One year after CAPSA released its new Guideline No. 10 on Risk Management for Plan Administrators, most pension plan administrators (including administrators of DB, DC and other capital accumulation plans) have begun their journey towards compliance and are committed to formalizing or enhancing their risk management frameworks. The pace and maturity of implementation vary significantly across plans, influenced by type of plan, size, complexity of administration and of investment and funding strategies, existing governance structures and the administrator’s experience with risk oversight.
Compliance in Practice: A Phased Implementation Approach
As administrators translate the guideline into practice, many have found value in treating implementation as a phased journey. In their first year, most have followed a simple three-step action plan:
- Training: acknowledging the new guideline and providing comprehensive training to key concerned parties, including representatives of the plan administrator and plan sponsor.
- Gap analysis: conducting a diagnostic to identify gaps in the current risk management practices against the guideline’s expectations.
- Formalization of the risk management framework, including:
  - Drafting a formal overall risk statement that sets out risk appetite, tolerance and limits.
  - Developing a central risk management dashboard that consolidates the four required steps of the risk management process: identifying, evaluating, managing and monitoring risks.
Lessons From the Field: What We’re Seeing in Practice
What has emerged is a clear sense of momentum and intent. Most administrators have taken measurable steps toward compliance, recognizing the need for enhanced documentation and structure. Some pension plans are building entirely from scratch; many already had foundational elements or tools in place that could be leveraged or expanded. Still, there is considerable variation across the industry. The principle of proportionality has been widely embraced, but its interpretation varies. Larger plans with internal risk teams are building sophisticated frameworks supported by detailed dashboards and robust controls. Smaller or less complex plans are more likely to adopt a simpler approach that adapts existing tools.
Common Gaps Observed
Several gaps identified during the diagnostic phase are common to many plans. Many administrators still lack a clearly articulated and documented risk statement that defines risk appetite, tolerance and limits. Others have not fully documented their risk management process, and what exists is often scattered across several documents. Many have yet to develop a consistent approach to evaluating residual risk. Governance documents that pre-date Guideline No. 10 often require updates, and oversight mechanisms for third-party and cybersecurity risks are frequently underdeveloped. On cybersecurity specifically, many plans focus heavily on preventive controls but have invested far less in resilience: the incident response and recovery planning that limits the impact of an incident and supports rapid recovery should one occur. ESG integration also remains a source of uncertainty, with administrators seeking clear, practical ways to embed ESG considerations into governance and risk assessments. DC-specific risks such as member communication and education and retirement readiness are often neglected, especially when the DC plan is the successor to a legacy DB plan.
Implementation Challenges and Ideas to Explore
The following themes highlight the most common implementation challenges plan administrators are encountering, along with practical ideas to guide next-stage improvements:
- Right-sizing complexity: Smaller or less complex plans may struggle to balance thoroughness with practicality. This is the principle of proportionality, which can be hard to translate into practice. Applied well, it keeps risk management effective, efficient and manageable, without overburdening the plan with unnecessary complexity, taking into account the complexity of the plan’s strategies, its level of operational risk and its overall sophistication. A simplified approach might, for example, use a streamlined dashboard that gives a qualitative evaluation of residual risk for broad categories of risk rather than for each individual risk.
- Agreeing on an overall risk statement: This step can be challenging, in part because administrators often have different appetites for financial and non-financial risks. Financial risks (such as investment risk) are generally compensated and contribute to plan objectives, whereas non-financial risks (such as operational, legal or cyber risk) are typically uncompensated, so the appetite for them is much lower, though it must still be balanced against the cost of control measures. There is also frequent confusion between risk appetite and risk tolerance, which are sometimes used interchangeably despite having distinct meanings.
Risk appetite reflects the level of risk the administrator is willing to accept in pursuit of plan objectives (an aspirational concept).
Risk tolerance reflects the acceptable variation in outcomes for a given risk (an operational boundary).
Risk limits are the specific, measurable thresholds that put tolerance into operation and trigger action when they are breached.
Appetite, tolerance and limits can be defined at the plan level or by major risk category. Ultimately, what matters most is consistency: future decisions on pension plan management must align with the agreed-upon overall risk statement.
- Clarifying responsibilities: Define the boundaries of responsibility between the plan administrator, the plan sponsor and third parties, whether those third parties sit within the sponsor organization or outside it. Delegating tasks does not delegate accountability: fiduciary duty ultimately lies with the plan administrator.
- Building on existing organizational risk frameworks: Where an enterprise risk framework already exists, build on it and align the pension-specific framework with it to avoid duplication and inconsistency. At the same time, keep in mind that enterprise frameworks may not be sufficiently pension-specific or easy to apply to plan operations in practice.
- Considering consolidation: A comprehensive risk dashboard is a powerful way to demonstrate a consolidated risk management framework. Centralizing the various tools created over time, and confirming the purpose and continued relevance of each existing document, produces a more integrated and streamlined governance structure.
- Improving ESG oversight: How much is enough? Approaches to ESG risk range from high level to very detailed, and the chosen approach can evolve as the plan administrator’s knowledge matures. Treat ESG oversight as an ongoing area for maturity, not a one-time checklist item.
- Improving cybersecurity oversight: Plan administrators often argue that this risk belongs to the third parties who actually operate the technology used in the plan’s daily operations, and that the sponsor organization’s cyber risk management and insurance are sufficient. Outsourcing the operation does not transfer the accountability: fiduciary liability always lies with the plan administrator, who must assess and ensure proper management of cyber risk both at the third-party level and at their own level. In practice this means obtaining assurance about third-party controls (through due diligence, contractual security requirements and independent assurance where available) and knowing how an incident at a third party would be detected, reported and recovered from. Consulting IT and cyber risk experts is essential, as is obtaining confirmation of adequate cyber insurance for third parties and for the administrator itself, bearing in mind that insurance mitigates the financial consequences of an incident but does not replace controls, incident response or recovery capability.
- Fostering a risk-aware culture: Encourage continuous dialogue among all concerned parties, including the plan administrator, plan sponsor, third parties, legislators and experts, to stay ahead of external and emerging risks. Implement a systematic training program, document the risk management process properly, and keep the framework a living document rather than a one-time deliverable.
- Moving one step at a time: Explicitly identify your vulnerabilities: the risks the plan administrator is aware of but has not yet tackled, or has addressed insufficiently. Risk management is a journey. Start with the most pressing risks and refine the approach gradually.
Beyond Compliance: Strengthening Governance Resilience
Looking beyond compliance, CAPSA’s Guideline No. 10 represents a meaningful shift toward more deliberate, transparent and outcome-oriented governance. Although the initial implementation of these frameworks may require significant effort, the benefits accumulate over time. Organizations should establish regular review cycles to ensure the framework remains relevant, and incorporate KPIs that measure both compliance and operational effectiveness. Robust risk management supports stronger decision-making, improves transparency, builds the confidence of concerned parties, enhances sustainability and ultimately reinforces the ability to meet fiduciary responsibilities. The goal extends far beyond meeting regulatory expectations: it is to strengthen the governance foundation that protects plan members, sponsors and administrators over the long term.
Turning Obligation into Opportunity
One year following the release of CAPSA Guideline No. 10, its influence on governance, accountability, and risk awareness is already evident. The administrators who approach implementation not as a compliance obligation but as an opportunity to elevate their governance systems will be best positioned to adapt to future regulatory changes and evolving risks. Whether achieved through a comprehensive dashboard or a streamlined framework tailored to the plan’s complexity, the purpose remains consistent: to bring structure, transparency, and intention to managing uncertainty in a way that supports the long-term success of the plan and the protection of its members.
This article was written by
Isabelle Clément, FSA, FCIA, CRM
Partner, Pension
Lydia Audet, FSA, FCIA
Principal, Pension and Investment Consulting