Own risk assessment

General code in force: 28 March 2024

  1. If a scheme required to operate an effective system of governance (ESOG) (see Systems of governance) has 100 members or more, the governing body must carry out and document an own risk assessment (ORA) as part of the ESOG. The ORA is an assessment of how well the ESOG is working, and the way potential risks (see Internal controls) are managed. Governing bodies of other schemes may carry out an ORA as an example of good practice.
  2. Under section 249A of the Pensions Act 2004¹, governing bodies of certain schemes must establish and operate an effective system of governance (see Systems of governance) including internal controls (see Internal controls). However, there are certain exemptions². The system of governance must be proportionate to the size, nature, scale, and complexity of the activities of the scheme.
  3. We may consider failure to complete an ORA as an indicator of poor governance.
  4. The governing body should prepare and document its first ORA before the end of the period described in Regulation 3(8)(i) of The Occupational Pension Schemes (Governance) (Amendment) Regulations 2018. Unless specified otherwise in law or code, each element covered by the ORA should be assessed according to a timetable established by the governing body. It is not necessary for all elements forming an ORA to be assessed at the same time, but the ORA should be completed at least every three years.
  5. New assessments should also be carried out where elements of the ESOG, or risk management processes, are new or updated and whenever there is a material change in the ESOG or risks facing the scheme.
  6. The governing body may need to expand its existing risk assessments (see Identifying, evaluating and recording risks) to fulfil our expectations for the ORA. Many governing bodies will already undertake aspects of the ORA and will not need to duplicate this work. The ORA may therefore be a collation or index of other relevant documents recording these assessments. Where services or functions are outsourced, governing bodies may choose to incorporate assurance reporting supplied by service providers into their ORA.
  7. The ORA does not need to document the steps taken to mitigate identified risks. However, the governing body should still ensure that it maintains appropriate records of mitigations as part of its ordinary risk management processes (see Internal controls).
  8. As the ORA will identify the key governance risks facing the scheme, the governing body should incorporate the findings into its management and decision-making processes. The findings may be used to adjust or create new processes or procedures. They may also highlight areas of work that the governing body needs to carry out, and to prioritise these activities.

Expectations for the own risk assessment

  9. The governing body should carry out an ORA that is in proportion to the size, nature, and complexity of the scheme. The ORA may be carried out by a sub-committee of the governing body, the risk management function, or a third party. Those carrying out the ORA should effectively manage any actual or potential conflicts of interest between themselves, the governing body, employers, and service providers.
  10. The governing body should:
    1. ensure the ORA is in writing
    2. provide the ORA documentation to all members of the governing body
    3. consider what information to provide to members about the findings of the ORA
    4. make sure the chair (see Appointment and role of the chair) of the governing body signs off the ORA
  11. The governing body should record:
    1. the date on which the ORA was prepared or revised
    2. the date on which the ORA will next be prepared or revised
    3. details of any interim reviews or updates that the governing body has carried out, or plans to carry out
  12. The ORA documentation should cover:
    1. how the governing body has assessed the effectiveness of each of the policies and procedures covered by the ORA
    2. whether the governing body considers the operation of the policies and procedures to be effective and why
  13. The ORA should include consideration of the effectiveness of, and risks arising from, each element listed in paragraphs 14 to 19 below.
  14. Policies for the governing body:
    1. How the governing body is integrating risk assessment and mitigation into its management and decision-making processes.
    2. The operation of policies relating to the role of the governing body, knowledge and understanding, and governance of knowledge and understanding.
  15. Risk management policies:
    1. The operation of policies to identify and assess risks facing the scheme (see Identifying, evaluating and recording risks).
    2. The internal control policies and procedures for the scheme (see Internal controls and Assurance reports on internal controls).
    3. Management of potential internal conflicts of interest, and those with participating employers and service providers (see Conflicts of interest).
    4. The prevention of conflicts of interest where the employer and governing body use the same service provider.
    5. Continuity planning for the scheme (see Scheme continuity planning) and, where applicable, how it has performed.
  16. Investment:
    1. The scheme’s investment governance processes (see Investment governance).
    2. How investment performance is reviewed and monitored (see Investment monitoring).
    3. How the governing body assesses investment risks relating to climate change, the use of resources and the environment (see Climate change).
    4. How the governing body assesses social risks to the scheme’s investments (see Stewardship).
    5. How the governing body considers the potential for depreciation of assets arising from regulatory or societal change (see Stewardship).
    6. How the governing body assesses the protection mechanisms available to the scheme, including how these might apply and the risks of them not functioning as intended.
    7. How the governing body ensures the security of assets and their liquidity when they are required (see Investment decision-making).
    8. How the governing body assesses the protection of member benefits in the event of the insolvency of a sponsoring or participating employer, or a decision to discontinue the scheme.
  17. Additional investment matters for defined benefit schemes:
    1. How the governing body assesses the scheme’s funding needs with reference to its recovery plan.
    2. How the governing body assesses the specific risks relating to the indexation of benefits provided by the scheme.
  18. Administration:
    1. How the governing body assesses the risks associated with the scheme’s administration (see Planning and maintaining administration), with particular reference to financial transactions (see Financial transactions), scheme records (see Record-keeping) and receiving contributions (see Receiving contributions).
    2. Action the governing body takes to manage overdue contributions (see Monitoring contributions), considering the degree to which they represent material amounts or delays.
    3. Risks posed by legal and regulatory change and court decisions.
  19. Payment of benefits, where applicable:
    1. How the governing body assesses operational risks, focusing on the risk to members and beneficiaries relating to record-keeping and benefit payments.
    2. The governing body’s management of risks relating to circumstances where accrued pension benefits may be reduced, under which conditions and by whom.
    3. The governing body’s management of the risk of member benefits being reduced or altered, including on the insolvency of a sponsoring or participating employer, or closure of the scheme.
    4. Scams and the risk of members making poor choices (see Scams).

Glossary and legal references

Protection mechanisms

The mechanisms protecting retirement benefits, including as applicable, guarantees, covenants or any other type of financial support by the employer, insurance or reinsurance, or coverage by a pension protection scheme.

¹ Article 226A of The Pensions (Northern Ireland) Order 2005

² Section 249A(3) of the Pensions Act 2004 [Article 226A(3) of The Pensions (Northern Ireland) Order 2005]