Identifying, evaluating and recording risks

General code in force: 28 March 2024

This module forms part of our expectations for trustees of those schemes required to operate an effective system of governance (see Systems of governance).

  1. Under section 249A of the Pensions Act 2004¹, governing bodies of certain schemes must establish and operate an effective system of governance (see Systems of governance) including internal controls (see Internal controls). However, there are certain exemptions². The system of governance must be proportionate to the size, nature, scale, and complexity of the activities of the scheme.
  2. Under section 249B of the Pensions Act 2004³, scheme managers of public service pension schemes⁴ are required to establish and operate internal controls, which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules⁵ and with the requirements of the law.
  3. Before designing internal controls, the governing body should identify risks, record them, and regularly review and evaluate them. The evaluation of risks will help the governing body determine which risks require internal controls to be put in place to reduce their incidence and impact (see Internal controls).

Identifying risks

  1. The range of risks will vary from scheme to scheme and may include matters such as investment, employer covenant, funding, administration, communications, fraud, and pension payment, or decumulation options.
  2. The governing body should identify risks including:
    1. scheme investments, including asset-liability management (if applicable). See Investment governance.
    2. those affecting operational resilience, including where those risks belong to service providers. See Scheme continuity planning.
    3. insurances, compensation funds, and other risk-mitigation techniques
    4. environmental, social, and governance risks (if applicable). See Stewardship and Climate change.
    5. scheme funding and the strength of the employer covenant (if applicable)
    6. the risk of fraud
    7. failure to comply with the law and/or scheme rules
    8. poor record-keeping, poor administration, and IT and database failures
    9. cyber security risks. See Cyber controls.
    10. governance and decision making, or existing controls are not operating to the standard required by pensions legislation
    11. actual or potential conflicts of interest (the module on conflicts of interest sets out the actions that governing bodies should take in relation to these matters)

Evaluating risks

  1. The governing body should evaluate all the risks faced by their scheme to determine the key risks. They should then set acceptable parameters for each key risk with key indicators.
  2. In evaluating risks, the governing body should:
    1. set scheme objectives (for example, to provide pensions benefits)
    2. refer to documents the governing body is required to be familiar with. See Knowledge and understanding.
    3. consider relevant sources of information, such as records of internal disputes and breaches of law; consider the various functions and activities carried out in the running of the scheme
    4. evaluate the likelihood and impact of the risks occurring
    5. evaluate the likelihood and impact of separate risks coinciding and the interdependencies between such risks
    6. be prepared to monitor, challenge, and review their risk evaluation process and outputs
  3. In recording and updating risk records, the governing body should:
    1. record the risks identified and ensure that they are reviewed regularly (including identifying new risks, such as significant changes affecting the scheme, employers, and members)
    2. record the key risks in a risk register and keep that up to date
    3. maintain contingency plans for actions to be taken if risks materialise. See Scheme continuity planning.
    4. record and implement plans with target dates for mitigating risks
    5. carry out ‘after action reviews’ and incorporate any lessons learnt
  4. In allocating roles and responsibilities, the governing body should:
    1. have processes that establish ownership and a responsible party for monitoring risk and issues between meetings of the governing body (particularly if the action is the responsibility of a third party)
    2. receive information from relevant parties (for example administrator, investment manager) at least quarterly to enable the risk register to be updated
    3. be able to recognise when professional advice is required.

Glossary and legal references

Asset liability management

The ongoing process of formulating, implementing, monitoring, and revising strategies related to assets and liabilities, to achieve financial objectives for a given set of risk tolerances and constraints.

Internal controls

  • Arrangements and procedures to be followed in the administration and management of the scheme,
  • Systems and arrangements for monitoring that administration and management, and
  • Arrangements and procedures to be followed for the safe custody and security of the assets of the scheme.

Public service pension scheme

Schemes as defined in s318(1) of the Pensions Act 2004, established under section 1 of the Public Service Pensions Act 2013, new public body pension schemes and other statutory pension schemes which are connected to those schemes.

Sponsoring employer

The employer, or employers, responsible for making payments to a pension scheme (see our Statement on identifying your statutory employer).

1 Article 226A of The Pensions (Northern Ireland) Order 2005

2 Section 249A(3) of the Pensions Act 2004 [Article 226A (3) of The Pensions (Northern Ireland) Order 2005]

3 Article 226B of The Pensions (Northern Ireland) Order 2005

4 As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]

5 As defined in Section 318(2) of the Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]