Scheme governance and controls

You must establish and operate internal controls that enable you to manage the risks that relate to your pension scheme.

Set up a process to identify, evaluate and manage risks on an ongoing basis.

Internal controls

You must set up and operate adequate internal controls that enable you to manage your scheme according to the scheme rules and the law. Internal controls are arrangements and procedures for:

  • scheme administration and management
  • monitoring that administration and management
  • safe custody and security of scheme assets

Risk management process

You should set up a process that enables you to identify, evaluate and manage risks, and to monitor risk management controls.

Identifying risks

You must identify the risks that are critical to the scheme and which are likely to have a significant impact on the scheme’s ability to provide member benefits if they are not managed effectively.

You should use sources of information such as audit reports, service contracts, complaints and administration reports to help identify areas of governance which may be exposed to unnecessary levels of risk.

Areas of risk that are likely to have a significant impact on your scheme include:

  • existing controls not operating effectively
  • strength of the employer covenant (defined benefit (DB) schemes only)
  • investment strategy
  • fraud
  • corporate changes and transactions relevant to the scheme
  • legal requirements
  • administration
  • operational procedures and technical systems
  • scheme management (including costs) and delegated responsibilities.

You should record risks you identify in a risk register. See an example risk register (PDF, 238kb, 1 page).

Evaluating risks

You should develop a process for evaluating risks. This should consider the impact and likelihood of a risk occurring.

Your evaluation process should enable you to direct resources to priority areas, starting with risks that have a high impact and a high likelihood of occurring. Areas of risk that you may need to prioritise include:

  • lack of trustee knowledge and understanding 
  • deterioration of the employer covenant (DB schemes only)
  • poor investment governance 
  • poor record-keeping 
  • conflicts of interest 
  • ineffective relations with advisers

Assess which risks your scheme can absorb without the need to take further action, and which risks you need to manage.

Managing risks

You must have adequate internal controls that are suitably designed and implemented to enable you to take appropriate action.

You should consider certain issues including:

  • how the control is performed and the skills of the person performing the control 
  • the level of reliance on information technology solutions 
  • whether the control will stop something happening or detect something that has already happened 
  • the frequency and timeliness of a control process 
  • the process for reporting errors or control failures

Monitoring risk management controls

You must continually review exposure to new and emerging risks. This includes significant changes to or affecting the scheme.

You should review your risk register at least annually and evaluate risk assessment arrangements, procedures and systems to ensure that they are still fit for purpose, taking account of any significant changes.

Integrated risk management

In a DB scheme you should take an integrated approach to managing employer covenant, investment and funding risks. Go to integrated risk management.

Further detail

Trustee Toolkit online learning

The ‘Running a scheme’ module contains a tutorial on ‘Risk management and internal controls’. You must log in or sign up to use the Trustee Toolkit.

Go to the Trustee Toolkit