Own risk assessment


Early draft of the code of practice

This code is not in force yet. It is an early version for the new code of practice consultation.

To give us feedback on issues such as the design, usability and navigation of this code, email us at

You can also read more information about the consultation.

Published: 17 March 2021

Under section 249A of the Pensions Act 2004,[OW1] governing bodies of certain schemes must establish and operate an effective system of governance including Managing risk using internal controls. However, there are certain exemptions.[OW2]

Governing bodies of schemes that must maintain an effective system of governance[OW3] should carry out and document an own risk assessment (ORA) of their system of governance. The ORA is an assessment of how well governance systems are working, and the way potential risks are managed. Governing bodies of other schemes may choose to carry out an ORA of their governance as an example of best practice.

The governing body should prepare and document its first ORA within one year of this code coming into force. Each subsequent ORA should be carried out and documented within 12 months of the last. It should also be reviewed whenever there is a material change in the risks facing the scheme or to its governance processes.

The ORA is a substantial process, and the governing body may need to expand its risk assessments to fulfil our expectations. The ORA does not need to document the steps taken to mitigate risks identified. However, the governing body should still ensure that it maintains appropriate records of mitigations as part of its ordinary risk management processes. See Managing risk using internal controls.

Records of the ORA do not need to be sent to us, but we may ask to see them as part of supervisory activity.

Use of the own risk assessment

As the ORA will identify the key governance risks facing the scheme, the governing body should incorporate the findings into its management and decision-making processes. The findings may be used to adjust or create new processes or procedures. They may also highlight areas of work that the governing body needs to undertake, and help to prioritise these activities.

Carrying out the own risk assessment

The governing body should carry out an ORA that is proportionate to the size, nature and complexity of the scheme. The areas that should be covered when carrying out an ORA are set out below.


The governing body should:

  • ensure the ORA is in writing
  • provide the ORA documentation to all members of the governing body
  • ensure the ORA documentation is available on request
  • make sure the chair of the governing body signs off the ORA

The governing body should record:

  • the date on which the ORA has been prepared
  • the date on which the next ORA will be prepared
  • details of any interim reviews or updates that the governing body has carried out or plans to carry out

The ORA documentation should cover:

  • how the governing body has assessed the effectiveness of each of the policies and procedures covered by the ORA
  • whether the governing body considers the operation of the policies and procedures to be effective and why

To meet our expectations, the ORA should consider the effectiveness of, and risks arising from, each element listed below.

Policies for the governing body

Risk management policies


  • The scheme’s investment governance processes (see Investment governance).
  • How investment performance is reviewed and monitored (see Investment monitoring).
  • How the governing body assesses investment risks relating to climate change, the use of resources and the environment (see Climate change).
  • How the governing body assesses social risks to the scheme’s investments (see Stewardship).
  • How the governing body considers the potential for depreciation of assets arising from regulatory or societal change (see Stewardship).
  • How the governing body assesses the protection mechanisms available to the scheme, including how these might apply and the risks of them not functioning as intended.
  • How the governing body ensures the security of assets and their liquidity when they are required (see Investment decision-making).
  • How the governing body assesses the protection of member benefits in the event of the insolvency of a sponsoring or participating employer, or a decision to discontinue the scheme.

Additional investment matters for DB schemes

  • How the governing body assesses the scheme's funding needs with reference to its recovery plan.
  • How the governing body assesses the specific risks relating to the indexation of benefits provided by the scheme.


Payment of benefits, where applicable

  • How the governing body assesses operational risks, focusing on the risk to members and beneficiaries relating to record-keeping and payment of benefits.
  • The governing body’s management of risks relating to circumstances where accrued pension benefits may be reduced, under which conditions and by whom.
  • The governing body’s management of the risk of member benefits being reduced or altered, including on the insolvency of a sponsoring or participating employer or the cessation of the scheme.

Glossary and legal references

Protection mechanisms

The mechanisms protecting retirement benefits, including, as applicable, guarantees, covenants or any other type of financial support by the employer, insurance or reinsurance, or coverage by a pension protection scheme

OW1: Article 226A of The Pensions (Northern Ireland) Order 2005

OW2: Section 249A(3) of the Pensions Act 2004
[Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

OW3: Section 249A of the Pensions Act 2004
[Article 226A of The Pensions (Northern Ireland) Order 2005]