The scheme manager must establish and operate adequate internal controls that enable them to manage risks that relate to their scheme.
Your scheme should have a process to identify, evaluate and manage risks on an ongoing basis.
The scheme manager must establish and operate adequate internal controls to enable them to administer and manage their scheme in accordance with the scheme rules and the law.
Internal controls are systems, arrangements and procedures for:
- scheme administration and management
- monitoring that administration and management
- the safe custody and security of scheme assets
Risk management process
You should use a risk-based approach and invest sufficient time and attention in identifying, evaluating and managing risks. You should also monitor controls to ensure that they are effective.
You should use sources of information such as audit reports, service contracts, complaints and administration reports to help you identify areas of risk which could be detrimental to the scheme or members.
You should record the risks you identify in a risk register. See our example risk register:
Evaluating risks and establishing adequate internal controls
You should develop a process to evaluate the risks, in order to identify those that are critical to your scheme.
Your evaluation process should enable you to consider the impact and likelihood of a risk materialising.
The process should then enable you to implement controls to mitigate risks that would have a high impact and a high likelihood of occurring.
You should consider issues such as the following when designing internal controls to manage risks identified:
- how the control is performed and the skills of the person performing the control
- the level of reliance on information technology solutions
- whether the control will stop something happening or detect something that has already happened
- the frequency and timeliness of a control process
- the process for reporting errors or control failures
Monitoring risk management controls
You should continually review exposure to new and emerging risks. This includes significant changes in or affecting the scheme.
You should review your risk register regularly and evaluate risk assessment arrangements, procedures and systems, including where there are significant changes in or affecting the scheme.
Public Service toolkit online learning
You can learn about internal controls and how to identify, evaluate, manage and monitor scheme risks in the 'Managing risk and internal controls' course. You must log in or sign up to use the Public Service toolkit.
Check your internal controls
Use our checklist to evaluate your scheme's internal controls: