The control of financial risks by Dutch pension funds is generally in order. However, funds can and must further professionalise their risk management. There is a lot more that Dutch pension funds could be doing, particularly in the area of data and systems. Integrated, fund-wide systems for risk management, also known as GRC tooling, are currently used to a limited extent. There is also work to be done when it comes to the control of non-financial risks run by pension funds, such as when outsourcing activities.

Research by KPMG reveals that the way in which Dutch pension funds structure their risk management is satisfactory. "However, further professionalisation is necessary on a number of specific aspects", says Veronique de Boer-Achmad of KPMG Pensions Advisory. De Boer-Achmad: "If we look at risk strategy and risk appetite, the funds are still falling short. Risk appetite is a measure of the bandwidth within which the company is prepared to take risks. The risk appetite for financial risks is often determined across the board and also translated into measurable KRIs. There is still substantial room for improvement, particularly in terms of quantifying risk appetite for non-financial risks. We see that many pension funds outsource crucial processes. Again, the fund needs to be in control of the resultant risks itself without putting itself in the position of the outsourcing party. This demands periodic risk analyses by the fund itself and clear agreements on, for example, periodic reporting on the current risks of the parties to whom services have been outsourced. In this way, the current risk profile can be compared against the fund's risk appetite."

GRC tooling warrants extra attention

The risk management framework of pension funds generally consists of six components. De Boer-Achmad: "Besides culture, they are risk strategy and appetite, governance and organisation, policy and process, risk monitoring and risk reporting and the use of data and IT systems. Our research shows that improvements are needed in two components of risk management in order to be sufficiently effective. With regard to data and IT systems, we looked above all at the extent of the use of GRC tooling and the degree to which action and incident management takes place. We see that tools developed in-house are used to a limited extent. As such, there is scope for giving the risk management function the resources and infrastructure to perform tasks more effectively and efficiently. As regards governance, we looked at the use of the ‘three lines-model’. Generally speaking, the functions within this model are formally set out, with roles and responsibilities being documented. However, their actual operation could be improved in practice."

Making efforts more transparent

KPMG's research reveals that many pension funds still have trouble demonstrating that they are in control. De Boer-Achmad: "In many cases, the implementation of control measures is still not monitored centrally, which means that there is limited understanding of which risks may not be being adequately controlled. The reports required by internal and external stakeholders often still result in a range of partly overlapping documents drawn up on an ad hoc basis. And an important area of concern is the knowledge of specific risks, for instance IT risks. This knowledge is not always sufficiently available and is often dependent on individuals. That goes for both the first and the second lines. And as pointed out previously, the risks of outsourcing activities warrant additional attention. Remaining in control of your own outsourcing risks while not putting yourself in the position of the outsourcing party is a tricky balance to strike. Currently, there is too much dependence on the analyses and reports of the party to whom services have been outsourced without making the link with the risks and risk appetite of the fund itself."