Introduction
In our July 2022 briefing, “Turning up the heat on compliance: the Pensions Regulator’s “super” Code”, we launched our series of updates on the Pensions Regulator’s draft new Code, which is a rationalisation of 10 existing Codes of Practice. We explained how the Regulator will expect trustees and sponsoring employers to be much more disciplined in their approach to scheme management in future.
Last month, we focused on the new requirement for trustees to develop an “effective system of governance” (or ESOG). This month, we turn to the requirement for all schemes with 100 or more members to prepare an “own risk assessment” (or ORA) within 12 months of the new Code coming into force. We look at the essential elements of risk assessment and give some practical pointers on how trustees can tackle the production of their scheme’s first ORA.
Own risk assessment
Schemes with 100 members or more are expected to perform “an own risk assessment of [their] system of governance”. The legislation has a shopping list of requirements for your ORA. We’ve set them out below, but the key thing to remember is that in the same way as your ESOG must be “proportionate to the size, nature, scale and complexity of the activities of [your] scheme”, so too should your ORA.
Core elements of your ORA
- How you integrate the assessment into your management and decision-making processes.
- How you assess the effectiveness of your risk-management system.
- How you prevent conflicts of interest with the employer, where you outsource key functions to the same person as the employer or to any person employed by the employer.
- How you assess your scheme's funding needs for the purposes of investment policies, with reference to any recovery plan.
- How you assess the risk to members relating to benefit payments and the effectiveness of any remedial action.
- How you assess the financial protection for benefits, including the employer covenant, any guarantees or other additional financial support by the employer, plus insurance and coverage by the Pension Protection Fund or Financial Services Compensation Scheme.
- How you assess the scheme’s operational risks.
- Where you take environmental, social or governance factors into account in your investment decisions, how you assess new or emerging risks (such as climate change), the use of resources and the environment, social risks, and stranded assets (where assets are prematurely written down or devalued as a result of regulatory change e.g. on carbon pricing).
Think of it as a major audit and investigation into just how effective you are in running, and protecting, the scheme. That’s probably what it is going to feel like in the first year, although subsequently it should get easier. The Regulator hopes that most well-run schemes should find few real challenges in following the new Code as it says most expectations will be familiar. Its aim is for the Code to make it simpler for governing bodies and their advisers to distinguish between the legal duties they must meet and what the Regulator expects should be done to meet those duties.
The Code puts some flesh on the core requirements in the list above. It boils down to reporting on how the trustee has assessed the effectiveness of each of the policies and procedures required by the Code itself, plus explaining either why you think the way the trustee and the scheme administrator operate those policies and procedures is effective, or what you are doing to fix any gaps identified.
The one thing we can be sure of is that the Regulator is not going to stand for a self-serving statement along the lines of “we looked at our systems and processes and think they are fine”. This is a path it has already trodden with chair’s statements for DC arrangements. Pending any specific guidance on ORAs to accompany the new Code, you could do worse than look at the quick guide to producing chair’s statements to understand the level at which your report will need to be pitched.
You don’t actually have to publish or circulate your ORA, but it does need to be in writing and you do have to make it available if the Regulator asks for it. The Regulator expects the whole trustee board to see and own the ORA, and for the chair to sign off on it. The penalties for not satisfying the Regulator are not as automatic as for the chair’s statement regime. However, we expect the Regulator to be showing considerable interest in these assessments while best practice settles, or where something goes wrong.
Timing of ORAs
The legislation says that ORAs must be completed at least every three years. However, if the draft Code is to be believed, the Regulator expects them to be done annually, and even more frequently where there’s a material change in the risks facing your scheme or its governance processes. We and other industry respondents to the consultation have challenged this frequency, which would increase the administrative burden considerably. We hope for a relaxation in the final Code.
There is also a tension in the draft Code around when the ORA obligation first bites. The timing in the legislation is much more generous. The earliest statutory deadline is 12 months from the end of the scheme year that starts after the Code is formally approved by Parliament. The scheme year is essentially whatever 12-month cycle you use for trustee accounts. But for defined benefit schemes it can be lined up with the next deadline for delivering a triennial actuarial valuation, if later, and for schemes which have to produce a chair’s statement it could be lined up with your next deadline for a chair’s statement, if later. However, the draft Code expects the first ORA to be completed within a year of the Code coming into force. That in itself is a slightly moving target, as the Code will come into force 40 Parliamentary “days” after it is presented to Parliament. That excludes periods of recess and days when Parliament does not sit. A rough deadline for your first ORA on the Regulator’s count might therefore be around the end of 2023.
However, from an interim response to the initial consultation on the draft Code it looks as if the Regulator is moving to a position that the first ORA should be prepared “in a timely fashion” with “best practice” being a shorter timescale than the statutory deadline.
How to get ahead on your ORA
The idea of an ORA is not a bad thing. It is good to keep kicking the tyres on your processes and policies and making sure they are fit for purpose. We suggest:
- Starting with your risk register: break out the risks into categories like trustee governance, risk assessment and mitigation, funding and investment, scheme administration and data handling, IT and cyber security, financial transactions (contributions, switches of investments, payments out), member and employer communications and regulatory reporting.
- Starting to diarise and plan preliminary assessment sessions for each category: you don’t need to do everything at once so spread out your review over several trustee meetings to give adequate time to each element. A rolling programme of review of segments of activity will do the job once the first ORA is complete. Think about the following:
  - What policies and procedures are involved for each category?
  - What reports do you need from your service providers to test operational effectiveness?
  - Would it help to delegate categories to sub-committees?
  - How do your existing policies and procedures stand up to the new requirements?
  - Does a gap analysis show any areas that require additional attention? Get a handle on just how much work there is to do, so there isn’t a last-minute scramble later on.
- Work with your advisers: get your advisers involved at an early stage of the process and make sure you understand what is appropriate for your size of scheme. Can your advisers provide any practical help with determining benchmarking or qualitative assessment?
- Check your draft ORA against the final Code once it’s published: having already considered the above, you’ll be in good shape to refine your ORA and fill in any gaps.
Unlike legislation, following the Regulator’s Code is not mandatory, and no direct penalties apply for failing to follow it. However, in the event of a scheme governance failure leading to legal proceedings, the Regulator may rely on such failure as evidence of non-compliance, and this could support enforcement action. There is also the risk of increased future scrutiny from the Regulator and reputational damage for the employer and the scheme.
Next steps towards a value-adding ORA
There’s a lot of work to be done but getting ahead now will stand you in good stead. You may already have a risk review and management process in place. Our last briefing set out the considerations for schemes in developing their ESOG. The ORA is designed to ensure that the ESOG is functioning as intended so thinking about the ORA should help you refine your ESOG and vice versa. Once you’re happy with your ESOG, the ORA (which need not be particularly long) sets out how you manage your governance and risk frameworks and explains why you think the frameworks you’ve chosen are appropriate for your scheme.
The ORA focuses on the risks that impact on the scheme’s system of governance and the internal processes (such as the existing risk register) that form part of the overall risk assessment. Trustees will need to ask themselves questions like:
- Is our governance system effective in practice?
- How has it worked?
- Has it helped manage risk?
- Has it operated as expected?
- What are the biggest risks faced by the scheme?
Producing and maintaining the ORA should help you with ongoing improvement of the scheme’s governance. Trustees should focus on the risks which could affect their scheme now and in the future, and assess the extent to which they can re-use existing governance and risk-management materials in order to save themselves time and additional work.
Don’t forget that the ORA needs to be signed off by the chair of the trustees, so trustee boards without a chair will now need to appoint one. This is something which can be done now and which will have to be done in any event relatively soon to comply with upcoming funding strategy requirements.
…and finally
One final word of warning though: while a good deal of the groundwork can be done ahead, it may not be wise to drill down into the finer points of detail in producing any new governance documents before the definitive Code is available. While the Regulator’s key requirements are unlikely to change, there has been a lot of feedback provided from the pensions industry during the consultation process which may affect some aspects of the final version.
This may all seem like a daunting amount of work. Don’t forget, your usual Norton Rose Fulbright contact will be happy to help navigate through any necessary personnel training and the development of your scheme’s ESOG and its ORA programme.