risk management committee documents/board_meeting...the risk management committee of the board of...

Risk Management Committee

December 2016

TEACHER RETIREMENT SYSTEM OF TEXAS MEETING BOARD OF TRUSTEES

AND RISK MANAGEMENT COMMITTEE

(Committee Chair and Members: Ms. Charleston, Chair; Mr. Corpus; Mr. Elliott; Mr. Kelly; & Mr. Moss)

AGENDA

December 1, 2016 – 2:30 p.m.

TRS East Building, 5th Floor, Boardroom

1. Call roll of Committee members.

2. Consider the approval of the proposed minutes of the September 22, 2016 committee meeting – Chair Karen Charleston

3. Review the Enterprise Risk Management Report – Jay LeBlanc and Michelle Pagán

4. Cyber Security Overview – Chris Cutler and Frank Williams

NOTE: The Board of Trustees (Board) of the Teacher Retirement System of Texas will not consider or act upon any item before the Risk Management Committee (Committee) at this meeting of the Committee. This meeting is not a regular meeting of the Board. However, because the full Risk Management Committee constitutes a quorum of the Board, the meeting of the Committee is also being posted as a meeting of the Board out of an abundance of caution.

Minutes of the Risk Management Committee

September 23, 2016

The Risk Management Committee of the Board of Trustees of the Teacher Retirement System of Texas met on September 23, 2016, in the boardroom located on the fifth floor of the TRS East Building offices at 1000 Red River Street, Austin, Texas.

Committee Members present: Ms. Karen Charleston, Chair Mr. David Corpus Mr. John Elliott Mr. David Kelly Mr. Chris Moss Other Board Members present: Mr. Joe Colonnetta Ms. Anita Palmer Ms. Dolores Ramirez Others present: Brian Guthrie, TRS Dr. Keith Brown Ken Welch, TRS Philip Mullins, TSEU Carolina de Onis, TRS LeRoy DeHaven, TRTA Brit Harris, TRS Ted Melina Raab, Texas AFT Jerry Albright, TRS James Nield, TRS Jase Auby, TRS Heather Traeger, TRS Katherine Farrell, TRS Risk Management Committee Chair Ms. Charelston called the meeting to order at 3:00 p.m.

1. Call roll of Committee members.

Ms. Farrell called the roll. A quorum was present. Mr. Corpus arrived shortly after roll call was taken.

2. Consider the approval of the proposed minutes of the June 16, 2016 committee meeting – Committee Chair Ms. Charleston

On a motion by Mr. Kelly, seconded by Mr. Corpus, the proposed minutes for the June 16, 2016 Risk Management Committee meeting were approved as presented.

3. Review the Bi-Annual Risk Report – Jase Auby and James Nield

Mr. Auby stated his presentation will focus on the Trust’s Investment Risk Report. Mr. Auby noted the asset allocation is within the allowable overweight and underweight bands by policy. Mr. Auby reported the absolute risk measure which is value at risk (VaR), is currently at 6.8 percent. He said the relative risk measure, tracking error is 110 basis points, which is 37 percent of the maximum 300 basis points allowed. Mr. Auby stated that tracking error is also close to the neutral of 100 basis points. Mr. Auby reported the various measures monitored according to policy are all within their historical norms. And finally, he said the Trust liquidity, counterparty exposures, counterparty ratings as well as the derivatives exposures are all in compliance. Mr. Auby reported a theme for the risk report is that the Trust was not taking a lot of risk at this point in time, relative to its benchmark. Mr. Auby explained that the reason very much was Brexit. Going into the uncertainty of Brexit, the collective decision making of all of our asset managers and ourselves resulted in a relatively muted risk taking. Brexit occurred on June 23rd, and the report is dated as of June 30th. Mr. Nield discussed the Trust leverage. Mr. Nield reported as of the end of the second quarter, TRS investment exposures are in compliance with policy. TRS was overweight stable value and risk parity and underweight global equity and real return. Mr. Nield stated the value at risk, tracking error, leverage, liquidity and derivatives usage are all within policy and their historical norms. Without further discussion, the meeting adjourned at 3:20 p.m. Approved by the Risk Management Committee of the Board of Trustees of the Teacher Retirement System of Texas on December 1, 2016.

______________________________ _________________

Katherine H. Farrell Date Secretary of the TRS Board of Trustees

Enterprise Risk Management Report

Jay LeBlanc & Michelle Pagán

Teacher Retirement System of Texas Stoplight Report – December 2016

403(b) Accounting & Reporting

Budget Business Continuity Communications & External Relations

Credit Customer Service Cyber Security Employer Reporting Ethics & Fraud Prevention

Facilities Management & Planning

Global Initiatives Governmental/ Association Relations &

Legislation

Health Care Plans Administration

Information Security & Confidentiality

Investment Accounting

Investment Operations Legacy Information Systems

Liquidity/Leverage Market

Open Government Pension Benefit Administration

Pension Funding Procurement & Contracts

Records Management

Regulatory, Compliance & Litigation

Talent Continuity TEAM Program TRS-ActiveCare Affordability

TRS-Care Funding

STOPLIGHT RISK LEVEL (Threat to Achieving TRS Goals & Objectives) EXPECTED RISK LEVEL TREND

(NEXT 12-24 MONTHS)

HIGH ELEVATED CAUTION GUARDED LOW

INCREASE DECREASE REMAIN CONSTANT

1

Stoplight Report Changes

Stoplight Report Changes

Risk Level Color/Trending Changes June 2016 December 2016 403(b)

Employer Reporting


Pension Funding

TEAM Program

Teacher Retirement System of Texas ERM Update

2

Impa

ct

5

Major

Risk Category (Risk Score) 1. 403(b) (3,2) 2. Accounting & Reporting (3,2) 3. Budget (3,2) 4. Business Continuity (4,2) 5. Communications & External Relations (3,2) 6. Credit (4,2) 7. Customer Service (3,2) 8. Cyber Security (4,3) 9. Employer Reporting (4,4) 10. Ethics & Fraud Prevention (4,2) 11. Facilities Management & Planning (3,2) 12. Governmental/Association Relations & Legislation (4,1) 13. Global Initiatives (4,2) 14. Health Care Plans Administration (3,3) 15. Information Security & Confidentiality (4,3) 16. Investment Accounting (4,2) 17. Investment Operations (4,1) 18. Legacy Information Systems (3,3) 19. Liquidity/Leverage (3,1) 20. Market (3,1) 21. Open Government (3,2) 22. Pension Benefit Administration (3,2) 23. Pension Funding (4,3) 24. Procurement & Contracts (3,2) 25. Records Management (4,4) 26. Regulatory, Compliance, & Litigation (4,2) 27. Talent Continuity (4,2) 28. TEAM Program (4,3) 29. TRS-ActiveCare Affordability (4,4) 30. TRS-Care Funding (4,5)

4 Significant

3 Moderate

2 Minor

1 Not

Significant

1 Not Likely

2 Slight

3 Probable

4 Highly Likely

5 Expected

Likelihood

Teacher Retirement System of Texas Risk Heat Map – December 2016

13 12

6 9

15

26 23

25 29

8

27

16

3

4

10 17

28

30

22 1

20

5

11 14 19

2

7 21

24

18

3

3

Risk Category 6/2015 11/2015 6/2016 12/2016 Risk Category 6/2015 11/2015 6/2016 12/2016 403(b) Investment Accounting

Accounting & Reporting Investment Operations

Budget Legacy Information Systems

Business Continuity Liquidity/Leverage

Communications & External Relations

Market

Credit Open Government

Customer Service Pension Benefit Administration

Cyber Security Pension Funding

Employer Reporting Procurement & Contracts

Ethics & Fraud Prevention Records Management



Global Initiatives Talent Continuity

Governmental/Association Relations & Legislation

TEAM Program


TRS-ActiveCare Affordability


TRS-Care Funding

Teacher Retirement System of Texas Risk Level & Trend Summary

4

Risk Profile Updates

Changes made to: Goal/Risk Description

Risk Score

Risk Level/ Trend

Comments Risk Level Trend

403(b) Business Continuity Credit Employer Reporting Ethics & Fraud Prevention Facilities Management & Planning Health Care Plans Administration Information Security & Confidentiality Legacy Information Systems Open Government Pension Funding Regulatory, Compliance & Litigation TEAM Program

Teacher Retirement System of Texas ERM Update – December 2016

5

Teacher Retirement System of Texas Risk Profiles – December 2016

Risk Category Risk Owner Goal Overall Risk Risk Score

Risk Level & Trend

Comments Risk Level Trending

403(b) Rebecca Merrill

Maintain list of both qualified companies and products which meet requirements of law and TRS rule. Adopt fee caps to help ensure fees paid by members are competitive.

Public education employees purchase non-qualified products and/or products from non-qualified companies.

3,2

While the 403(b) program is important to help ensure that members invest with certified companies, it is not a core part of TRS’ mission. If the 403(b) program were to experience problems, TRS’ core functions of delivering benefits and providing access to health care would continue without interruption. TRS has new mitigations in place such as a review of the 403(b) program rules and contracting with a consultant for advice on improvements to the program. The impact and likelihood of a 403(b) program failure seem low; however, as a result of the latest risk assessment, the risk level is guarded.

Legislation impacting the 403(b) program is possible during the 2017 legislative session; however, it is more likely in the 2019 legislative session when TRS is under Sunset Review. New mitigations such as the rule review are planned for fiscal year 2017. While the profile of the 403(b) program is expected to rise during the rule review, the overall risk should trend downward because TRS is entering into a comprehensive review of the program to better understand the complexity of the market and the appropriateness of fee caps.

Accounting & Reporting

Don Green Maintain and monitor the integrity, accuracy, and completeness of financial information and timeliness of reporting.

Materially inaccurate financial information and reports would result in Board of Trustees and Texas Legislature decisions being made on flawed data and adverse or qualified audit opinions.

3,2 Although there are challenges ahead in the implementation of new systems and new accounting pronouncements, there should be adequate and knowledgeable staff to accomplish the tasks.

It is anticipated that staffing levels and experience will remain relatively constant. Any challenges initiated by the implementation of the TEAM Program (TEAM) will be mitigated by sound accounting and reporting processes and procedures.

*Light purple shading indicates risk category had a risk assessment this reporting period.

6



Risk Level & Trend


Budget Don Green Ensure TRS has appropriate budget to provide and sustain resources necessary to successfully carry out TRS’ mission, goals, and objectives to serve our members.

Lack of a sufficient operating budget could jeopardize our ability to effectively serve our members.

3,2 The agency’s operating budget is driven by staffing, membership growth, trust fund balance, and other workload drivers. The agency’s strong organizational governance plays a crucial role in meeting these challenges.

Any risk drivers in the ability to sustain an appropriate budget and available resources are mitigated by a strong strategic planning process and working closely with all divisions to identify funding to achieve goals and objectives in accordance with state statute.

Business Continuity

Rebecca Merrill

Recover and resume operations in the event of a major business interruption.

Members do not receive statutorily required services timely.

4,2 Due to our current co-location environment as well as our preparedness and testing activities, the risk level is guarded.

Over the next 12-24 months the risk level is not expected to change. Until TEAM is fully implemented, the recovery process for older technologies may continue to be a challenge.

Communications & External Relations

Howard Goldman

Maintain effective communication and positive relations with members, retirees, employers, TRS employees, news media, and the public.

Poor communication could lead to confusion resulting in increased calls to TRS, poor or inappropriate decision-making regarding TRS benefits, and incorrect information provided to external parties.

3,2 Due to existing procedures and routine interaction with other departments when responding to media requests, preparing articles for publications and developing information for social media channels and our website, the overall risk level is controlled.

No substantive changes have occurred in the processes and policies followed to warrant an increase or decrease in risk levels.

Credit Jase Auby Maintain effective management of counterparty and securities lending risks.

Unmanaged counterparty and securities lending exposures could result in losses to the investment portfolio.

4,2 All counterparties currently meet required credit ratings; securities lending exposures are well managed and within guidelines.

All counterparty credit ratings are A3/A- or higher by at least one credit agency. Mitigations have effectively identified and responded to the worsening of a swap counterparty’s credit rating. The risk to the Trust is minimal. Other credit ratings are expected to remain stable.

Customer Service Barbie Pearson

Deliver superior service to members and internal/external customers.

Inadequate customer service could result in dissatisfied members or customers and could lead to increased scrutiny and oversight.

3,2 High quality customer service is provided by Benefit Services departments based on internal and external feedback. Overall, telephone customer service measures are meeting and routinely exceeding expectations. The addition of Benefit Accounting increases the number and type of customers served. Tools currently used to measure the quality of service and

Expect increased risk as TEAM requires more subject matter expert involvement while phases are implemented. The implementation of TRUST Phase 1 will increase the need for consistent and managed communication with reporting entities and members. Recent audit findings for reporting entities have unearthed reporting errors that may

7



Risk Level & Trend


customer satisfaction of reporting entities will need to be reviewed and enhanced to ensure we are delivering superior service to these customers.

be increased in volume with full payroll reporting requirements. We expect to see a trend in employment after retirement issues and eligibility determinations resulting in increasing demands for customer service.

Cyber Security Chris Cutler To prevent malicious attacks and unauthorized access of TRS information resources.

Ineffective cyber threat controls could lead to breaches or sabotage of TRS systems.

4,3 TRS’ cautious level reflects the global significance of increased hacking, virus or other malicious activity which compromise systems or diminishes service. Staying informed of the latest tactics and techniques to mitigate these disruptions is key to a sustainable business continuity level for TRS.

Due to the adversarial advances in cyber-criminal activity, as well as the continual defense adjustments being made to account for the inevitability of these attacks against TRS, the trending for this risk category is expected to remain the same for the foreseeable future.

Employer Reporting

Barbie Pearson

Accurately capture and utilize employer reported data to project and calculate future benefits of TRS members and to properly allocate the total pension liability across districts.

• Incorrect reporting could lead to calculated benefits being inaccurate.

• Improperly allocating actuarial liability across districts.

4,4 Current system limitations present challenges to data analysis and verification controls. Risk level has increased due to recent GASB pronouncements requiring greater controls around district data and reports.

The new TEAM LOB system is expected to address most of the risks and challenges surrounding collecting, analyzing and verifying district data. However, the system will not be implemented until at least fiscal year 2018; therefore, the risk will continue to trend up. TRS staff will complete Employer Certification in December 2016. As of October 28, 2016 we have 1,073 Reporting Entities (REs) that have started the certification process and, of those, 564 have completed their certification and 509 are in progress. There are 265 REs that have not yet started the certification process.

Ethics & Fraud Prevention

Brian Guthrie Maintain a culture that upholds ethical behavior and values that contribute and promote the fiduciary duties of prudence and loyalty, and reduces fraud risks.

A lack of ethics could undermine the duties of prudence and loyalty and create fraud risks resulting in loss of assets, credibility, and business opportunities, adverse publicity, violations of law, and

4,2 While the impact of an ethical breach or instance of fraud could be high, the likelihood of a significant event is relatively low. Currently, TRS has a number of mitigations in place such as educating individuals upon hire and annually on the fraud, waste, and abuse policy, the TRS ethics policies, the personal trading policy, and the fraud

The risk of a fraud or ethical breach is trending neither up nor down. TRS continues to maintain mitigations that help prevent incidences of fraud or an ethical breach. This holds the trend line constant.

8



Risk Level & Trend


increased scrutiny and oversight.

and ethics reporting hotline. TRS also emphasizes Ethics in its Core Values. These types of mitigations, along with TRS’ background check policy and annual ethics certifications, operate together to create a guarded risk for a fraud or ethics breach.

In addition, TRS currently is further evaluating the factors that underlie ethics and fraud prevention at TRS.


Don Green Provide a physical work environment that is safe and enhances productivity.

Inadequate facilities management or ineffective space utilization could result in less than desirable conditions for TRS members, visitors, and staff and could jeopardize our ability to continue providing an exemplary level of service to our members.

3,2 An evolving organization with rapidly changing needs for the amount and type of space required can experience negative impacts on service levels and/or moderate business disruptions.

TRS has engaged GSC Architects to assist with space planning and design. With their assistance, we have completed redesign of the fourth and fifth floors of the east building and are working on the second floor of the west building. We have engaged Studio 8 architects for space planning and design on the first, second, and third floors of the east building.

Global Initiatives Ken Welch Ensure employee safety by complying with laws and regulations and providing awareness of challenges when traveling abroad.

Not being aware of safety, compliance, and other challenges when traveling abroad could jeopardize the safety of our employees.

4,2 Global initiatives introduce challenges with foreign travel and our ability to effectively respond to events in foreign locations. Due to current travel coordination and guidance, the risk is guarded.

Over the next 12-24 months the risk level is not expected to change. Ongoing mitigations and future action plans are being pursued to keep the overall risk low for those events that are within TRS’ control.

Governmental/ Association Relations & Legislation

Ray Spivey Maintain effective communications and positive relations with the Legislature, associations, and other public parties.

Poor communications could lead to adverse relations, unfavorable legislation, and restricted funding.

4,1 Our relationship with the legislature is constantly improving and communication has been effective. Our relationship with the public also appears to be positive.

No major issues are expected over the next 12-24 months.


Katrina Daniel

Administer retiree and active member health care programs that are valued by enrollees.

Inadequate administration of the health care programs could possibly affect the health of those who depend on the delivery of TRS health care benefits which would in

3,3 Much of the administration of the programs is outsourced. Contract monitoring and controls mitigate this risk.

The risk level of this category has been elevated to caution, but the trend is expected to decrease over time as HIB builds internal bench strength for contract oversight.

9



Risk Level & Trend


turn increase health care costs.


Chris Cutler Ken Welch

Maintain the integrity, availability, and protection in the storage, use, and transfer of TRS information resources (in any form or medium).

Unauthorized or unintentional release/access of TRS confidential information could result in state or federal law violations, sanctions against TRS or its employees, and harm the best interests of TRS.

4,3 Depending on the scope of an unauthorized or unintentional release of confidential data, this could have a high impact on TRS. With the existing mitigation strategies in place and new strategies being implemented by the newly formed Information Security Department and Enterprise Security Team the likelihood is fairly low; however, due to the broad landscape of cyber threats and nature of information security, we remain aware that this risk is likely to occur.

Trending for this risk category is trending up. This trend reflects the current state, complexity and volume of security attacks worldwide. TRS continues to strengthen focus and organization around information security and the information security program. Positive progress continues to be made in how we identify, classify, and transmit our data as well as how we monitor and defend our online perimeters. With the global state of cybersecurity, we should not get comfortable in assuming we have enough security or mitigating strategies in place.

Investment Accounting

Don Green • Ensure all TRS Investments are properly and completely accounted for

• Ensure investments are valued correctly

• Ensure investment fees are accurately reported and disclosed

• Ensure cash flows into and out of the Fund are complete and properly controlled

• Accurately calculate performance incentive pay (PIP)

TRS investments are not properly accounted for, valued correctly or properly reported, and investment-related cash is not properly controlled.

4,2 The system’s custodian maintains the official investment book of record. Funds are sent and received by custodian bank. Department monitoring and oversight control mitigate the risks for this category.

Statement No. 72 of the Governmental Accounting Standards Board (GASB): Fair Value Measurement and Application becomes effective with the FY 2016 CAFR. The pronouncement puts additional control and reporting requirements surrounding the verification of investment fair value on TRS and Investment Accounting and increased the risk of non-compliance or an adverse audit opinion.

10



Risk Level & Trend


Inve

stm

ent O

pera

tions

Public Market Operations

Sylvia Bell Maintain the integrity of the transaction settlement and position information for optimal investment management decisions.

Inefficient or ineffective transaction settlement or position management process could result in losses to the fund.

4,1 Though these processes are operationally complex, compensating controls make this risk very unlikely. Therefore, the threat to TRS not achieving its investment goals and objectives is low.

IMD performs daily and monthly reconciliations of trade and positions and NAVs via TRS custodian systems. Results are provided to IMD profit centers on a daily and monthly basis. TRS-custody bank relationship is managed through customized Service Level Agreement with key performance indicators.

Private Market Operations

Sylvia Bell Maintain integrity of the transaction settlement and position information for optimal investment management decisions.

Inefficient or ineffective transaction settlement or position management process could result in losses to the fund.

4,1 Though these processes are operationally complex, compensating controls make this risk very unlikely. Therefore, the threat to TRS not achieving its investment goals and objectives is low.

IMD performs monthly and quarterly reconciliations of trade and positions and NAVs via TRS custodian systems. Results are provided to IMD profit centers on a monthly and quarterly basis. TRS-custody bank relationship is managed through customized Service Level Agreement with key performance indicators.

Performance Reporting

Sylvia Bell • Maintain the integrity of investment information - reporting and disclosure, accuracy, completeness and valuation.

• Develop and disseminate customized investment reporting for both management and governance to enhance making better strategic and tactical investment decisions.

Performance reports contain material inaccuracies.

4,1 Though communication of inaccurate information, to both internal and external parties, could result in a threat to TRS investment decisions, compensating controls make this risk very unlikely, indicating that the risk is low.

IMD performs daily, weekly and quarterly reconciliations of investment returns. Investment results are presented to the IMD management committee for review and validation. Third-party calculation and pricing is performed by TRS custodian bank. TRS-custody bank relationship is managed through customized Service Level Agreement with key performance indicators.

Legacy Information Systems

Chris Cutler Provide information systems to meet TRS' business and customer service needs.

Inability to provide adequate and consistent information in a timely fashion via the

3,3 It is complicated for our legacy systems to provide robust, online self-service applications for our members. So there is a moderate impact that the preferred

The legacy systems are still working well and are stable. The functionality that they provide has not and will not diminish in the near future.

11



Risk Level & Trend


preferred delivery mechanism.

delivery mechanism may not be available when desired. The risk is likely because we know that some of our membership would like to do all their business with us online and that desire will only grow over time.

There are some web self-service applications for members and retirees to use, however some functionality will be reduced during the transition to TRUST. The risk trend for this category has increased during this review cycle due to the new extended schedule needed to support the TEAM Program which will require our legacy systems to be needed longer than we initially expected.

Liquidity/Leverage Jase Auby Maintain levels of liquidity appropriate for the support of fund disbursements, anticipated investment funding needs and trust level leverage.

Inadequate liquidity could lead to cash shortfalls.

3,1 Trust is highly liquid and minimally levered.

Trust’s use of liquidity and leverage is monitored daily and is projected to remain stable.

Market Jase Auby Maintain market risk exposures consistent with investment objectives.

Too little or too much exposure to market risk could each lead to undesirable investment outcomes.

3,1 Investment policy asset allocation ranges limit absolute market risk (VaR) appropriately; relative risk (tracking error) is budgeted by IMD.

Limits remain appropriate and risk is well within min/max range.

Open Government Carolina de Onís

Ensure compliance with laws and rules related to open records and meetings.

Non-compliance could lead to penalties and fines or voiding of board actions.

3,2 The number, complexity, sensitivity, and amount of information sought by investment-related open records requests creates precarious challenges for staff in complying with open records laws requiring disclosure and confidentiality laws requiring withholding of information.

Hired new open records specialist who has broad experience handling open records requests and working on a variety of state government matters. Preparation of Board meeting agendas and materials has been consolidated under the Executive Director in the Strategic Initiatives Division, which frequently consults with Legal regarding language for board agendas and other open meetings issues.

Pension Benefit Administration

Barbie Pearson

Accurate delivery of benefits to TRS members, retirees and beneficiaries, including systems monitoring

Ineffective delivery of benefits could lead to inaccurate information, inaccurate benefits/ payments, dissatisfied

3,2 Current controls and monitoring assure accurate delivery of benefits. Accuracy and timeliness of benefit delivery meets or exceeds expectations as evidenced through audits and performance metrics.

Expect trend to increase if major legislative changes are passed, a larger than usual number of members retire, and/or TEAM requires more subject matter expert

12



Risk Level & Trend


and controls related to accurate calculations and benefit payments to others.

members, retirees, or beneficiaries, and loss of credibility, adverse public perception, increased scrutiny, and oversight.

Implementation of TRUST Phase 1 will result in changes for reporting entities and how some services are delivered. Multiple departments will also have competing priorities with testing and participating in requirements gathering activities.

involvement than anticipated. The implementation of TRUST Phase 1 will increase the need for consistent and managed communication with reporting entities and members. Recent audit findings for entities have unearthed reporting errors that may increase in volume with full payroll reporting requirements. We expect to see a trend in employment after retirement issues and eligibility determinations resulting in increasing demands for customer service.

Pension Funding Brian Guthrie Sustain a financially sound pension trust fund.

A lack of sound funding for the plan could lead to insufficient assets to pay for long-term benefits and financial obligations.

4,3 While the impact of a loss of pension funding would be significant, the likelihood of such an event is moderate. The FY 2015 Actuarial Valuation determined the fund had a funding period of 33 years, which does not meet the standard for actuarial soundness. Additionally, the fund is deferring about $4 billion in investment losses that – absent an offsetting gain – will be recognized over the next 5 years. The uptick in funding period, however, was expected given the ramp up in contributions to the ultimate contribution rate in FY 2017. The plan continues to remain on track to achieve full funding over the long term. Achieving full funding depends on the investment assumption being met, the current contribution levels continuing indefinitely, and any benefit enhancements receiving appropriate and timely funding. Finally, there continues to be parties interested in changing the plan’s funding and defined benefit status. Therefore, the risk level is caution.

Currently, the risk of a fiscally unsound pension fund is remaining constant. With the most recent experience study, the Board adjusted assumptions for mortality, interest rates, and pay growth. The result is a higher UAAL and funding period. However, the increases were moderate; therefore, the risk of a fiscally unsound pension fund is not expected to increase or decrease.

13



Risk Level & Trend


Procurement & Contracts

Don Green Maintain effective procurement and contract management systems.

Inappropriate procurement practices could result in purchases of sub-standard products and services, unfavorable pricing or contract terms, and violation of laws. Ineffective contract monitoring could result in contractors not fulfilling their contractual obligations.

3,2 Impact is listed at 3 (moderate) because in the event the overall risk were to occur, it could have a fairly significant impact to TRS ranging from appearance issues, violation of statute, or by not spending TRS funds in a responsible manner (pay too much, contractors not fulfilling obligations, project failures, etc.). Likelihood is listed at 2 (slight) because TRS has good processes and procedures in place, however our contract monitoring system is not adequate. We are unable to determine contract values, monitor deliverables, and report. We must report procurement activities regularly and we are subject to audit by multiple audit entities, both internal and external.

Current contract monitoring and reporting will continue to be inadequate until a contract monitoring system can be developed or procured. The trending will remain stable until this issue is addressed.

Records Management

Don Green Manage the creation, use, maintenance, retention, preservation, and destruction of records to improve efficiency of recordkeeping, ensure access to public information, and reduce cost.

An ineffective records management program could result in loss or accidental release of records, loss of credibility, delays in accessing/destroying records, and increased scrutiny and oversight.

4,4 There is a high growth rate in the volume of e-records. We have silos of files where the retention and disposition is managed manually by individual staff. Due to recent audit findings and succession planning issues, the risk level has been increased to “Elevated” from “Caution.”

The risk level will remain elevated over the next 12-24 months. Activities to mitigate the risk include the following: 1. Realignment was done in June

2015 to the Chief Administrative Officer.

2. An Awareness Campaign is planned to give a higher profile to Records Management in the organization.

3. Department assessments to review where each work team stores their electronic records.

4. Standardized records repositories in SharePoint for short and medium-term retention records, and FileNet for long-term retention records.

5. Increased staffing in Records to handle the projects and for succession planning.

14



Risk Level & Trend


6. Create a cross-functional group to review Records Management policy, and program scope; to coordinate records across the agency.

7. A certification process on exiting employees and contractors.

8. Different levels of training are planned to aid in understanding the importance of records management.


Carolina de Onís

• Adhere to and analyze current laws, rules, and policies (e.g., maintain tax qualification status).

• Render competent advice on legal risk management and awareness, manage litigation risks, and negotiate contracts to address risks.

Non-compliance with laws and rules could lead to penalties, fines, liability and litigation; impaired ability to conduct business; burdensome oversight; third-party investigations/audits; adverse legislation; increased scrutiny; or loss of tax qualification status.

4,2 Changes in regulatory environment (Dodd-Frank, BASEL III) and changes in TRS laws (open government, retirement age, health plans, etc.).

Hired an additional compliance employee to assist the Chief Compliance Officer with regulatory compliance matters; consulting frequently with outside counsel; board policies on procurement and litigation adopted; legal hold policy adopted; additional legal staff assigned to work with new procurement and contracting staff with extensive experience in administering state procurements and contracts; new or updated contract administration procedures being issued by new Procurement & Contracts Manager; updating contract administration manual; enhancing compliance software systems; received IRS tax-qualification determination; monitoring proposed IRS regulations; onboarding new pension benefits attorneys; completed statutory four-year rule review; new investment attorneys have been trained; and retaining existing expertise.

Talent Continuity Janet Bray Attract, retain and develop a highly competent staff.

The delivery of member services and pension fund management could be negatively impacted

4,2 Maintaining a qualified, competent workforce is important for TRS to achieve its goals and objectives. Turnover in the workforce is inevitable, and the loss of

We anticipate overall workforce continuity risks decreasing over the next 12-24 months due to various Human Resources (HR) initiatives.

15



Risk Level & Trend


by turnover, the inability to retain qualified staff, lack of a sufficient knowledge transfer program, and an inconsistent performance management process.

staff may create some delays or reductions in meeting strategic or operational objectives. However, these potential risks are not critical enough to stop TRS from meeting goals or terminate business services. As a result, the overall workforce continuity risk level color is set at Guarded (Blue) because of minimal threats to achieving TRS goals and objectives.

These include implementing new HR technologies; updating all agency job descriptions; identifying core competencies, knowledge, skills and abilities for positions; addressing gaps in those attributes through increased learning and development opportunities; and resolving staffing needs through workforce planning, succession planning and the realignment of job functions as necessary.

TEAM Program Ken Welch Implement cost effective, efficient, and sustainable processes and systems that enable TRS to serve its members, employers, and annuitants.

System design, implementation and functionality of the new processes and systems do not meet the growing demands of TRS in service of its members. Program/ project implementation schedule and cost exceeds original estimates.

4,3 The Impact rating remained at 4. The Likelihood rating was reduced to a 3. This puts the average risk score at a 12.0 versus a 16.0 on the last report. This reflects a lower risk level, thus the risk level has been set to a “Caution” (Yellow) level. The lower risk level can be attributed to process improvements being made to the TEAM Program. These include an overhaul of the TEAM Program Risk Management process, where all risks reported to the ROC are being actively managed; applying lessons learned gathered throughout the TEAM Program and applying them to future work; and the establishing of a new TEAM Program schedule that all parties have agreed is obtainable given the current scope.

With the major changes to the TEAM Program Risk Management process all risks were reassessed and rescored to establish a new baseline going forward. Overall 9 risks were closed and 16 were added. The 16 added as well as the 8 that remained are all of the TEAM risks that are being actively managed. The overall average risk score trend remained constant even with the numerous risk closures, additions and rescoring.

TRS-ActiveCare Affordability

Katrina Daniel

Facilitate financial soundness of TRS-ActiveCare in order to provide affordable health care benefits.

Inadequate funding by the state and participating entities and/or unanticipated external forces could affect affordability.

4,4 Given the static state and district contributions and rising healthcare costs, the risk level remains elevated. Inadequate funding would jeopardize the fund’s ability to provide public school employees with affordable health care.

District and State minimum contribution requirements to the fund have been static since the inception of the plan, while overall healthcare continues to rise. A Joint Interim Committee is reviewing funding and plan design options related to affordability prior to the 2017 legislative session.

16



Risk Level & Trend


TRS-Care Funding Katrina Daniel

Facilitate long-term soundness of TRS-Care in order to provide sustainable retiree health care benefits.

Inadequate funding and/or unanticipated external forces would affect solvency of the program over the current biennium and future years, requiring significant premium increases or benefit reductions.

4,5 The fund is projected to be depleted in the 2016-2017 biennium. The risk level has been elevated to high. Inadequate funding would jeopardize retirees having access to sustainable health care.

The fund is projected to decline each year and become insolvent. House Bill 2 provided supplemental funding for the 2016-2017 biennium. A Joint Interim Committee is reviewing funding and plan design options to improve the solvency of the plan prior to the 2017 legislative session.

17

Risk Assessments

Updated risk assessments

403(b) Accounting & Reporting Budget Credit Cyber Security Employer Reporting Global Initiatives Health Care Plans Administration

Information Security & Confidentiality Legacy Information Systems Liquidity/Leverage Market Pension Funding TEAM Program TRS-ActiveCare Affordability TRS-Care Funding

Teacher Retirement System of Texas ERM Update – December 2016

18

Summary for this Reporting Period

16 Stoplight Report risk assessments completed 2 New Risk Categories (Cyber Security and Global Initiatives)

2 Risk Categories increased their risk levels High Risk Area TRS-Care Funding

Elevated Risk Areas Employer Reporting Records Management TRS-ActiveCare Affordability

Action items to further mitigate higher risks are detailed in the Appendix

ERM Activities for June 2017

Risk Assessments Stoplight Report Ad-hoc Requests

Strategic Planning

Teacher Retirement System of Texas ERM Update – Conclusion

19

PRESENTATION TITLE >>> NAME FEB-09-15

Cybersecurity – An OverviewTRS Risk Committee Meeting – December 2016

Fear, Uncertainty and Doubt

Records Exposed! Exposed records in 2016 on track to exceed 2015 by 56% or over 1 billion total records...

Phishing Scam!An email phishing scam compromised the records of 13,000 patients at Baystate Health in Springfield Mass...

Major Website & Services BreachedMultiple waves of DDoS attacks hit the East Coast on October 21st, rendering many commercial website and services unavailable...

DC Plans Face Threat to Crucial Data

The Chicago Deferred Compensation Plan...$2.6 million taken through unapproved loans from 58 stolen member accounts...

- Breach Level Index

- CNBC

- Pensions & Investments- Report on Patient Privacy

Reality: Fear, Uncertainty and Doubt

49% of all security breaches take place in Public Administration, Finance & Health Care

1,103+ security breaches – 795 in Public, 193 in Finance & 115 in Health Care in 2015

48,771 reported incidences in 2015.

That's a rate of just over 3 security breaches per day!

October 2016: Chicago Deferred Compensation Plan, a $3.6 billion 457(b) plan, in June had $2.6 million taken through unapproved loans from 58 participant accounts accessed with stolen participant identification.

February 29, 2016: The Internal Revenue Service (IRS) announced that the data breach they uncovered in May 2015 was much larger than initially believed. In May, the IRS said over 100,000 American taxpayers had their personal information compromised when the agency’s “Get Transcript” system was hacked. However, in February 2016, those numbers have increased to over 700,000.

January 2015: Anthem lost 80 million patient and employee records including exposing names, dates of birth, Social Security numbers, email addresses, employment information and income data.

Source: Verizon - 2016 Data Breach Investigations Report / Identity Force.com

Threat Vectors for TRS

TRS Risk

Risk

Loss of Confidence

Reputation Damage

Business Disruption

Financial Loss

Litigation

Compliance (HIPAA, HITECH,

TAC 202)

What Is Appropriate Risk?

Lower RiskHigher CostHigher Maturity

There is no such thing as "perfect protection"

Less complex business,less of a target

Growing business, morecustomers and complexity

Larger, more complexbusiness, more of a target

Higher RiskLower Cost

Lower Maturity

Business Model

As TRS expands it’s self-service and online options, we have to continually reassess how much risk is appropriate.

Our goal is to build a sustainable program that balances the need to protect our systems against the service needs of our members,

business partners and stakeholders.

ValueAdded

ValueAdded

ValueAdded

ValueAdded

ValueAdded

Benefits

InvestmentManagement

Economic Impact

Pension

Health Care

Investments

Research

DataQuality

DataPrivacy

DataIntegrity

Data: Privacy, Quality, Integrity

Why Security Matters to TRSAddressing IT and information security risks supports the

achievement of desired outcomes.

ValueAdded

Members

Staff

Information Security Management

Security Architecture

A Layered System of Security ControlsFoundation Controls• Perimeter (network security):

– Firewalls – Intrusion prevention

• Access controls:– User provisioning (role-based)– Access management (two-factor)

• Vulnerability management:– Patching (45-day cycle)– Incident response

• Security awareness:– Training (annual)– Policy

• Organization:– Staff (roles)– Skills (certifications)

• Compliance:– Audit– Requirements management– E-discovery

Good Controls Formal process:

– Measurable– Repeatable

Detection and Response:– Log analysis– User behavior (access logs)– Virtual machine scanning – Data loss prevention

Risk assessment:– IT risk (applications and projects)– Facility risk assessment– Automation

Governance:– Governance committees– Change management– Identity access governance

Advanced/Nice to Have Business alignment:

– Integrate controls with business process Key risk indicator mapping:

– Leading indicators of risk that influence business decision making

Behavior shaping:– Reduce technical controls

Ethical hacking Risk management:

– Enterprise risk– Accountability– Scenario risk assessment

Key: Deployed (green)Gap (orange)Opportunity (blue)

• Our partnering strategy:– Support the security of initiatives to enable partnering

• Human behavioral cultural adjustments:– Awareness training through simulations and seminars

• Business productivity (through IT):– For cloud, mobility and social media, determine whether to accelerate or

brake• Compliance:

– Ensure compliance with HIPAA and HITECH (HHS enforcement program)

TRS Initiatives

• Improve detection and response capabilities through faster in-house monitoring of logs.

• Shore up the possibilities of data ex-filtration transmissions with technologies that understand internal networks.

• Implement policies and procedures specifically centered around our health care status as a covered entity.

• Continue to build IT security for TRS around an industry standard framework.

Next Steps

Summary

• You don’t control the threat, but you do control the organization's readiness.

• Your readiness is good, but beware of a false sense of security.

• There is no such thing as perfect protection. – You are seeking a balance between protection and achieving the

desired outcomes of the organization.

• Understand the connection between IT dependency and critical business processes to guide prioritization, investment and defensibility.

APPENDIX

Risk Report Details

403(b) RISK REPORT

RISK OWNER RISK LEVEL/TREND REPORTING DATE

Rebecca Merrill December 2016

GOAL OVERALL RISK OBJECTIVES Maintain list of both qualified companies and products which meet requirements of law and TRS rule. Adopt fee caps to help ensure fees paid by members are competitive.

Public education employees purchase non-qualified products and/or products from non-qualified companies.

Set fee caps for 403(b) products offered to school district employees.

Ensure that salespeople are properly licensed by their respective governing authority.

Receive and process company certifications and product registrations.

SUMMARY Six risk events have been identified for this risk category. One risk regarding the failure to ensure fee caps are competitive/in line with the market place is an elevated risk and mitigations are in progress to reduce the likelihood of the risk. In addition, management is pursuing mitigations to further reduce the likelihood of the other risks. One notable activity since the last report, the 403(b) website content for active members was improved.

RISK EVENTS

Risk Description Mitigations

A. Failing to educate employers, members and vendors about the 403(b) program

Improved website content for active members TRS Update Research market place Answer questions from stakeholders Contacted charter school association for

participation in training sessions

Inform member of complaint option where appropriate

TRS will communicate issue and resolution where appropriate

Continue to enhance current website as needed

B. TRS fails to maintain an updated and accurate list of both certified companies and registered products

Reviewing submissions Maintain certification/product registration

expiration spreadsheet

Update information Answer questions from companies

TRS Stoplight Report Category 1

403(b) RISK REPORT


C. Failure to ensure fee caps are competitive/in line with the market place

Conducting interviews with stakeholders to gain information about the market

Market analysis to reexamine fee caps and possible rule amendment to lower caps

Educational efforts to educate stakeholders on TRS’ role in the 403(b) market place

D. Members at risk of continuing to do business with vendors against whom TDI/SSB has taken an action

Exploring options to communicate with regulatory agencies

Annuity companies sign form agreeing to notify TRS of TDI actions taken against them

Refer member to attorney general’s office Revoke certification Non-Annuity companies sign form agreeing to notify

TRS of any license revocation E. Vendors charge fees in excess of fee caps Pop-up box in product registration system

Post fees on TRS website Audit review 403(b) program

Reach out to company to request they provide a refund

TRS Stoplight Report Category

2

403(b) RISK REPORT

RISK EVENT DETAILS

CAUSES RISK EVENT A CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Not understanding changes in 403(b) market

place • Workload exceeds staffing availability • Insufficient avenues or opportunities for

communicating with employers, members and vendors

Failing to educate employers, members and

vendors about the 403(b) program

• TRS reputation is damaged • School districts and charter schools are unaware of

requirements for 403(b) products • Salary reduction agreement with company that is

not certified • Member charged fees in excess of the limit • Salary reduction agreement for an unregistered

product • Members do not understand TRS’ role and have

false sense of security about 403(b) products PREVENTION/PREPAREDNESS FUTURE PLANS MINIMIZE DAMAGE

What are we currently doing? What more can we do? What plans do we have in place to minimize the damage if the consequences materialize?

• Improved website content for active members • TRS Update • Research market place • Answer questions from stakeholders • Contacted charter school association for

participation in training sessions • Continue to enhance current website as needed

• Conduct statutory rule review and identify improvements in the education process (Action Item 4)

• Contracting with consultant for advice (Action Item 5)

• Assess need for a part-time FTE to assist with program activities (Action Item 6)

• Inform member of complaint option where appropriate

• TRS will communicate issue and resolution where appropriate


3

403(b) RISK REPORT

CAUSES RISK EVENT B CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Intentional/unintentional erroneous reporting

to TRS • Inadvertent or intentional failure to:

o certify as a company o register products o comply with annual demonstration o update product information

• Workload exceeds staffing availability • Technical problems prevent the timely

updating or accessing of product registration system

TRS fails to maintain an updated and accurate list of both certified companies and registered

products

• Companies remain on list after certification expires

• Inaccurate information on lists • Products remain on list after they are no longer

available • Members confused by conflicting information

PREVENTION/PREPAREDNESS FUTURE PLANS MINIMIZE DAMAGE What are we currently doing? What more can we do? What plans do we have in place to minimize the

damage if the consequences materialize? • Reviewing submissions • Answer questions from companies • Maintain certification/product registration

expiration spreadsheet

• Assess need and ability to initiate Company Clean-Up Project (informal) (Action Item 7)

• Conduct rule review and identify improvements to accuracy of product and fee information (formal) (Action Item 4)

• Internal Audit project to provide assurance on the accuracy of product information (Action Item 8)

• Update information


4

403(b) RISK REPORT

CAUSES RISK EVENT C CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Market changes • Opposition by 403(b) market to lower fee caps

Failure to ensure fee caps are competitive/in

line with the market place

• District employees pay fees that are higher than the market

• Legislature involvement


damage if the consequences materialize? • Conducting interviews with stakeholders to

gain information about the market • Conduct statutory rule review and identify

improvements to fee caps (Action Item 4) • Contracting with consultant for advice

(Action Item 5)

• Market analysis to reexamine fee caps and possible rule amendment to lower caps

• Educational efforts to educate stakeholders on TRS’ role in the 403(b) market place

CAUSES RISK EVENT D CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Regulatory agencies are not required to share

information with TRS • Unaware of complaints made directly to

regulatory agencies against vendors/agents • TRS is not aware of vendors under investigation • Vendors fail to notify TRS of TDI adverse

determinations

Members at risk of continuing to do business

with vendors against whom TDI/SSB has taken an action

• TRS reputation is damaged • Members could be adversely affected


damage if the consequences materialize? • Exploring options to communicate with

regulatory agencies • Annuity companies sign form agreeing to notify

TRS of TDI actions taken against them • Non-Annuity companies sign form agreeing to

notify TRS of any license revocation

• Explore how TDI handles complaints regarding TRS rules and determine if a statutory change is necessary (Action Item 9)

• Strengthen relationships with regulatory agencies (Action Item 10)

• Refer member to attorney general’s office • Revoke certification


5

403(b) RISK REPORT

CAUSES RISK EVENT E CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Companies raise rates on products after initial

registration • Failing to educate employers, members and

vendors about the 403(b) program • Companies fail to calculate aggregated fees

across products

Vendors charge fees in excess of fee caps

• Members’ retirement account balances will be adversely affected

• Vendors unjustly enriched


damage if the consequences materialize? • Pop-up box in product registration system • Post fees on TRS website • Audit review 403(b) program

• Include information about fees in a future edition of the TRS News (Action Item 11)

• Conduct statutory rule review and identify process for recovery of overcharges (Action Item 4)

• Reach out to company to request they provide a refund

Action Items (Future Plans) Owner Target Date Revised Status Comments

1. Explore adoption of a rule that requires companies to annually review fees charged on all contracts and initiate refunds if fee caps are exceeded (Risk 1, 7)

Special Projects 1/2015 8/2016 Closed Closed, combined with Action Item #4.

2. Contact association of charter schools and offer to educate

Special Projects 11/2014 2/2016 Complete Spoke with Paula Moeller, Director of Training Services with the Texas Charter School Association (TCSA). Paula said there are three training opportunities we could participate in: Annual TCSA Conference, Webinars and the TCSA Finance Boot Camp.

3. Explore options for addressing the issue of mutual fund companies having to sign annual demonstration despite the fact that they don’t sell directly to Texas educators

Special Projects 8/2016 Complete TRS Forms 615 and 616 were revised in May 2016 to acknowledge that not all companies have representatives that sell in Texas. The new Annual


6

403(b) RISK REPORT


Demonstration form (TRS Form 616) was sent during the annual demonstration period.

4. Conduct statutory rule review and identify improvements:

• in the education process (Risk Event A) • to accuracy of product and fee information

(formal) (Risk Event B) • to fee caps (Risk Event C) • to include a process for recovery of

overcharges (Risk Event E)

Special Projects 6/2017 In Progress

5. Contracting with consultant for advice (Risk Event A, C) Special Projects 2/2017 In Progress 6. Assess need for a part-time FTE to assist with program

activities (Risk Event A) Special Projects 9/2017 Planned

7. Assess need and ability to initiate Company Clean-Up Project (informal) (Risk Event B)

Special Projects 9/2017 Planned

8. Internal Audit project to provide assurance on the accuracy of product information (Risk Event B)

Special Projects Internal Audit

11/2016 In Progress

9. Explore how TDI handles complaints regarding TRS rules and determine if a statutory change is necessary (Risk Event D)


10. Strengthen relationships with regulatory agencies (Risk Event D)


11. Include information about fees in a future edition of the TRS News (Risk Event E)



7

403(b) RISK REPORT

Monitoring Activities Key Mitigations Monitored By Monitoring Process Comments

Annually demonstrate licensure and qualifications of 403(b) company personnel

Special Projects Contact the companies for annual demonstration.

Each June receive documentation and record compliance on TRS website.

Statutory review of 403(b) Rule Special Projects Rule review every 4 years based on statutory requirements.

Review completed in 2013 and the next review is planned for 2017.

Companies required to certify every 5 years Special Projects Contact the companies for recertification. Ongoing process as company certifications expire.


8

ACCOUNTING & REPORTING RISK REPORT


Don Green December 2016

GOAL OVERALL RISK OBJECTIVES Maintain and monitor the integrity, accuracy, and completeness of financial information and timeliness of reporting.

Materially inaccurate financial information and reports would result in Board of Trustees and Texas Legislature decisions being made on flawed data and adverse or qualified audit opinions.

• Ensure timely and accurate reporting for decision-making purposes

• Obtain favorable or unqualified audit results

SUMMARY The risk owner accepts a majority of the risks. One risk related to labor intensive manual data collection processes has an additional mitigation strategy planned. Key mitigations include quality control processes, policies and procedures, and hiring/retaining experienced personnel. TRS received the Certificate of Achievement for Excellence in Financial Reporting for fiscal year ended August 31, 2015 from the Government Finance Officers Association (GFOA).

RISK DETAILS


1. inadvertent errors, duplicates, or omissions

quality control process documented policies and procedures hire additional staff as needed exception reports

reconciliations audit trails ongoing training

2. missed oversight or regulatory deadline documented policies and procedures hire additional staff as needed

planning schedule Outlook reminders

3. competing priorities supervisory guidance cross-training contract workers delegation documented workpapers

routine team meetings hire additional staff as needed subject matter experts for each team documented policies and procedures FAQs posted on the Intranet

4. inadequate or poorly executed quality control process

hire/retain experienced personnel multiple reviewers when needed

documented policies and procedures checklists


ACCOUNTING & REPORTING RISK REPORT


5. labor intensive manual data collection process (Action Item 2)

automate processes streamline manual processes

hire/retain experienced personnel

6. TRS financial statements not in compliance with the Governmental Accounting Standards Board (GASB) or notes are omitted for significant disclosure items

familiarity and continuous monitoring of accounting standard changes (e.g., GASB requirements)

Government Finance Officers Association (GFOA) checklist

GASB subscriptions

communication with Benefit Accounting and oversight entities

training, conferences and webinars hire/retain experienced personnel

Action Item Owner Target Date Revised Status Comments

1. Enhance time management process (e.g., scheduling appointments to minimize interruptions)

General Accounting

7/2016 Complete To assist with time management, staff has posted a frequently asked questions area on the Intranet to help reduce visits and calls regarding routine Payroll, Leave and Insurance questions.

2. Implement new financial system (Risk 7)

General Accounting

Pending Planned The Financial System Replacement Project is part of the TEAM Program. Cross-reference Budget risk report action item for Risk 5.

Monitoring Activities Key Mitigation Monitored By Monitoring Process Comments

Quality control processes (Risk 1) General Accounting Maintain up-to-date desk procedures. Ongoing supervisory review.

Policies and procedures (Risk 1, 2, 3, 4, 6)

General Accounting Reviewed and updated annually. Provided to the State Auditor’s Office (SAO) during the Comprehensive Annual Financial Report (CAFR) audit.

Hire/retain additional/experienced personnel (All Risks)

General Accounting Job description review, qualifications screening, reference and background checks, and skills-based testing. Feedback during probationary period.


10

BUDGET RISK REPORT


Don Green December 2016

GOAL OVERALL RISK OBJECTIVE Ensure TRS has appropriate budget to provide and sustain resources necessary to successfully carry out TRS’ mission, goals, and objectives to serve our members.

Lack of a sufficient operating budget could jeopardize our ability to effectively serve our members.

To efficiently request, plan, allocate, and control the spending of financial resources.

SUMMARY The risk owner accepts a majority of the risks. One risk related to labor intensive manual processes has an additional mitigation strategy planned. Key mitigations include policies and procedures, quality control processes, and hiring additional/experienced personnel.

RISK DETAILS


1. inaccurate data from systems reconciliations internal and external audits

documented desk and departmental procedures

2. lack of training training through oversight agencies cross-training

documented desk and departmental procedures

3. competing priorities supervisor guidance cross-training routine meetings

prioritize workload intern program ongoing communication

4. lack of support from upper management ongoing communication supervisor guidance 5. labor intensive manual processes (Action

Item 1) automate processes periodic reassessment

streamline manual processes quality control process

6. lack of personnel recruitment intern program contractors

quarterly budget meetings hire additional, experienced staff internal team meetings


BUDGET RISK REPORT


7. lack of cross-communication with departments

quarterly budget meetings divisional budget representatives participatory budget process

monitor ongoing expenses against budgeted estimates and identify changes needed for future budgets

8. not aligning budget plans with agency goals and objectives

clearly defined executive management priorities strong strategic planning process

monitor ongoing expenses against budgeted estimates and identify changes needed for future budgets

9. failure to receive approval for adequate funding, or appropriate statutory authority to determine funding, from the legislature

follow state budget process pursue transparency with state leadership

seek input as appropriate from all stakeholders


1. Implement new financial system (Risk 5) General Accounting

Pending Planned The Financial System Replacement Project is part of the TEAM Program. Cross-reference Accounting & Reporting risk report action item for Risk 7.

Monitoring Activities Key Mitigation Monitored By Monitoring Process

Policies and procedures (Risk 1) Budgeting Reviewed and updated annually. Provided to the State Auditor’s Office (SAO) during the Comprehensive Annual Financial Report (CAFR) audit.

Quality control processes (Risk 5) Budgeting Maintain up-to-date desk procedures. Ongoing supervisory review.

Hire additional/experienced staff (Risk 6) Budgeting Job description review, qualifications screening, reference and background checks, and skills-based testing. Feedback during probationary period.


12

CREDIT RISK REPORT


Jase Auby December 2016

GOAL OVERALL RISK OBJECTIVE Maintain effective management of counterparty and securities lending risks.

Unmanaged counterparty and securities lending exposures could result in losses to the investment portfolio.

Achieve proper diversification of counterparty exposure.

SUMMARY The mitigations in place appropriately reduce risks to a level that the risk owner accepts the risks. No additional mitigation strategies are planned at this time; however, of particular note recently has been the deterioration of Deutsche Bank (DB) as a counterparty. We have limited exposure to DB, and we regard the risk to the Trust as minimal. This experience gives us confidence that our mitigations are working as we were able to identify and respond in a timely and effective way. Key mitigations include Securities Lending Policy, approved list of counterparties and limits, Securities Lending Program reviews, Credit Rating Monitor, and Daily Derivatives Report.

RISK DETAILS


Securities Lending 1. Counterparty/lending agent default

TRS approval required for change in counterparties

and limits (reviewed annually) Current counterparty exposure monitored monthly Securities Lending Policy

Indemnification against losses from counterparty default

Approved list of counterparties and limits

2. Inadequate collateral Security Lending Policy restricts types of collateral, requires minimum over-collateralization (haircut) by collateral type

3. Securities Lending Investment Portfolio suffers declines

Strict Security Lending Policy parameters, monthly reviews and stress testing

Securities Lending Program review

Derivatives 4. Over-The-Counter (OTC) derivative

counterparty default Daily Derivatives Report - monitors counterparty

exposure and creditworthiness Credit rating monitoring

5. Collateral tied up at counterparties Collateral swept daily


CREDIT RISK REPORT


6. Futures clearing merchants (FCM) default

Three FCMs for diversification Daily monitoring

Daily Derivatives Report


No actions required at this time.


Securities Lending Policy (Risk 1, 2, 3) Investment Compliance Sets parameters for Securities Lending Program, includes limits to type of collateral, minimum over-collateralization (haircut) required, etc.

Approved list of counterparties and limits (Risk 1) Investment Compliance Reviewed monthly and updated annually

Securities Lending Program review (Risk 3) Investment Compliance, Asset Allocation, Risk

Group

Monthly call to review performance

Credit rating monitor (Risk 4, 6) Risk Group Periodic review of credit ratings (both long and short term) by various rating agencies

Daily Derivatives Report (Risk 4, 6) Risk Group Reports daily derivative exposure by derivative type, strategy, and counterparty (includes credit ratings)


14

CYBER SECURITY RISK REPORT


Chris Cutler December 2016

GOAL OVERALL RISK To prevent malicious attacks and unauthorized access of TRS information resources.

Ineffective cyber threat controls could lead to breaches or sabotage of TRS systems.

SUMMARY Three risk events have been identified for this risk category. One risk regarding data breaches is an elevated risk and mitigations are planned or in progress to reduce the likelihood of the risk. In addition, management is pursuing mitigations to further reduce the likelihood of the other risks.

RISK EVENTS


A. Permanent data loss Anti-virus software Firewall Software updates Education and awareness (e.g., policies and

procedures, training) Contractual terms

Hard copy of policy and procedures Off-site replications (tape backups, co-location) Security monitoring Incident Response Plan Business Continuity & Disaster Recovery Plans Criminal history background checks

B. Data breach Anti-virus software Firewall Software updates Education and awareness (e.g., policies and

procedures, training) Contractual terms Criminal history background checks

Self-insured Hard copy of policy and procedures Off-site replications (tape backups, co-location) Security monitoring Incident Response Plan Business Continuity & Disaster Recovery Plans Exercise Incident Response Plan

C. Data inaccessible Anti-virus software Firewall

Self-insured Hard copy of policy and procedures




Software updates Education and awareness (e.g., policies and

procedures, training) Contractual terms Criminal history background checks Exercise Incident Response Plan

Off-site replications (tape backups, co-location) Security monitoring Incident Response Plan Business Continuity & Disaster Recovery Plans Redundant equipment

RISK EVENT DETAILS

CAUSES RISK EVENT A

CONSEQUENCES What would cause this event to happen? What would the consequences be if this event

occurs? • Data breaches • Credentials and authentication compromised • Exploited system vulnerabilities • Malicious insiders • Inadequate diligence • Cloud service abuses • Systems of external parties with whom TRS does

business are compromised

Permanent data loss

• Reputational risk • Financial loss • Line of business would stop


damage if the consequences materialize? • Anti-virus software • Firewall • Software updates • Education and awareness (e.g., policies and

procedures, training) • Contractual terms • Criminal history background checks

• Enhance usage of Intrusion Prevention Systems (IPS) (Action Item 1)

• Strengthen System Information and Emergency Management (SIEM) (Action Item 2)

• Hard copy of policy and procedures • Off-site replications (tape backups, co-location) • Security monitoring • Incident Response Plan • Business Continuity & Disaster Recovery Plans


16


CAUSES RISK EVENT B


occurs? • Credentials and authentication compromised • Exploited system vulnerabilities • Malicious insiders • Inadequate diligence • Cloud service abuses • Inadequate training and awareness • Employees or non-TRS workers accidentally or

intentionally expose or disclose data • Systems of external parties with whom TRS does

business are compromised

Data breach

• HIPAA breach • Member identity theft • Reputational risk • Financial loss • Possible system outage • Lose critical business partners



procedures, training) • Contractual terms • Criminal history background checks • Exercise Incident Response Plan



• Enhance scenarios for Incident Response Plan (Action Item 3)

• Research Cyber Response Insurance (Action Item 4)

• Self-insured • Hard copy of policy and procedures • Off-site replications (tape backups, co-location) • Security monitoring • Incident Response Plan • Business Continuity & Disaster Recovery Plans


17


CAUSES RISK EVENT C


occurs? • Denial of service attacks (DoS) • Exploited system vulnerabilities • Malicious insiders • Inadequate diligence • Cloud service abuses • Inadequate training and awareness • Cyber extortion • Systems of external parties with whom TRS does

business are compromised • Equipment failure

Data inaccessible

• Financial loss • Line of business could stop • Reputational risk • Possible system outage • Lose critical business partners



procedures, training) • Contractual terms • Criminal history background checks • Exercise Incident Response Plan • Redundant equipment



• Enhance scenarios for Incident Response Plan (Action Item 3)

• Research Cyber Response Insurance (Action Item 4)

• Self-insured • Hard copy of policy and procedures • Off-site replications (tape backups, co-location) • Security monitoring • Incident Response Plan • Business Continuity & Disaster Recovery Plans

Future Plans (Action Items) Owner Target Date Revised Status Comments

1. Enhance usage of Intrusion Prevention Systems (IPS) (All risks)

Information Security

11/2017 Planned

2. Strengthen System Information and Emergency Management (SIEM) (All risks)


11/2017 In Progress


18



3. Enhance scenarios for Incident Response Plan (Risk Event B, C)

Information Security, Risk Management

1/2017 In Progress An Incident Response Plan tabletop exercise is currently being developed and is scheduled for December 5, 2016.

4. Research Cyber Response Insurance (Risk Event B, C) Risk Management

1/2017 In Progress Two of three market indications have been received and are being evaluated.


19

EMPLOYER REPORTING RISK REPORT


Barbie Pearson December 2016

GOAL OVERALL RISKS OBJECTIVES Accurately capture and utilize employer reported data to project and calculate future benefits of TRS members and to properly allocate the total pension liability across districts.

• Incorrect reporting could lead to calculated benefits being inaccurate.

• Improperly allocating actuarial liability across districts.

• Improved electronic reporting and auditing through TEAM.

• Supplement with additional staff to prepare for TRS staff retirements.

SUMMARY Risks for this category relate to eligible and ineligible member reporting; unreported, underreported, and ineligible member salaries; unreported surcharges for retirees; revoking retirement due to inaccurate reporting; years of service credit manipulated; annuities not forfeited; external fraud; and inability to provide appropriate customer service. Key mitigations include employer audits, internal and external training and ongoing communication with reporting entities. Additional mitigations are in progress or planned to further reduce the risks related to full payroll reporting.

RISK DETAILS


1. ineligible members are reported (Action Item 2, 4)

internal and external training ongoing communication TRS Update newsletter State Auditor’s Office (SAO) audits

maintain current TRS webpage for employers mass emails internal audits employer audits

2. not all eligible members are reported (Action Item 2, 4)

internal and external training ongoing communication TRS Update newsletter SAO audits

maintain current TRS webpage for employers mass emails internal audits employer audits

3. member salaries paid from miscellaneous funds are unreported (federal, private, statutory minimum, non-educational/general local,

internal and external training ongoing communication TRS Update newsletter follow-up with reporting entities that do not report

miscellaneous funds

maintain current TRS webpage for employers mass emails internal audits SAO audits employers audits




educational/general local, new member) (Action Item 2, 4)

4. underreported salaries (used in final average salary calculation) (Action Item 2, 4)

internal and external training ongoing communication maintain current TRS webpage for employers SAO audits employer audits

mass emails TRS Update newsletter annual statements sent to members internal audits

5. ineligible/overreported salaries (used in final average salary calculation) (Action Item 2, 4)

internal and external training ongoing communication maintain current TRS webpage for employers SAO audits employer audits

mass emails TRS Update newsletter annual statements sent to members internal audits

6. pension and TRS-Care surcharges for retirees are unreported (Action Item 2, 4)

internal and external training ongoing communication TRS Update newsletter mass emails

maintain current TRS webpage for employers internal audits self-audit tool for reporting entities employer audits

7. retirement is not revoked when retirees return to work without a break in service due to inaccurate reporting (Action Item 2, 4)

internal and external training ongoing communication automated system edits/ reports employer audits

maintain current TRS webpage for employers mass emails TRS Update newsletter internal audits

8. years of service credit is manipulated (overreported/ underreported service credit) (Action Item 2)

internal and external training ongoing communication automated system edits/ reports mass emails SAO audits employer audits

maintain current TRS webpage for employers TRS Update newsletter internal audits annual statements sent to members TRS Laws & Rules

9. annuities are not forfeited when retirees work in excess of limits provided by the law (Action Item 2)

internal and external training ongoing communication automated system edits/ reports SAO audits employer audits

maintain current TRS webpage for employers mass emails TRS Update newsletter internal audits


21



10. external fraud (i.e., eligibility, compensation, service credit) (Action Item 2)

internal and external training automated system edits/ reports maintain current TRS webpage for employers internal audits employer audits SAO audits

mass emails TRS Update newsletter sample testing criminal investigations and prosecution ongoing communication

11. inability to provide appropriate

customer service due to increased number of reporting entities

internal training cross-training

additional FTEs


1. Employer audits Internal Audit Ongoing Complete This is now an ongoing mitigation and has been added to relevant risks.

2. Implement TEAM Program Phase 1 of TRUST (Risk 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)

CMT, Executive Management

9/2015 9/2017 In Progress

3. Hiring additional FTEs to support the collection of full payroll from reporting entities

Benefit Reporting 1/2016 8/2016 Complete

4. Update Payroll Reporting Procedures Manual for employers (Risk 1, 2, 3, 4, 5, 6, 7)

Benefit Reporting 12/2016 In Progress


Employer audits (Risk 1, 2, 3, 4, 5, 6, 7, 8, 9, 10) Internal Audit Includes in-person audits and desk audits.

Internal and external training (All Risks) Benefit Reporting Scheduled and ad-hoc training as needed.

Ongoing communication with reporting entities (Risk 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)

Benefit Reporting Communicate with reporting entities via phone calls and email.


22

GLOBAL INITIATIVES RISK REPORT


Ken Welch December 2016

GOAL OVERALL RISK Ensure employee safety by complying with laws and regulations and providing awareness of challenges when traveling abroad.

Not being aware of safety, compliance, and other challenges when traveling abroad could jeopardize the safety of our employees.

SUMMARY Six risk events have been identified for this risk category. Two risks related to medical issues and loss of documentation/mobile devices are moderate risks and mitigations are planned or in progress to reduce the likelihood of those risks. In addition, management is pursuing mitigations to further reduce the likelihood of the other risks.

RISK EVENTS


A. Civil unrest, terrorism, or natural disaster

Monitor media and state department sources Communicate awareness, educate employees, and

provide travel guidance (e.g., IMD portal) Contact or register with the local U.S. embassy or

consulate Frequent communication with employee Use landline

Seek assistance from business partners Utilize foreign travel insurance Use personal transportation options Have cash on hand, direct bill, or remote payment

options Seek assistance from TRS and/or U.S. embassy

B. Kidnapping and/or extortion (employee, family)



consulate Frequent communication with employee

Seek assistance from TRS and/or U.S. embassy Seek assistance from business partners Utilize foreign travel insurance Include TRS Communications department Cultural awareness guidance

C. Injury/illness, medical emergency while traveling

Communicate awareness, educate employees, and provide travel guidance (e.g., IMD portal, hotel reviews)

Utilize foreign travel insurance Require employee to return home, if applicable Frequent communication with employee




Vaccine requirements Seek assistance from TRS and/or U.S. embassy D. Noncompliance with foreign laws Employee/management relations



consulate

Seek assistance from TRS and/or U.S. embassy Seek assistance from business partners Have cash on hand or alternate sources of funds Frequent communication with employee Cultural awareness guidance

E. Employee gets detained/arrested Monitor media and state department sources Communicate awareness, educate employees, and


consulate

Seek assistance from TRS and/or U.S. embassy Seek assistance from business partners Have cash on hand or alternate sources of funds Frequent communication with employee Cultural awareness guidance

F. Loss of employee identification, travel documents/approval and mobile devices (e.g., visa, passport, e-documents)

Communicate awareness, educate employees, and provide travel guidance (e.g., IMD portal)

Contact or register with the local U.S. embassy or consulate

Cultural awareness guidance

Seek assistance from TRS and/or U.S. embassy Seek assistance from business partners Have cash on hand or alternate sources of funds Duplicate copies of travel documents


24


RISK EVENT DETAILS

CAUSES RISK EVENT A CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Political change • Religious/ethnic conflict • Immigration laws • Radicalization • Geographic location • Acts of God • Political upheaval • Fire, riots

Civil unrest, terrorism or natural disaster

• Employees/contractors injured or killed (e.g., physical violence, accidents and injuries)

• Physical violence against family members (e.g., injured, killed)

• Transportation issues • Employee can't adapt to travel/working abroad • Unable to communicate (e.g., no internet access/cell

service) • Increased travel/hotel costs due to emergency

events • No access to funds • Medical services or other resources are not available • Evacuations may be difficult • Employees not having access to legal representation

or embassy services PREVENTION/PREPAREDNESS FUTURE PLANS MINIMIZE DAMAGE


• Monitor media and state department sources

• Communicate awareness, educate employees, and provide travel guidance (e.g., IMD portal)

• Contact or register with the local U.S. embassy or consulate

• Frequent communication with employee

• Personal preparedness plan (Action Item 1) • Research satellite phone options (Action Item 2) • Establish communication path (e.g., distribution

list to share issues/incidents) (Action Item 3) • Create emergency contact card for travelers

(including insurance info.) (Action Item 4) • Develop training sessions for travelers (i.e.,

lunch and learns) (Action Item 5) • Provide power bank (Action Item 8)

• Seek assistance from TRS and/or U.S. embassy • Seek assistance from business partners • Utilize foreign travel insurance • Use personal transportation options • Use landline • Have cash on hand, direct bill, or remote payment

options


25


CAUSES RISK EVENT B CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Americans/TRS could be targeted while

abroad • employees traveling alone • Flaunting of valuables or wealth • Corruption (e.g., police corruption) • Lack of awareness of surroundings • Lack of good judgment • Victim by association • Wrong place, wrong time

Kidnapping and/or extortion (employee, family)

• Physical violence against persons (e.g., injured, killed)

• Becomes hostage • Publicity/crisis management • Distraction from TRS mission • Reluctance to travel in the future for TRS • Workforce continuity • Financial impact due to ransom • Future travel policy implications


damage if the consequences materialize? • Monitor media and state department sources • Communicate awareness, educate

employees, and provide travel guidance (e.g., IMD portal)

• Contact or register with the local U.S. embassy or consulate

• Frequent communication with employee • Cultural awareness guidance

• Personal preparedness plan (e.g., comprehensive safety guidance; how not to draw attention to yourself) (Action Item 1)

• Formalize cultural awareness resources (e.g., capture lessons learned, best practices) (Action Item 6)

• Develop training sessions for travelers (i.e., lunch and learns) (Action Item 5)

• Create emergency contact card for travelers (including insurance information) (Action Item 4)

• Consult and visit insurer (Action Item 7)

• Seek assistance from TRS and/or U.S. embassy • Seek assistance from business partners • Utilize foreign travel insurance • Include TRS Communications department


26


CAUSES RISK EVENT C CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Employees not complying with TRS guidance or

not utilizing resources for foreign travel (e.g., state dept. guidance, vaccine recommendations, travel guidance, reporting requirements, etc.)

• Traveling to an infected area • Airline travel • Traveling with children • Lack of health/medical regulations • Overwork, fatigue, excessive travel • Loss of medication/accidental overdose • Pre-existing conditions or ongoing medical

issues • Unauthorized physical access • Infectious diseases

Injury/illness, medical emergency while traveling

• Can spread illness to co-worker/family member • Employee contracting epidemic/pandemic illness • Quarantine • Medical services or other resources are not

available • Cost of work arounds • Loss of employee • Requires long-term or ongoing treatments/ therapy • Physical violence against employees, contractors,

and family members • Unable to conduct TRS business


damage if the consequences materialize? • Communicate awareness, educate employees,

and provide travel guidance (e.g., IMD portal, hotel reviews)

• Vaccine requirements • Frequent communication with employee

• Personal preparedness plan (e.g., dealing with jet lag, food selection, resources for medical assistance) (Action Item 1)

• Establish communication path (e.g., distribution list to share issues/incidents) (Action Item 3)



• Seek assistance from TRS and/or U.S. embassy • Utilize foreign travel insurance • Require employee to return home, if applicable


27


CAUSES RISK EVENT D CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Not aware of foreign countries' laws and rules • TRS does not provide sufficient

resources/training for employees traveling abroad

• Employee not understanding TRS employment limitations

• Not being aware of the cultural environment and foreign social norms (e.g., chewing gum in Singapore)

• Employee engages in criminal activities • Language barriers

Noncompliance with foreign laws

• Employee gets detained/arrested • Employee can't adapt to travel/working abroad • Personal or TRS liability • Employees not having access to legal

representation or embassy services • Increased expenses • Unable to conduct TRS business • Reputational risk


damage if the consequences materialize? • Employee/management relations • Monitor media and state department sources • Communicate awareness, educate employees,

and provide travel guidance (e.g., IMD portal) • Contact or register with the local U.S. embassy

or consulate • Frequent communication with employee • Cultural awareness guidance





• Seek assistance from TRS and/or U.S. embassy • Seek assistance from business partners • Have cash on hand or alternate sources of funds


28


CAUSES RISK EVENT E CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Not being aware of the cultural environment and

foreign social norms (e.g., chewing gum in Singapore)

• Traveling with prescription drugs • Corruption (e.g., police corruption) • Funds not available to pay entrance and exit fees • Employee engages in criminal activities • Language barriers • Loss of employee identification and travel

documents (e.g., visa, passport) • Americans/TRS could be targeted while abroad • Travel documents are not properly credentialed

(e.g., passport not stamped properly) • Employees not having access to legal

representation while abroad • Mistaken identity • Misrepresentation by the employee

Employee gets detained/arrested

• Unable to conduct TRS business • Increased expenses • Potential termination of employment • Personal or TRS liability • Conviction/imprisonment • Not allowed to leave the country • Injured while being detained • Added to no fly list • Travel documents confiscated or revoked • Reputational risk • No access to funds


damage if the consequences materialize? • Monitor media and state department sources • Communicate awareness, educate employees,

and provide travel guidance (e.g., IMD portal) • Contact or register with the local U.S. embassy or

consulate • Frequent communication with employee • Cultural awareness guidance







29


CAUSES RISK EVENT F CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Theft • Left behind in cab, hotel, etc. • Political upheaval • Fire, riots • Overwork, fatigue, excessive travel • Traveling with children • Human error, neglect • Failure to prepare for international travel • Unauthorized physical access

Loss of employee identification, travel

documents/approval and mobile devices (e.g., visa, passport, e-documents)

• Employee gets detained/arrested • Identity theft • Not having access to funds • Unable to travel • Difficulty in getting support or resources • Increased business costs


damage if the consequences materialize? • Communicate awareness, educate employees,

and provide travel guidance (e.g., IMD portal) • Contact or register with the local U.S. embassy

or consulate • Cultural awareness guidance • Duplicate copies of travel documents

• Personal preparedness plan (e.g., duplicate copies of travel documents) (Action Item 1)





• Provide power bank (Action Item 8)



1. Personal preparedness plan (e.g., comprehensive safety guidance; how not to draw attention to yourself, country

IMD, Risk Management,

6/2017 Planned


30



specific computer and phone connections, dealing with jet lag, food selection, resources for medical assistance, duplicate copies of travel documents) (Risk Event A, B, C, F)

Human Resources, Legal Services, IT,

Information Security 2. Research satellite phone options (Risk Event A) IMD 12/2016 Planned 3. Establish communication path (e.g., distribution list to

share issues/incidents) (All risks) IMD, Risk

Management, HR, Legal Services, IT,


2/2017 Planned

4. Create emergency contact card for travelers (including insurance information) (All risks)

IMD, Risk Management

4/2017 Planned

5. Develop training sessions for travelers (i.e., lunch and learns) (All risks)

IMD, Risk Management

8/2017 Planned

6. Formalize cultural awareness resources (e.g., capture lessons learned, best practices, identify country specific consulate and airline contact information) (Risk Event B, D, E, F)

IMD 4/2017 In Progress

7. Consult insurer (Risk Event B) Risk Management 2/2017 In Progress 8. Provide power bank (Risk Event F) IMD 12/2016 Planned


31

HEALTH CARE PLANS ADMINISTRATION RISK REPORT


Katrina Daniel December 2016

GOAL OVERALL RISK OBJECTIVE Administer retiree and active member health care programs that are valued by enrollees.

Inadequate administration of the health care programs could possibly affect the health of those who depend on the delivery of TRS health care benefits which would in turn increase health care costs.

Provide health care benefits in compliance with the statutory requirements for TRS-Care and TRS-ActiveCare.

SUMMARY Two risk events have been identified for this risk category. One risk regarding over reliance on and inadequate oversight of external vendors is a moderate risk and mitigations are in progress to reduce the likelihood of the risk. In addition, management is pursuing mitigations to further reduce the likelihood of the other risk.

RISK EVENTS


A. Inability to deliver health care benefits that are valued by participants

Modernizing Legacy systems with sound transitioning process

Departmental policies and procedures Adhere to TRS laws/rules Information sharing Staff training Quality control Supervisor oversight Ongoing communication and training with

designated district benefit administrators (BA) Consumer and stakeholder education

Proactive and ongoing communication with stakeholders

Identify root causes and work with stakeholders on solutions

Restricted/secure access by BAs to vendors enrollment systems

Ongoing stakeholder communication Interdepartmental communication Review and refine workflow processes as needed Prioritize workload/activities Workforce management




B. Over reliance on and inadequate oversight of external vendors

Sound procurement process Financial/contractual performance penalties Independent healthcare consultants & auditors Warnings/suspensions Monthly reporting Quarterly meetings

Financial performance penalties, suspension, termination of contract

Replace vendor Enhance monitoring to address ongoing and potential

issues Continue to build internal bench strength


33


RISK EVENT DETAILS

CAUSES RISK EVENT A CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Inadequate information systems • Failure to comply with laws/rules/

regulations/policies and procedures • Inadequate staffing and resources (i.e.,

succession planning) • Ineligible participants due to reliance on districts

to determine eligibility (TRS-ActiveCare) • During transitional phase of TEAM Program

implementation: o disruption of or interruption in customer

service levels o disruption with accuracy, processing

productivity, turnaround times and timely reporting of participant data to third party administrators

Inability to deliver health care benefits that

are valued by participants

• Member dissatisfaction • Reputational risk • Service interruption • Penalties • Increased legislative oversight • Remedial actions consuming additional resources


damage if the consequences materialize? Modernizing Legacy systems with sound

transitioning process Departmental policies and procedures Adhere to TRS laws/rules Information sharing Staff training Quality control Supervisor oversight Prioritize workload/activities Workforce management

• Enhance data analytics (Action Item 5) • Enhance direct communication to

members and stakeholders such as electronic newsletter (Action Item 8)

• Proactive and ongoing communication with stakeholders

• Identify root causes and work with stakeholders on solutions


34



damage if the consequences materialize? Ongoing communication and training with

designated district benefit administrators (BA) Consumer and stakeholder education Restricted/secure access by BAs to vendors

enrollment systems Ongoing stakeholder communication Interdepartmental communication Review and refine workflow processes as needed

CAUSES RISK EVENT B CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Lack of adequate internal resources • Not hiring or developing internal expertise

Over reliance on and inadequate oversight of

external vendors

• Violation of contract terms by vendors • Vendor/provider fraud • Member dissatisfaction • Not meeting regulatory requirements • Reputational risk


damage if the consequences materialize? • Sound procurement process • Financial/contractual performance penalties • Independent healthcare consultants & auditors • Warnings/suspensions • Monthly reporting • Quarterly meetings • Enhance monitoring to address ongoing and

potential issues • Continue to build internal bench strength

• Researching the capacity to administer TRS-ActiveCare enrollment and eligibility in-house (Action Item 9)

• Financial performance penalties, suspension, termination of contract

• Replace vendor


35



1. Develop interim processes and internal system reporting for Phase I (Risk Event A)

Health & Insurance Benefits

Core Program Team

5/2015 9/2017 Planned

2. User acceptance testing for Phase 1 (Risk Event A) Core Program Team 6/2015 4/2017 Planned For Phase 1 only.

3. Business Procedures and Training Project (TEAM) (Risk Event A)

BPT Project Team 9/2015 8/2017 Planned

4. TEAM-related Training (Risk Event A) Health & Insurance Benefits

9/2015 8/2017 Planned

5. Enhance data analytics (Risk Event A) Chief Health Care Officer

10/2016 10/2017 In Progress

6. Expanded and enhanced independent claims audit Chief Health Care Officer

11/2015 Complete

7. Enhance contract oversight to include but not limited to site visits

Chief Health Care Officer

2/2016 Complete

8. Enhance direct communication to members and stakeholders (e.g., electronic newsletter) (Risk Event A)


12/2016 In Progress

9. Research the capacity to administer TRS-ActiveCare enrollment and eligibility in-house (Risk Event B)


12/2017 Planning


Contract/vendor monitoring (Risk Event B)

TRS staff and GRS Quarterly/annual vendor reviews and other periodic ad hoc reports.


36

INFORMATION SECURITY & CONFIDENTIALITY RISK REPORT

RISK OWNER RISK LEVEL/TREND REPORTING DATE Ken Welch/Chris Cutler December 2016

GOAL OVERALL RISK OBJECTIVE Maintain the integrity, availability, and protection in the storage, use, and transfer of TRS information resources (in any form or medium).

Unauthorized or unintentional release/access of TRS confidential information could result in state or federal law violations, sanctions against TRS or its employees, and harm the best interests of TRS.

Comply with laws, rules, policies, and fiduciary duties regarding the security and confidentiality of information, including TRS participant records, personal health information, investment information, and other categories of information classified as high risk.

SUMMARY Risks to information security and confidentiality include non-compliance with laws and regulations, accidental or intentional exposure or disclosure of confidential information to unauthorized parties, external parties gaining unauthorized access, and inappropriate modification of critical information maintained by TRS. Key mitigations include policies and procedures, records management program, system security, data encryption, physical security, criminal history background checks, annual review of user access, training and awareness, and contract agreements. Planned actions to mitigate risks to an appropriate level include developing departmental HIPAA1 training and method for tracking completion, enhancing the Records Management Program, and completing the Data Protection Project.

RISK DETAILS


1. non-compliance with federal or state laws and regulations result in civil or criminal penalties imposed on TRS or TRS employees (Action Item 1, 2)

training and awareness policies and procedures audit and system security review criminal history background checks legal review

physical security system security corrective action Records Management Program

2. employees or non-TRS workers accidentally

or intentionally expose or disclose confidential information to unauthorized

training and awareness policies and procedures monitoring compliance

management/supervisor oversight/review employer reference checks criminal history background checks

1 Health Insurance Portability and Accountability Act of 1996 (HIPAA)


37



parties (e.g., theft by contractor, kickback for disclosing) (Action Item 1, 3)

corrective action physical security system security vendor contract agreements

annual review of system access non-disclosure agreements non-TRS worker policy

3. external parties with whom TRS does business expose or disclose confidential information to unauthorized parties

system security communication vendor contract agreements policies and procedures non-TRS worker policy training and awareness cloud computing policy

business associate agreements criminal history background checks IT audit of key vendor controls Information Security validation of third-party

contracts physical security non-disclosure agreements

4. external parties with whom TRS does business gain unauthorized access to confidential information electronically or physically

system security (authorization) vendor contract agreements non-disclosure agreements policies and procedures non-TRS worker policy Information Security validation of third-party

contracts

communication business associate agreements physical security criminal history background checks cloud computing policy IT audit of key vendor controls

5. natural disaster or accident exposes TRS confidential information

vendor selection for disaster recovery services training and awareness policies and procedures vendor contract agreements vulnerability assessments annual Incident Management Team (IMT) plan

review business associate agreements

vendor’s mitigation/ remediation plan maintain electronic copies non-TRS worker policy criminal history background checks encryption contracting process business continuity plans

6. employees or external parties with whom TRS does business inappropriately modify (accidentally or intentionally) critical information maintained by TRS

restrict privileged access used for critical data files using owner-defined access criteria

audit and system security review annual review of system access reconciliations training and awareness

confirm appropriate use of systems and data control validity of work processes in system

development (and during program changes) criminal history background checks policies and procedures


38



7. systems of external party with whom TRS does business are compromised (Action Item 4)

use different data providers (e.g., contract provisions, biometrics authorization, business associate agreements)

communicate expectations and standards for protecting TRS information

internal audit vendor review

cloud computing policy collaboration/validation of system security periodic contract reviews encryption criminal history background checks

8. TRS systems are compromised internal system security IT perimeter security information security policy internal audit review managed security services (third party

monitoring) training multiple encryption methods

staying abreast of industry standards security monitoring non-TRS worker policy criminal history background checks policies and procedures cloud computing policy change management

9. improper use of technologies to communicate, create, and maintain TRS records (e.g., mobile devices, cloud-based storage, removable media, etc.)

updating policies and procedures training and continuing education on records

management policy and information security policy

encryption

cloud computing policy awareness and appropriate use of emerging

technologies in the workplace specialized expertise

10. TRS participants’ systems are compromised hard copy confirmation of mailing address

changes sent to participant participants’ communication response plan e-signature policy


1. Develop departmental HIPAA training and method for tracking completion (Risk 1, 2)

Management, Legal Services,

Information Technology,

Human Resources

12/2015 12/2016 In Progress Departmental HIPAA training has been developed for six departments/divisions. The remaining five divisions/departments are in progress of drafting their departmental HIPAA training. Implementation will be completed before the revised target date. Cross-reference the Open Government risk report.


39



2. Records Management Program enhancements (Risk 1)

Records Management

8/2017 Planned

3. Data Protection Project (Risk 2)

Risk Management 6/2016 12/2016 In Progress The Data Protection Project was initiated to help individual business units complete the following: • Identify data created, received or transmitted as part

of their key processes • Classify the data based on TRS’ information

classification criteria • Document the location of the data • Identify security-related controls for the data • Develop, document, and implement security-related

controls for the data, including creating/updating procedures and departmental HIPAA training

Twenty business units have completed the project and the remaining division is drafting their policy and procedures.

4. Review and amend contract language to include Texas State Library rules for electronic records (Risk 7)

Records Management

8/2017 Planned


Policies and Procedures (All Risks)

Management Review/update policies and procedures according to the normal review cycle or update them if significant changes are needed.

TRS’ Confidentiality Policy and related procedures and standards were approved in April 2012; the next review is due April 2017. The Information Security Policy was last updated July 2013; the next review is due July 2018. The Information Security Manual was reviewed and updated on February 20, 2015.


40



Records Management Program (Risk 1)

Records Management, Records Liaisons

Records Analyst coordinates agency-wide records purge on an annual basis to ensure departmental information, which may contain confidential records, is destroyed in accordance with standard procedures.

The annual disposition cycle covers records regardless of media. Departments respond relatively well in processing their paper files; however, the deletion of electronic records is a concern. Individual electronic file deletion is labor-intensive due to volume and lack of standard filing procedures.

System Security and Physical Security (All Risks)

Information Technology, Staff Services, Information Owners

Information Security Officer conducts annual: o Security risk assessments and makes

recommendations. o Vulnerability assessments and penetration

testing. Security staff monitors both West and East

buildings 24 hours a day. Routine security patrols ensure critical areas are secured.

Staff Services coordinates the pick-up and delivery of bins for confidential materials to be shredded offsite by the contracted vendor. The contractor is required to ensure that the bins are locked while in transit to and from TRS facilities. Staff Services also provides oversight of the contractor responsible to convey locked confidential bins to and from the individual department locations within TRS.

System security is effective and enhancements have been made to vulnerability scanning, encryption, and security monitoring. Physical security to secure the computer room and confidential shred bins is working. Routine security patrols help to deter any suspicious activity.

Criminal History Background Checks (All Risks)

Human Resources

Human Resources conducts or requires state and federal criminal history background checks on all new employees, applicants, consultants, contractors and workers. Employees are also responsible for self-reporting incidents. If the contractor conducts the criminal background check, then the contractor shall inform the TRS HR Director as soon as possible as to all

The background check done through HR is very thorough and provides TRS with information to determine future employment or continued employment based on the type of incident.


41



relevant facts and circumstances surrounding the surrounding the charge or indictment.

Annual review of user access by managers and information owners (Risk 2, 6)


Access criteria are continually reviewed and adjusted to match changes/modifications in automated performance of job functions.

Training and Awareness (e.g., use of applications) (Risk 1, 2, 3, 5, 6, 8, 9)

Human Resources, Information Security, and Management

Human Resources staff in collaboration with IT use SharePoint to provide and document policy acknowledgment and training for TRS employees and non-TRS workers. Training related to information security and confidentiality includes HIPAA/Confidentiality-General, Fraud, Waste, and Abuse Prevention, and Ethics.

Completion of policy and training acknowledgments by non-TRS workers will be confirmed by the contract sponsor and a signed acknowledgment form will be forwarded to Human Resources.

Information Security provides and documents annual Information Awareness training.

TRS staff is provided individual specialized departmental training and instruction on HIPAA/confidentiality requirements prior to beginning their new job duties and as needed. Completion of annual departmental training will be documented and reported to Human Resources once a method has been determined.

Supervisory oversight by department manager.

Training is conducted as outlined in the Procedures for Compliance Training; to ensure attendance can be validated for web-based training, electronic signatures for online participation is being captured.


42



Vendor contract agreements; non-disclosure agreements; and business associate agreements (Risk 2, 3, 4, 5, 6, 7)

Procurement & Contracts

Procurement & Contracts staff requests non-disclosure and business associate agreements as part of the contracting process.

Procurement & Contracts staff follows a standard process to request completion of these agreements during contract negotiations.


43

LEGACY INFORMATION SYSTEMS RISK REPORT


Chris Cutler December 2016

GOAL OVERALL RISK Provide information systems to meet TRS' business and customer service needs.

Inability to provide adequate and consistent information in a timely fashion via the preferred delivery mechanism.

SUMMARY The risk trend for this risk has increased during this review cycle due to the likely schedule changes needed to support the TEAM Program (for both LOB and FSR) which could require our legacy information systems to be needed longer then we initially expected. Mitigations are appropriate to address the level of risk for this risk category and the risk owner accepts all risks. No additional mitigation strategies are planned at this time. Key mitigations include additional personnel and/or contractors, purchasing and implementing software tools to aid in modernization, focused project management, approving/disapproving and prioritizing work requests, and having open communication with stakeholders.

RISK DETAILS


1. insufficient number of personnel with appropriate skill sets

justify additional personnel and/or contractors hire retirees with special skill sets cross-training fill vacant positions outsourcing

workforce continuity plans seek solutions that do not require new staffing or that

do fit our current skill sets prioritize work requests

2. inability to support aging application infrastructure

TEAM Program modernize applications where feasible within

constraints posed by ongoing business demands for maintenance and enhancement of existing system

train backups

contractors brought on board purchase and implement software tools to aid in

modernization contract for extended support

3. lack of strategic analysis and development of system due to too much focus on tactical changes

approve/disapprove and prioritize work requests freeze changes to existing systems unless critical to

TRS’ goals and objectives IT strategic plan

strategic direction from the Board of Trustees, executive management, Core Management TEAM (CMT), and the Information Systems Architects




4. business and technical changes that require implementation on legacy information systems that will be retired

justify additional personnel and/or contractors hire retirees with special skill sets cross-training outsourcing

if possible, implement in TEAM influence timing of changes prioritize work requests

5. complexity of decommissioning legacy information systems

focused project management open communication with stakeholders testing and quality assurance Decommissioning Legacy Systems Project seek simplest solutions

maintain buy-in for TEAM Program maintain extensive inventory and system

interdependencies TEAM Program governance

6. challenge of running legacy

information systems in parallel to TEAM

continue to actively manage the legacy information system infrastructure

maintain appropriate capacity seek simple and common methodology for

interdependent processes between new application and legacy applications

open communication with stakeholders

justify additional personnel and/or contractors implement automated solutions to verify consistent

results focused project management outsourcing leverage existing tools (e.g., Informatica) maintain buy-in for TEAM Program

7. competing priorities within the decommissioning project

open communication with stakeholders reallocate workload extend schedule more resources utilize the decommissioning core project team to

prioritize work

clear direction willingness to negotiate be aware of legislation and planning approval to backfill positions board/management support

8. issues with TEAM application interfaces after go-live (new risk)

open communication with stakeholders testing make staff aware of this risk

additional reporting Interface Testing Team (PMO)




45


Monitoring Activities Key Mitigation Monitored By Monitoring Process Comments Additional personnel and/or contractors (Risk 1, 2, 4, 6, 7)

Information Technology

Backfill positions as needed due to existing resources needed for the TEAM Program.

Contracted programmers to backfill key positions.

Purchase and implement software tools to aid in modernization (Risk 2)


Research and analyze solutions to facilitate modernization.

Evaluated and decided upon tools.

Approve/disapprove and prioritize work requests (Risk 1, 3, 4)


As part of the IT governance process, the Core Management Team (CMT) approves and disapproves work requests. CMT prioritization meetings are bi-weekly.

Decided that all projects related to the TEAM Program will be given a high default value to expedite the approval process. Some work requests have been disapproved.

Focused project management (Risk 5, 6)


Assign experienced project managers to critical projects.

Project managers have been assigned to the critical projects including Data Management, Line of Business, Website Redesign, Reporting Entity Outreach, Decommissioning, and Enterprise Security.

Open communication with stakeholders (Risk 5, 6, 7, 8)


Maintain ongoing communication with stakeholders through status reports, meetings, and presentations.

Weekly status reports on TEAM Program and projects, weekly executive briefings, board presentations, multiple meetings, detailed level requirement discussions, ad hoc reports and show and tell presentations.


46

LIQUIDITY/LEVERAGE RISK REPORT



GOAL OVERALL RISK OBJECTIVE Maintain levels of liquidity appropriate for the support of fund disbursements, anticipated investment funding needs and trust level leverage.

Inadequate liquidity could lead to cash shortfalls. Keep trust liquidity at necessary level to support trust objectives.

SUMMARY The mitigations in place appropriately reduce risks to a level that the risk owner accepts the risks. No additional mitigation strategies are planned at this time. Key mitigations include Daily Liquidity Report and Hedge Fund Leverage/Liquidity/Concentration (LLC) reports.

RISK DETAILS


1. Trust does not have enough cash to meet its obligations (benefits, capital calls, etc.)

Daily Liquidity Report Conservative cash management guidelines in place

Low net leverage High trust liquidity

2. Unexpected Hedge Fund losses due to excessive leverage

Limited Partnerships (LP) Structure Hedge Fund Leverage/Liquidity/ Concentration (LLC) monthly reports



Monitoring Activities

Key Mitigation Monitored By Monitoring Process

Daily Liquidity Report (Risk 1) Risk Group, Asset Allocation

Monitors the daily sources and uses of liquidity.


LIQUIDITY/LEVERAGE RISK REPORT


Hedge Fund Leverage/Liquidity/ Concentration Report (Risk 2)

Risk Group Monthly reporting and review of Hedge Fund Leverage, Liquidity, and Concentration.


48

MARKET RISK REPORT



GOAL OVERALL RISK OBJECTIVE Maintain market risk exposures consistent with investment objectives.

Too little or too much exposure to market risk could each lead to undesirable investment outcomes.

Sustain appropriate level of risk necessary to meet investment objectives.

SUMMARY Market risk is being appropriately monitored and mitigated such that the risk owner accepts all risks. No additional mitigation strategies are planned at this time. Key mitigations include the Investment Policy Statement (IPS), Risk Signals, Value at Risk (VaR) Report, and Risk Budget.

RISK DETAILS


1. Improper asset allocation Strategic Asset Allocation (SAA) study sets policy (every 5 years)

Tactical Asset Allocation (TAA) over/underweighting within +/- 5% bands (continuously monitored, rebalanced monthly)

Monthly risk signals (Bubble, Environmental, Valuation, Political Risk, etc.)

Daily monitoring of market returns and volatility (both implied and realized)

Investment Policy Statement (IPS) 2. Inadequately considering tail risk Monthly VaR reports - assess predicted VaR versus benchmark and its history 3. Active portfolios deviate inefficiently from

benchmark, resulting in material underperformance

Tracking error guidelines in IPS

Risk Budget

4. Private Markets fundings happen slower than anticipated, resulting in Trust underweight to those asset classes, and potential underperformance in an up-market

Quarterly floating weights since 2014


MARKET RISK REPORT




Investment Policy Statement (Risk 1, 3, 4) Asset Allocation, Investment Compliance

IPS sets asset allocation (reviewed every 5 years) and investment guidelines.

Risk Signals (Risk 1) Risk Group Monthly monitoring of economic environment, asset class bubbles, valuations, etc.

VaR Report (Risk 2) Risk Group Monthly monitoring of historic and predicted VaR versus the benchmark.

Risk Budget (Risk 3) Risk Group Monthly budgets and tracks historic and predicted tracking error by profit center and asset class.


50

PENSION FUNDING RISK REPORT


Brian Guthrie December 2016

GOAL OVERALL RISK Sustain a financially sound pension trust fund. A lack of sound funding for the plan could lead to insufficient assets to pay for

long-term benefits and financial obligations.

OBJECTIVES • To manage an actuarially sound retirement system that maintains an amortization period of less than 31 years and achieves full funding over the long-term. • Maintain and implement an evolving investment policy capable of achieving the trust’s actuarial assumed rate of return as measured on rolling 20-year

periods. • Develop, maintain and implement a sound, professional and systematic risk management and capital allocation system. • Develop and maintain a highly capable and diversified external network of global investment, trading and consulting relationships.

SUMMARY The risk owner accepts a majority of the risks. One risk related to inadequate contribution rate over the long-term has an additional mitigation strategy planned. Key mitigations include:

• Reviewing liabilities annually and mid-year during legislative sessions to assess financial status of the fund; • Conducting periodic experience studies; • Reporting and monitoring investment performance on a quarterly basis; • Performing asset allocation studies and asset liability modeling (ALM) studies at least every 5 years and positioning TRS’ portfolio accordingly; and • Educating Texas Legislature on importance of increased contribution rates, impact of any additional Cost-of-Living Adjustments (COLAs) and any

increases in benefit calculations.



RISK DETAILS


1. actual benefit payouts over the long-term exceed actuarial assumptions on a system-wide basis (actual liabilities greater than actuarial projections)

review liabilities annually to assess financial status of the fund

conduct periodic experience studies to ensure that assumptions are still reasonable

obtain actuarial audit every 5 years

ensure quality of actuary (Request for Offer process, board selection)

ensure all new benefit changes are properly costed verify that actual benefit payments are accurate internal audit of COLA payments

2. long-term investment returns below the actuarial assumed rate of return (currently 8.0%)

report and monitor investment performance on a quarterly basis

perform asset allocation studies and ALM studies at least every 5 years and position portfolio accordingly

actively manage fund assets both internally and externally to add value over passive benchmarks

perform tactical allocation adjustments periodically for short-term changes to the market

maintain a dedicated risk management and monitoring team within Investment Management Division

independent general investment consultant monitors and verifies returns

monitor dialogue regarding investment authority and educate stakeholders and legislators as necessary on the impact of investment authority changes

3. inadequate contribution rate over the long-term (Action Item 1)

educate Texas Legislature on importance of increased contribution rates, impact of any additional COLAs and any increases in benefit calculations

verify the “Actuarially Required Contribution” (ARC) rate annually

TEAM Program will result in full payroll being reported in addition to members eligible which could increase surcharge amounts due to the system

communicate regularly with stakeholders regarding the contribution rates

reductions in state rate automatically trigger reductions in member and district rates which guards against reductions

state rates and member rates are set to increase through 2017

school districts that don’t participate in OASDI1 are contributing to the pension fund

reporting entity audits 4. significant changes in plan structure

that increase unfunded liability (e.g., moving to a 401(K) type plan for new

educate and communicate with stakeholders regarding impact of potential changes

educate and communicate with stakeholders on actual impact of Governmental Accounting Standards Board (GASB) 67 and 68

1 Old-Age, Survivors, and Disability Insurance (OASDI)


52



hires or benefit increases that negatively impact the plan)

participate and provide leadership in national dialogue on the value and risks of defined benefit plans and share TRS’ research and experience

examine benefit design study

educate Texas Legislature on importance of increased contribution rates, impact of any additional COLAs and any increases in benefit calculations


1. Consider the adoption of a plan management policy (Risk 3)

Executive Director 9/2017 Planned

Monitoring Activities

Key Mitigation Monitored By Comments Review liabilities annually and mid-year during legislative sessions to assess financial status of the fund (Actuarial Valuation) (Risk 1, 2, 3)

Executive Director

Fiscal year 2015 Actuarial Valuation as of August 31, 2015; valuation was reported to the Board in November 2015.

Conduct periodic experience studies (Risk 1, 2, 3) Executive Director

Experience study for the five-year period ending August 31, 2014 was completed September 2015. Reporting will be done in fiscal year 2020 for five-year period ending August 31, 2019.

Report and monitor investment performance on a quarterly basis (Risk 2)

Chief Investment Officer

Reported to the Board on a quarterly basis including reports on individual investment units to the Investment Management Committee.

Perform asset allocation studies and ALM studies at least every 5 years and position portfolio accordingly (Risk 2)


Conducted in fiscal year 2014; reported and approved by the Board in September 2014 with minor adjustments to the current allocation. Implementation of strategic asset allocation is underway.

Monitor dialogue regarding investment authority and educate stakeholders and legislators as necessary on the impact of investment authority changes (Risk 2)


Educate Texas Legislature on importance of increased contribution rates, impact of any additional COLAs and any increases in benefit calculations (Risk 3, 4)

Executive Director


53

TEAM PROGRAM RISK REPORT


Ken Welch December 2016

GOAL OVERALL RISK OBJECTIVE Implement cost effective, efficient, and sustainable processes and systems that enable TRS to serve its members, employers, and annuitants.

System design, implementation and functionality of the new processes and systems do not meet the growing demands of TRS in service of its members. Program/project implementation schedule and cost exceeds original estimates.

Implement modern pension and benefit information systems that allow TRS staff to serve our members and deliver accurate benefits effectively and timely by August 2018.

SUMMARY Risks identified for the TEAM Program involve people, processes, project management, and change. As a result of this risk assessment, five risks are elevated and 11 are moderate risks. Management is actively pursuing mitigation plans for all the risks. A summary of activities since the last board report in June 2016 include the following:

• Completed the Website Redesign Project Implementation. • Completed Phase 1 B (Membership) Business Function Testing (BFT). • Reviewed all lessons learned to date and developed action plans to incorporate them into Phase 2. • Completed Reporting Entity (RE) Portal training sessions. • Supported REs during certification when 1,073 REs submitted reports for the first time to the Certification Environment and, of those, 564 have completed

their certification and 509 are in progress. There are 265 REs that have not yet started the certification process. • Configured second end-user training room. • Completed the development of the new website. • Completed development and BFT of Decommissioning project software. • Handed over the Legacy test environment to the Quality Assurance Project (QAP) for system-level. • TRS took several steps to reduce risk in Phase 2 of the Line of Business (LOB) Project including removing Health Care and Contact Relationship

Management/Workflow functionality from Hewlett Packard Enterprise.



RISK DETAILS


1. At least 90% of Reporting Entities (REs) or 90% of TRS membership as of the 2016 Comprehensive Annual Financial Report (CAFR) aren't certified to use the new LOB system on the go-live date (i.e., RE doesn't get certified before the go-live date) (Action Item 4)

Communications plan Training

Testing/certification

2. An impactful number of data issues and anomalies may not be identified for critical data in a timely manner (Action Item 4)

Communication of changes to Data Conditioning Team

Executive decision to exclude conditioning of service credit

Members validation of service credit through review of annual statements

Iterative Data Quality Check Point (DQCP) process Validation of data migration Data cycle log Data conditioning analysis team's effort to review

tables and files

Quality Assurance testing of loading after TRS Unified System Technology (TRUST) changes

Informatica load process Team is working with HP to identify additional

critical data that could cause the Hewlett Packard (HP) Clarety Solution to stop working

Process of working with data and migrating data is helping to identify data issues

More experience with data management methodology

Data conditioning log 3. No automation options for large amounts of

data that requires conditioning Reprioritization and reorganization Clear delegation of responsibilities for decision-

making Flag member records for just in time cleansing

(contingency) Data conditioning analysis team's effort to review

tables and files Informatica load process

Researching options to automate population of unknowns

Formation of the data conditioning management and the data conditioning teams to make policy decisions

Planning to use LexisNexis tool More experience with data management

methodology 4. Difficulty reconciling data from legacy systems

to TRUST (Action Item 4) $$$ reconciliation Thorough data mapping from Legacy to Target

Staging Database to new LOB database 5. Ineffective decision-making (i.e., decisions not

made timely, decisions made too swift which Decision log Escalate issues, if needed


55



causes us to revisit, and/or made at inappropriate level) (Action Item 4)

6. Lack of resources (i.e., people, skill sets, or knowledge bottlenecks) (Action Item 2, 3, 4)

TRS/TEAM staffing plans Evaluate and add/reallocate resources

Review functional areas to identify knowledge bottlenecks

7. Internal TEAM governance structure operating inefficiently (e.g., inability to manage conflicting requirements between user departments) (Action Item 4)

Weekly CMT and Executive Steering Committee (ESC) meetings

Committee assignments Organizational Change Management (OCM)

Project Continue to review “lessons learned” from other

pension systems Independent Project Assessment (IPA) vendor

oversight CMT regularly attends Executive Briefing meetings

Program/project management action/decision logs

Risk assessments at program and project level Program management services from Provaliant Weekly TEAM dashboard Clear direction Responsible, Accountable, Consulted, Informed

(RACI) Chart Effective communication Status reports

8. Plan changes (e.g., legislative, rule, regulatory, federal, etc.)

Plan changes are largely outside the control of the CMT and Program Management; therefore, we accept this risk

Governmental relations

Be aware of legislation and planning Board/management support Change control process Communication of upcoming changes

9. Miscommunication between vendors, IT staff, business staff, and TRS project management staff in all or any combination (Action Item 4)

Data management communications plan Open meetings TEAM repository Training Program manager involvement Program manager liaison between TRS & vendors Decision/action logs Documentation of project management process DQCP process Meeting minutes


Project interdependency schedules and meetings Data cycle log Data conditioning log Including combination of IT and business staff in

meetings More experience with data management

methodology 10. Inability to cleanse data through the quality

gate threshold prior to migration to new LOB (Action Item 4)

Data management communications plan Open meetings TEAM repository Training


Data cycle log


56



Program manager involvement Program manager liaison between TRS & vendors Decision/action logs Documentation of project management process DQCP process Project interdependency schedules and meetings Decisions to not migrate selected data

Data conditioning log Including combination of IT and business staff in

meetings Planning to use LexisNexis tool More experience with data management

methodology Data conditioning business core team

11. Lack of qualified HP experts HP is working on retention strategies for key personnel

HP boot camp training for new Business Analysts

HP is going to spend every other week on the project until DLR sessions are complete

12. HP's rolling 6-month plan does not provide enough visibility for TRS to plan (Action Item 4)

Early identification of high-level milestones and key dates

Aggregate resource estimates beyond 6 months

Consultation with TRS in development of the rolling wave

13. External interface organizations don't meet the schedule

Coordinating teams to plan and test Communication with external agencies

Single point of contact for each interface to coordinate

14. Data and application design, development and testing are not sufficiently coordinated for Phase 2 (Action Item 4)

Share requirements and resources between application and data

Application tests are done with converted data

Application data milestones are communicated in the project plan

15. Multiple new technologies within LOB impact implementation schedule (Action Item 4)

Identify and develop specific proof-of-concept plans for each technology to demonstrate how they can work

16. Detailed Level Requirement (DLR) methodology may not follow a consistent business-process driven approach per Request for Offer (RFO) commitment 1238 and could for result in extra review cycles, gaps in requirements and unnecessary customization (Action Item 4)

TRS suggests a checklist to track DLRs for each functional area

17. Not making realistic estimates, resulting in schedule delays (Action Item 4)

This risk has been partially mitigated by resource leveling the DLR2 schedule to fit within the RFO resource constraints. TRS has reviewed and approved this.

Monitor progress against the project plans Good review cycle of timeline Frequent lessons learned Prioritize

18. Critical path could be extended because some artifact reviews could take much longer than

Monitor for any sign of slippage Quality deliverable expectation document (DED) Awareness of schedule


57



expected, causing missed due dates (Action Item 4)

Continue to carefully examine the deliverable schedule to determine which artifacts will take more time than usual to review

Realistic review timeframe

Weekly project management meetings Early inspection of deliverables

19. Loss of key resources or lack of engagement due to employee burnout (Action Item 4)

Monitor OCM metrics Periodic employee interviews Consultations with management

Employee appreciation activities Wellness activities

20. The Functionality Gap between base Clarety and TRS Requirements may be greater than anticipated, leading to the need for greater customization. More customization could result in greater resource needs, schedule impacts or greater TOC (Total Cost of Ownership) for TRS once the new system is in production

This risk will be monitored by performing additional Gap Analysis after completion of design for each Phase; An Action Item (#1381) has been logged in SharePoint to perform the Gap Analysis at the end of Phase 1 DLR sessions.

21. REs cannot timely complete reports because of the number of validations (Action Item 4)

Consider relaxing some edits to make them warnings rather than hard errors

Sufficient time allocated between certification and production roll-out

22. Failure to manage change (e.g., scope, schedule, budget) (Action Item 4)

Communicate, monitor, and enforce the change control process

23. An impactful number of business staff aren't prepared to use TRUST for their post-implementation role (Action Item 4)

Explaining concepts multiple ways Use TRS jargon Business writing training Follow consistent format Address different learning styles (visual, audio,

etc.) Internal team discussions/peer review Share lessons learned Get feedback from participants (class/document

evaluation) Beta training class (guinea pig) Comprehensive review of TRUST training material

when it's received

Power user mentoring FAQs on TEAM Connect site Q&A sessions after training class Email distribution list for questions Contact list with areas of expertise on TEAM

Connect of Subject Matter Experts (SMEs) and power users

Identify key staff to develop procedures Include as much key institutional knowledge in

business procedures as possible Reward end users for identifying gaps Inter-departmental reviewers Offer one-on-one training


58



24. The focus on "happy path" testing may not have included sufficient flexibility in TRUST to be able to accept real world data (Action Item 4)

Include test cases for the data in real world scenarios

Action Items Owner Target Date Revised Status Comments

1. Hire TEAM FTEs as outlined in the staffing plan approved by the TRS Board of Trustees (Risk 6)

TEAM Project Sponsors & Managers

Ongoing

In Progress CMT is currently looking at staffing needs for Phase II. If any additional resource needs are identified, they will be presented to the ESC.

2. Review functional areas to identify knowledge bottlenecks (Risk 6)

Adam Fambrough

May 2016 August 2016 Complete

3. Evaluate and add/reallocate resources (Risk 6)

Adam Fambrough

Ongoing In Progress

4. Identify mitigation owners and develop mitigation plans (Risk 1, 2, 4, 5, 6, 7, 9, 10, 12, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24)

CMT 12/2016 In Progress


59

TRS-ACTIVECARE AFFORDABILITY RISK REPORT



GOAL OVERALL RISK OBJECTIVE Facilitate financial soundness of TRS-ActiveCare in order to provide affordable health care benefits.

Inadequate funding by the state and participating entities and/or unanticipated external forces could affect affordability.

Manage the revenues, expenses, and benefits of TRS-ActiveCare in a way that contributes to its financial soundness.

SUMMARY Two elevated risk events have been identified for this risk category. The risk events are related to inadequate revenue growth and health care cost growth for TRS-ActiveCare. Management is in progress of pursuing a data analytics mitigation to further reduce the likelihood of the health care cost growth risk.

RISK EVENTS


A. Inadequate revenue growth to cover health care cost trends

Proposed legislation reviewed by TRS analysts Alternatives identified by TRS and other

stakeholders Active communication with legislators and

stakeholders Interim select committee on TRS-Care Monitor any changes and/or reductions Educate participants and other stakeholders Adjust premiums Change benefits

Communication with stakeholders Alternatives identified by TRS and other stakeholders Monitor any changes and/or reductions Adjust premiums Change benefits Seek emergency funding under extreme circumstances Continuous monitoring and analysis of actual experience

and trends to ensure adequate funding for a minimum two-year cycle

Maintaining contingency reserves B. Health care cost growth exceeds

revenue growth Request emergency appropriation from legislature Seek greater short-term provider discounts Monitor proposed legislation Adjust premiums

Request emergency appropriation from legislature Research options for TRS and vendor transitioning plans Continue to enhance education for participants and

other stakeholders




Continue to enhance education for participants and other stakeholders

Change benefits

RISK EVENT DETAILS

CAUSES RISK EVENT A


occurs? • Change in state or federal policy and funding • Funding shortage due to incorrect assumptions for

cost trends, population, payroll growth, etc., underestimate liabilities when setting premium rates

• Changes in Medicare • Employers provide the minimum contribution as

health care costs continue to rise

Inadequate revenue growth to cover health care

cost trends

• Insufficient revenue • Reduce benefit levels • Reputational risk • Member dissatisfaction • Limit eligibility • Inability to attract and retain quality (member)

workforce PREVENTION/PREPAREDNESS FUTURE PLANS MINIMIZE DAMAGE


• Proposed legislation reviewed by TRS analysts • Alternatives identified by TRS and other stakeholders • Active communication with legislators and

stakeholders • Interim select committee on TRS-Care • Monitor any changes and/or reductions • Educate participants and other stakeholders • Adjust premiums • Change benefits • Continuous monitoring and analysis of actual

experience and trends to ensure adequate funding for a minimum two-year cycle

• Maintaining contingency reserves

None at this time. • Communication with stakeholders • Alternatives identified by TRS and other

stakeholders • Monitor any changes and/or reductions • Adjust premiums • Change benefits • Seek emergency funding under extreme

circumstances


61


CAUSES RISK EVENT B CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Cost inflation • Changes in Medicare • Catastrophic claims due to natural disasters or

pandemic • Funding shortage due to incorrect assumptions for


• Legislative coverage mandates increase costs (including the Affordable Care Act (ACA))

Health care cost growth exceeds revenue

growth

• Insufficient funding • Reduce benefit levels • Reputational risk • Member dissatisfaction • Limit eligibility


damage if the consequences materialize? Request emergency appropriation from legislature Seek greater short-term provider discounts Monitor proposed legislation Adjust premiums Change benefits Continue to enhance education for participants

and other stakeholders

Enhance data analytics (Action Item 1)

• Request emergency appropriation from legislature • Research options for TRS and vendor transitioning

plans • Continue to enhance education for participants



1. Enhance data analytics (Risk Event B) Chief Health Care Officer

10/2016 10/2017 In Progress


62


Monitoring Activities Key Mitigations Monitored By Monitoring Process Comments

TRS board has the authority to change benefits and/or premiums at any time (Risk Event A, B)

TRS staff and Gabriel, Roeder, Smith (GRS)

TRS staff makes recommendation to the board on at least an annual basis.

Some changes may require 60-day participant notification before implementation due to the ACA.

Continuous monitoring and analysis of actual experience and trends to ensure adequate funding on an annual basis (Risk Event A)

GRS, TRS staff, Vendors

1. Claims data is submitted monthly to GRS by the vendors and projections are updated by GRS based on actual claims experience.

2. Quarterly vendor meetings to review plan claims experience.

3. Quarterly fluctuation analysis to detect any abnormal activity/cost trend.

GRS models plan finances with projections several years in advance and provides ad hoc models for any considered benefit changes.


63

TRS-CARE FUNDING RISK REPORT



GOAL OVERALL RISK OBJECTIVE Facilitate long-term soundness of TRS-Care in order to provide sustainable retiree health care benefits.

Inadequate funding and/or unanticipated external forces would affect solvency of the program over the next biennium, requiring significant premium increases or benefit reductions.

Manage the revenues, expenses, and benefits of TRS-Care in a way that contributes to its long-term sustainability.

SUMMARY Two elevated risk events have been identified for this risk category. The risk events are related to inadequate revenue growth and health care cost growth for TRS-Care. Management is in progress of pursuing a data analytics mitigation to further reduce the likelihood of the health care cost growth risk.

RISK EVENTS


A. Inadequate revenue growth to cover health care cost trends

Proposed legislation reviewed by TRS analysts Alternatives identified by TRS and other

stakeholders Active communication with legislators and

stakeholders Interim select committee on TRS-Care Monitor any changes and/or reductions Educate participants and other stakeholders Adjust premiums Change benefits

Communication with stakeholders Alternatives identified by TRS and other stakeholders Monitor any changes and/or reductions Adjust premiums Change benefits Seek emergency funding under extreme circumstances Continuous monitoring and analysis of actual


Maintaining contingency reserves B. Health care cost growth exceeds

revenue growth Request emergency appropriation from legislature Seek greater short-term provider discounts Monitor proposed legislation Adjust premiums

Request emergency appropriation from legislature Research options for TRS and vendor transitioning

plans Change benefits






RISK EVENT DETAILS

CAUSES RISK EVENT A CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Change in state or federal policy and funding • Funding shortage due to incorrect assumptions

for cost trends, population, payroll growth, etc., underestimate liabilities when setting premium rates

• Changes in Medicare

Inadequate revenue growth to cover health

care cost trends

• Insufficient revenue • Reduce benefit levels • Reputational risk • Member dissatisfaction • Limit eligibility

PREVENTION/PREPAREDNESS FUTURE PLANS MINIMIZE DAMAGE What are we currently doing? What more can we do? What plans do we have in place to minimize the damage

if the consequences materialize? • Proposed legislation reviewed by TRS analysts • Alternatives identified by TRS and other

stakeholders • Active communication with legislators and

stakeholders • Interim select committee on TRS-Care • Monitor any changes and/or reductions • Educate participants and other stakeholders • Adjust premiums • Change benefits • Continuous monitoring and analysis of actual


• Maintaining contingency reserves

None at this time. • Communication with stakeholders • Alternatives identified by TRS and other stakeholders • Monitor any changes and/or reductions • Adjust premiums • Change benefits • Seek emergency funding under extreme

circumstances


65


CAUSES RISK EVENT B CONSEQUENCES What would cause this event to happen? What would the consequences be if this event occurs? • Cost inflation • Changes in Medicare • Catastrophic claims due to natural disasters or

pandemic • Funding shortage due to incorrect assumptions for


• Legislative coverage mandates increase costs (including the Affordable Care Act (ACA))

Health care cost growth exceeds revenue

growth

• Insufficient funding • Reduce benefit levels • Reputational risk • Member dissatisfaction • Limit eligibility


damage if the consequences materialize? Request emergency appropriation from legislature Seek greater short-term provider discounts Monitor proposed legislation Adjust premiums Change benefits Continue to enhance education for participants and

other stakeholders

• Enhance data analytics (Action item 2)

• Request emergency appropriation from legislature • Research options for TRS and vendor transitioning

plans • Continue to enhance education for participants



1. Educate participants and other stakeholders Chief Health Care Officer

4/2016 Complete Ongoing mitigation.

2. Enhance data analytics (Risk Event B) Chief Health Care Officer

10/2017 In Progress


66



TRS board has the authority to change benefits and/or premiums at any time (Risk Event A, B)

TRS staff and Gabriel, Roeder, Smith (GRS)

TRS staff makes recommendation to board on at least an annual basis.

Some changes may require 60-day participant notification before implementation due to the ACA.

Continuous monitoring and analysis of actual experience and trends to ensure adequate funding for a minimum two-year cycle (Risk Event A, B)

GRS, TRS staff, Vendors

1. Claims data is submitted monthly to GRS and financial projections are updated based on actual experience.

2. Quarterly vendor meetings to review plan experience.

3. Quarterly fluctuation analysis to detect any abnormal activity/cost trend.

GRS models plan finances with projections several years in advance and provides ad hoc models for any considered benefit changes.


67

risk management committee documents/board_meeting...the risk management committee of the board of...

Documents