Toolkit for Risk-based pensions supervision

Case Study Kenya

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Riskbased Pensions Supervision provides a structured approach focusing on identifyingpotentialrisksfacedbypensionfundsandassessingthefinancialand operationalfactorsinplacetomitigatethoserisks.Thisprocessthenallowsthe supervisory authority to direct its resources towards the issues and institutions whichposethegreatestthreat. The IOPS Toolkit for Riskbased Pensions Supervisors provides a 5module framework for pensions supervisors looking to apply a system of riskbased supervision. A webbased format allows: a flexible approach to providing updates and additions; users to download each module separately as required; andaportalofferingusersmoredetailedresources,casestudiesandguidance. Thewebsiteisaccessibleatwww.iopstoolkit.org. ThisdocumentcontainstheKenyanCaseStudy.

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

KENYA1
I.
A.

Background
PensionSystem

The retirement benefits sector in Kenya is composed of the civil service scheme, the National Social Security Fund (NSSF), occupational schemes and individual pension schemes. The coverage of the pension schemes is currently 15% of the total work force. The NSSF has the highest proportion of membershipat67%withestimatedmembershipof800,000(theCivilServiceSchemeaccountingforover 20%ofthiscoverage,withoccupationalandindividualschemes,ofwhichthereareapproximately1350in operation,around10%).

Table1:RetirementBenefitsSectorKenya
SchemeType LegalStructure Membership CivilService Scheme ActofParliament allcivilservants NationalSocial SecurityFund ActofParliament formalsector workersin companieswith5+ Occupational Schemes TrustDeed formalsectorworkers incompaniesthat haveschemes IndividualSchemes

TrustDeed individuals formal/informal sectorjoin voluntarily funded Subjecttothe Authority

Funding Regulation

Nonfunded Exemptfromthe Authority

funded Subjecttothe Authority

funded Subjecttothe Authority

B.

RiskbasedSupervisoryApproach2

Aspecializedagency,theRetirementBenefitsAuthority(RBA)isresponsibleforthesupervisionoffunds. The riskbased supervisory approach of the RBA has also been adapted from the Australian model. The goal is to measure the solvency of DB schemes and the investment risk of DC schemes, applying a risk scoretoeachschemewhichthendeterminesthesupervisoryresponse.TheRBAwill,onanannualbasis, carryoutariskprofilingexerciseaimedatidentifyingschemewithhighlevelofrisk.
1

ThiscasestudywaspreparedbytheRetirementBenefitsAuthority,Kenya.

DetailsoftheAPRAshistoricaldevelopmentandmovestowardsriskbasedsupervisionareavailableinRiskbased SupervisionofPensionFunds:EmergingPracticesandChallenges,Brunneretal2008

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

As well as refining the qualitative and quantitative measures to be used in the initial risk scoring of schemes,theRBAisalsolookingtodevelopamethodologyforstresstestsoravalueatriskmeasure andstandardproceduresforchoosingandapplyinginterventions.

II.

RiskbasedSupervisionProcess
Figure1. RBSProcess

1. RiskFocus
SupervisoryObjectives TheRBAoutlinetheirobjectivesasfollows: RegulateandsupervisetheestablishmentandmanagementofretirementBenefitsschemes ProtecttheinterestsofmembersandsponsorsofretirementBenefitsschemes PromotethedevelopmentoftheretirementBenefitsindustry

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Advise the Minister for Finance on the national policy to be followed with regard to the retirementBenefitsindustry Implementallgovernmentpoliciesrelatingthereto

InadditiontheRBAlayoutasocialagenda(reduceoldagepoverty,educationinitiatives)andaneconomic agenda(encouragegreatersavings,spurdevelopmentofcountryscapitalmarketsetc.). NatureofPensionSystem In terms of risk measurement, the RBA has identified the following risks as the main areas for consideration: Counterparty Default Risk: Risk of loss from the failures of a counterparty to meet its obligations Balance Sheet and Market Risk: Risk of losses due to movements in interest rates and othermarketprices OperationalRisk:Theriskoflossesresultingfrominadequateinternalprocesses,people andsystemswhethertheseareinternaltotheregulatedentityorinaserviceprovider LiquidityRisk:Theriskthataninstitutionwillnotbeabletomeetitspaymentobligations astheyfallduewithoutexcessivecost Legal and Regulatory Risk: The likelihood of adverse consequences arising from the failuretocomplywithallrelevantlawsandregulations Strategic Risk: Risks to the continued viability of an entity as a result of change in the operatingenvironment,includinginternallydrivenchangesuchasmergerorintroduction ofnewproductline Contagion and Related Party Risk: Risk to an entitys business as a result of close association with another entity the risks may be direct through financial exposure or indirectthroughreputationdamage.

The risk scoring model shown below breaks these risk areas into three main categories which are consideredintheanalysisofinherentrisk:Investment,Insurance,andNonfinancial.

2. RiskFactors
A. Individual

Thetablesummarizestheriskscoringsystem.Wherearesultissatisfactorythescoreis0.Entriesinbold are to be flagged for breaches of compliance and for immediate investigation, whatever the overall risk score.

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Table2:RBARiskScoring
Riskfactor 1.1Inherentriskinvestment Satisfactoryresult Satisfactoryinvestmentpolicy statement Recentreviewofstatement Investmentreturnaboveaverage Riskmeasures(e.g.diversification) belowaverage Unsatisfactoryresult Lackofsatisfactoryinvestmentpolicystatement Lackofevidenceofupdatingofstatement Assetclass(es)outsiderange80120%of average Individualholdingsabovethreshold(e.g.2%of portfolio) Noncompliancewithassetlimits Liquidityconcerns Riskscore 1 0.5 0.25 0.25to0.5 1 0.250.5 0.5 0.25 0.5 1 0.5 0.5 0.5

1.2Inherentriskinsurance

insurancerisknotpresent insuranceriskinsured capacitytohandlenoninsuredrisk

1.3Inherentrisknonfinancial

relativelysimpleplanprovisions andprocedures transparentoutsourcing procedures capacitytohandlegreater complexity

2.1 Management and control Trusteeoversight satisfactoryTrusteeoversight process satisfactorilycompleted

uninsuredlifeordisabilitybenefitsbeyond capacityofschemetoabsorb uninsuredpensionsatretirementinsmallDB scheme uninsuredpensionsatretirementinDCscheme actuarialvaluations uninsuredpensionsatretirementinDCscheme noorunsatisfactoryactuarialvaluations definedbenefitschemewithcomplexprovisions beyondcapacityofscheme nontransparentoutsourcingoffunctions largenumberofinvestmentoptionsinDC schemeswherecapacitynotpresenttohandle this nontransparentdeclarationofinterestinDC schemes Lackofproperoversightprocess Noorunsatisfactorycompletionofgovernance selfassessmentquestionnaire

0.51 0.5 0.5

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

2.2 Management and control Operationsandcontrol 2.3 Management and control Independentreview 3.1CapitalsupportFund

governanceselfassessment questionnaire Trusteesmeetingfitandproper criteria Clearlinesofresponsibilityand accountability satisfactorycompletionof interrogatories satisfactoryfilingrecord,including paymentofcontributionsontime lownumberofcomplaints, complaintssatisfactorilyresolved expensesaspercentageofnormal cost/contributionsbelowaverage independentprofessionalsusedin reviewprocess professionalsingoodstanding easilyunderstandablereports withoutqualifications DBschemesfundedratioand solvencyratioinexcessof100% DBschemeswithunfunded liability/solvencydeficit satisfactoryrecoveryplaninplace andbeingimplemented DBschemesactuarialvaluation basissatisfactorycomparedto peers Ratesofreturnonfundoverlast3 yearsinexcessofaverage

ConcernsaboutTrusteesmeetingfitand propercriteria Lackofproperdocumentation Concernsaboutdocumentfilingandcooperation withRBA unsatisfactorycompletionofinterrogatories unsatisfactoryfilingrecordand/orhistoryof latepayments largenumberofcomplaintsnotsatisfactorily resolved expensesmorethan20%aboveindustrylevel

concernsaboutindependence(e.g.professional isemployeeoforganization) concernsaboutprofessionalstanding unclearreportsand/orqualifications DBschemesfundedratio(FR)and/orsolvency ratio(SR)lessthan100%

1 0.5 0.5 0.25to0.5 0.5

0.25to0.5 0.25 0.25

0.5to1 0.5 FR1,SR=0.8to1score1 FR<1,SR=0.8to1score1.5 SR<0.8(irrespectiveofSR) score2 SR1,FR=0.8and1score.75 SR1,FR<0.8score1.25 DEDUCT0.25to0.5ifrecovery planinplaceandbeing implemented 1

Weakvaluationassumptions(e.g.interestrates morethan20%aboveaverage) Lowratesofreturn(e.g.,greaterthan20%below industryaveragefortypeofscheme)

0.25foreachofpastthreeyears

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

3.2 Capital support Employer sponsor

timelyremittanceofemployeeand employercontributions DBschemessatisfactoryactuarial assumptionsforcurrentservice cost Schemeswithunfunded liabilities/solvencydeficits satisfactoryrecoveryplan Contributionholidayswell monitored DCschemesobjectivesandtarget ofschemeswellcommunicated Industryandschemesponsorin goodshapefinancially

Contributiondelinquency

Contributionsbelowthoserecommendedin actuarialreport

Poorornomonitoringofcontributionholidays DCschemespoorcommunicationoftargets Industryand/orschemesponsorinpoorfinancial shape

belowthreshold Ifcontributionsareoccasionally 7daysormoreinarrears,but lessthan30daysscore0.5 Ifcontributionsare persistentlymorethan7days inarrearsscore1 Ifcontributionsareinarrears for30daysormorescore2 Ifthereisapatternoflate paymentscore3 Ifcontributionsarelessthan 90%oftherecommended currentservicecostand amortizationpaymentsscorea further0.5 1 0.5 0.25to1

Note: Apply bullet 1 or 2 (which apply only if there are no significant arrears) or bullet 3 or 4, no both sets.

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

B.

Systemic

The RBA build both top down and bottom up risk analysis into their system, including systemic risk analysisviaindustrysurveys(forexampleofgovernanceissues,suchastestingofboardsoftrustees).

3. RiskIndicators
A. Quantitative

ThemixtureofquantitativeandqualitativeindicatorsusedbytheRBAisshownintheriskmodelabove. TheRBAalsobuildsinitialrulesbasedassessmentsintoitsriskbasedanalysis.ForexampletheRBAstill applies a broad range of investment guidelines to pension funds (including maximum limits in cash, government securities, in regionally listed shares etc.). The rule that these maximum limits may be violatedincasesofassetrevaluationorappreciationforaperiodofnomorethan90daysisalsoapplied. As the authority moves towards as riskbased approach to supervision it has built these limits into its overallriskassessment.Thedegreeofdiversificationofafundsinvestmentportfolioandcompliancewith theinvestmentguidelinescountfor5%oftheoverallriskscore2marksareawardediftheschemehas compliedwithinvestmentguidelines/1markifinvestedinguaranteedfunds(somepenalizationtotake accountofcreditriskinsuchaninvestmentinstrument)and0fornoncompliance.TheRBAalsoconsiders investment income within its onsite inspection guidelines (e.g. recommending consideration of the volatilityanddistributionofincomebyassetclass). Late or nonsubmission of returns is scored negatively as part of the riskassessment systems, with the timelinessofsubmissionofreturnscontributing10%toapensionplansriskscore. B. Qualitative

The RBA also uses a database of complaints as further risk indicator. Legislation (Section 46 of the RetirementBenefitsAct1997)requirestheAuthoritytomaintainadatabaseofcomplaints.Thisiscalled theComplaintsHandlingDatabaseandismanagedbytheAuthoritysComplianceDepartment.Thereisa specific process documented for this purpose and includes provision of information, particularly the identity of both the complainant and the scheme or service provider who would be respondent in the complaint. The Database supplies primary data for the purpose of risk based supervision which captures for each complaintageneralcategory,currently: 1. 2. 3. 4. InterpretationoftheLaw Administrationand/orrecordkeeping Benefitscalculation/payment Other

Itisanticipatedthatthisinformationwouldthenbeusedintwowaysinrespectofeachpensionplan: 1. Onecategoryofcomplaint(s)foraplanmayattractahigherriskratingthananotherasitwould pointtoadifferentlevelofoperationalorlegalandsupervisoryrisk.

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

2.

Anincreasingnumberofcomplaintsinrespectofoneschemeorserviceproviderwouldserveas anearlywarningsignforthepurposeofidentifyingplansthatrequireintervention,asthiscould be an indication of lack of understanding of the trustees, poor operational systems or poorly informedmembers.

Inconsideringtheriskimpactofthisinformation,thesupervisorwouldtakeintoaccountanymitigating factorsarisingfromthequalityoftheboardoftrusteesandprincipalofficer(theirunderstandingofthelaw and other pertinent issues), the internal complaints management system and effective operational managementsystems(includingmanagementofoutsourcedservicessuchasbenefitspayment). While complaints would not generally capture information provided or tipoffs from whistleblowers as providedforinSection40oftheAct,theselattermaybecapturedthroughaseparatedatabasewhichis alsokeptinrespectofenquiriesmadeonvariousissuesrelatingtotheoperationsofspecificschemesor thepensionsectoringeneral.

4. RiskMitigants
TheRBAidentifiedanumberofriskmitigantstobeconsideredintheassessmentprocess.Theseinclude: Quality of the Board of Trustees: Covers their understanding of responsibilities, their experience,competenceandintegrityandthepresenceofconflictofinterest. Qualityofprincipalofficer:His/herexperience,competenceandintegrity. Effectivenessofoperationalmanagement:Includeshumanresourcepoliciesandmanagement ofoutsourcedoperationsbytheBoardofTrustees. A funds information systems and financial controls: Capacity to produce timely and reliable informationforregulatorsandmembers. Adequacy of risk management systems: Quality of arrangements for identifying and measuringrisk,settinglimits,monitoringcomplianceandreporting. Compliance culture and procedures: Compliance with laws and regulations, and involves the assessmentofthefundsinformationsystems. Adequacyofindependentreview:Internalandexternalaudit,actuarialreviews.

As shown in the risk model above, these are broken down into Management and Control (Trustees, Operations,IndependentReview)andCapitalSupport(Fund,EmployerSponsor). Annex 2 shows the guidance provided by the RBA to pensions funds on what their riskmanagement systemsshouldlooklike.

5. RiskWeightings
Scoresaresummedindividuallyforeachofthethreecategories(Inherentrisk,Managementandcontrol, Capital support). The overall risk score is obtained by taking 50% * (1. Inherent risk) + 25% * (2. Managementandcontrol)+25%*(3.Capitalsupport).

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

6. Probability
ProbabilityisnotconsideredseparatelyintheRBAmodelrathertheriskscoreistakenasindicatingthe probabilityofariskoccurring.

7. Impact
Fundsaredividedintothreecategorieslarge,mediumandsmallaccordingtotheirassetvalue,andare treatedaccordingly.

8. QualityAssurance
Thequalityofriskscoringischeckedbyqualityassuranceteams.Specialistteamsareassignedtoeachrisk category i.e. there is a specialist team checking funds placed into the low, medium and high risk categories,withthemostseniormanagersresponsibleforcheckingtheratingofthefundsplacedinthe later.Asystemofpeerreviewsisalsoused,alongwithtechnicalteamchecks,leadingfromdepartment headsrightuptotheRBAboard.

9.

SupervisoryResponse

TheRBAemploythefollowingsupervisoryresponseladder.

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Table3:RBASupervisoryResponseLadder
RiskLevel Indicators Actions

Risklevel0greenlight

Scheme well run, all financial and non No action required, regular filing financial indicators within acceptable continue range

Risklevel1lightamber

Scheme reasonably well run, most Regular filings continue, but more financial and nonfinancial indicators intensive monitoring indicated, until withinacceptablerange,butfewoutside schemereturnstorisklevel0 rangeordeteriorating

Risklevel2darkamber

Scheme generally in acceptable status, Supervisor questions scheme but a number of indicators outside administratorregardingtheissuesraised range,orhavebeendeteriorating by analysis. Monitoring continues until schemeriskreturnsto0

Risklevel3red

Significant number of indicators outside Supervisor requests recovery plan from acceptable range, or have shown Trustees.Recoveryplanisexaminedand significantdeterioration monitored until scheme can be returned toatleastlevel1

Risklevel4ultrared

Scheme is in significant difficulties Intervention needs to be considered, scheme member interests significantly including requirement for additional threatened funding, reduced benefits, placing scheme in trusteeship, or eventually closingscheme,ifallelsefails

The Authority has developed a Compliance Visit Manual which is to be used during the onsite visit,andOnSiteInspectionGuidelinestobeusedasareferencetoolbytheComplianceOfficers during the onsite visit exercise. Annex 1 provides examples of indepth evaluation questionnairesforDBandDCfunds. TheAuthorityproposedthatanoticeperiodofthirty(30)daysbegiventotheschemepriortothe plannedonsite.However,incasesofemergency,thesupervisiondeadlinesshouldbechangedin theinterestoftheeffectivenessofthesupervisionexercise.Therewillbethreetypesofonsite visits:Comprehensive,targetedandfollowup.Dependingontheoutcomeoftheonsitevisit,a concretecontrolplanwillbederived.Theonsitevisitwillbepreferablyconductedinteams.

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

ANNEX1:INDEPTHEVALUATIONQUESTIONNAIRE
Interrogatoriesdefinedbenefitschemes Pleasecompletethisinterrogatorytothebestofyourability.Ifanyresponsetoaquestionneedsfurther elaboration,pleaseprovideanexplanationonthesubsequentsheet. 1. Investmentsrisks 1.1 Haveyoupreparedaninvestmentpolicystatement? 1.2 Hasthisstatementbeenreviewedwithinthepreviousyear? 1.3 Havetheinvestmentsbeenmonitoredregularlybasedonthisstatement? 1.4 Arealltheinvestmentmadeinaccordancewiththeregulations? 1.5 Areanyoftheassetsinvestedbyanoutsideinvestmentmanagerorotherfinancialinstitution? 1.6 Haveyouconductedanassetliabilitymanagementreview? 1.7 Have you prepared an estimate of liquidity requirements and how these will be met over the shortandmediumterm? 2. Insurancerisks 2.1 Doestheschemeprovideinsuranceordisabilitybenefits,otherthansurvivorbenefits(e.g.lump sumdeathbenefits) 2.2 Ifsuchbenefitsareprovided,aretheyinsuredbyaninsurancecompany? 2.3 Ifsuchbenefitsareprovidedandarenotreinsured,hasariskanalysisbeenperformed 2.4 Arepensionspaidfromthefundoraretheyreinsuredwithaninsurancecompany? 3. Nonfinancialrisks 3.1 Istheschemeadministeredinternally? 3.2 Isanypartoftheadministrationoutsourced? 3.3 Hastherebeenanychangetothearrangementsinthepreviousyear? 3.4 Isanelectronicdataprocessingsystemusedforadministration? 3.5 Arethereanyoutsourcingarrangements? 3.6 Weresucharrangementsselectedatarmslengthinatransparentmanner? 3.6 Iftheanswerto3.5isyes,doyouhavewrittendelegations,servicestandardsanddocumentation relatedtotheappointmentoftheoutsourcingcompany(ies)? 4. Boardoversight 4.1 IsthereawrittengovernancedocumentoutliningtherolesandresponsibilitiesoftheBoard 4.2 Haveyoucompletedthegovernanceselfassessmentquestionnaire? 4.3 HaveallmembersoftheBoardofTrusteespassedfitandpropertests? 4.4 HaveallBoardmemberspassedthetestsrequired? 4.5 DoyouhaveacodeofconductforBoardmembers?

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

5. 5.1 5.2 5.3 5.4 5.5 5.6 6. 6.1 6.2 6.3 7. 7.1 7.2 8. 8.1 8.2 8.3

Operationsandcontrols Doyouhaveawrittenproceduremanualfortheoperationofthepensionscheme? Doyouhavewrittenriskcontrolmechanism? Doyouhavespecificqualityandtimelinessstandards,whicharemonitored? Doyouhaveaformalcomplaintsresolutionmechanism? Do you have conflict of interest guidelines and a code of conduct for all members of the management? Areanyofyouractivitiesoutsourced? Independentreview Areindependentprofessionalsengagedtoreviewtheaccountsandactuarialstatements? IstheappointmentoftheseprofessionalsreviewedregularlybytheBoard? Haveyouchangedanyoftheseprofessionalsinthepastthreeyears?Ifso,why? Fund3 Are any assets invested in securities of the plan sponsor, other than through a recognized securitiesexchange? Doyouperformdynamicsolvencytesting? Employersponsor4 Have all employer and employee contributions been made to the fund within the time limits prescribed? Areyoutakingacontributionholiday? Iftheanswerto8.2isyes,doyouhavemechanismsinplacetomonitorwhenthecontribution holidayshouldcometoanend?

Most of the information regarding this risk element will come from filings of financial statements and actuarial results
4

Again,financialdatawillalsobeusedtoevaluatethisriskelement,althoughtherewillbeaconsiderablelag

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Interrogatoriesdefinedcontributionschemes Pleasecompletethisinterrogatorytothebestofyourability.Ifanyresponsetoaquestionneedsfurther elaboration,pleaseprovideanexplanationonthesubsequentsheet. 1. Investmentsrisks 1.1 Haveyoupreparedaninvestmentpolicystatement? 1.2 Hasthisstatementbeenreviewedwithinthepreviousyear? 1.3 Havetheinvestmentsbeenmonitoredregularlybasedonthisstatement? 1.4 Arealltheinvestmentmadeinaccordancewiththeregulations? 1.5 Areanyoftheassetsinvestedbyanoutsideinvestmentmanagerorotherfinancialinstitution? 1.6 Have you prepared an estimate of liquidity requirements and how these will be met over the shortandmediumterm? 2. Insurancerisks 2.1 Doestheschemeprovideinsuranceordisabilitybenefits,otherthansurvivorbenefits(e.g.lump sumdeathbenefits) 2.2 Ifsuchbenefitsareprovided,aretheyinsuredbyaninsurancecompany? 2.3 Ifsuchbenefitsareprovidedandarenotreinsured,hasariskanalysisbeenperformed 2.4 Arepensionspaidfromthefundoraretheyreinsuredwithaninsurancecompany? 3. Nonfinancialrisks 3.1 Istheschemeadministeredinternally? 3.2 Isanypartoftheadministrationoutsourced? 3.3 Hastherebeenanychangetothearrangementsinthepreviousyear? 3.4 Isanelectronicdataprocessingsystemusedforadministration? 3.5 Arethereanyoutsourcingarrangements? 3.6 Weresucharrangementsselectedatarmslengthinatransparentmanner? 3.7 If the answer to 3.5 is yes, do you have written delegations, service standards and documentationrelatedtotheappointmentoftheoutsourcingcompany(ies)? 4. Boardoversight 4.1 IsthereawrittengovernancedocumentoutliningtherolesandresponsibilitiesoftheBoard 4.2 Haveyoucompletedthegovernanceselfassessmentquestionnaire? 4.3 HaveallmembersoftheBoardofTrusteespassedfitandpropertests? 4.4 HaveallBoardmemberspassedthetestsrequired? 4.5 DoyouhaveacodeofconductforBoardmembers?

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

ANNEX2:GUIDANCEONRISKMANAGEMENTTAKINGFROMONSITEINSPECTION GUIDELINES5

Introduction TheobjectiveofundertakingtheonsiteinspectionworkistoimprovetheunderstandingbytheAuthority ofthelevelofrisksinherentintheparticularretirementbenefitsscheme,focusinginparticularonthose areasdeemedtobesignificant. Theonsitevisitwillprovideanopportunitytoclarifyanypointsarisingfromthepreliminaryoffsiterisk assessment and to gain a better understanding of the operation and management of the retirement benefitsscheme. ITSystems To assess whether the IT infrastructure, in place, is appropriate to meet the business needs of the retirementbenefitschemeunderonsiteinspection,theAuthorityshallconsiderthefollowing: ExtenttowhichITsupportsthecurrentuserrequirementsorrestrictsplannedinitiatives, ExtenttowhichITsystemshavebeenassessedintermsofthreatstotheconfidentiality,integrity andavailabilityofkeyinformation, AdequacyandviabilityoftheITstrategyfortheplannedinitiatives, Flexibilitytodealwithexternalevents

InternalControls The objective is to determine the adequacy of the internal control framework and to achieve this, the Authority will assess the decision making framework, the risk management framework, limits and standards, information technology, financial and management reporting, staff policies, segregation of responsibilities,auditandcompliancefunctions. The sophistication of internal controls will depend on the size of the retirement benefits scheme. The Authoritywillthereforeidentifythenatureoftheactivitiestobecontrolledbeforedeterminingwhether theprocesscontrolsinplaceareadequate. Decisionmakingframework Todeterminewhetherthedecisionmakingframeworkisappropriatewithdelegatedauthoritiesandclear accountability at all levels, the Authority will consider; the level of delegation, the adequacy of communication mechanism, means to prohibit individuals without authority from taking decisions or committingtheschemetoatransaction,andtheadequacyofdocumentation.

ThiscasestudyistakenfromtheKenyacountryreportpreparedfortheIOPSWorkingPaperNo.4(IOPS2007)

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Riskmanagementframework TheAuthoritywillassesstheadequacyofsystemsinplacetoidentify,measure,monitor,andcontrolrisk inanappropriateandtimelymanner.TheAuthority,inparticular,shallfocusontherisksassociatedwith theinvestmentsandthesolvencyofthesponsor. The risks that will be assessed shall include, but are not limited to: operational, credit, interest rate, liquidity, strategic, legal, and information technology. In assessing the risk management framework the Authority will consider; the risk identification responsibility, process and regularity; risk measurement policies;riskmonitoringmethodologies;riskcontrolmeasures,andlimitsandstandards Limitandstandards The Authority will focus on assessing the Board of Trustees and Administrators risk tolerance and the adequacyofmethodsusedtoconveythatrisktolerancetotheotherstakeholders.TheAuthoritywill,in particular, assess the experience, background and authority of individuals involved in setting limits; the policyandproceduralguidelines;andtheprocessesforsettingandchanginglimits. Informationtechnology The Authority will also assess whether controls over the IT infrastructure are appropriate. The Authority will consider the following when assessing the information technology; adequacy of IT resources, prioritization,planninganddevelopment;andadequacyofthebusinesscontinuationplan. Financialandmanagementreporting To evaluate the adequacy of the financial and management reporting, the Authority will consider the following: Adequacy,accuracyandtimelinessoffinancialandmanagementreporting, Abilitytoassessthequalityofassetsandmaintainaneffectivelevelofprovisioning, Effectivenessandefficiencyofdistribution,includinginformationsenttoBoardofTrustees Frequencyofbudgetpreparationandappropriatenessofbudgetingprocess,and Explanationofvariances

Staffpolicies In assessing the various staff policies, the Authority will consider the training initiatives to ensure compliancewiththeregulations. Auditandcompliancefunctions Inassessingtheauditandcompliancefunctionsandprocedures,theAuthorityshallconsiderthefollowing: Responsibilityandreportinglines,includingtheirindependence,

IOPS Toolkit for Risk-Based Pensions Supervision

Case Study Kenya

Adequacyofprocessesforaddressingexceptionsorrecommendationsonatimelybasis, Qualityandexperienceofinternalauditandcompliancemanagementandstaff,and Linksbetweenexternalaudit,internalaudit,andcompliance