
Identifying and assessing risks

Important

Early draft of the code of practice

This code is not in force yet. It is an early version for the new code of practice consultation.

To give us feedback on issues such as the design, usability and navigation of this code, email us at webfeedback@tpr.gov.uk.

You can also read more information about the consultation.

Published: 17 March 2021

Under section 249A of the Pensions Act 2004,[ID1] governing bodies of certain schemes must establish and operate an effective system of governance (see Scheme governance) including internal controls (see Managing risk using internal controls). However, there are certain exemptions.[ID2]

Under section 249B of the Pensions Act 2004, scheme managers of public service pension schemes[ID3] are required to establish and operate internal controls which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules,[ID4] and with the requirements of the law.

The legal obligations for scheme funding, scheme investment, and environmental, social and governance concerns are different for public service pension schemes.[ID5] However, as far as these matters are either set out in the scheme rules[ID6] or in the requirements of the law, scheme managers of public service pension schemes must establish and operate adequate internal controls in relation to them.

It is neither necessary nor possible to eliminate all risks from a pension scheme. Governing bodies should use risk management as a tool to identify risks and develop internal controls. As part of their risk management approach, governing bodies should assess all the risks faced by their scheme and define acceptable parameters for each.

The range of risks will vary from scheme to scheme and may include matters such as investment, employer covenant, funding, administration, communications, fraud and pension or decumulation options. Separately, some investment risks may be accepted by the governing body in their desire to seek greater returns.

Governing bodies should consider risks such as:

  • scheme investments, including asset liability management (if applicable). See Investment governance.
  • insurances, compensation funds and other risk mitigation techniques
  • environmental, social and governance risks (if applicable). See Stewardship and Climate change.
  • scheme funding and the strength of the employer covenant (if applicable)
  • the risk that existing controls are not operating as intended
  • the risk of fraud
  • failure to comply with the law and/or scheme rules
  • poor record-keeping, poor administration, and IT and database failures
  • cyber security risks. See Cyber controls.
  • governance and decision-making not operating to the standard required by pensions legislation
  • actual or potential conflicts of interest

Risk management function

Under section 249A of the Pensions Act 2004,[ID7] governing bodies of certain schemes[ID8] with 100 members or more[ID9] should have in place a risk management function. Governing bodies should achieve this in a manner that is proportionate to their size and internal organisation, as well as to the size, nature, scale and complexity of their activities. This is different from the requirement on governing bodies to prepare an own risk assessment; see Own risk assessment.

The risk management function may be a sub-committee of the governing body, or an independent body that facilitates reporting to the whole governing body or the relevant sub-committee. Responsibility for identifying and evaluating risks and/or internal controls and risk management (see Managing risk using internal controls) may be delegated to the risk management function.

The risk management function should be structured in such a way as to enable the scheme to adopt strategies, processes and reporting procedures necessary to identify, measure, monitor, and manage risk. The function should also regularly review the risks, at an individual and at an aggregated level, to which the scheme is or could be exposed, and the interdependencies of such risks.

The written policies regarding the risk management function should:

  • only take effect after they have been approved by the governing body, and
  • be reviewed at least once every three years

In schemes where members and beneficiaries bear risks, the risk management system should also consider those risks from the perspective of members and beneficiaries.

Identification and assessment

Risk identification and assessment processes will detect weaknesses in the governance and operation of the scheme at an early stage. Our expectations for governing bodies are set out below.

Establishing a process for risk assessment

  • Set the objectives of their scheme.
  • Refer to the documents they are required to be familiar with. See Working knowledge of pensions.
  • Consider relevant sources of information, such as records of internal disputes and breaches of the law.
  • Determine the various functions and activities carried out in the running of the scheme.
  • Identify and document the actual and perceived risks facing their scheme, including activities that have been outsourced.
  • Assess the likelihood and impact of the risks occurring.
  • Assess the likelihood and impact of separate risks coinciding and the interdependencies between such risks.

Monitoring and mitigating risk

  • Record the risks identified in a risk register and ensure that it is reviewed regularly.
  • In the case of funded defined benefit schemes, establish any sponsoring employer’s capacity to absorb investment risk.
  • Define tolerance parameters, key indicators and triggers for action.
  • Document and take steps to manage or mitigate risks.
  • Maintain contingency plans for actions to be taken if risks materialise. See Continuity planning.
  • Develop and implement plans with target dates for mitigating or closing risks.
  • Undertake ‘after action reviews’ and incorporate any lessons learnt.

Continually monitor existing risks and identify new ones, including significant changes affecting the scheme, employers and members.

Roles and responsibilities

  • Have processes that establish ownership and a responsible party for monitoring risks and issues between meetings of the governing body (particularly if the action is the responsibility of a third party).
  • Receive information from relevant parties (administrator, investment manager, etc.) at least quarterly to enable the risk register to be updated.

Glossary and legal references

Asset liability management

This is the practice of managing risks that arise from the misalignment of asset classes within an investment strategy.

Governing bodies

Trustees or managers of an occupational pension scheme which is subject to the requirements under section 249A of the Pensions Act 2004. In the case of a public service pension scheme subject to the requirements under section 249B of the Pensions Act 2004, governing bodies refer to scheme managers.

Internal controls

  • arrangements and procedures to be followed in the administration and management of the scheme
  • systems and arrangements for monitoring that administration and management, and
  • arrangements and procedures to be followed for the safe custody and security of the assets of the scheme. (Section 249A of the Pensions Act 2004)

Public service pension scheme

A scheme established under section 1 of the Public Service Pensions Act 2013.

Scheme manager

Applies to public service pension schemes, and is the person responsible for managing or administering a public service pension scheme, and any statutory pension scheme that is connected with it. (See section 4 of the Public Service Pensions Act 2013.)

Sponsoring employer

The employer, or employers, responsible for making payments to a pension scheme. See our Statement on identifying your statutory employer.

[ID1] Article 226A of The Pensions (Northern Ireland) Order 2005

[ID2] Section 249A(3) of the Pensions Act 2004
[Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

[ID3] As defined in section 318(1) of the Pensions Act 2004
[Article 2(2) of The Pensions (Northern Ireland) Order 2005]

[ID4] As defined in section 318(2) of the Pensions Act 2004
[Article 2(3) of The Pensions (Northern Ireland) Order 2005]

[ID5] As defined in section 318(1) of the Pensions Act 2004
[Article 2(2) of The Pensions (Northern Ireland) Order 2005]

[ID6] ‘Scheme rules’ as defined in section 318(2) of the Pensions Act 2004
[Article 2(3) of The Pensions (Northern Ireland) Order 2005]

[ID7] Article 226A of The Pensions (Northern Ireland) Order 2005

[ID8] Unless exempt within section 249A(3) of the Pensions Act 2004
[Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

[ID9] Section 249A of the Pensions Act 2004 and Regulations 3(1), (3)(a), (5), (6) and (9) of the Occupational Pension Schemes (Governance) (Amendment) Regulations 2018 (SI 2018/1103)
[Article 226A of The Pensions (Northern Ireland) Order 2005 and Regulations 3(1), (3)(a), (5), (6) and (9) of the Occupational Pension Schemes (Governance) (Amendment) Regulations (Northern Ireland) 2018 (SR 2018 No. 214 N.I.)]