Taking on some risky business

Kris Hall
Reporter
Professional Pensions
Hall joined Professional Pensions as a reporter in July 2005. Prior to this he worked on local newspapers for more than three years. He has since left PP.

Geraldine Brassett
Head of client management
MNPA
Brassett is head of client management, responsible for the management of client relationships through MNPA’s client management team and for a portfolio of her own clients. She has wide experience of administration from a third-party administrator and in-house perspective. She regularly speaks on administration topics and is a FPMI.

Brian Critchell
Senior account manager
Paymaster
Critchell is responsible for relationships with a number of key clients, and is also in charge of Paymaster’s technical development team.

Steve Connor
Technical director
HS Administrative Services
Connor is technical director for HS Administrative Services. HS is a specialist provider of third-party scheme administration and a member of the AEGON Group. Connor has worked for HS for 14 years and, in addition to his general management role, has overall responsibility for systems infrastructure, development and operations.

Clive Wickenden
Client services director
Capita Hartshead
Wickenden looks after and makes sure Capita Hartshead is providing the services its clients really want.


Hall: Risk management is becoming increasingly important to scheme administrators, both from regulatory pressure and strengthening reports and internal controls. I will start by asking whether there is an argument for more focus to be placed on risk management in the industry, especially as the pensions industry is becoming more regulated and more controlled.

Wickenden: We are already seeing increased focus. In the last 12-18 months The Pensions Regulator has been taking a very active interest in governance and risk management.
At the end of November they issued their code of practice on internal controls. Certainly the trustee boards that I work with have been taking a much more active interest in risk and management over the last 12 months. Most of the larger ones already now have annual business plans and risk registers that they review, certainly twice a year if not every meeting.
At Capita, we are very risk conscious; we produce a FRAG21 report every year and have done so for the last four years, which we distribute to all our clients. We take risk very, very seriously. We are there, although there is a way to go as not every scheme has started thinking about it yet.

Hall: Do you think this is a combination of what you’re doing yourself or something that predominantly the advisers or administrators should be looking at?

Wickenden: I think advisers are looking at it, because they see it as another income stream. I think it is being driven by the regulator and central bodies and consulting actuaries and administrators.
Plus, good pension schemes – any good pension scheme with an independent trustee will certainly be thinking about it already. It is just keeping the momentum going.

Hall: Geraldine, what is the administrator’s point of view?

Brassett: I absolutely agree with Clive. It is quite interesting, because we have seen the focus on internal controls and scheme governance grow rapidly in the last 18 months. This has been evidenced by a number of changes.
We have seen more organisations as a matter of good practice wanting to send in their own internal audit teams to review our systems, processes and so on.
Again, picking up on Clive’s earlier point the majority of our trustees have business plans in place and risk registers that they review regularly.
All these points highlight an increased focus from trustees on administration. Prior to simplification it was not unusual for admini-stration to be low down the agenda and have a five minute slot to cover the key points from the stewardship report.
Now, they are much more interested in how we manage risk within their pension scheme and how you translate that through to running our organisation.
Like Capita, MNPA is very risk focused, we manage our business through quantifying and mitigating risk. Although some organisations produce FRAG 21 reports, at MNPA we have adopted the AAF 0106 new standard that has been published by the Audit and Assurance Facility of the Institute of Chartered Accountants in England and Wales, which tests the robustness of your control environment.
More visibility and evidence of internal controls needs to be provided by administrators to their client – they need to be proactive, not reactive in providing that information.

Hall: Are these sentiments the rest of you would agree with?

Critchell: You are going to get a great deal of agreement here. Paymaster was one of the first to publish a FRAG report. I echo the point that this is already best practice and the best run schemes have been focused on risk management for some considerable time. It is just now got onto the political agenda.
The problem will be for the middle-order and the smaller pension schemes – how are they going to deal with the issue of internal controls? Clive mentioned the regulator’s new code of practice 09.
Let me just say it was extremely well written and very concise – not at all prescriptive, which is of benefit because it does not tie down the larger pension schemes and the larger organisations like ourselves that already have established control procedures and practices.
It does not actually give a lot of guidance to the smaller schemes and providers, other than to say maybe you don’t need to be quite so prescriptive.
Nevertheless, all pension schemes have to have a code of internal controls. Let us hope that what we do is able to be disseminated and trickle down and be adapted for that middle order, so that all pensions schemes can comply with the regulator’s requirements.

Hall: Deviating a little from what you are saying, do you think there is perhaps a level difference between the larger schemes, the middle-order and the tail-end schemes in the size of scheme and the level of risk management that is being adopted?

Critchell: There should not be a difference, but it is a fact of life that very large pension schemes have the resources to make risk management easier.
We have already mentioned how some organisations use internal auditors to come into their pension administrators, to provide additional investigative analysis of whether the control processes are working. Not every employer is able to do that, so there will be graded approaches to this in the marketplace, as there usually is.
Connor: You will find much agreement here as risk management is an important issue for all administration providers.
Although risk and its control have been the focus of much recent publicity, in reality it is simply part of the day-to-day agenda, and business as usual, for administration companies. Recent legislative changes have also generated a range of project work and hence even more attention being given to the techniques of risk management amongst trustees and those involved with their schemes administration.
The benefits of an effective risk-management approach, involving the two stage process of risk assessment and risk mitigation, is applicable to all schemes regardless of their size precisely because it identifies those risks relevant to the specific scheme.

Hall: That guides us into the second question. What are the most common risks, and how do different risks concern different schemes?

Connor: There are a number of generic areas of risk that are relevant to most schemes. These might include the quality of data, accuracy of calculations and robustness of process amongst others.
The key issue is to consider the background and idiosyncrasies of a specific schemes and quantify the degree to which the risks apply to that individual scheme. The point is that while there are obvious and common risks, they do not apply equally and it is really up to schemes to apply risk techniques to their own circumstances.
One of the things that we should be doing as administrators is to help trustees by being open and making them aware of any risks that we perceive. Administrators understand the intricacies of individual schemes and are ideally poised to provide trustees with this information. I think that this is an area where an experienced administrator can add real value.

Hall: Taking that into account, is the onus on administrators to improve the way they approach the trustees, in speaking a language the trustees understand?
Obviously the onus is now on trustees to get to grips with schemes and understand more, almost to lead the scheme themselves. In terms of the administrator’s role, in the past there has been a suggestion that trustees and administrators have been two separate parties that have not been singing from the same hymn sheet.

Connor: Trustees are a knowledgeable and intelligent group of people who take their duties very seriously so there is certainly no need to “dumb things down”.
I think it is just a communication issue, to make sure that trustees are adequately informed of any administration risks, without necessarily having to be cognisant with all the intricacies and practicalities of carrying out administration themselves, unless of course they want to be.

Critchell: I agree with Steve on that entirely, but nevertheless it is an opportunity for administrators as professionals to clearly demonstrate some value-add in what has often been seen as a commodity. There is an opportunity also to make the admin session of trustees’ meetings “sexy” and exciting when talking about risk issues.
We complain that we do not often get a full hearing and sometimes we are on at the end of trustee meetings around big issues. I understand entirely where trustees are coming from. When Maxwell fell off the boat it was not because of pension administration, it was because of fraud and lack of security of assets in the pension funds. Investment risk and funding risk are huge issues.
However, there is an opportunity for us to be proactive and demonstrate that the culture we have embedded for so long in managing operational risk is a valuable tool, with an additional check on what trustees are trying to achieve in managing risk across the whole pension scheme.
You might almost argue that governance has now become a risk because of the increased focus we have on it.

Brassett: It is interesting picking up on your point about making administration “sexy” and exciting for trustees – which we all know it has been for ages anyway.
I think it is incumbent on the administrator now to give visibility to controls. Trustees want proof that appropriate controls exist and are being adhered to and the governance that the administration of the scheme is operating within – it is not enough to turn up and say everything is fine, it has to be evidenced.
There is a much greater requirement on administrators to provide that visibility and evidence of the quality of the controls. At the moment we are trying to do that in quite a difficult environment because new legislation is not prescriptive in how things are done, only that they must be done. When you think of the new simplification requirements, they are not terribly prescriptive in terms of process.
That means that HM Revenue & Customs’ intention is the operation of a light-touch regime, but we are trying to implement that against a backdrop of increased governance and a need to protect the trustees. There is a sense that they almost contradict each other. You have to have robust controls to protect the trustees and yet we are being told that the benefits of the light-touch regime means that we do not have to work to such prescriptive methods as we used to.
It is a challenge at the moment to get that balance right and we are all finding our way to achieving best practice.
You also mentioned calculations – of course the type of administration service we deliver these days is very much geared around automated calculations. That to a large degree gives you increased risk, because once you have automated a calculation and signed it off and are using it in the live environment it will only be subject to spot-checking.
It is very important therefore that trustees satisfy themselves that those controls which govern initial testing, regression testing and sign-off are extremely robust, because if that is not done properly a systematic error could result that could be perpetuated going forwards.

Wickenden: Administration, over recent times, has formed a large percentage of the complaints The Pensions Advisory Service (TPAS) have had to deal with. Trustees are taking admin much more seriously now than they used to. Certainly the four of us around this table can remember where you just turned up, told them what you’d done and went away.
Now you are questioned. Again, historically, third-party administrators (TPAs) always reported the quantity of work they had done and not the quality of the work they’d done. There’s certainly a move within the industry, I think it started with companies such as ourselves, to shift the focus on that onto much more qualitative reporting and making trustees aware of all the good work we do.
Yes, things do go wrong occasionally but they form a very small minority of the work we do. When they do go wrong, we have the controls and the procedures in place to make sure it doesn’t happen again.

Hall: We’ve talked about administrators previously being about quantity not quality. What is going to change in the approach? Administration is a commodity, and, at the end of the day, whether it’s quantity or quality, you’ve still got to make your money and these schemes are still just your clients. How far do you go? It is a money-making business for the likes of yourselves at the end of the day.

Connor: How far you go is based on your assessment of risk and you go as far as you need to, to get the risk to an acceptable level.
Having reduced risk to a level acceptable to the trustee and to the administrator, you then have to make sure your business is profitable as well. The point is that you cannot have one without the other. It would be impossible in the long term to have a profitable business unless you managed risk effectively because, sooner or later, badly managed risk will come back and bite you.
All the quality providers are in the same boat in that we want to manage our risks to an acceptable level for all parties concerned. In that respect it is a relatively level playing field, although I would not call it commoditised.

Hall: You also mentioned earlier on the internal controls, the Code 09 from TPR. With legislation that in many respects hampers the industry and in other respects aids it, is there not a risk or a fear that the industry could end up benchmarking risk management? Then once that is benchmarked, who wants to move beyond that benchmark?
Is that a fear? Is it is something that could inevitably happen?

Wickenden: There is a fear in some quarters of over governance. I think we are seeing that, certainly in the defined contributions side.
The four of us might not like to admit it, but I am sure we would agree there is a shift in the DC market from trust towards contract. A lot of that is because companies and employers don’t particularly want all the governance issues that go with trusts. It will be interesting to see the consultation and the feedback that the regulator gets on the paper that they issued on governance in DC schemes. It is intimated that it will also apply to contract-based schemes. Will we see a renaissance of trust? Who knows?
Personally I do not think so. I would not want to second-guess where the industry’s going. I am not so sure about benchmarking on risk management.

Brassett: Ultimately it will become a “tick in the box”. It will never be a positive differentiator between one provider and another. Trustees looking for administration services from providers like us will expect it to be there.
It is more likely to be a negative differentiator if a third party administrator cannot evidence it. It will always be features of the service over and above that governance, providing you have got that “tick in the box” that will differentiate one provider from the other. Some of those measures you were talking about will become more important providing the right governance is there. Benchmarking between providers will happen.
This new AAF 0106 standard will potentially be the catalyst that will make that happen. Although some providers have produced FRAG21 reports, they have never been able to benchmark one provider against the other in quite the same way as adoption of this new standard will allow the industry to do.
It will be interesting to see how many providers adopt the new standard and in what time scales, thereby providing a very visible benchmarking of robustness of control environments, one provider against another.

Hall: In that respect, is it time that the government and the industry sat back and let the controls, standards and codes that are in place now do their job? With a watchful eye, if you like? They seem to be pushing so much into the arena at the moment, there seems to be so much that pension schemes, trustees and employees have to get to grips with.

Critchell: I agree with the comment Geraldine made; we are in danger of becoming over regulated and there is the law of unintended consequences.
I am not sure that you can say categorically that the vast increase in regulation has hastened the demise of good quality defined benefit schemes, and employers looking for an escape route have moved to contract-based DC plans. But it certainly must have been a factor. On the other hand, I do not think laissez faire is a valid way forward either. We have got to strike a balance between the regulators and the industry.
There is evidence that we have a much more consultative government than we have had in the past. Almost anything goes out to consultation and they do listen. We have kept going on about TPR’s code of practice 09, but it was well written and incorporated material sourced from Watson Wyatt, I think.
That is evidence of the legislators listening to the industry and us all trying to work together to come up with a sensible balance between regulation and actually getting the job done. We do not always succeed, but we have to keep trying, so laissez faire is out.

Hall: Figures recently published by the Association of British Insurers made me think. A lot of people have been hinting that it would happen very soon and it now seems that membership of the DC schemes outweighs that of the DB schemes. Obviously it is based on a poll, so we can take that with a pinch of salt. Essentially, there are huge differences between a DC scheme and a DB scheme, but how do those translate into risk management?

Wickenden: Yes, the risks are still there, they are just slightly different. You have not got the automated calculation routine risk, but a major risk is making sure the money is invested on time in the right place.
I am sure we are all aware of instances where that has not happened and we have had to face the consequences.
It is a complete nightmare to try and unwind and redo DC investments. I know of a few consultancies/administrators that have had major issues on that, or did a few years ago, most of them have got their house in order now.
So it is a different set of risks, but they need to be managed in exactly the same way.
Hall: All agreed?

Brassett: Yes, the principles are the same.

Hall: We have mentioned risks and techniques. Coming back to the main theme, how do you effectively identify risks, and, once you have identified them, how do you assess them and where do you go from there? Do you each have a different plan that you follow?

Connor: There are many aspects to this. For a start, the business processes themselves have to be thoroughly well engineered. As part of the normal operations, an assessment of risk is built in from the design stage onwards.
We have people with specific expertise in the areas of audit, risk assessment and compliance. We have people involved in legislative analysis to make sure that our processes are based on sound principles. Internal audit, external audit, ISO accreditation and a comprehensive information security policy all play their part.
We are very happy to work with auditors engaged directly on behalf of our clients as well as all audits provide opportunities to learn and improve.
A risk based approach to audit is now the norm and the findings are all the better as a result. We are constantly involved and subject to risk assessment, it has become a fact of life and part of our day-to-day processes.

Critchell: That is absolutely right, it is an ongoing process. We might have differences in the degree of what we do, but essentially the principles are the same.
That is why we were so confident earlier in the assertion that some trustees might benefit from just having a look at the risk control processes that we use in administration, and adopting them elsewhere. The basis that we use is generally called enterprise risk management and it is a structured process. Essentially it means you have to understand the context in which you are operating.
Steve made the point about the appetite you need as a commercial organisation to accept some levels of risk. There are risks from changes in regulation and changes in legislation, but any review or assessment should include existing risks, to ensure you have identified who owns them and what category they fall into, whether they are external risks or whether it is something within your own organisation.
You must be careful not to be completely inward looking, for example, see whether you have any dependencies. We have a lot of clients we share with other organisations. Obviously, we share them with investment managers and some risks are insured and offloaded.
Having a lot of dependencies can affect the way in which we can manage risk for those pension schemes. We have to prioritise risks, identify the controls to put in place to mitigate them, see if they’re effective or not and see what the net position is – whether we and the trustees can live with that – and then identify what we need to do as further action. We then tend to use a red-amber-green traffic light approach.
That is what trustees like to see in reports. It is now becoming a governance requirement that we should report annually to trustees about the effectiveness of our risk review. This process is continuous. If at any point in that cycle you do not come to an acceptable answer, you need to go back and start again until you have got it right. My best tip for the day is to have a team staff suggestion box.
As client managers, we are often focused on the trustees. It pays to listen to the people who are actually doing the work. Often they will come up with some really good ideas that we haven’t thought of.

Brassett: That is a really good point, because the way we operate risk management within our organisation is to try and make it part of our culture.
There’s no point having your risk management structure determined by the people at the top and actually not part of the way you work for the teams providing services on a day-to-day basis. The way MNPA operates is that every department, client management, administration and so on is actually involved in determining their own risks and then the contingency plans and the mitigating actions for those risks. This results in buy in from the whole business to the risk management structure.
Often the only people who can mitigate those risks are the people who are actually delivering the service. It is very, very important that the whole organisation buys in to your risk management strategy and understands what risks you’re trying to mitigate and how you are trying to mitigate them. The other point, picking up on what Brian said, is internal measures.
If you have not got the right internal measures in place, you cannot actually know what some of your risks might be. If you are not measuring your levels of internal and external service failures or, for example, levels of re-work, you cannot properly quantify your risk. Your risk register and your measures must tie in together.

Wickenden: I do not have a lot to add to any of that. I think Steve mentioned early on, every scheme is going to be slightly different. There are a lot of generic tools out there on the market, but bear in mind that we cannot just apply them carte blanche.
It is vital that you take the views of everybody involved in the scheme. Different layers of people will see different risks. If you have a trustee board with financial directors and company directors on it they are going to be looking at a much different risk than the administrator who is doing the day-to-day work. You need to take the views of everyone involved to make sure that you get the full range of risks covered and build your risk register around those.

Hall: This might seem like a naïve question, but when you take on a new client or a new scheme, you obviously approach the trustees – is there a way that you prioritise the way you assess the different risks?
Would you start in the investment area, for example, or would you start in another area? Obviously the trustees will want to start seeing results as early on as possible. Is there a particular area that you would target?

Wickenden: I think the first area we would go through would be the implementation project. There are inherent risks in taking a new client on, as we’ll all be aware.
Certainly over the last three or four years, trustees have become very, very interested in those risks. Probably because a lot of them had things that have gone wrong when they tried to move previously. That is something becoming more and more a focus of any new business pitch now, how well the implementation project will be managed and the risk reporting that goes on into that.
As part of that process, we would sit down and talk with trustees and try and get to know what they think the risks are in their operations. We know where the potential risks are in what we do, but again coming back to it, every scheme is different.
You need to talk to the trustees and the people involved on the other side of the fence to find out and make sure you have everything covered, or there might be something you won’t be aware of in taking that on, to build into your risk matrix and risk register so you can then monitor and report on it going forward.

Brassett: That implementation piece is really important, because quite often that sets the tone of the service going forward.
The better you manage the risks around that implementation, the better the service you are likely to have going forward.
Quite a lot of providers now precede the implementation process with a due diligence exercise, which means they do some risk assessment even before they start to implement, and sometimes even before they are appointed to provide the service. So looking at risk starts really early on in the process, even before point of sale.

Hall: From the other point of view, if you like, if a contract comes to an end and you are replaced with another player, is there feedback between yourself and the client? Where are we going wrong, why is our replacement taking this contract, where can we improve our sales? Or is it a case of contract loss, forget about it and move on?

Critchell: It is a very difficult question to answer because contracts come to an end for a variety of reasons. You might be caught up in the corporate restructuring of a global company, or the merger of several UK schemes to save money.
We could be the innocent party as in that example, but if you’ve lost a client for poor service, there shouldn’t be any surprises by the time you come to lose them. If you have ignored the warning signals, either your own signals from your own internal assessments, or the feedback from the client and from the members, then some might argue that you probably deserved your fate.
Having said this, one of the by-products of this new focus on risk management and reporting is that, as a commercial organisation, you will now have more tools to assess the strength of your client relationships. From my perspective, our risk management process includes an assessment of the impact on the customer relationship of any of the risks that we’re trying to manage.
So we are actually building in early warning signals to avoid relationships going wrong and leading to the loss of a client before it happens.

Connor: I think that a risk management regime, important though it is, has to operate alongside sound, fundamental business principles.
Those of being open, honest and trying to avoid any surprises for your clients are high on my list. Possibly the most effective risk mitigation techniques of all are those of encouraging personal ownership and the application of common sense to all the activities within our organisations.
Of course you still have to maintain formal risk controls to ensure that everyone understands the full extent of exposure, but it should be a very rare event for clients to bring any deficiencies to your attention. Not because problems never occur, of course they do from time to time, but because you are proactive in managing risks and communication issues with the client.
In fact, having effective communication channels with your clients is in itself another very effective mechanism to minimise risk.

Hall: You have identified the risk, you have assessed the risks and you are moving on to manage the risks. I am generally interested in how technology plays a key role in all of this. Has technology made your job easier or harder in the respect that it has opened so many more doors for you? Technology surely plays a huge role?

Connor: Technology provides huge opportunities but can be a double-edged sword as it also provides unique areas of risk that need to be managed, particularly in terms of avoiding the introduction of systematic error.
You must have effective testing and management control of your technology in place to avoid these problems. Of course technology gives you real strength from a process viewpoint and its application to workflow is particularly effective from a risk perspective, enabling standardised processes to be properly designed, applied