The Pensions Regulator

Regulatory guidance

Internal controls

Produce action plan

Purpose

Having identified the major risks, a decision needs to be made on how to manage them. The purpose of this stage is to agree controls and to produce a plan setting out the responsibilities and timescales for implementing those controls, so that the required changes in procedure do in fact take place.

Description

In the previous stage of the process you assessed the risks for likelihood and impact and classified them as red, amber or green. You will now need to take each risk and, based on the classification, decide whether:

  • a control already exists to mitigate the risk;
  • any existing control is adequate; or
  • a new control is needed.

Generally, if a risk is classified as green a control will not be necessary. If it is amber, although there may not be an immediate risk, some control will be necessary to reduce exposure. Any risk classified as red will require the implementation of one or more controls immediately.

You will need to consider what actions need to be taken to mitigate the red and amber risks. The action you decide to use may reduce the likelihood of the event occurring, or limit its impact if it does. Existing controls may need to be replaced or augmented if they are not thought to be working adequately.

Controls can be categorised in the following ways:

  • Preventative: eg segregation of duties, password protection or restricted access
  • Detective: eg exception reporting, reconciliations
  • Deterrent: eg disciplinary procedure, supervisory checks
  • Corrective: eg back-up procedure

An effective control will fit into one of these categories. To be adequate it will need to ensure that the scheme is administered and managed in accordance with the scheme rules and the requirements of the law.

The following are examples of the type of actions that may be needed to implement the controls:

  • the risk may need to be avoided by not undertaking the activity that gives rise to it (eg closing the scheme to new entrants);
  • the risk could be transferred to a third party (eg a third-party administrator);
  • the risk could be shared with others (eg a fully insured scheme);
  • the pension scheme's exposure to the risk can be limited (eg in relation to a particular section of the scheme);
  • the risk can be reduced or eliminated by establishing or improving control procedures (eg internal financial controls, controls on recruitment, personnel policies);
  • the risk may need to be insured against (this often happens for residual risk, eg employers' liability, third-party liability, theft, fire); or
  • the risk may be accepted as being unlikely to occur and/or of low impact and therefore will just be reviewed annually (eg earthquake damage in the UK or loss in transit of a one-off contribution).

In assessing actions to be taken, the costs of mitigation or control will generally be considered in the context of the potential impact or likely cost that the control seeks to prevent or mitigate. The cost of mitigating a risk needs to be proportional to the potential impact. A balance will need to be struck between the cost of further action to mitigate the risk and the potential impact of the residual risk.

You will need to produce an agreed action plan to cover all the new controls you intend to introduce as well as any changes you want to make to inadequate existing controls.

The plan will need to be agreed with and communicated to all the risk owners. It acts as a point of reference for them when implementing their controls.

The plan will need to specify the priority order for carrying out the work, the owner of each risk, the accountabilities and responsibilities for action in the plan (ie introducing the controls), timescales for completion, resources and costs.

You will also need to update the risk register to include details of the control relevant to each risk and the risk owner.

Outcomes

All risks have been categorised and the highest risks have an appropriate control identified. Accountability for implementation of the controls has been agreed and outlined in the completed action plan.