Webcast

The Good Governance webcast 2023

June 9, 2023

In this webcast, we take a look at the changes heralded by the Pensions Regulator's (TPR) General Code, with a deeper dive into one of the key areas of change: that of modernising risk management.

Video transcript

JENNY GIBBONS: Good morning. I'm Jenny Gibbons. And it is my pleasure to welcome you to our Good Governance webcast 2023. As I was preparing for this morning's session, I was looking back at my opening remarks from last year's good governance webcast. And to some extent, it felt like Groundhog Day. Yes, I said it feels like pension scheme governance has never been so important or high profile, which still stands.

And I was delighted to introduce an interview with Nick Gannon of the Pensions Regulator as I am today. But also last year I asked Nick about what we can expect to see in the final version of the code that was expected in relatively short order.

We don't yet have the code, though we were so convinced it was imminent that we stood ready to run a live interview with Nick to replace the one that we recorded last week. But that's not to say we haven't all been making forward progress on governance in the last 12 months.

Our survey, which will be introduced by my colleague Catherine Ryder, gives us an aerial view of the changes that we're seeing across aspects of scheme governance. We'll then hear from Nick on his views and some areas where he's able to share more on the final code. And then we'll turn to shining a spotlight on risk management which underlies and is laced throughout the code.

Here my pensions colleague Mat Backus interviews my corporate risk colleague Iain Mackenzie on the connections between the risk management journey that corporates have been on over the last 15 years or so, and that being taken by pension schemes.

And, finally, we'll have a short polling session to gather your views on equality, diversity, and inclusion, particularly in light of the Pensions Regulator's recently published guidance. We have a Q&A feature, which you'll find on the left of your screen. That's where you can ask us a question or contact us if you're experiencing any technical difficulties.

If there's time, we'll pick up some of your questions at the end of the webinar. And if not, we will respond to any questions individually afterwards. When we get on to the polling later, the questions should pop up for you automatically.

And then, finally, at the end of the webcast, we'll ask you to fill out a short questionnaire to let us know about your experience today. So to help us with some scene setting then, I'm going to first turn to my colleague Catherine Ryder to share some results from our hot off the press governance survey 2023.

CATHERINE RYDER: This is the third year running that we've conducted our survey. And this year we received 140 responses from trustees, pensions managers, and other stakeholders. We'll start with a few results relating to the general code, and then go into some of the wider themes we're seeing across the pensions industry on governance changes and trends.

This first question from the survey shows that schemes' governance ambitions are high. Most schemes want to add value in their governance, with almost everyone aiming for something more than just basic regulatory compliance. And actually more than 70% aiming for better than average governance standards.

So how do these ambitions translate into actions as schemes prepare for the changes that will come into force with TPR's new general code? Well, many schemes have already started taking steps to prepare for the general code, but progress so far has been slow.

The three main areas of focus to date have been completing a gap analysis, reviewing risk registers, and taking general trustee training on the code. This year's survey revealed that around three in 10 schemes have now completed their gap analysis, up from only one in 10 in last year's survey. But the proportion of schemes that have reviewed their risk registers or carried out trustee training is similar to that indicated in last year's survey at around three in 10.

Almost all schemes plan to complete these activities by the end of the year. But it looks like the majority are waiting for final clarification on the code before doing so. Outside of these three areas there's been little activity to date.

The vast majority of schemes will now look to establish an effective system of governance, review their policies, and carry out an own risk assessment by the end of 2023. So there's a lot on the horizon for many schemes.

Moving on to the risk management function within the code. 65% of schemes expect responsibility for this role to fall to the full trustee board or a subcommittee, which could mean a significant increase in trustees' governance burden.

Only 34% of schemes expect the internal audit function to fall to the board or a subcommittee. And you can see that there's a particularly wide spread of results for this latter role with no real front-runner and a significant number of don't knows, which could suggest that there's no obvious best place for this role to sit.

Turning now to cyber risk. Over the last few years, cyber risk has risen to become one of the key risks all organizations face. And pension schemes are no exception. The Pensions Regulator has included guidance around cyber risk in the general code, which suggests all trustees need to take active steps to protect members and assets against cyber risk.

So where do schemes stand on this today? While 86% of schemes are confident that they will meet TPR's expectations on cyber risk, only around half think they have the right skills and resources to manage the cyber risks they face. Suggesting a recognition that to truly manage this risk, more than just basic compliance may need to be done.

So then today most activity from boards has been around establishing roles and responsibilities, assessing third party risk, and establishing a formal cyber risk framework. The survey also suggests we'll see rapid growth in boards taking training on cyber risk, which six in 10 plan to do over the next two years. And cyber incident simulations which nearly four in 10 expect to do over the same time horizon.

So now putting the code to one side, what are the other top governance priorities for schemes? The number two priority was an increased focus on ESG in investment, chosen by 55% of participants. Which will likely have been driven, at least in part, by reporting requirements under the TCFD framework.

With that said, compared to the results of last year's survey, it seems that climate and ESG are rising up the agenda for mid-sized schemes, and are also now a considerable focus for four in 10 smaller schemes where the TCFD disclosure requirements do not apply.

For many schemes, increases in yields over 2022 meant an improvement in their funding position as liabilities fell by more than asset values. This means, for lots of schemes, their planned end game is now that much closer. So preparation for buyout has become a focus for more schemes, with over half now citing this as a key governance challenge.

For many, moving from deficit to surplus has brought a new set of issues to consider, with 43% of schemes naming an improved funding position as one of their top governance challenges. These challenges, as well as many others, mean that trustees are busier than ever, with boards of larger schemes now spending an average of 880 hours a year on their duties.

82% of trustees report a view that the role has become significantly riskier. And 74% think it has become more difficult. So how are schemes alleviating this pressure? The survey results suggest that the presence of an independent professional trustee on the board could help other trustees as those with an IPT on their board were 15% less likely to report that their role as a trustee has become more difficult. And that's, of course, excluding the views of the IPTs themselves.

This next slide shows that some boards are looking to delegate investment decisions, with one in 10 considering moving to a fiduciary manager over the next two years. The survey also shows a number of schemes looking to outsource the pensions manager role or consolidate advisors, which could be a sign that schemes are maturing their governance arrangements and looking to enhance efficiency as they get closer to their end game.

Many boards have also understood that a more effective, more diverse trustee board will be better able to face the rising complexity and risk attached to the trustee role. Our survey results show that over 2/3 of schemes have already reviewed their skills and experience diversity. Half have reviewed their demographic diversity, and around 1/3 their behavioral diversity.

A further 1/3 are planning to look at their behavioral diversity over the coming years, suggesting boards who haven't done so are now turning their focus to this area. We also found that trustee boards are reviewing their effectiveness more frequently, and are advancing from self-assessments to independent reviews.

In our 2022 survey, 66% of schemes assess their effectiveness every year, up from 54% in 2021. And three in 10 are now seeking external input at least every three years. Recruitment is also key when it comes to making sure a board is diverse. And this is another area that's become increasingly challenging in recent years, with the rising complexity of the role and shrinking membership of many schemes.

In 2023, 73% of trustees said it's becoming harder to find members to act as trustees, compared to 64% in 2021. Recruiting trustees who enhance board diversity also increases this challenge. From our survey results, we can see that the majority of schemes are taking action to address recruitment issues, with 2/3 of schemes having taken at least one action and a further 16% looking to do so.

The most common action has been to amend the process from election to selection, which has been adopted by around four in 10 schemes. To combat declining number of employee members, many schemes are also looking to relax the conditions on who can be a trustee.

Around four in 10 now allow pensioner members to replace employee trustees, and 1/4 allow deferred or dependent members to become trustees. Looking forward, the focus seems to be on developing recruitment practices to support a pipeline of candidates, with around three in 10 schemes planning or considering work in this area.

The final area I wanted to touch on today is the survey's findings on trustee board structure. We found that a typical board has seven trustees. And one in seven respondents expect that number to decrease over the next two years. The number of schemes with an IPT continues to rise, with nearly one in five boards without an IPT expecting one to be added in the next two years.

The use of subcommittees has also continued to increase. The average number of subcommittees is still three, which is consistent with the results of last year's survey. But now over one in five large schemes has six or more subcommittees. And medium schemes now more commonly have four or five, compared to three in last year's survey.

This could, again, be a reaction to the increased complexity, risk, and workload of the trustee role. The topics most commonly covered by subcommittees are investment and GMP equalization. For both of these issues, nearly eight in 10 schemes have a designated subcommittee. That wraps up our quick summary of some of the trends revealed by our 2023 governance survey. But if you're interested to hear more, we'll include a tick box at the end of the webcast. So please do let us know.

JENNY GIBBONS: Thanks to Catherine for sharing those results. I'm delighted to take us next to a conversation with Nick Gannon who's Policy Lead on the general code at the Pensions Regulator. In this interview, I play some of the results of our survey back to Nick for his responses. And also take his thoughts on the key features of the code and how schemes are already responding or might begin to. Hi, Nick.

NICK GANNON: Hi, there.

JENNY GIBBONS: Thank you very much, once again, for joining us for our good governance webinar. We all thought we would have the final general code by now, but, of course, the pause must be as frustrating for you as it is for those schemes who've been awaiting the final text. But, nevertheless, we are delighted to have the opportunity to hear from you on the code and also a little further beyond.

And just to say that there are some questions that we feel we need to ask you Nick because it would be amiss not to. Even acknowledging that there's only so much that you might be able to say in some places. But we will try and go a bit broader to-- and, actually, a broad opener from about 10,000 feet. What, Nick, is your greatest hope for what the general code will achieve for schemes?

NICK GANNON: I think my greatest hope is actually just improved governance. I mean, it is a very broad answer I think. But, yeah, I'm hopeful that, actually, the way we've redesigned the code and we've made expectations consistent between all kinds of schemes made it easier to find content.

Just generally made it more accessible and more obvious that, actually, it will get those schemes, those governing bodies thinking more about what it is that they do and how they do it. And thereby just generally incrementally improving the governance of their own schemes.

JENNY GIBBONS: So a general increase in care rather than a specific change in focus from over here to over here.

NICK GANNON: That's right, yeah. Yeah, I think it's all about raising the bottom rather than necessarily building a tower over there.

JENNY GIBBONS: OK. Well, then and now one of those questions that you might be a bit constrained in how you answer. Are you able to give our audience a heads up on what's likely to change in the final version of the code?

NICK GANNON: I think the final version of the code will be very familiar to people who have read the consultation version that we had published about two years ago now. So there will be a lot of similarity. I mean, we started with 51 modules. We finished with 51 modules. But some of those modules have changed along the way.

The expectations are generally the same, but we've made things clearer. So, for example, we've made it much easier for people to identify whether a module applies to them and whether it forms part of the effective systems of governance. For example, that being one of the key phrases that come-- that's come out of this code.

We've also added a bit more flesh on to things where we were a little bit more vague in the past. So I think in terms of clarifying expectation, there's a lot more there. But in terms of new expectations, no, I don't think we've really added anything at all.

JENNY GIBBONS: OK, and I've heard you speak previously about the own risk assessment specifically, and whether there are any changes there. Are you able to say anything on that?

NICK GANNON: Yeah, I think probably the own risk assessment is one of those areas where people will see the greatest amount of change. That's not to say it's a major change. I think what we've done is we've shifted it from being a, sort of, an externally facing document in some respects that collated a lot of papers together to something that is actually much more useful for governing bodies on a practical level, and useful internally as well.

So it's all about identifying those key risks and challenges for the scheme, and exactly how the governing body is going to approach those. So, yes, I think probably more of a useful document than a potentially a compliance document. And possibly a little bit longer to deal with it as well.

JENNY GIBBONS: OK, well, so I was going to reflect that the way that you speak about that, it feels like it's changing the emphasis from this being a document that is produced to being a process that schemes go through that yields helpful output. Does that feel fair to you?

NICK GANNON: Yeah, I think that definitely does feel fair. I think it was always our intention that it should be more of a process. But I think the way it came out, it was sort of a single one-off project that happened to you on a regular basis. And that was never our real intention. So hopefully by changing a few things along the way, it's actually made it a lot easier now to actually turn it into something, as I say, that's actually useful and it can be drawn out over a period of time.

JENNY GIBBONS: OK. And now on timings and your best guesses. Are you able to say anything, are you willing to say anything, on timings?

NICK GANNON: I think repeating something that I think feels like I've been saying for some time now: soon. Everything is done, everything is ready and waiting basically. It's just waiting for the slot in parliament to open up.

JENNY GIBBONS: OK. So then turning to where schemes are at so far. Our governance survey for this year shows that the code is the most important governance challenge that currently is facing schemes. But in terms of progress, only 30% of schemes have done some or all of taken training on the code, undertaken a gap analysis, or looked at how they do risk management.

And that's in spite of your comments just previously in terms of not very much has changed in terms of the comparison with the original consultation version. So on that 30% progress figure, are you surprised, disappointed?

NICK GANNON: A little bit of both I suppose. I mean, I suppose you've got to celebrate the people who have taken the time and the effort. And I don't think that effort is going to be wasted in any way, shape, or form. So I think that's one positive there.

I think, yes, a little disappointed because a lot of the expectations, as we've said previously, are existing expectations. This is an amalgamation and an update of 10 of our existing codes. So, yeah, I mean, there's stuff there that if they're not doing is a great opportunity to have discovered that they're not doing.

But on the other hand, I can understand because there will be people who will be there on a little bit more limited time and resource, and who will be waiting for the final version of the code to come out before they take the plunge.

JENNY GIBBONS: And what does this level of progress so far mean for implementation timescales for schemes? There's still a persistent belief that I hear still that schemes will have a year to meet the requirements. But that's not quite right, is it?

NICK GANNON: No, it's not. And I think the year has probably come out from the original timetable that we set for the own risk assessment. But that's looking at one aspect of it. And, actually, this is lots of different pieces, the modules all effectively stand on their own. And especially as most of those things are already in existence in our codes. You would kind of hope and expect that, actually, they were very compliant with them. So, no, I don't think there is an absolute one year grace period.

On the other hand, if the governing bodies are busy with stuff that they are struggling with, then I don't think we would be unreasonable in a situation where they were limited for time or resource that, actually, they hadn't necessarily met, especially some of the new expectations where they will possibly be more justified in waiting for the fine detail before commencing work.

JENNY GIBBONS: So perhaps at least if there is a prioritized plan in place to meet the things that aren't yet met.

NICK GANNON: I think so. I think you mentioned a gap analysis in the question there. And I think that's probably one of the first places to start, is actually where are our gaps? What things aren't we doing? Where aren't we meeting things quite as well as we could be?

And then leading from there to see where time and resources allow you to do. And then trying to plot that plan. And trying as well to figure out if you think that that plan is actually going to lead to an unacceptable level of delay in anything.

JENNY GIBBONS: Yeah, OK. And then in our survey, again, what we can see is that it's the largest schemes who've made most progress. But, actually, it's the smaller schemes who are asking us time and again about this concept of proportionality.

So we know that there's not to be any kind of exemption from meeting the expectations for schemes that are smaller or have resource constraints, or schemes that are lower risk or have shorter time horizons, even those that are fully bought in. But if not exemptions, can you give us any specific examples of where this principle of proportionality can still usefully be applied in meeting the requirements of the code in practice for these sorts of schemes?

NICK GANNON: Yeah. I think that there's a couple that I've perhaps spoken about in the past. So you get a lot of schemes that are-- especially at the small end-- receiving bundled services from a particular provider. And in those situations, they might be more inclined-- especially if resource constrained-- to take greater face value of the reports they're given from their service providers around assurance and frameworks and put policies and things like that.

Whereas someone with a more disparate group of service providers might ask more questions just by nature of the lack of joined up. But equally, you would-- you can see that on something like assurance, there might come a tipping point where on a particular matter where a governing body says, well, actually, what we want to do is commit a-- is commission our own assurance reporting because we don't necessarily think what we've been given either is right or is it complete as it could be, or doesn't give us the comfort that we want it to have.

So, yeah, I think those are probably a couple of the examples of proportionality. But, equally, simpler schemes have simpler policies to some extent as well. So if you've got a scheme with multiple sections, then I think unfortunately their policies in certain areas are likely to be more complicated than the straightforward bog standard single section scheme.

JENNY GIBBONS: Yeah. And, actually, just thinking about that, the places where additional assurance could be sought. I feel like that brings in this point about scanning the external environment and scanning the horizon for things that are changing that actually might prompt schemes to say, actually, I want to take a bit more care and think a little bit more about challenging in this area.

NICK GANNON: Yeah, I think that's a fair comment. And it might be particular matters that concern them. It might be the investment environment. It might be climate change or anything like that. Actually, they start thinking that, actually, these things might actually have a more significant impact on us than we previously thought.

JENNY GIBBONS: OK, well, so we're edging around then this risk management as a collection of themes from within the code. And for me, I think it's reasonably clear, at least from the draft code, that there's an expectation that schemes will mature the way that they do risk management towards a system that is more regular, more dynamic, as we've been saying, more forward-looking and more controls-focused.

And whereas we've got a slot just coming up which looks more closely at risk management, for now, would you Nick have changed any of the risk management content of the code if you were drafting it now? Including given events and changes that we've seen over the last nine months or so.

NICK GANNON: I think I'm actually relatively comfortable with where we've ended up on risk management. I mean, we very much approached risk management as all the risks facing the scheme, and not just those focused on investment. And I think there is a tendency to focus in on the investment because that's generally where the money is.

But there's lots of other risks that present themselves to the scheme. And I'm, actually, relatively comfortable with where we are. I think with the benefit of hindsight, there is always things where you would say, well, we actually-- we could have put an extra line in here or called something out more clearly. But I think, as I say, whether that would have been in direct reaction to the events of the last year or just natural course of events, would be difficult to say.

JENNY GIBBONS: OK. And then another specific area that's around risk management is with the internal audit function. So our survey showed that almost 1/3 of schemes didn't know where they would be allocating the internal audit function. And another 1/5 expect it to be the full trustee board.

And I wondered if that reflects the various imperfections associated with the different options that there are out there for this role, either in terms of a lack of independence or a lack of knowledge of the scheme or of pensions or of the requirements of the role itself.

And I wondered whether in the final version of the code there will be any additional clarity on the internal audit function. Or if not that, whether you had any expectations on where you think most schemes will find this resource or where they might best find it.

NICK GANNON: Yes. I mean, that is one of the areas where I said we've clarified a few things. So the risk management function, I think, in the consultation draft was quite well buried in the middle of another risk module. So we've actually taken steps to rectify that a little bit.

Again, this is one of those situations where we're writing code for schemes of a few dozen members up to a few million, and trying to find the right balance. So we've settled on a position where it's what works for the scheme. But the crucial thing here is actually that it's got to work.

So it's, actually, got to be proactive and dynamic, and take into account all those things that are emerging as risks and all the risks that are identified. And make sure that they are actually properly reflected in the governance processes. So, yeah, I think it's not so much who and how, as much as making sure that it works.

JENNY GIBBONS: So that's interesting then. That's two places where we've used that word dynamism. Yes, it's with the risk management function, but also here we're talking about that dynamism in respect of the internal audit function matching the dynamism of the way that risk management is looked at. OK.

NICK GANNON: That's right.

JENNY GIBBONS: And then another specific question that's come up from our work with clients so far. And it's about the contradistinction to the extent that there's one recognized within the code between the concept of contingency planning and the concept of business continuity planning. And I wondered whether you broadly see these as two halves of the same activity, or are they going to be covered distinctly within the code?

NICK GANNON: No, I think we've probably been slightly guilty of using both terms more or less interchangeably as well. So we see it as one overarching program, if you'd like. They are similar and related risks. And we have dealt with them in the way that they are similar and related risks.

JENNY GIBBONS: Yeah, OK. Now just a small sideways step into the world of EDI. And we absolutely welcome the timely publication of the Regulator's Guidance on EDI. I wondered, will there be direct references to your expectations here in the code? And also, what next in this sphere?

NICK GANNON: I think it's too early to say exactly what next in this sphere. But, yes, there are nods towards EDI. I don't think we've necessarily called out the guidance as such. But, obviously, along the timescales we've been working to, we've known that we were publishing our work on EDI.

So, yes, there are some sort of EDI related expectations without necessarily saying someone must do something. So what we've got in guidance is still the guidance, but we've emphasized that people should be paying more attention to it.

JENNY GIBBONS: Yeah. OK, that's clear. And then, finally, next, what's next for you Nick? What else is in the pipeline on scheme governance?

NICK GANNON: Well, I think I'm probably going for the big one now. So I'm looking at trusteeship and governance as the next stage. So, yes, I don't think I get to escape the governance sphere for any time soon.

JENNY GIBBONS: Any previews in terms of what you're looking at on trusteeship?

NICK GANNON: I think there has been some speculation in the trade press recently about what it might actually entail. It's been interesting reading that. There's some flights of fancy in there. But, yeah, I think it's all about getting a better picture of trusteeship and how governance is working at the moment. And then who's to say where that leads.

JENNY GIBBONS: Well we await that with interest. It sounds absolutely fascinating. So look, Nick, thank you so much for your time today. It's been really interesting as always to speak with you. And I appreciate the openness and candidness with which you've been willing to answer my questions. So thank you very much.

NICK GANNON: Thank you.

JENNY GIBBONS: Clearly there'll be more to come on the code as we see the final text. We, of course, stand ready to pull out the main changes to the extent they're not already called out by the Pensions Regulator. So schemes who've already started work can hopefully do a relatively simple compare and contrast. And those who've yet to begin can make some good upfront progress.

Now turning to risk management which, as we've just heard from Nick, is one of the central areas of change in the code, but is also an area where other factors are prompting schemes to look again. I'd like us to drop in on a conversation between two of my colleagues.

Iain Mackenzie is a Risk Management Specialist with 30 years working with corporate clients across many different industries to develop their risk management approach. But who recently has turned his focus to pensions. And Mat Backus is a Pensions Actuary with a Chartered Enterprise Risk Actuary, or CERA, additional qualification. Who's long held belief that the theory and lessons of enterprise risk management should be applied more universally and more completely to the world of pensions. So let's hear from Mat and Iain.

MAT BACKUS: Great to see you, Iain.

IAIN MACKENZIE: Yeah, good to see you too.

MAT BACKUS: Now I always find it really interesting when you talk about the real life journey that corporates have been on in evolving, in processing, setting up risk management processes. Would you mind telling us a bit about that?

IAIN MACKENZIE: OK. So enterprise risk management really got established in the UK in the 1990s. And the background to this was that there were a series of events which caused considerable concern in the wider-- in the population, et cetera. And it was perceived that there were a series of failings of corporate governance.

So if you look at the circumstances that people were concerned about, for example, there were a series of transport disasters, Herald of Free Enterprise, the Southall rail crash, the Ladbroke Grove rail crash. And then there were other events. So, for example, there were the big, public overspend on projects, the Scottish Parliament building, the various MOD overspends on Nimrod, and similar circumstances.

And the big one as regards to the pensions world was Robert Maxwell who famously dipped into the pension funds of the Mirror Group, and defrauded many of the pensioners out of their rights there. And, of course, famously disappeared over the side of his yacht and was never seen alive again.

But the clear failings of corporate governance, and it was felt that something needed to be done about that. So what we got for coming forward then was the Turnbull report which has since been wound into the UK code of corporate governance.

What Turnbull said was absolutely critical for risk management because for the first time, risk management was explicitly made a board level responsibility. So now directors had to receive information on risk, how to engage with it, how to report on risk to the company, et cetera. And Turnbull was hugely influential not just in the listed company sector, but also throughout the public sector and the third sector. And basically every organization in the UK now is influenced to a greater or lesser degree by the terms of the Turnbull report.

So in the aftermath of Turnbull, what happened was that now directors had to receive these risk reports, and, therefore, corporates began to implement corporate risk registers. And after a period of time, they began to realize that those risk registers on their own weren't quite enough. And, actually, they had to build corporate risk systems, enterprise risk management systems around it. And gradually over a period of time, corporates got better and better at managing enterprise risk and corporate risk.

MAT BACKUS: So let's look a little bit at what's happening with pension schemes. The draft general code is quite explicit about requiring better risk management systems. It talks about risk registers, and it talks about the risk management function. But even without all that, most pension schemes would benefit from a better structured risk management system. A way to respond faster and more consistently to recent risk events.

I mean, we've had the COVID pandemic. We've had very fast changes in interest rates and the resulting LDI crisis. So something that would help pension schemes, a proper risk management system, a modern risk management system would really help pension schemes better control their circumstances.

IAIN MACKENZIE: Absolutely. So as you say, we're in a kind of risk on environment that just waves of risk events coming forward. We have the example of ERM in the corporate sector, of established practice there. And now the general code is coming around and picking up on those themes, and also pressing for change there.

So you can clearly see that there are synergies between ERM practice and what the general code is asking for. It's asking for board level responsibility. It's asking for agility. It's looking for horizon scanning for new and emerging risks. And it's also looking for a risk mitigation related approach.

So there's a clear acceptance of these common themes. That risk management is not just about identifying risks and sitting there and looking at the risk information and then doing nothing about it. It's really about taking that information and working with it on a practical level to ensure that risk is effectively managed within the relevant organization.

MAT BACKUS: I'd like to pick up on that point of board level responsibility. The code sets up a risk management function. Now, you might think that that involves a certain amount of delegation of responsibility. But that doesn't really quite fit with what we've been saying.

IAIN MACKENZIE: No, I don't think so. I think the responsibility for risk ultimately is still going to stay with the trustees. But trustees in reality can't do all of the elements of risk management. There needs to be some kind of organizational capability, a function which enables all these essential risk management tasks to operate in the background.

And what you ideally want, for example, is an always-on risk management function that's able to deal with events and circumstances as they emerge. Rather than perhaps having to wait for three months for a subcommittee meeting, for example. So risk and risk management doesn't stop in that intervening period.

So there needs to be some kind of capability that can deal with the essential tasks, updating risk information, identifying emerging risks, chasing up on risk mitigation tasks, et cetera. And making sure that risk is actually effectively being managed in between times. So that element there is that's what the prime reason why you need the risk management function.

There is another element to that. And that's a more of a judgment-based approach or concept. So what you get in the corporate sector is you find that there is so much risk information that's out there that if you report up to audit committee or risk and audit committee, you find that there's just too much information for directors to be able to handle.

And so what there is there is what you might call a curation process. So in a corporate there'll be a risk management function or working group, or call it what you will, that will edit out the less significant stuff. And make sure that the really significant material risk information gets to the directors.

MAT BACKUS: Because, of course, it just would not be reasonably possible for a board to agilely and meaningfully consider the entire risk set every single quarter. So we have this concept that you're talking about, this curation where the risk management function can consider. With a little more time and a little more focus, the risks for the board to make it to consider more depth.

So it might consider this on not just the biggest risks, the ones that score most highly, and certainly not just a predetermined calendar going through everything. But also considering the fastest moving risks, the ones that are breaching or approaching risk thresholds, the ones that are-- even just the ones that are increasing.

And as well as those other points of looking at your most significant risks, and making sure that the entire range does get considered on a regular schedule. That kind of intelligent curation needs to be supported by a risk register that is actually able to look at all the different risks in this way.

IAIN MACKENZIE: Yeah. So a risk register, as I say, has to be a functional tool. So there are certain characteristics that need to be there. So one is clear descriptions of risk, which isn't always the case. You need a clear scoring system. It needs the ability to be able to sort on a variety of factors. So, for example, you're able to pull out your top 10 risks by overall risk rating. Absolutely essential if you're going to be doing risk reporting, for example.

And there are other characteristics that you might want to have in there. So, for example, you want to track where you are with your risk mitigation. What are your existing risk controls like, what additional risk controls do you need, and how do you track those and make sure those are implemented within appropriate timescales. So the point is the risk register becomes a working tool and a key part, a cornerstone of driving your risk management process.

MAT BACKUS: So it seems like in a lot of cases there could be a pretty big gap between risk management systems as they exist and where we're trying to get to. In your experience working in the corporate world, how far-- how big do you think that gap is?

IAIN MACKENZIE: OK, so I've worked in the corporate sector on ERM systems virtually since ERM began to get established, so I've seen the whole phase of development over the years. So if I may look at pensions now and compare it to corporates-- I mean, this is a generalization.

I'm not-- I recognize there are some very good schemes out there have done a lot of good work. However, if I look overall, I would say that where pension schemes are now is very similar to what I saw in the corporate sector 10 to 15 years ago.

MAT BACKUS: Wow. OK, but there's, of course, a huge variation both in where companies are at the moment, as well as where the pension schemes are.

IAIN MACKENZIE: Yeah. And the very best corporates these days are exceptionally good at managing risk. And it's not just a top-down process in a small sector of the organization, they've made themselves risk aware organizations so that everybody in the organization understands what the company's expectations are in terms of risk, and everybody follows that ethos. But that's really the very best companies.

There are plenty of organizations there which aren't as good, which haven't fully implemented and need further development. And if you look at the pension sector as well, you've got a similar picture. You've got some schemes which really have very basic implementation. They maybe have some form of risk register, and that's kind of as far as it goes. And they don't have the further development. There's no risk framework, and there are gaps.

MAT BACKUS: But within this variation, we also have the concept of proportionality. For the larger scheme with plenty of resources, there might be a very strong risk management culture coming down from the sponsoring company.

But for a lot of smaller schemes, there might not be the same resources. There might be very low risks if they're already on their path to buy out. There might be a very short time frame. For these ones, there's maybe not as much need. You definitely need a basic risk register to be keeping track. But is there really a need for all the more sophisticated elements?

IAIN MACKENZIE: I think you're not going to expect the same levels of organization and resource that you would have in a larger scheme. I think that would be nonsense. But you do need certain key elements. You need this risk register in an appropriate design. You need to have that risk register with appropriate coverage so all the themes that need to be covered are in that register. You need that scoring mechanism. You need the risk mitigation identified. You need that risk register to work correctly.

And then you do need some kind of risk framework document. You need to have a repeatable system which is clearly defined. And perhaps that document is relatively simple, but it's appropriate to the size of that organization. And then you need this third element. You need the resource to be able to actually make sure that system works correctly.

MAT BACKUS: So we're talking about this clear gap between the risk management systems already in place and where ideally we would get to. What can you tell us about how schemes might go about bridging that gap?

IAIN MACKENZIE: Well, firstly, they need to understand what the issues are, where the gaps are. So they need to look at the arrangements, they need to look at the documentation that exists already and see if there are clear gaps, clear elements that are missing. And then the second thing is to look at the people.

You look at the understanding. How much knowledge about risk, for example, do the trustees have, do the pensions team, if one exists, have. That understanding, that need, that desire to actually do things about it, to understand the expectations of the organization in terms of managing risk. So you need that information before actually moving on to the design phase.

What you clearly don't want to do is to have a one size fits all approach whereby you drop this design onto a scheme, and then find that it doesn't fit. I think there is scope for an element of one size fits all. But in most cases, I think there will be a degree of customization to make sure that any measures that are put forward are actually fit and appropriate for that particular scheme.

MAT BACKUS: So the code requires an effective system of corporate governance, including internal controls. It might be helpful to pause for a moment on the various systems that are there in the code. The code requires an effective system of governance we call an ESOG. This is the infrastructure, the bedrock, the systems that run the pension scheme.

It also requires risk management, as we've been discussing. A risk management framework which is how all that is put together. And sets out the responsibilities of the trustees, the risk management function that we've also talked about, as well as any other parties involved. Whatever form it takes, the risk management policy has to be there, perhaps including an appetite statement. Represents the guidance and rule book for the risk management approach.

IAIN MACKENZIE: Yeah, so the risk appetite or risk tolerance is something which is not, I think, that well understood by schemes. So the assumption is that most schemes, most pension schemes are quite risk averse. They don't want to take on a lot of risk. I mean, it's not like they're IT startups and they're prepared to take on shedloads of risk because that's the nature of the organization.

So instinctively pension schemes are risk averse. But have they ever defined that? Have they ever set down exactly what their expectations are in terms of risk appetite or risk tolerance? And in general, that's not the case. So the question is, where and how are they going to do that?

My view is that a very good place to start is actually the risk register because you've got your risk register with your numerical risk scoring. OK, so you can set risk tolerance levels within the risk register on a risk by risk basis. So here you have your level. If your risk score exceeds the tolerance level, OK, a red flag pops up. And you know you've got to do something about it to bring that risk back within tolerance level.

MAT BACKUS: Then the final piece of the puzzle is continuity planning. Can you tell us a bit about that?

IAIN MACKENZIE: OK, so we talked about risk management so far. And the nature of risk management is that you attempt to deal with the risks before they manifest. Continuity planning is the other side of the coin. So it deals with events after the risk has occurred. So something serious has occurred, there's been an event, an interruption event which is impacting on the scheme.

And the purpose of planning is to accelerate recovery from that situation. So if you accelerate recovery, then you minimize the impact on the scheme. And I think even where schemes have got continuity planning in place, very often they haven't covered all the elements that should be covered in the continuity plan.

So it's not just about internal within the scheme processes or activities. It's also about where they have dependency, reliance on external providers. So if a critical service provider goes down for some reason, that's going to impact on the scheme. So their plan needs to address these external providers as well.

MAT BACKUS: OK. That's been really interesting, Iain. Any final thoughts on the impact the risk management aspects of the code will have on pension schemes?

IAIN MACKENZIE: So I think schemes have clearly done work on risk management in the past. They understand the principles, and they've got what I would consider in many cases to be partial implementation. I think there's further work they need to do to optimize their risk management approach. And with the general code coming in, I think now is the time to kick on and finalize the job.

MAT BACKUS: Great. Thanks very much for that, Iain. That was really fascinating.

IAIN MACKENZIE: It was a pleasure.

JENNY GIBBONS: I hope that you all found those perspectives from Mat and Iain as interesting as I did. Now, on the 28th of March, the Pensions Regulator published two sets of practical guidance-- one aimed at trustees and the other at employers-- to help improve equality, diversity, and inclusion or EDI in trustee boards.

The Pensions Regulator suggests a good starting point for schemes is to establish EDI principles which can be developed into a scheme specific EDI policy that itself covers an agreed definition, aims and objectives of the trustee board, and a training plan.

And the board can then fully integrate its policy into the operation of the scheme. For example, testing policies, procedures, governing documents and communications against the agreed EDI definition, and where helpful, aligning the scheme's policy with that of the employer.

The Pensions Regulator expects the chair to track and record the board's progress on equality, diversity, and inclusion. And trustees are also encouraged to assess their board's diversity of characteristics, life experience, expertise, and skills, to identify gaps and to repeat this assessment regularly. The Pensions Regulator expects the chair to take the lead here, and goes on to comment and make practical suggestions on filling diversity gaps over time from member company and professional trustee resource pools.

I would recommend reading through this guidance if you haven't done so already. As Nick Gannon alluded to just earlier, this is relatively near the start of the journey on EDI for the Pensions Regulator and, of course, for many schemes.

But we just wanted now to take some information from you on the steps you've taken and your views, including views on what's next. So we're going to move into a polling session. All responses will be treated anonymously and confidentially. The questions should pop up for you automatically. And if they haven't, you can find them by hitting the-- if they don't, then you can find them by hitting the purple poll button with the three lines on, which is just underneath the main screen.

So the first poll question then is on your views. On a scale of one to four, how important is it for you to develop your EDI ambitions and practices for your scheme? So this is all about importance. Number one, it's not important to me. Number two, it's nice to have but not currently a priority. Number three, it's important to me, and we expect to review our approach in the next year. Or number four, it's a key area of focus for us right now. So we'll just give you a couple more minutes to submit your response there.

OK, how are we doing with responses to that question on views on this as a topic? So we have a very small number who suggest it's not important to them. That's really great to hear. And then there's a good spread, as we go through those middle two options, of it being a nice to have.

But, actually, there's probably other priorities for us at the moment. Versus it's being important and having it on the near-term horizon to look at. Only 8% of respondents who've said it's a key area of focus for schemes right now. So I think that reflects the point that we were saying about the journey that schemes are on here.

OK, poll question number two is about the steps then that you've taken. So have you already taken or are you taking steps in relation to any of the following as a result of or in advance of the Pensions Regulator's EDI guidance? So select as many as apply for you.

Have you taken or are you taking EDI training as a board? Are you developing an EDI policy? Have you set EDI goals? Have you looked at or are you looking at identifying gaps in board diversity? And have you reviewed the way that you recruit trustees in order to promote diversity or other steps? So, again, I'll give you a couple of minutes to select any of those options that apply to your scheme in terms of what you have done or are currently looking at on these steps.

And just while I'm pausing to await those results, just a reminder that there is that general Q&A feature that's available to you. So please do submit any questions that you have in these last few minutes. OK, so the results of the second question in terms of the steps that schemes have already taken.

I think-- I feel like that's really encouraging. So we've got just under 1/3 of schemes have taken training. Same proportion, just under 1/3 are looking at an EDI policy. Fewer yet have got to the point of setting goals, but that's still a reasonable number. A good proportion have looked at identifying gaps in board diversity.

So just thinking back to the survey questions, the annual survey questions that we were looking at earlier, we talked about different areas where there's potential gaps in diversity, including skills and experience and demographic, and then cognitive or behavioral.

But a good proportion of schemes then, over half, have begun looking at at least some of the gaps in their board. Again, nearly half are incorporating, thinking about diversity into the way that they think about recruiting future trustees. And, actually, some schemes there with other activity that they were already undertaking.

OK, and then the poll question to follow is on what you would like to see next from the Pensions Regulator around diversity of trustee boards specifically. So this isn't so much about inclusivity or equality practices. This is about diversity across the trustee board. What next over and above the guidance that we've seen? Again, select any that apply.

So first option, nothing. The current guidance is sufficient on its own. The next one, engagement by the Pensions Regulator with schemes on an individual basis on EDI would be useful. Building on that, should we have reporting to the Pensions Regulator on board diversity, for example, via the scheme return? Building, again, should there be publication to members of anonymized board diversity data? Or even, again, building wider publication of anonymized board diversity data.

And then the final option. Do you believe that we should have specific expectations via a code of practice which is obviously stronger than guidance on EDI activity structure or quotas? So just a moment or two further to see those results coming in.

So that's a good chunk of respondents who are saying that, actually, what's out at the moment is sufficient. So that guidance being published is already presumably having the intended impact in terms of influencing activity and then outcomes for members. And then a reasonable spread across the building options that go-- that goes stronger beyond the existing guidance. Plenty expecting that there should be some specific expectations set out that's just under one in five there over and above guidance.

OK, thank you very much for answering those poll questions. Hopefully it's been useful to you to see some insights and hear how other people and peers in the industry are beginning to think about this important topic as we wait to hear more from the Pensions Regulator. And we, of course, are doing some very interesting work with schemes in this area too.

So we're coming to a close now. So thank you to those of you who've submitted questions via the chat button. Actually, we haven't got a huge amount of time to address them in public, but we do undertake to respond individually to anyone who's submitted a chat question.

I hope you've enjoyed hearing from our speakers who've been so kind to share their views and experiences. So that was Catherine who gave us that industry snapshot from our survey. Nick who was willing to be grilled on his own views and what's to come with the general code. And Mat and Iain who are both passionate about risk management and helping schemes to continue to test and mature their own approaches. And thank you to you for submitting your responses in respect of views on EDI.

The code is still expected imminently. And as I mentioned, as soon as it's available, we'll be working through the detail. Then over the coming months we expect clients will review their gap analysis, risk management, and work through their research of libraries, as well as embarking on or continuing their EDI journey.

A passing thought from me. Throughout this whole schedule of work, it's really important to remember that the focus of changes to governance and risk management or EDI with your scheme is, first and foremost, about improving outcomes for members before it's about or motivated by compliance. So just an outcome focus for me.

So thank you very much. Please don't forget to fill out our post webinar survey. It just takes a minute. And we really find your feedback valuable. A box to tick if you want to hear more about the results of our survey or any other areas, and then you'll receive an email shortly with a recording of the session. So thank you, again. And I do hope you all have a lovely rest of the day.
