Our enterprise-wide approach to risk management involves the board of directors, management and external partners.

The CPP Investment Board develops risk-management policies, procedures, guidelines and other internal controls for application by our professionals and external investment managers and other expert service providers. Our staff monitors compliance by external managers. The board approves all investment and risk-management policies and holds management accountable for complying with them.

Risk management is further supported by our code of conduct and conflict of interest procedures, defined roles and responsibilities, individual and collective performance accountability processes and timely disclosure and communication.

There are two facets to our risk profile. First, risk is an inherent part of investing and our legislated mandate explicitly directs us to manage risk as we deploy the CPP’s assets. Second, there is an array of organizational risks that we face as a business operation.

Our seven major risk categories:

1. Investment risk: We are responsible for prudently and cost-effectively earning capital market returns at a risk level that is consistent with the risk assumptions reflected in the 1997 CPP reforms. Within this risk framework we pursue performance-enhancing investment strategies that can be reasonably expected to increase the fund’s long-term risk-adjusted returns. Our risk/return accountability framework, which includes the CPP Reference Portfolio, provides an effective, robust and dynamic tool for monitoring and managing investment risk. It also ensures accountability for the return and risk of different levels of decision-making. We seek to control the overall level of systematic risk by broadly diversifying the portfolio across asset classes and geographies that have non-correlated investment characteristics. As we do this, particularly in asset classes such as real estate, private equity and infrastructure, we look through their traditional labels to assess the underlying risk of the individual investments.
   
   
2. Strategic risk: If business strategies are not developed, executed or monitored effectively, we may not be able to achieve our mission. To manage this risk, we work to have effective governance, organizational structure and leadership, and effective strategic and business planning processes. Those processes were recently subject to an extensive review.
   
   
3. Fiduciary risk: Any organization must consider the possibility that fiduciary responsibilities may not be respected or appropriately executed. To manage this risk effectively, we must have a clear understanding of roles, responsibilities and authorities at each level of the organization. In addition, through our code of conduct and conflict of interest procedures for directors and employees, we ensure that values and behavioural expectations are well understood and integrated throughout the organization.
   
   
4. Business environment risk: This is the risk of not continuously anticipating, monitoring, understanding and responding to changes in the business environment. To manage this risk we stay abreast of social, cultural, economic and political changes that can affect our ability to achieve our mission.
   
   
5. Legislative and regulatory risk: Actual or proposed changes to legislation and the risk of non-compliance with laws, rules, regulations, prescribed practices or ethical standards can undermine our ability to accomplish our mission. We have a compliance management system that tracks our legislative and regulatory obligations. It requires key individuals to acknowledge compliance with various requirements. The system is administered by our Law department, which reports to the audit committee each quarter.
   
   

6. Operational risk: The organization may suffer direct or indirect loss resulting from inadequate or failed internal processes, technology or human performance. To manage this risk, we have established appropriate controls for information processing, sufficient and appropriate reporting and safeguarding of assets, management of information technology and appropriate human resources systems and practices.

   Further, we are constantly assessing how we can institutionalize elements of our investment capabilities and processes in order to perpetuate them and how to avoid undue dependence on individuals or idiosyncratic investment methodologies, and still maintain the necessary agility and entrepreneurship essential to a successful investment organization.

7. Reputation risk: Internal or external factors could damage the organization’s reputation, image or credibility. Our Communications and Stakeholder Relations department ensures that clearly understandable communications are provided to stakeholders and the general public.

The board of directors is responsible for ensuring that management has identified the principal risks of the business and has established appropriate policies and internal controls. In turn, management is responsible for recommending policies to the board for its consideration and approval, establishing internal controls and procedures to effectively manage the risks of the organization and providing reports to the board and its committees. Internal auditors, in the course of executing their audit plans, also provide input to management and the board on the effectiveness of the organization’s risk management practices.

We continuously review, assess and manage our risk management concepts and other practices to ensure that risk is managed effectively. For example, the board of directors limits the maximum investment risk that management can assume. The board of directors likewise approves maximum allocations to various investment activities and asset classes. It also approves credit risk limits, while the president approves the amount of risk that can be taken relative to passive benchmarks (active risk). We also manage cash liquidity risk. Management presents to the board a quarterly report on our compliance with all risk limits, other constraints and the effectiveness of our risk management controls.