Dick Kamp and Varsha Bindraban: A good understanding of IT is crucial for pension fund managers

This column was originally written in Dutch. This is an English translation.
By Dick Kamp, Director of Pension, Investment & Risk at Milliman Pensioen, and Varsha Bindraban, independent IT Risk & Compliance manager
The relationship between information technology and pension funds is closer than ever. The transition to the new pension system is also one of the largest IT operations of our time. Some of you may remember the millennium bug. We think that the current operation is at least equal in terms of effort. It is therefore extremely important for the pension fund manager to have a good understanding of the use of IT.
IT is an increasingly important part of how organisations do business. This applies to both the role IT plays in business processes and the opportunities and risks associated with the use and development of IT. These are more than enough reasons why this should be an important area of focus for a pension fund director.
Pension administrations are extremely complex. As the following examples illustrate, this involves various problems in the area of IT deployment.
1) High volumes and changing participant needs require a high degree of automation
The size of pension funds is, after all, enormous in terms of participant numbers. At the same time, there is a trend towards making pensions more individual. This customisation entails more activities. This can only be realised when the pension administration is automated to such a degree that, with a few exceptions, no manual changes are necessary. An additional advantage of fewer manual changes is that the risk of human error is reduced.
2) Cost pressure
Pension funds are under great cost pressure. Automation and achieving economies of scale are effective ways to keep costs as low as possible.
3) Outsourcing relationships
Due to the high costs and complexity involved in the development of IT systems and the necessary scale, pension administration is carried out by a limited number of (outsourced) pension administrators. These administrators are at a distance from the pension fund itself. The pension administrator may in turn be dependent on one or more providers of specific functionalities within the pension administration platform (for example, a communication portal or an intermediate administration).
4) Innovation in the field of IT
In the further development of IT, increasing use is being made of innovations such as artificial intelligence. This is happening in the area of participant communication, but also with regard to decision-making systems. It is vital that if this type of innovation is used (and there will be no getting around it in the end), it is properly managed.
5) Changing participant needs require more interaction and functionality
With the advent of the new pension system, the involvement and freedom of choice of the participant with regard to their own pension will increase, with the result that more interaction will be possible/required. This places greater demands on the functionality of the pension administration platforms.
6) Complexity of the IT landscape
If we look at the IT landscape of a pension administration in more detail, it consists of various subsystems that communicate with each other. These systems can be located at the pension provider itself, but can also be outsourced. In addition, pension administration is only one part of the pension fund's process. Looking at asset management, the IT landscape is just as complex. Asset managers also use a variety of IT systems and employ artificial intelligence to make investment decisions. An additional complication is that companies in the asset management sector can be extremely large and their activities can span different continents. The pension fund manager himself has little to no influence on the IT policy of these companies.
On top of this, cyber risks are becoming increasingly prominent. There are parties in the world whose business model is to hold IT systems hostage. This threatens the pension fund's business operations. IT systems in the asset management sector, for example, are very attractive targets, and the sector is under constant attack.
Given the role IT plays in business operations, governments, central banks and regulators are very concerned about IT's vulnerability. Laws are therefore being developed that aim to increase the resilience of companies with regard to IT. DORA is a current example of this.
The challenge
The extensive and complex role that IT fulfils makes it difficult for a pension fund director to control, understand or optimally utilise it. While the pension fund director is not necessarily an expert in this field, he or she is still ultimately responsible for the processes within a pension fund.
In addition to traditional responsibilities, this responsibility involves a variety of issues, such as:
- The formulation of strategic objectives and the associated business/IT alignment.
- The management of risks with regard to the use of IT and the management of outsourced services.
- The obligation to (continue to) comply with applicable laws and regulations, which are becoming increasingly extensive.
Approach
Specialised knowledge of the various facets is of enormous added value in taking on this difficult challenge. In addition, a holistic and structured approach can be supportive.
The Plan-Do-Check-Act principle can be applied here.
Plan:
- Take an ‘IT snapshot’: obtain (periodic) total insight into the IT landscape.
  - Is the IT landscape still adequate for the intended objective and/or strategic development direction?
  - Which outsourcing parties are involved?
- Map the landscape of opportunities and threats.
  - What are the current threats and weaknesses within the landscape?
  - What developments can be expected and what opportunities and threats do they entail?
- Develop or re-evaluate your own IT policy (including security policy) in an iterative process that takes into account technological, legislative and regulatory developments.
- Ensure long-term alignment between your own strategic development and that of the outsourcing or subcontracting parties (which may lead to a reorientation of the relationship).
Do:
- Implement both the strategic policy and the IT policy as established.
  - This may lead to the repurchase, development or renovation of IT platforms to continue to support operational management.
- Implement mitigating measures where necessary to manage identified risks.
Check:
- Monitor external developments in the field of legislation and regulations, technology and cyber threats.
- Monitor the implementation of the IT policy and the effectiveness of operational management.
- Monitor the implementation of the IT policy of the outsourcing and subcontracting parties and their continued alignment with your own IT policy.
- Monitor the implementation of the strategy by the outsourcing and subcontracting parties and their alignment with your own strategy.
Act:
- Where there are deviations from your own IT policy, take action to bring it back into line or revise the IT policy (if necessary).
- Evaluate the implementation of the IT policy of the outsourcing or subcontracting parties and discuss the findings to ensure they remain in line with your own IT policy.
- Evaluate your own strategy and adjust it if necessary to continue to meet the fund's needs.
- Evaluate the implementation of the strategy of the outsourcing or subcontracting party, determine whether it is still in line with your own strategy, and reconsider the collaboration if necessary.
Conclusion
IT within pension funds is vital and complex. As a pension fund director, you can no longer avoid devoting significant attention to this. In addition to the current use of IT that is necessary to keep complex business operations running, attention will have to be paid to the use of IT in the future to enable the pension fund to keep up with the constantly changing world, in which developments such as AI will play a prominent role. At the same time, cyber and continuity risks are more of a given than an opportunity. Controlling these risks has therefore become a basic condition for effective operation.
With the accompanying development of legislation and regulations and supervision in the areas of IT, cyber, continuity and the management of outsourcing relationships, there must also be a thorough action plan in the area of compliance. Fortunately, the pension fund administrator is not alone in becoming ‘future-proof’.
This is the thirty-sixth column in a series on risk management. The series aims to encourage readers to consider risk management as an integral part of running a pension fund.
Varsha Bindraban has been dealing with IT audit and IT Risk Management issues in a variety of sectors at home and abroad for 14 years. After stepping down from her role as Senior Manager in the IT Assurance & Advisory practice within the Big Four in 2023, she started her own firm focusing on IT Risk & Compliance within the financial sector. She does this from the conviction that the human aspect within IT Risk & Compliance is the most important factor for successful IT risk management. For instance, she advises management on DORA-related issues and implements a variety of IT frameworks in a way that is appropriate within the context and culture.