From Spreadsheets to GRC Software: Why Pension Funds Need a Modern Approach to Risk Management

Phuong Pham
11 Jan 2022
5 min read

Pension funds today operate in an increasingly complex landscape of regulatory reform, emerging risks, and heightened societal expectations. Many still manage key governance and risk management processes through spreadsheets — a method that, while long embedded in operations, is becoming harder to scale in an environment that demands continuous oversight, transparency, and responsiveness. 

The Evolving Landscape for Pension Fund Risk Management 

A Sector Under Pressure — and Playing Catch-Up 

Dutch pension funds are entering a transformational period, marked by the transition to the new pension system (Wet toekomst pensioenen). Meanwhile, regulatory frameworks such as IORP II, guidance from DNB, and the growing emphasis on ESG and digital resilience, including the EU Digital Operational Resilience Act (DORA), are rapidly expanding the scope and urgency of risk and compliance management. 

While the financial sector has seen faster adoption of new risk and compliance technologies, pension funds have traditionally taken a more measured approach. This reflects the sector’s long-term orientation, multi-stakeholder governance, and deeply rooted public-sector culture — where stability and careful consensus-building are rightly prioritized. 

As noted by ING, some of the largest funds, including ABP, are postponing their system transitions until 2027 — while simultaneously ramping up risk hedges to stabilize coverage ratios. But caution comes with its own risks: delayed transitions increase pressure on already stretched compliance and risk teams. 

Common Challenges: Risk Fragmentation and Manual Processes 

Key Challenges Highlighted by DNB 

Recent supervisory reviews by DNB have exposed several weaknesses in risk management practices across the pension sector: 

  • Slow remediation of high-risk audit findings 
  • Overreliance on manual controls, rather than automated safeguards 
  • Insufficient oversight of outsourced functions, particularly in data quality and information security 

These challenges are amplified during the current pension transition, where accurate participant data and operational continuity are mission-critical. Risk management is no longer a static function — it’s a dynamic capability that needs to adapt in real time. 

Many of these challenges are often linked to fragmented processes and limited digital support — particularly where key risk activities are still managed through spreadsheets. 

The Limits of Spreadsheet-Based Risk Management 

Despite growing complexity and regulatory expectations, many pension funds continue to manage their risk frameworks through Excel files spread across departments or outsourced partners. However, this approach presents several limitations for modern governance, risk and compliance (GRC) requirements: 

  • Fragmented data and unclear ownership 
  • Lack of version control and audit trails 
  • Manual reporting burdens that slow decision-making 
  • Difficulty aligning with supervisory frameworks, such as DNB’s ATM model 

In an ecosystem where oversight is shared between boards, operations, and external service providers, this fragmentation creates not only inefficiency — but exposure. 

Integrated Risk Management: A Smarter, Structured Approach 

Building a Foundation for Integrated Risk Management 

Regulators and sector bodies are increasingly advocating for a shift toward Integrated Risk Management (IRM). As DNB emphasizes, effective risk management must be embedded in a coherent and continuous framework — one that balances risks and controls against organizational objectives. 

An IRM framework allows pension funds to: 

  • Clearly define risk categories, including strategic, financial, operational, and outsourcing risks 
  • Set and monitor risk appetite per category 
  • Map risks to fund objectives and scenarios 
  • Continuously assess control effectiveness and improvement actions 
  • Align with regulatory expectations like the Own Risk Assessment (ORA) under IORP II and DNB’s ATM supervision model 
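The spreadsheet limitations listed earlier (unclear ownership, no version control or audit trail) and the IRM capabilities listed above can be made concrete in a few dozen lines. The following is an added example written for this article, not CERRIX code and not a DNB scoring model: a minimal integrated risk register that enforces a fixed taxonomy, holds a risk appetite threshold per category, maps each risk to a fund objective and an owner, scores residual risk from inherent risk and tested control effectiveness, and records every change in an append-only, hash-chained audit trail that can be verified. The 1 to 5 likelihood and impact scales, the residual-risk formula, the category names, the appetite values and the sample risks are all assumptions for illustration.

```python
"""
Added example (not CERRIX code, not DNB guidance): a minimal integrated risk
register showing what a shared spreadsheet does not give you by default.
Scoring scales, the residual formula and the sample data are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed risk taxonomy: the four categories named in the article.
CATEGORIES = {"strategic", "financial", "operational", "outsourcing"}


@dataclass
class Risk:
    risk_id: str
    category: str
    objective: str                      # fund objective this risk is mapped to
    owner: str                          # named owner, not "the department"
    likelihood: int                     # assumed scale 1..5
    impact: int                         # assumed scale 1..5
    control_effectiveness: float = 0.0  # 0.0 (no effective control) .. 1.0

    def inherent(self) -> int:
        return self.likelihood * self.impact  # 1..25

    def residual(self) -> float:
        # Assumed formula: effective controls reduce inherent exposure proportionally.
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


class RiskRegister:
    def __init__(self, appetite: dict[str, float]):
        missing = CATEGORIES - set(appetite)
        if missing:
            raise ValueError(f"no risk appetite set for {sorted(missing)}")
        self.appetite = appetite
        self.risks: dict[str, Risk] = {}
        self.audit: list[dict] = []  # append-only; each entry hashes the previous one

    def _record(self, actor: str, action: str, risk_id: str, detail: dict) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "risk_id": risk_id,
                 "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def add(self, actor: str, risk: Risk) -> None:
        if risk.category not in CATEGORIES:
            raise ValueError(f"unknown category {risk.category!r}")
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id!r}")
        self.risks[risk.risk_id] = risk
        self._record(actor, "add", risk.risk_id, dict(vars(risk)))

    def update(self, actor: str, risk_id: str, **changes) -> None:
        risk = self.risks[risk_id]
        before = {}
        for key, value in changes.items():
            if not hasattr(risk, key):
                raise AttributeError(f"risk has no field {key!r}")
            before[key] = getattr(risk, key)
            setattr(risk, key, value)
        self._record(actor, "update", risk_id, {"before": before, "after": changes})

    def breaches(self) -> list[tuple[str, float, float]]:
        """Risks whose residual score exceeds the appetite for their category."""
        return [(r.risk_id, r.residual(), self.appetite[r.category])
                for r in self.risks.values() if r.residual() > self.appetite[r.category]]

    def verify_audit(self) -> bool:
        """Recompute the hash chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> tuple[list, list, bool, bool]:
    # Constructed sample data; appetite thresholds are assumed residual-score limits.
    reg = RiskRegister(appetite={"strategic": 12, "financial": 10,
                                 "operational": 8, "outsourcing": 6})
    reg.add("cro", Risk("OUT-01", "outsourcing", "accurate participant data at transition",
                        "head of operations", likelihood=4, impact=4, control_effectiveness=0.25))
    reg.add("cro", Risk("FIN-02", "financial", "stable coverage ratio", "cfo",
                        likelihood=3, impact=4, control_effectiveness=0.5))
    before = reg.breaches()                                    # OUT-01: 12.0 > 6
    reg.update("ciso", "OUT-01", control_effectiveness=0.75)   # after control testing
    after = reg.breaches()                                     # residual 4.0, no breach
    intact = reg.verify_audit()
    reg.audit[1]["actor"] = "someone else"                     # simulate a silent edit
    return before, after, intact, reg.verify_audit()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` first reports OUT-01 as over appetite, then clears it once the control test is recorded, and finally shows that a quietly edited audit entry is detected because the chain no longer verifies. The point is not the scoring arithmetic but the properties a spreadsheet lacks: every risk has an owner and an objective, appetite is checked on every change rather than at reporting time, and the history cannot be altered without leaving a trace.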

IRM is more than a methodology — it’s a maturity journey. Implemented gradually, it transforms risk from a reactive obligation into a proactive, embedded discipline that enhances organizational resilience. 


Strategic and Operational Risk: Two Sides of the Same Coin 

While financial risk (e.g., market, interest rate, liquidity) continues to dominate board agendas, strategic and operational risks are becoming equally important. 

For instance, understanding the impact of future risk scenarios — such as market volatility or demographic shifts — is crucial for long-term capital planning. At the same time, operational risks tied to IT, process design, outsourcing, and continuity require clear ownership, documentation, and controls. 

To manage this complexity, pension funds need: 

  • A robust risk taxonomy that captures all relevant categories 
  • The ability to map risks to strategic objectives and track performance indicators 
  • Regular risk assessments that reflect both internal and external developments 

From Awareness to Ownership: Creating a Risk-Aware Culture 

Being “in control” isn’t just about having policies — it’s about building a culture of risk ownership at all levels. This includes: 

  • Engaging boards and committees in scenario-based discussions 
  • Ensuring that improvement actions are visible, tracked, and completed 
  • Periodically evaluating the cost-of-control vs. risk exposure across processes 

Modern risk platforms can enable this by automating workflows, embedding controls, and visualizing risk profiles through dashboards — but the foundation is always strategic intent and governance maturity. 

In Practice: How Pension Funds Are Applying IRM with GRC Software 

Several Dutch pension funds — including Pensioenfonds Detailhandel, ABN AMRO Pensioenfonds, and Blue Sky Group — have begun translating Integrated Risk Management (IRM) principles into practice using modern GRC software such as CERRIX. The platform is designed to support key regulatory frameworks such as IORP II, the DNB ATM supervision model, and more recently, DORA. 

CERRIX provides: 

  • A flexible risk taxonomy aligned with pension sector needs and supervisory standards 
  • Support for regulatory frameworks including ISO 27002, ISO 22301, and Norea Privacy 
  • Capabilities to manage strategic, financial, operational, and outsourcing risks in an integrated way 
  • Workflow automation for activities such as risk assessments, incident tracking, and control testing 

By embedding these processes into one environment, pension funds are able to strengthen their control frameworks, increase transparency, and gradually raise their risk maturity level — all while ensuring compliance with sector-specific and European requirements. 

To dive deeper into how pension funds can structure their risk management approach, and to see how Integrated Risk Management aligns with supervisory frameworks like IORP II, DORA, and the ATM model, download the full whitepaper.
