- Create a plan to identify, document, evaluate and manage risks.
- Review and update the risk register and the effectiveness of controls regularly to take account of new and emerging risks.
- Carry out a detailed analysis of your risk management framework at least annually.
Trustee toolkit online learning
The ‘Running a scheme’ module contains a tutorial on ‘Risk management and internal controls’. You must log in or sign up to use the Trustee toolkit.
Managing risk and why this is so important
Good risk management is a key characteristic of a well-run scheme and an important part of your role in protecting members’ benefits. An adequate system for managing risk lets you keep scheme assets safe and protect the scheme and its members from harm.
You should have systems to help identify risks in:
- the way the scheme is governed and managed
- the scheme’s investments
- administration processes
- the way you communicate with members
In particular, you should be vigilant to key risks such as pension scams and cyber security threats.
You are legally required to have adequate internal controls in place in your scheme, and this includes managing risk.
If you fail to have proper internal controls in place, we may take action by issuing Improvement Notices, appointing independent trustees or using any other powers that may be appropriate.
How to do it
Use an agreed evaluation process to rate each risk by its magnitude: the likelihood of it happening combined with the impact if it does.
You should then record the identified risks in a risk register and review this regularly (at least once a quarter). See an example risk register (PDF, 32kb, 1 page).
Develop a process for evaluating risks and prioritising them. Establish mitigation strategies to manage the risks, take advantage of any opportunities they may also present, and regularly review those strategies to ensure they remain effective.
You should also continually review exposure to new and emerging risks including significant changes in, or affecting, your scheme and its membership.
Risk appetite and tolerance
Risk appetite is the amount and type of risk that the pension scheme is willing to take in order to meet its strategic objectives.
Risk tolerance is the amount of risk that a pension scheme can feasibly cope with.
Both should be high on your agenda. You should discuss and review them when you review your risk register, making sure that risk management measures have been put in place.
You should carry out a detailed analysis of your risk management framework at least annually to identify whether your existing systems are still fit for purpose. For example, do they prevent and detect errors in your existing scheme operations, and will they help mitigate new risks?
Governance behaviour examples
Where improvements could have been made
Lack of planning for a cyber incident
The trustees were aware of the increasing risk of a cyber attack on pension schemes and added this to their risk register. However, they didn’t fully understand what controls their providers had in place to protect member data, or what processes existed to minimise the impact if an incident occurred.
A cyber incident occurred. Because there was no formal incident response plan or service level agreement setting out roles and responsibilities, time to minimise the impact and comply with reporting duties was lost: the administrators identified the incident on a Friday, but the trustees were not notified until the following Monday. The trustees realised that members should be notified of the incident but were not clear on who was responsible for issuing the communication. This led to further delays, which could have been avoided.
The trustees could have sought appropriate training to improve their understanding of cyber risk and to improve their confidence in identifying their scheme’s vulnerabilities and emerging risks. They should also have ensured that an incident response plan was in place, which included clear roles and responsibilities, targets for getting critical functions and processes back on track and plans for issuing communications to appropriate parties – including members.
Good working examples
Considering the long term
Many factors can impact investments over the long term. Where you consider these to be financially material, you are expected to factor them into your investment decision-making.
A board of trustees and their advisers realised the need to consider the long term and not just react to what could be considered recent poor performance of their funds. The chair wanted to understand what the advisers’ view was for the next period, as well as how they had performed against other funds.
It was clear from discussions that, while the fund performance was below the benchmark used, the trustees thought the current strategy was still appropriate for the members in the context of the fund’s long-term objectives.
The trustees had embedded risk in their considerations for the scheme. They wanted to understand the short-term and long-term risks and compare them to previous projections, so they could make a decision in the best interests of members.
New and emerging risks
The trustee board spent time analysing current and emerging pension industry developments and considering the potential impact on members and the scheme employer. In this example, they considered the potential for pension tax changes to cause disruption and negative press, the effect that could have on the long-term savings message they give members, and the direct impact on members themselves. They also considered the legislative risk of changes to tax relief.
Material risk to the investment strategy
The trustees set an investment strategy to deliver a required level of return over the long term.
When reviewing the statement of investment principles (SIP), they considered market developments and concluded that climate risk is financially material to the investment strategy.
They set out the following investment belief:
‘As long-term investors, we believe climate risk has the potential to significantly affect the value of our investments.’
They developed this belief in the SIP as follows:
- We expect fund managers to have integrated climate risk into their risk analysis and investment process.
- We will try to ensure that we manage all new and existing investment arrangements in a way that takes account of climate risk.
- In monitoring the performance of our fund managers, we will also regularly consider how they are performing with reference to climate risk issues.
In addition, the trustees decided to report annually to members on how the climate risk policy had been applied.
Check your governance
Make sure you do the following:
- Document your scheme’s internal controls.
- Use a risk register to formally log risks to the scheme and record the results. Regularly review your scheme’s exposure to new and existing risks. This includes identifying those risks, evaluating the likelihood and impact of them occurring and taking steps to manage or mitigate them.
- Regularly discuss key risks and issues, including topics on which you must report in the chair’s statement and the extent to which the scheme is meeting the standards in the DC code.
- Risk management guidance
- Internal controls guidance
- Code of practice 9: Internal controls, which provides a high-level risk-based approach for trustees
- Integrated risk management guidance, which forms an important part of good governance (defined benefit schemes only)
- Institute of Chartered Accountants of Scotland guidance for pension trustees on assessing and managing risks
- Pensions Administration Standards Association risk matrix tool, which helps trustees review the operation of scheme administration and carry out a high-level assessment of current risk
- Cyber risk guidance