A Strategy for Employee Benefit Plan Management
A critical legal duty accompanies the responsibility of employers to manage their employee benefit plan (“EBP”) complex fairly and safely. Tactics for managing the associated risks are not intuitive and pose a significant challenge for the typical executives who populate a plan management committee.
Risk management is often left for others in an enterprise to consider, but current events mandate a change in thinking and action. A framework of standardized procedures is needed.
A management strategy for ensuring conformance with best practices and governmental regulations is known as GRC (for governance, risk management, and compliance). GRC is not a technology. Instead, it is a set of practices and processes that provide a structured approach to aligning EBP management with the governing board’s risk tolerance and opportunities objectives. GRC helps EBP committees reduce data security risks, control plan expenses, and meet compliance requirements. It also helps improve decision-making and performance through an integrated view of the organization’s risk culture.
Aligning with the Enterprise’s Risk Culture
An enterprise’s risk culture includes the values, beliefs, and behaviors about the governance, assurance, and management of risk, including setting risk appetite and tolerances, views about the impact of risk on conduct and decisions, and modeling of appropriate risk-taking behavior. When boards of directors decide to sponsor EBPs, they understand inherent risks and residual risks lurk in implementing such plans. Inherent risk is the level of risk without actions and controls, and residual risk is the level of risk after measures and controls are in place.
In order to develop and maintain an EBP risk management framework, it is essential to know the parameters the enterprise’s board or governing authority has established for each of the three vital decision-making criteria: risk tolerance, risk appetite, and risk capacity.
Who Participates in Developing a GRC Framework?
A governing authority such as an EBP committee must prioritize oversight of the direction and control exercised by the people in charge of EBP programs. That entails establishing the enterprise’s mission, vision, values, appetite for risk, tolerance for risk, capacity for accepting risk, ethical standards, and a high-level declaration of goals and objectives.
Because risk management is widely understood to be deeply embedded in governance and compliance, developing a framework unavoidably involves cross-functional participation. Accordingly, board members and senior executives in finance, human resources, and information technology all have a role in EBP risk framework development.
Modern Chief Financial Officers (“CFO”) are responsible for much more than just maintaining assets and keeping track of finances. The CFO handles the purse strings and drives risk management by selectively forming and supporting business improvement projects. The CFO is now an essential strategic team member and contributes to setting the organization’s direction. The success of EBP management practices depends on the CFO’s backing.
Executives in human resources oversee the organization’s “human capital” and carry out duties crucial to GRC success. The tactical responsibility for advancing and fostering the enterprise’s purpose, vision, and values, as established by the governing authority, usually rests with the human resources team. As frontline managers of EBP operations, they are often the first to encounter the events with the most significant potential harm to plan participants and the enterprise.
The Chief Information Officer (“CIO”) must set up the systems necessary to ensure that the enterprise gathers and keeps EBP data in a way that enables distribution of the appropriate data to the proper individuals at the right time and in a suitable format. Protecting personally identifiable information is imperative and depends on sufficient technological resources. The CIO must participate in developing the GRC framework and then collaborate with the EBP committee to identify the current technologies, assess them, and decide which need upgrading when regulatory requirements call for it.
The Case for GRC Frameworks
Many organizations (both at the corporate level and on EBP committees) fail to establish goals and strategies based on a thorough understanding of performance, risk, and associated compliance issues tailored to the uniqueness of their environment. Many also fail to implement their plans, keep track of results, and make required adjustments.
Many EBP sponsors find it challenging to comply with regulatory and other requirements or even stay on top of the requirements that apply to them internally. Even those that do a somewhat adequate job often fail to demand or confirm the same for third parties they employ. In short, the status quo for many organizations is neither sustainable nor acceptable.
Conclusion
A growing number of employers are experiencing the consequences of the dangers associated with sponsoring EBPs. Profound economic and reputational damage to those organizations and the careers of their fiduciary committee members signal the need for a dramatic change in attention to risk management.
Managing EBPs with an outdated or intuition-based approach is not a strategy but foolishness. Implementing an integrated governance, risk management, and compliance framework can significantly reduce inherent risks in operations, investment decision-making, third-party service providers, and internal support services, and it should be a priority consideration for C-suite leaders.
An advisory firm that specializes in GRC framework development can significantly reduce the time and cost involved and ensure a quality upgrade to an employer’s EBP management practices.