Global Site
Argentina Aruba Barbados Bolivia Brazil Canada Cayman Islands Chile Colombia Costa Rica Curacao El Salvador Guatemala Honduras Mexico Paraguay Peru Puerto Rico Saint Martin Suriname United States Uruguay Venezuela
Australia Cambodia China Hawaii Hong Kong India Indonesia Japan Macau Malaysia Maldives Mongolia Myanmar Nepal New Zealand Pakistan Philippines Singapore South Korea Sri Lanka Taiwan Thailand Vietnam
Albania Andorra Armenia Austria Azerbaijan Belgium Bulgaria Croatia Cyprus Czech Republic Denmark Estonia Finland France Georgia Germany Greece Hungary Ireland Italy Kazakhstan Kosovo Latvia Lithuania Luxembourg Malta Moldova Netherlands Norway Poland Portugal Romania Serbia Slovakia Slovenia Spain Sweden Switzerland Tajikistan Turkey Ukraine United Kingdom Uzbekistan
Algeria Angola Bahrain Egypt Ghana Israel Jordan Kenya Kuwait Lebanon Liberia Mauritius Morocco Mozambique Nigeria Oman Qatar Saudi Arabia Senegal Sierra Leone South Africa Tanzania Togo Tunisia Uganda United Arab Emirates Yemen
Contact us
home Industries Pension Funds
man and woman with laptop

The Pension Regulator’s single code of practice

With the new code of practice issued for consultation, our Pension Funds specialists address specific areas and the considerations for Trustees.
Explore our Pension Funds services

Latest insight

The Single Code of Practice - how do the requirements compare to our 2019 survey results?

The Occupational Pension Schemes (Governance) (Amendment) Regulations 2018 (the Regulations) came into force in January 2019, setting out how IORP II was to be implemented into UK law. The Regulations set out a framework for Trustees to demonstrate that they have an adequate and effective system of governance, which is proportionate to the complexity and risk profile of their scheme. Following this, The Pensions Regulator (TPR) was to issue a code of practice (COP) on how the Regulations will be implemented by Trustees.

As we are aware, TPR took the opportunity to review the existing code of practices and in March 2021 issued a single COP for consultation, combining some of the existing COPs along with the requirements of the Regulations that were not already covered by the existing COPs.

As part of our 2019 Risk Management Survey we questioned Trustees on their existing system of governance compared to the requirements of the Regulations, and whether this is assessed to demonstrate that it is appropriate for their scheme. In this week’s insight on the COP we revisit the results of that survey and consider these against the actual requirements of the COP.

Effective system of governance

The COP requires Trustees to demonstrate that the scheme has an ‘effective system of governance’ (ESOG) and that this is reviewed at least every three years. In 2019, we asked respondents whether they have a formal assessment of governance in place of their scheme, and if so, how often this takes place as detailed below:

Formal assessment of governance

It was encouraging to see that in 2019, 78% of respondents already assessed the system of governance at least every three years. Based on our experience, we would argue that for a proportion of the remaining respondents, the system of governance at these schemes is assessed on a regular basis but the process is not formally documented.

One of the points identified in an earlier insight was that we believe the challenge for Trustees going forward will be having the appropriate documentation in place to demonstrate that they have an ESOG in place. In 2019, we asked respondents where the ESOG is currently documented, as detailed below:

Where is the ESOG documented?

In 2019, 86% and 82% of respondents confirmed that they use the risk register and Trustee minutes to document areas of the assessment of governance.

The challenge for Trustees going forward will be embedding this assessment of governance into a tri-annual process to assist them in achieving their overall scheme objectives and obligations, and discharge their duty to have an ESOG in place.

Remuneration policies

The COP requires Trustees to have a written remuneration policy that sets out the levels and means for remunerating those undertaking activities in relation to the scheme paid for by the governing body and/or sponsoring employer.

The policy needs to support the sound, prudent and effective management of the scheme and provide an explanation of the decision making process for the level of remuneration. This needs to cover all parties that perform a service to the pension scheme which includes Trustees, outsourced providers and the sponsoring employer where relevant.

The policy should be reviewed at least every three years and made available to members when requested.

In 2019, we asked respondents whether they have a remuneration policy for specific parties and how often this is reviewed, as detailed below:

Do you have a remuneration policy for:

How often is the remuneration policy reviewed?

This shows that there is work to do for Trustees to ensure that they have appropriate remuneration policies in place and that these are reviewed at least every three years.

Conclusions

It was encouraging to see that in 2019, respondents to our survey believed that they already had the majority of the ESOG requirements in place and that this was reviewed on a regular basis. However, the challenge for Trustees going forward is ensuring that there is appropriate documentation in place to demonstrate that this is the case.

Regarding remuneration policies, it is clear that Trustees will need to review all the parties who undertake activities in relation to the scheme paid for by the scheme and/or sponsoring employer to ensure that they comply with the COP.

How we can help

To discuss this or other elements of the draft code further, please contact Judith Hetherington, Stuart Henderson or your usual Crowe contact. Our next insight will provide an overview of our insights and the key areas that Trustees will need to focus on once the final COP is issued.

Previous issues

Your risk register

Wednesday 10 June

The single Code of Practice - your risk register

The Pensions Regulator’s draft code of practice has a requirement for Trustees to establish and operate an ‘effective system of governance’ (ESOG) and to include a review of this to in the yearly ‘own risk assessment’ (ORA). This increases the onus on appropriate documentation to be in place.

In one of our previous insights, we covered the specific elements that are required to be covered by the ORA and some examples of where a pension scheme may already have existing processes or documentation in place to cover these elements. We noted that a significant proportion of the ORA would be covered by the risk register, but this is dependent on the content and format of each scheme’s risk register.

In addition, the risk register should be used to cover the ‘identifying and assessing risks’ section of the code of practice, which states that:

“It is not necessary, nor possible, to eliminate all risks from a pension scheme. Governing bodies should use risk management as a tool to identify risk and develop internal controls. As part of their risk management approach, governing bodies should assess all the risks faced by their scheme and define acceptable parameters for each.

The range of risks will vary from scheme to scheme and may include matters such as investment, employer covenant, funding, administration, communications, fraud and pension or decumulation options. Separately, some investment risks may be accepted by the governing body in their desire to seek greater returns.”

So, to determine whether your risk register is suitable for the different areas of the ORA, Trustees should consider the following:

Gross vs net risks There is no specific requirement to include your gross risk and net risk after the controls are put in place in risk registers. But, will this help Trustees identify increases in gross risk, to ensure that there are appropriate controls in place to reduce this to an acceptable level?
Controls vs processes Is there a description of the controls that are in place to mitigate each risk, or is it just a description of a process that is being followed in your risk register?
Risk appetite Risk appetite was introduced by the Pensions Regulator in 2018. Although this term is not specifically stated in the code of practice, Trustees should define ‘acceptable parameters’ for each risk when assessing the risks faced by their schemes. Are Trustees currently using this concept in risk registers to assist in this process?
Assurance of controls Earlier in this series we highlight the use of assurance in identifying where key controls are operating as expected. The concept for helping to identify, categorise and visualise the various sources of assurance is the 'Three Lines of Defence’ model. Should Trustees use the risk register to identify where and what type of assurance is being obtained for each risk where relevant - and should this be included in the risk register?

Conclusions

The Pensions Regulator specifically states that the ORA will be a substantial process, but should be proportional to the size and complexity of the pension scheme. We envisage that the area where additional resources will be required is ensuring that there is the appropriate documentation in place to enable Trustees to show that they meet the requirements of an ORA.

Therefore, we recommend that Trustees should look at their risk registers to see whether they are still fit for purpose and whether they need to change to assist in Trustees' compliance with the code of practice. However, risk registers need to be a useful living tool to assist Trustees in the management of the scheme; it is important to find a balance between using the risk register to cover elements of the ORA and ensuring that the risk register remains a clear, concise, useful tool.

How we can help

To discuss this or other elements of the draft code further, please contact Judith HetheringtonStuart Henderson or your usual Crowe contact. Our next insight will look at the results of our 2019 risk management survey where we considered the implementation of IORP II for UK pension schemes against the actual content of the draft code of practice.

 
Cybercrime
Wednesday 2 June 

The risk of cybercrime for pension schemes

Cybercrime is one of the problems of our age, together with fraud now representing over 51% of all crime in the UK; we have had a real surge in cybercrime since the advent of COVID-19 in April 2020, with the Office for National Statistics reporting a 91% increase in incidents.

The Pensions Regulator’s (TPR) draft code of practice will require Trustees to assess and manage cyber risk. They should:

Assessing cyber risk

  • ensure the governing body has knowledge and understanding of cyber risk
  • understand the need for confidentiality, integrity and availability of the systems and services for processing personal data, and the personal data processed within them
  • have clearly defined roles and responsibilities to identify cyber risks and breaches, and to respond to cyber incidents
  • ensure cyber risk is on the risk register and regularly reviewed
  • assess, at appropriate intervals, the vulnerability to a cyber incident of the scheme’s key functions, systems and assets (including data assets) and the vulnerability of service providers involved in the running of the scheme
  • consider accessing specialist skills and expertise to understand and manage the risk
  • ensure appropriate system controls are in place and are up to date (for example firewalls, anti-virus and anti-malware products).

Managing cyber risk

  • ensure critical systems and data are regularly backed up
  • have policies for the use of devices, and for home and mobile working
  • have policies and controls on data in line with data protection legislation (including access, protection, use and transmission)
  • take action so that policies and controls remain effective
  • have policies to assess whether breaches need to be reported to the information commissioner
  • maintain a cyber incident response plan in order to safely and swiftly resume operations
  • satisfy themselves with service providers’ controls
  • receive regular reports from staff and service providers on cyber risks and incidents.

The different nature of cyber risk

In doing this Trustees need to understand some key points:

  • Cybercrime is not like other mostly static risks – it evolves and changes very rapidly – and so cybercrime protection needs to be dynamic and focussed on the latest manifestations of the problem rather than what was happening a year or two years ago.
  • Cybercrime is (mostly) undertaken by rapidly growing, highly profitable businesses who make ‘rational’ decisions on who to attack having evaluated which organisations have the greatest vulnerabilities and where there is likely to be the greatest gain.
  • Pension schemes are responsible for rich seams of personal and financial data which will attract cybercriminals; also, because of the urgency of payments continuing to be made to beneficiaries, cybercriminals know that there would be considerable pressure to pay a ransom after a ransomware attack.
  • There is no such thing as 100% protection against cybercrime and no simply technological solution. Pension schemes need to be able to be as well protected as possible BUT also able to manage an attack if it happens and to recover and mitigate any damage. All three aspects of protection are important.

How we can help

Crowe already help many pension schemes to protect themselves. Jim Gee, Crowe’s Head of Forensic Services, is Chair of the PRAG and PASA Cybercrime and Fraud Working Groups and advise TPR on its guidance for Trustees. PRAG and PASA have recently published cybercrime protection guidance. We aim to ensure both that the substance of protection is as strong as it can be, but also that Trustees can show that they have properly considered these issues and, as TPR’s draft Code of Practice says, they have assessed and managed cyber risk.

For further information please contact Jim Gee or on 020 7842 7239.

Assurancemapping and identifying sources of assurance

The Pensions Regulator’s draft code of practice will require Trustees to obtain assurance that their pension scheme’s internal controls are operating effectively.

Our last two weekly insights have focused on how Trustees can obtain assurance from third-party service organisation internal controls reports and from external or internal audit. This week we are looking at other sources of assurance that might be available and how Trustees can assess where assurance is needed.

In order to determine where assurance is required, Trustees should consider the following:

Ensure key controls have been identified

The scheme's risk register should be the starting point, but Trustees should step back and consider whether they have properly identified the controls they expect to be in place to mitigate the risks that face their scheme. It is important to ensure that the controls are clearly identified (i.e. not just a description of a process that is being followed).

Assurance mapping to identify gaps

Once the key controls have been identified, it will be possible to review each one and consider what form of assurance the Trustee receives to confirm that they are operating as expected. A mapping exercise can then be carried out to highlight gaps where the Trustee is not being provided with adequate assurance (i.e. the Trustee believes a control is in place, but does not have sufficient evidence to confirm that it is actually doing what it is supposed to be doing).

Three Lines of Defence

A concept for helping to identify, categorise and visualise the various sources of assurance is the ‘Three Lines of Defence’ model:

 First line of defence Functions that own and manage risks – operational management, responsible for identifying, assessing, controlling and mitigating risks on a day-to-day basis. 
 Second line of defence  Functions that oversee risks – established by management to help build and/or monitor the first line of defence, for example a risk management function that facilitates, monitors and reports on risk management practices or a compliance function that monitors specific risks, such as compliance with legal issues. For many pension schemes this may fall within the remit of an Audit and Risk Committee. While independent from the first line of defence, these functions are management functions and may therefore intervene directly in modifying and developing processes and control procedures.
 Third line of defence Functions that provide independent assurance – for example internal auditors or other independent functions that provide the Trustees with assurance on the effectiveness of governance, risk management and internal controls including the way in which the first and second lines of defence are working. (Note that in some models, external audit and regulators are included separately as a Fourth line of defence). 

Consider the sources of assurance

Categorising the sources of assurance into the Three Lines of Defence model will help show how each contributes to the overall level of assurance provided and how best they can be integrated and mutually supportive. For schemes using an internal auditor, it will help direct resources to where they are needed most.

Not all schemes use an internal auditor, however Trustees will receive assurance reporting from various other sources. This may include:

  • Reports from the actuarial adviser. This may, for example, include reports that monitor the funding levels to ensure asset rebalancing takes place in line with the Trustee’s policy.
  • Reports from the employer covenant adviser, for example regular monitoring against pre-set criteria to alert the Trustees if action needs to be taken where there is a material weakening of the covenant.
  • Legal adviser reports on specific matters that represent a risk to the scheme.
  • Monitoring and testing by cyber security specialists, for example annual penetration testing to confirm the security of the scheme administrator’s IT systems.
  • Investment adviser reports that may highlight action required due to underperformance against defined benchmarks or controls issues arising from the review of fund manager internal control reports or due diligence on proposed investments.

Conclusion

Trustees should:

  • Invest time in ensuring controls that are critical to mitigating the key risks to the pension scheme have been accurately identified.
  • Perform an assurance mapping exercise to assess where assurance over controls is being provided and where there are gaps. Consider categorising the sources of assurance using the Three Lines of Defence model.
  • Take appropriate action to ensure gaps highlighted by the assurance mapping exercise are addressed.

How we can help

To discuss internal audit and assurance services for pension schemes or other elements of the draft code in more detail, please contact Andrew Penketh, Graeme Jefford or your usual Crowe contact.


Assurance from external and internal audit

How external and internal audit can provide assurance

The Pensions Regulator’s draft code of practice includes requirements for Trustees to establish and operate an effective system of governance including internal controls. Trustees will also be expected to obtain assurance that those internal controls are operating effectively.

In our last weekly insight, we covered how internal controls reports prepared by third-party service organisations might be used to obtain assurance about the pension scheme’s operations, but what other options are available for Trustees seeking assurance over their internal controls, particularly schemes which are administered in-house and do not outsource to third party service providers?

External audit

The draft code of practice refers to the annual statutory audit but warns that governing bodies should not solely rely on the output of the audit as a means of assurance reporting. This is because it is designed to provide assurance that the annual accounts are free from material misstatement and the external auditor will not test internal controls that are not relevant to this objective. It may be possible for the auditor to extend the scope of some areas of the statutory audit work at the request of the Trustees, however certain work may be restricted by ethical guidelines.

Internal audit

The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively. An internal auditor can help Trustees to map their existing sources of assurance and identify gaps where further assurance is required.
Trustees may therefore consider it appropriate to use an internal auditor and the draft code highlights the potential benefit of doing so: “The scope and nature of internal audit work can be tailored to meet the requirements of the governing body. The audit may include financial and non-financial processes and controls.”
The internal audit function may be:

  • an in-house function (if resources allow)
  • outsourced to a specialist audit firm
  • co-sourced - a collaborative partnership between in-house resources and an externally appointed provider.

There may also be an opportunity for Trustees to use the sponsoring employer’s internal audit function to carry out specific assurance work for them. The Regulator has however noted in the draft code that not all internal auditors within a sponsoring employer will have sufficient pensions knowledge to perform an adequate assessment of all scheme operations. The Regulator also emphasises the importance of confirming the internal auditor’s independence and identifying any actual or potential conflicts of interest.

Conclusion

Many Trustee Boards are familiar with identifying risks and the internal controls in place to mitigate those risks, however the Regulator will now expect them to obtain assurance that those internal controls are operating effectively.

Trustees should:

  • ensure they understand the scope (and limitations) of the annual statutory audit and, if necessary, whether the scope of external auditor’s work can be extended to provide additional assurance
  • identify gaps where they are not currently receiving assurance that key controls are operating
  • consider whether internal audit could be used to provide independent assurance and strengthen the Trustee’s risk management framework.

How we can help

To discuss internal or external audit services for pension schemes or other elements of the draft code in more detail, please contact Andrew PenkethGraeme Jefford or usual Crowe contact. Our next weekly insight will look at other reports that can provide assurance for Trustees.

AAF assurance reports

The Pensions Regulator (TPR) has set out in the draft code of practice its expectations for pension scheme governing bodies to establish and operate an effective system of governance, including internal controls.

It is important that internal controls are suitably designed to help mitigate risks that arise in the operations of a pension scheme. It is also important for governing bodies to obtain assurance that those internal controls are operating effectively.

There are various reporting frameworks suitable for receiving assurance about pension scheme operations provided by third-party service organisations. The most commonly used in the UK is AAF 01/20 provided by ICAEW.  This is typically adopted by pension scheme administrators, investment managers and custodians which make available annual assurance reports to their pension scheme clients. There are other assurance standards used typically by investment managers and custodians that are based in the US.

Considerations for Trustees

For each assurance report which forms part of the scheme’s effective system of governance, TPR expects the governing body to understand the scope of any assurance process and how each can play a part in the internal controls framework of their scheme. 

TPR expectations Crowe comment 

Consideration of the process for appointing service providers.

 This is important if a pension scheme governing body commissions its own assurance report, in particular to ensure the independence of the report author (the service provider) and avoid conflicts of interest.
Understand the scope, methodology and supporting evidence used in making an assurance report.
 Assurance reports prepared under AAF 01/20 by a service organisation should clearly set out the scope of the work, which control objectives are considered relevant, the control activities tested and the results of the testing by the service auditor.

The assurance report should clearly state the period covered. They are normally carried out on an annual basis.  In some circumstances the pension scheme governing body may need to request a ‘bridging letter’ from the service organisation to confirm that there have been no significant changes to the control environment in between receiving the annual assurance reports. 
Recognise the control objectives that have been included, excluded or modified in any assessment and how the scope is relevant to their scheme.
 The assurance framework reports AAF 01/20 sets out the minimum set of control objectives to be included by a third-party service organisation and requires the assurance report to explain any exclusions or modifications to those control objectives.

It is possible that a pension scheme might require additional assurance about non-standard processes and control activities which are out of scope of a generic assurance report published by a service organisation. 
Understand the level of interrogation that has been carried out in assessing the scheme, for example if a site visit was carried out.  A report prepared under AAF 01/20 should clearly state how the control activities have been assessed. 
Identify and act upon any issues or concerns they consider to be material.  On receipt of an AAF 01/20 assurance report or equivalent, the pension scheme governing body should check to see of there have been any exceptions identified by the service auditor and whether or not there are any qualifications in the service auditor’s report. If so, the governing body should consider the implications for their scheme.

How we can help

To discuss this or other elements of the draft code in more detail, please contact Andrew Penketh or your usual Crowe contact. Our next insight will focus on how both internal and external auditing can help in providing assurance.

Own risk assessment

This week’s insight into the new draft code of practice (COP) covers the requirement to produce an ‘Own Risk Assessment’ (ORA). The Pensions Regulator (Regulator) specifically states that this will be a substantial process, but should be proportional to the size and complexity of the pension scheme.

Pension schemes will need to prepare and document their first ORA within one year of the COP coming into force. Each subsequent ORA should be carried out and documented within 12 months of the last and it will be required to be in writing, signed by the Chair and available on request.

The Regulator believes that the ORA will identify the key governance risks facing the scheme and therefore the findings of the ORA should be incorporated into the management and decision-making processes.

The expectations of the Regulator

The COP states that the ORA is an assessment of how well governance systems are working, and the way potential risks are managed covering elements such as the governing body, risk management, investments, administration and the payment of benefits. We set out below the specific elements shown in the COP and some examples of where we believe a pension scheme may already have existing processes or documentation in place to cover these elements.

Element Covered by
Policies for the governing body
How the governing body is integrating risk assessment and mitigation into its management and decision-making processes. This is an area where there is probably no specific document that covers this policy although some of the areas may be covered by the overall governance structure and terms of references of committees.
The operation of policies relating to the role of the governing body, building and maintaining knowledge and governance of knowledge and understanding.

Covered by a combination of:

  • Trust Deed & Rules
  • terms of reference
  • business plan
  • training plan.

However, we envisage that additional documentation will be required to fully cover this area.
Risk management policies
The operation of policies to identify and assess risks facing the scheme.

Covered by a combination of:

  • terms of reference
  • use of risk register.

However, we envisage that additional documentation will be required to fully cover this area.
The internal control policies and procedures for the scheme. This is an area where there is probably no specific document that covers this policy although some of the areas may be covered by the risk register or TPA agreements.
Management of potential internal conflicts of interest, and those with participating employers and service providers. Covered by conflicts policy.
The prevention of conflicts of interest where the employer and governing body use the same service provider. Covered by conflicts policy.
Continuity planning for the scheme and, where applicable, how it has performed. Covered by business continuity plan.
 Investment
The scheme’s investment governance processes.

Covered by a combination of:

  • Trust Deed & Rules
  • Statement of Investment Principles
  • investment committee terms of reference
  • investment advisor agreements
  • investment manager agreements.
How investment performance is reviewed and monitored.

Covered by a combination of:

  • Statement of Investment Principles
  • investment committee terms of reference
  • investment manager agreements
  • investment advisor agreements.
How the governing body assesses investment risks relating to climate change, the use of resources and the environment. Covered by Statement of Investment Principles.
How the governing body assesses social risks to the scheme’s investments. Covered by Statement of Investment Principles. 
How the governing body considers the potential for depreciation of assets arising from regulatory or societal change.

Covered by a combination of:

  • Statement of Investment Principles
  • risk register
How the governing body assesses the protection mechanisms available to the scheme, including how these might apply and the risks of them not functioning as intended.

Covered by a combination of:

  • Statement of Investment Principles
  • risk register
How the governing body ensures the security of assets and their liquidity when they are required.

Covered by a combination of:

  • Statement of Investment Principles
  • risk register
  • investment manager/custodian agreements.
How the governing body assesses the protection of member benefits in the event of the insolvency of a sponsoring or participating employer, or a decision to discontinue the scheme.

Covered by a combination of:

  • risk register
  • business continuity plans.
Additional investment matters for DB schemes
How the governing body assesses the scheme’s funding needs with reference to its recovery plan.

Covered by a combination of:

  • risk register
  • regular updates provided by actuary.
How the governing body assesses the specific risks relating to the indexation of benefits provided by the scheme. Covered by reports provided by actuary.
Administration
How the governing body assesses the risks associated with the scheme’s administration, with particular reference to financial transactions, scheme records and receiving contributions.

Covered by a combination of:

  • risk register
  • administration reports
Action the governing body takes to manage overdue contributions, considering the degree to which they represent material amounts or delays. Covered by risk register.
Payment of benefits, where applicable
How the governing body assesses operational risks, focusing on the risk to members and beneficiaries relating to record-keeping and payment of benefits.

Covered by a combination of:

  • risk register
  • administration reports
The governing body’s management of risks relating to circumstances where accrued pension benefits may be reduced, under which conditions and by whom.

Covered by a combination of:

  • risk register
  • business continuity plans. 
The governing body’s management of the risk of member benefits being reduced or altered, including on the insolvency of a sponsoring or participating employer or the cessation of the scheme. Covered by business continuity plan.

We know that all schemes are different and there may be further documents that we have not listed above that may cover each of the required elements of the ORA, however we have provided this list as an example to Trustees that there will many existing processes and documentation in place to cover an ORA. From our experience with the governance structures of pension schemes and reviewing the requirements of the ORA, we envisage that the area where additional resources will be required is ensuring that there is the appropriate documentation in place to enable Trustees to show that they meet the requirements of an ORA.

We recommend that Trustees review their existing processes and documentation in place to identify where further work is required to meet these requirements following the issue of the final COP.

How we can help

To discuss this or other elements of the draft code further, please contact Judith Hetherington, Stuart Henderson or your usual Crowe contact. Our next insight will look in detail at assurance reports as described in the COP.

Risk management

Regulations and the Draft Combined Code require Trustees to establish and operate an effective system of governance (ESOG) to meet their requirements. Trustees will therefore need to assess their risk management framework to validate that their systems of governance:

  • provides them with oversight of the day-to-day operations of the scheme
  • includes delegated activities for which the they remain accountable
  • provides them with assurances that their scheme is operating correctly and in accordance with the law.

Why is risk management important?

Trustees should use risk management as a tool to identify scheme risks and develop internal controls. Internal controls are a key feature of any system of governance which can be summarised as:

  • the arrangements and procedures to be followed in the administration and management of the scheme
  • the systems and arrangements for monitoring the administration and management
  • the arrangements and procedures to be followed for the safe custody and security of the assets of the scheme.

Considerations for Trustees

It is not possible to eliminate all risks from a pension scheme. Trustees should consider defining acceptable parameters for each of their risks when reviewing their risk management framework.

The Trustees need to consider who will be responsible for this risk management function. The Draft Combined Code suggests it could be one of the following:

  • Trustee body
  • sub-committee
  • pensions manager
  • Secretary to the Trustee

This function needs to be proportionate to the size of the scheme.

The risk management function should be structured in such a way as to enable the scheme to adopt strategies, processes and reporting procedures necessary to identify, measure, monitor, and manage risk. The function should also regularly review the risks, to which the scheme is or could be exposed to, and the interdependencies of such risks.

Although the range of risks will vary from scheme to scheme, the Draft Combined Code summarises that Trustees should consider risks such as:

  • scheme investments, including asset liability management
  • insurances, compensation funds and other risk mitigation techniques
  • environmental, social and governance risks
  • scheme funding and the strength of the employer covenant
  • the risk that existing controls are not operating as intended
  • the risk of fraud
  • failure to comply with the law and/or scheme rules
  • poor record-keeping, poor administration, and IT and database failures
  • cyber security risks
  • governance and decision-making not operating to the standard required by pensions legislation
  • actual or potential conflicts of interest.

The Draft Combined Code provides a long list of specific items that should be included in effective governance structures which covers:

  • management activities – which includes decision making, Trustee knowledge and understanding and remunerations
  • organisational structure – which includes role of chair, conflicts of interest and managing advisers and service provides
  • investment matters – which includes governance, monitoring and climate change
  • member communications.

Each module in the Draft Combined Code describes what is expected as a minimum from an ESOG and each element should be subject to a regular internal review (at least every three years). There should be policies in place for such reviews.

In conclusion

Schemes do operate with an effective internal control environment and review their risks at least annually. The challenge for Trustees going forward is demonstrating that they have an ESOG in place and reviewing this at least every three years.

Our fourth annual Governance and Risk Management report, following a survey of over 100 UK pension schemes, considers changes to pension schemes’ operational activities and strategic plans and how Trustees can manage their pension governance and risks effectively.

Read more and download a copy here

To discuss this further, please contact Judith HetheringtonStuart Henderson or your usual Crowe contact. Our next insight will look more closely at the role of the governing body.

Overview

Key highlights from the new single code of practice

On 17 March 2021, The Pensions Regulator (TPR) issued the draft content for the first phase of their new code of practice (COP) for consultation. This begins the process of replacing their existing COPs and incorporates changes introduced by the Occupational Pension Schemes (Governance) (Amendment) Regulations 2018 (the Governance Regulations). The new COP comprises 51 modules and represents the content of 10 of their existing COPs. The closing date for responses is 26 May 2021.

It is unclear how soon after the consultation the COP will come into force, but once it does the existing COPs will no longer apply to pension schemes.

Over the coming weeks we will look at the specific areas of the COP, but this issue considers the significant changes compared to the existing COPs and some of the key areas that Trustees should contemplate.

Overview

The new COP is broken down into five main areas:

  • the governing body
  • funding and investment
  • administration
  • communications and disclosure
  • reporting to TPR.

Although a proportion of the new COP is a consolidation of the existing 10 COPs, Trustees need to be aware that this is new content and familiarise themselves with the expectations included for some of these areas, which may require changes to the governance arrangements at schemes.

Further information on the some of these changes in the governing body area are provided below:

Effective system of governance (ESOG)

This term was introduced by the Governance Regulations, however this does build on the requirements laid out by the existing COPs.

An ESOG should include processes and procedures to ensure compliance with the following modules:

  • Management of activities
  • Organisational structure
  • Investment matters
  • Communications and disclosure.

Governing bodies should ensure that the elements of their ESOG are subject to a regular internal review. This should assess whether each element is functioning as intended, and whether changes are required.

The governing body should establish and maintain policies for the review of each element of the ESOG. These policies should be agreed before any review is carried out and reviewed at least every three years.

Remuneration policy

Trustees should have a written remuneration policy that sets out the levels and means for remunerating those undertaking activities in relation to the scheme paid for by the governing body and/or sponsoring employer.

The policy needs to support the sound, prudent and effective management of the scheme and provide an explanation of the decision making process for the level of remuneration. This needs to cover all parties that perform a service to the pension scheme which includes Trustees, outsourced providers and the sponsoring employer where relevant.

The policy should be reviewed at least every three years and made available to members when requested.

Own risk assessment (ORA)

The ORA is an assessment of how well governance systems are working and the way potential risks are managed, covering policies for the governing body, risk management, investments, administration and the payment of benefits.

Pension schemes should prepare and document their first ORA within one year of the code coming into force. Each subsequent ORA should be carried out and documented within 12 months of the last.

The ORA will be required to be in writing, signed by the Chair and available on request. The Regulator states that the ORA is a substantial process but needs to be proportional to the size and complexity of the pension scheme. Trustees may need to expand their risk assessments to fulfil the Regulator’s expectations.

Conclusion

Trustees need to:

  • understand what the governance process required by COP
  • compare the governance processes against what they do currently and consider whether these are appropriately documented
  • identify what changes need to be made to their governance processes
  • agree next steps in which parties will:
  1. establish where additional governance processes are required
  2. confirm who will be responsible for risk management going forward.

How we can help

Our next insight will cover the ‘effective system of governance’ in more detail, but if you wish to discuss this further in the meantime please contact Judith HetheringtonStuart Henderson or your usual Crowe contact. 

Related services

Pension Funds