Risk management is a fundamental part of corporate governance, which has become central to modern regulation of most types of financial institution. This paper argues for risk management to be considered as a vital component of the governance of social security institutions and explores some of the features of a risk management structure and some of the risks to which a social security scheme is subject.

Risk is defined as the possibility of something going wrong which will have unfortunate consequences, will undermine the institution’s plans or will make it less likely that the institution’s objectives will be achieved. Effective risk management requires corporate objectives to be clearly articulated. The management of risk can then be seen as a fundamental element of governing the institution so as to achieve its objectives within an acceptable level of risk.

Risk management of a social security institution includes having in place adequate arrangements for audit and an Audit Committee or similar dedicated structure to monitor and manage both internal and external audit activities. Regular actuarial reviews of the financial situation also form an essential part of risk management.

There needs to be a formal process of identifying, quantifying and managing the risks of the organization. Generally this will best be carried out under the control of a Chief Risk Officer or some other senior official with clear responsibility and accountability for risk management. Once a comprehensive list of risks has been drawn up, risks should be allocated into categories according to whether they can be tolerated and managed, terminated, transferred or transformed.

Social security institutions are subject to some very long-term risks in respect of their liabilities, such as real earnings growth, structural changes in the economy, unemployment, disability, the future growth in the costs of health care and general improvements in longevity for the whole population. Some broad areas of risk for a social security institution are operational risk, liquidity risk, liability risk, economic risk, investment risk, catastrophe risk and political risk.

Each organization needs to develop its own processes for evaluating, monitoring and managing risk, but the process needs to be a formal, regular and ongoing one, supplemented by special studies and investigations into particular risk exposures from time to time. Consideration should be given to making public on a regular basis a summary of the risk evaluation and a report on the steps being taken to manage the risks.