put in place by TPAs and custodians through statistical sampling.
  • Reviewing service providers’ Service Organization Control (SOC) audits (SOC 1® and SOC 2®*), paying particular attention to any negative findings.
  • Benchmarking administrative costs, investment fees and related disclosures relative to peer and best practices.
  • Conducting periodic surveys to measure participant satisfaction and service quality.
  • Auditing performance of key functions, including contribution processing, plan document adherence and call center responsiveness, against agreed-upon standards (“report cards”).

For DC plan sponsors that wish to delegate responsibility for these assessments to outside experts, Segal Consulting, Segal Marco Advisors and/or external auditors can perform operational risk assessments.

* SOC reports are an independent auditor’s assessment of service providers’ procedures. They are part of the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements.

Getting Started on an Integrated Approach to Managing Operational Risk

Many state and local jurisdictions that offer DC plans already have in place some of the components outlined above. Combining those components into an integrated approach to managing operational risk demonstrates an awareness of risk and an understanding of the importance of addressing it that participants, service providers and other stakeholders may find reassuring.

Recommended first steps to an integrated approach to managing operational risk include:

  • Review committee charters (where applicable), contracts and job descriptions to ensure that they specify who is responsible for managing each risk by category.
  • Catalogue planned audits and assessments to ensure that they cover key areas, including contribution processing, plan documents and regulatory compliance.
  • Request a copy of your key service providers’ cybersecurity policies and business-continuity plans, and ask for annual updates. Consider developing an internal policy.
  • Check the investment policy to ensure that it properly documents the current state of the menu of investment options, roles of fiduciaries and reporting requirements.
  • Review service providers’ reports to ensure that they provide a snapshot of results against a set of key risk measures in an executive-summary or dashboard format.

Although the above steps may seem routine, they can mark the beginnings of a repeatable framework that positions the plan for management of known — and unknown — risks and improved results across compliance, operational and participant-service functions.


Operational Risk in Context: Other DC Plan Risks


Questions? Contact Us

For more information about managing operational risk or other risks DC plans face, contact your Segal benefits consultant and your Segal Marco Advisors investment consultant or the following authors:

Wendy Carter

Julian Regan

Segal’s consulting services for state and local governments that sponsor DC plans include the following:

  • Plan design,
  • Plan assessment studies,
  • Participant communications,
  • Compliance consulting,
  • Vendor searches for TPAs and other service providers, and
  • Administration and technology consulting.

Segal Marco Advisors, the SEC-registered member of The Segal Group, provides the following investment solutions for DC plan sponsors:

  • Fiduciary oversight and training,
  • Creation and ongoing review of investment policy statements,
  • Ongoing monitoring and performance analysis,
  • Investment menu design and evaluation,
  • Selection of best-in-class investment managers and options,
  • Oversight and monitoring of recordkeepers, and
  • Benchmarking services (including fees and administrative services).

Segal Select Insurance Services, Inc., the member of The Segal Group that provides brokerage services for a wide range of insurance coverage, can help plan sponsors obtain fiduciary liability, cyber liability insurance and crime insurance.




Public sector entities face tough decisions. We understand those challenges as well as options for meeting them. Having worked with hundreds of public sector clients for more than 50 years, Segal Consulting has insight into the spectrum of design characteristics and features of all types of compensation and benefit plans throughout all levels of government. We provide the following services:

  • Health and welfare plan consulting for active and retiree coverage, including pharmacy benefit management,
  • Defined benefit and defined contribution retirement plan consulting, including plan design and modeling,
  • Compliance consulting,
  • Benchmarking and design of total rewards that encompass financial and non-financial rewards,
  • Participant communications, including personalized statements, and
  • Administration and technology consulting.

Segal Marco Advisors provides investment solutions.

Segal Select Insurance Services, Inc. provides brokerage services for a wide range of insurance coverage, including fiduciary liability insurance and cyber liability insurance.
