Pensions get risk-ready

Isabelle Tremblay, Director, Asset Owner Segment Lead

In September 2024, the Canadian Association of Pension Supervisory Authorities (CAPSA) released Guideline No. 10—a framework that sets clear expectations for how pension plan administrators manage risk. But at its core, the guideline isn’t just about risk avoidance; it’s about building a pension plan that’s more transparent and resilient. 

The guideline can help strengthen oversight and help pension plans better respond to emerging risks (like cybersecurity or ESG). This is especially important as plans operate in an increasingly complex landscape, with market volatility and more intense scrutiny.

Effective immediately, the guideline applies to all plan types, including defined benefit, defined contribution target benefit, pooled registered pension plans (PRPPs) and hybrid plans. But while it’s already in effect, plan administrators have until January 1, 2026, to fully implement the provisions. Plans that act early are more likely to have a smoother path to compliance.

Plans that act early will have a smoother path to compliance

A refresher on Guideline No. 10

For those unfamiliar with Guideline No. 10, it sets out a four-part risk management cycle plan administrators should follow:

1. Identify risks: Plans need to proactively identity material risks that could affect funding, benefits or governance. These include familiar areas like investment and operational risks as well as more complex areas like cybersecurity, ESG risks, third-party service providers, and leverage and liquidity issues. It’s also important to remember that administrators remain responsible for risk oversight even when key plan functions are outsourced. Read our Future of pension plan management whitepaper for a deeper dive into risk management and how to decide when to outsource.

2. Evaluate risks: Once identified, risks should be assessed based on likelihood and impact, and use tools like risk heat maps to visualize their exposures. The level of evaluation should be proportional to the size and complexity of the plan, but even small plans need to engage in formal evaluation.

3. Manage risks: Guideline No. 10 calls for clear, documented controls to mitigate material risks. These might include insurance coverage, delegation and oversight frameworks, risk limits or thresholds, contingency and response planned, and internal audits or compliance reviews. Administrators should also define their risk appetite and identify any residual risks after mitigation.

4. Monitor and report: Risk oversight should be embedded into ongoing operations and reviewed at least annually. Reports should be made to governing bodies (e.g. boards, committees) and this risk management framework should evolve with emerging issues.

Guideline No. 10 calls for clear, documented controls to mitigate material risks

The implementation challenge

CAPSA’s guideline is principle-based—not prescriptive. While this offers flexibility, it also creates ambiguity. Many administrators are now asking: Where do we start? What’s enough? What will regulators expect in practice?

Some key implementation hurdles include:

• Building the risk register: Many pension plans don’t yet have a formalized risk register or documented approach to risk categorization. Administrators may struggle with identifying the full range of internal and external threats—especially in areas like cyber, ESG and third-party risk.
• Defining appetite and tolerance: CAPSA encourages administrators to articulate a clear risk appetite, define acceptable tolerances and align them with plan objectives requires careful planning.
• Governance and accountability gaps: The guideline stresses that fiduciary responsibility lies with administrators, even if operational duties are delegated. This means boards or pension committees must now enhance their oversight functions, clearly assign roles and regularly review risk-related reporting.
• Capacity constraints: Smaller plans or single-employer arrangements may lack internal resources or expertise to manage the entire cycle effectively. Even large plans may need to coordinate across multiple departments, vendors and systems to embed risk monitoring into day-to-day processes.

Many administrators are now asking: Where do we start? What’s enough? What will regulators expect in practice?

Practical support

To meet the January 2026 deadlines with confidence, most plans will need support beyond what their current models provide. Here are five areas where practical guidance can make a difference:

1. Gap analysis and planning: The first step in understanding where your current governance, documentation and oversight processes fall short of Guideline 10. A structured gap analysis can help establish priorities and timelines—and reassure boards that progress is underway.
2. Framework and tool development: From creating risk registers or setting evaluation criteria and escalation thresholds, administrators benefit from standardized tools that can be customized to fit their plan type, size and structure.
3. Technology and documentation systems: Plans will need systems to record, review and report on risks. These may include dashboards, workflow automation or documentation retention tools, especially to support regular board reviews and potential audits.
4. Governance structure review: Oversight roles should be clearly defined. Whether responsibility lies with the sponsor, a pension committee or a board, those tasked with risk governance must receive regular report, training and authority to act.
5. Training and education: Plans sponsors, trustees and administrators need to understand the expectations and terminology used in Guideline No. 10. Training sessions can help build a risk-aware culture and prepare for regulatory scrutiny. 

The clock is ticking

CAPSA has been clear: the guideline is already in effect and implementation should be completed by January 1, 2026. Plans that act early will have a smoother path to compliance. This includes running pilot programs, test to risk registers, update governance charters, and educate boards and service providers.