Improving the RFP Process

A few months ago I was asked to complete a Request for Information ("RFI") by the sponsor of a large pension plan. Their goal was to hire an independent outside party to vet the investment management policies and procedures of its outsourced manager. I've long maintained that it is an excellent idea to have someone review operations and render a second opinion about how asset managers perform relative to a retirement plan's objectives, how much risk is being taken to generate returns, the extent to which the asset manager is mitigating risks and much more.

While this type of "kick the tires" engagement is not as common as many think it should be, that could change quickly. The Outsourced Chief Investment Officer ("OCIO") business model (sometimes referred to as the Delegated Investment Management or Fiduciary Management approach) is rapidly growing at the same time that recent mandates such as the U.S. Department of Labor's Fiduciary Rule, along with a flurry of lawsuits that allege breach, call more attention to how in-house plan fiduciaries hire and monitor their vendors.

Given the relative newness of this type of engagement and the fact that a review can mean different things to different people, I strongly recommend that the hiring party consider how much work they want done and what budget applies. In the case of the aforementioned invitation to submit a work plan and detailed budget, my colleagues and I were told by the plan sponsor they weren't really sure what should be done. Our suggestion was to carry out a preliminary review of existing policies, procedures and operations, report the findings to the trustees and then discuss what could be done as a subsequent and more granular assessment, if needed. This would get the ball rolling in terms of identifying urgent concerns and avoid having to write a big check. Even with an opportunity to ask questions of the hiring plan, there were still many unknowns. For example, would the plan sponsor be willing to pay for a complete investigation of items such as a vendor's data security measures, adherence to its compliance manual, growth plans, risk management stance, employee personal trading safeguards, measures to avoid conflicts of interest, business strength, type of liability insurance in place and verification (if true) that back office cash management was separate from trading, or would it instead have an examiner concentrate on a subset? When the plan sponsor said it wanted to have an outside reviewer look at historical investment performance numbers, was its goal to assess data frequently or over a longer period of time, relative to a selected benchmark, relative to an asset-liability management hurdle, based on risk per return units and so on?

Anyone who has reviewed bid documents from public and corporate plan sponsors will likely conclude that there is not much consistency, especially for due diligence and governance assignments. That's not ideal. Yes, it's true that facts and circumstances will differ, but clarity in terms of what a hiring plan wants can be a plus for everyone. I think it would likewise be helpful for the bid document to state a budget number or "not to exceed" range and let the respondents suggest what work could be reasonably done for that fee. Both the buyer and seller would know at the outset whether it makes sense to proceed with discussions. Another way to go would be to have the plan sponsor hire someone to interview its in-house fiduciaries, identify and rank their major concerns and then use that information to create a structured Request for Information or Request for Proposal ("RFP") that would be distributed to potential review firms. This exercise would entail a short-run expense but could save money in the long run by ensuring that the plan sponsor and the review team are in sync about expectations and deliverables.

The bidding process is often a tough one for both buyer and seller. In 2015, I interviewed the co-CEO of a company called InHub, Mr. Kent Costello. I have no economic connection with this company. I had asked for a demo after reading about the use of technology to help fiduciaries with their search and hiring of third parties. In answer to my question about the limitations of the existing RFP process for the buyer, Kent said "It can be difficult for investment committees to put together a list of questions that will help them to effectively compare firms and service offerings ... Poorly crafted, irrelevant, or repetitive questions will lead to a weak due diligence process and leave the committee confused and frustrated. Worse yet, it could mean the selection of an inadequate vendor." Just as important, he pointed out that sellers could be reluctant to take the time and money to prepare a detailed proposal, "given the low likelihood of winning the business..." See "Electronic RFP Process and Fiduciary Duty."

Process improvement is always a plus, whether applied to crafting a bid document, responding with a proposal or implementing the work, once hired.

Hamsters, Cyber Security and Retirement Plans

I typically mute the remote during commercials but a recent ad caught my attention. In "Who's sharing your cloud?" the Ogilvy Group adds glam (actor Dominic Cooper), cute (tiny hamster) and a morality tale (video unexpectedly goes viral) to showcase the downside of not having a dedicated cloud server for a business. This short promotion is a great illustration of risk management at its core.

  • Something seemingly benign creates a costly problem.
  • By not being proactive, an organization incurs a loss.
  • The cause could have been evaluated and addressed ahead of an adverse effect.

While this television spot and similar messages about technology risk are typically geared to the business community at large, retirement plan sponsors should take heed. Sensitive data about participants, in the wrong hands, can be disastrous. According to "Top 10 Cybersecurity Trends for Financial Services in 2015" (Think Advisor, November 25, 2014), concerns about the integrity of third-party infrastructure are paramount. The new year is expected to yield "active cyber risk mitigation and monitoring" as a replacement of the "current self-certification process." (The latter technique is thought to be less reliable.) Concentrating on the protection of "high-risk and high-value" data collections is likewise expected to occur instead of a broad and generalized approach.

In a twist of innovation, insurance companies are "racing to actuarially quantify new cyber risks" and offer policies to insure explicit dollar damages as well as indirect losses due to diminished "brand, reputation and goodwill." See "Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues" (Insurance Industry Working Session Readout Report, Department of Homeland Security, July 2014).

In its editorial about the "Challenges of cybersecurity" (August 18, 2014), Pensions & Investments laid out a list of enterprise risk management priorities that should consume those in charge of pensions, endowments, foundations, mutual funds, custodian banks and alternative investment pools. These include, but are not limited to:

  • Preventing access to proprietary data by unauthorized persons;
  • Avoiding the likelihood of leaks by institutional service providers that could "compromise confidential investment details" or make hacking easier;
  • Establishing parameters to block front-running; and
  • Attempting to seal off access to data about beneficiaries and other confidential information from intruders.

A critical task for a plan sponsor is to gather sufficient knowledge about how a candidate asset manager or other type of vendor secures its operations from unwanted hackers. Asking questions as part of an RFP makes sense, although responses could be too technical for members of a plan committee to meaningfully interpret. As a result, a plan sponsor could end up having to hire another vendor - an organization to make sense of the replies about cyber security from the first vendor. Moreover, the issuance of an RFP may not occur frequently enough to adequately monitor a retirement plan's exposure to cyber security risks. Kent Costello shares his views in "Automating the Institutional Investing RFP" (June 26, 2014, Information Week: Wall Street & Technology).

Lack of transparency is another issue. In "What investors need to know about cybersecurity: How to evaluate investment risks" (June 2014), authors with PriceWaterhouseCoopers or the IRRCi bemoan the "hidden" sources of cybersecurity threats. They add that prevailing disclosure standards "are not designed to adequately differentiate between companies' relative readiness, nor are they effective at helping predict which companies are likely to suffer negative impacts due to a security shortcoming."

None of these warnings are comforting, especially when one considers the layers of vulnerability. A plan sponsor, at the corporate or government employer level, has a chance of having non-retirement plan data stolen by a cyber thief. At the retirement plan level, a sponsor could see its participant data compromised. As a customer, there is a chance for a technology snafu with one or more of its service providers to trickle down to the plan sponsor. As an investor, regardless of plan design, there is the risk of being exposed to cyber meltdowns experienced by a company or asset manager. A defined benefit plan with an investment in Target or Sony, for example, could pay for security breaches in the form of lower stock prices. A 401(k) plan sponsor that selected a mutual fund that owns shares in a cyber victim company may have to change its investment line-up.

On November 9, 2011, the ERISA Advisory Council presented its report on "Privacy and Security Issues Affecting Employee Benefit Plans." A handy "Chart of Practices Useful to Certain Plan Administrators to Minimize Security Breaches" is included. As part of its focus on cybersecurity, the U.S. Securities and Exchange Commission ("SEC") released a sampling of questions it plans to ask during regulatory examinations. Refer to the agenda of "OCIE Cybersecurity Initiative," National Exam Program Risk Alert, April 15, 2014.

Happy New Year fiduciaries. More work is on its way.

New is Not Necessarily Better and Could be Worse

Every now and then, my husband likes to remind me that older is better in terms of quality. His father's tools still get used, our washer and dryer from twenty years ago are in place and his 1989 Honda was only recently sold when I nudged him to buy a car with air bags. Incidentally, the CRV was sold with 400,000 miles to a neighbor who still drives it on a regular basis. I was reminded of his words when I read a New York Times article on the failure of "new math." More recently the concept that new can be counterproductive came to light when a meeting organizer insisted on using technology that was so "cutting edge" that a few of us could not join because we did not have the requisite equipment. As a result, we have to schedule anew, costing time that could have been avoided.

Applied to pensions, adding too much complexity by trying something untested and/or sold as "the next big thing" can spell trouble. As I wrote in "Investment Complexity Risk" (August 1, 2014), transactions that are hard to explain make it difficult for an investor to "appropriately identify the right benchmark to track performance." When that occurs, tasks such as portfolio rebalancing, assessment as to whether fees paid are "reasonable" and/or constructing an effective hedge strategy are difficult to achieve.

While "new" does not automatically mean "complex," the reality is that capital markets and service providers such as asset managers are increasingly dependent on one another. What happens with one organization can have a far-reaching impact on others. Consider Goldman Sachs Group Inc. ("Goldman"). Its plan to retract prime brokerage services to some hedge funds while increasing fees to those that remain as clients will impact the institutional investors that have exposures to asset managers that either need to look elsewhere for capital or will pay more money to Goldman. See "Goldman Sachs Cuts Roster of Hedge-Fund Clients" by Justin Baer and Juliet Chung (Wall Street Journal, August 4, 2014).

Some institutional investors are throwing their proverbial hands in the air when it comes to in-house management. Pensions & Investments reporter Douglas Appell describes a trend in seeking third party help as the result of "today's volatile markets." Refer to "Complexity of investments pushes funds to seek outsourcing help" (July 9, 2012). Asset managers are similarly outsourcing certain tasks such as performance measurement and attribution. According to "Managing complexity and change in a new landscape: Global survey on asset management investment operations" (Ernst and Young, 2014), partners Alex Birkin and Alan Fish write that "Firms are only beginning to realize the opportunity in outsourcing more complex processes."

Contracting others to augment one's core business is not bad or good on its face. Importantly, end-users must understand what they are buying and what may not be covered by the agreement. Based on my experience as a forensic economist and investment risk governance expert, disputes often arise when expectations - even those that are codified with a letter of engagement - differ. Ambiguous language is one culprit. In-house and external counsel as well as those tasked with dotting the due diligence "i's" can play a vital role in clarifying the terms of outsourcing. Similarly, attorneys can work with their institutional investor clients to ensure that a Request for Proposal ("RFP") questionnaire includes ample questions about the nature of the contracts in place between asset managers being considered and the vendors to said asset managers.

The principles of good contracting are tried and true. Some may sneer at old-fashioned ideas but they have a place in one's investment risk governance toolbox. When the lights go out, a pencil has a lot more value than a computer that doesn't work.

New RFP Template to Select and Monitor 401(k) Plan Vendors

In June 2012, the Association for Financial Professionals (AFP) debuted its Request for Proposal (RFP) template to "help treasury and finance professionals evaluate 401(k) plan service providers." Developed in response to requests for help in selecting vendors who provide products and services to companies that sponsor defined contribution benefit plans, the detailed guide considers numerous facets of the purchasing process.

Dr. Susan Mangiero, CFA, certified financial risk manager and Accredited Investment Fiduciary Analyst™, served as a member of the drafting committee. A copy of the 401(k) Service Provider RFP template is available for purchase.

Public Pension Risk Management and Fiduciary Liability

A few weeks ago, Attorney Terren B. Magid and Dr. Susan Mangiero jointly presented on the topic of pension risk management and fiduciary liability with a particular emphasis on public plans. Attorney Magid's insights reflect a particularly unique perspective inasmuch as he served as executive director of the $17 billion Indiana Public Employees' Retirement Fund ("PERF"). Dr. Mangiero shares her views as an independent risk management and valuation consultant, author, trainer and expert witness.

The 25-page webinar transcript for public pension fiduciaries, entitled "Are You Properly Mitigating Risk? Assess Your Fiduciary IQ" with Attorney Terren B. Magid (Bingham McHale LLP) and Dr. Susan Mangiero (Fiduciary Leadership, LLC), is available for download. Comments about ERISA plans are provided when applicable.

Topics discussed include, but are not limited to, the following:

  • Public Pension Transparency Act
  • Discount Rate Choice
  • Dodd-Frank Wall Street Reform and Municipal Advisor Registration
  • Expanded Definition of ERISA Fiduciary
  • Fee Disclosure Under ERISA 408(b)(2)
  • Failure to Pay an Actuarially Required Contribution ("ARC")
  • Benefit Reductions
  • RFP Process
  • Fiduciary Audits
  • D&O Policy Review
  • Vendor Contract Examination
  • Qualitative and Quantitative "Investment Risk Alphabet Soup"
  • Interrelated Risk Factors
  • Key Person Risk
  • Hard to Value Investing
  • Model Risk
  • Stress Testing
  • Pension Litigation
  • Fiduciary Breach Vulnerability
  • Characteristics of a Good Model
  • Side Pockets and Investment Performance.

Comments are welcome.