The Good Governance webcast 2024

So we have a Q&A feature, which you'll find on the bottom left-hand side of your screen. That's where you can ask us a question or contact us if you're experiencing any technical difficulties. You can resize all the boxes on your screens using the tools at the top, and on the bottom right-hand side, you'll find our related materials.

Speaker profiles are on the right of the media player. Feel free to reach out to the speakers if you have any questions or want to connect after the webcast. And then the feedback survey is on the right-hand side of the console. You can fill this out throughout the webcast to let us know how we've done and what you'd like to know more information about.

And finally, our refreshed 2024 good governance guide, there's loads of useful information in here on different aspects of the Code and our views on what constitutes good governance. And you can download the guide from the link at the bottom of your screen or find it on our website together with other useful information and contact details.

So back to today's agenda. First up, we're going to have my colleague, Catherine Ryder, who's going to walk us through the key results from our hot off the press 2024 governance survey on views, trends, and activity on the Code and on wider governance areas.

We'll then go to a session that I recorded with Ann Rigby of BESTrustees and two of my colleagues, Abby Currie and Pam Sohi, which borrows its format from Blind Date and which focuses on the slightly opaque topic of proportionality in the Code and what this might look like in practice.

And then our final session is an interview with one of my colleagues, Josh Ford, on how one of his clients has worked their way through a review of their approach to risk management and what is to follow. A slight warning that the second and third of these sessions were recorded over the last couple of weeks as I was recovering from a cold.

So you'll see a progression in the croakiness of my voice in those recordings. But hopefully my voice is going to hold up better for today. Interspersed between the three sessions that I've just mentioned, we're going to have some polling questions, which we'll share the results of live for your interest.

And I'm hoping that we're going to have time to take some questions at the end too. So please feel free to use that Q&A function as we go along. If we don't have time to get to your question today, then we will undertake to get back to you individually on it. So, without further ado, I would like to hand over to Catherine to set the scene with our survey highlights.

CATHERINE RYDER: Thanks, Jenny. And good morning, everyone. As Jenny mentioned, I'd like to share with you some key highlights from our 2024 governance survey. This is the fourth year running that we've conducted our survey. And this year, we received 132 responses from trustees, pensions managers, and other stakeholders.

Our survey this year focused on how pension scheme governance is evolving in the current environment, how schemes view the opportunities and challenges posed by the general code, and how schemes are altering their governance strategy in light of their path to settlement.

When we asked survey participants to select their top priorities for the governance of their scheme over the next two years, perhaps unsurprisingly, compliance with the general code came out top. This was cited as a key focus for 4 in 10 schemes. This was closely followed by improving ongoing administration with preparation for buyout and a focus on risk management being the other most frequently cited priorities.

Governance priorities vary significantly by size of the scheme and the scheme's objective. This next slide shows that for schemes targeting buyout in the short-term, there is understandably a noticeable shift in their priorities for governance activities.

Unsurprisingly, preparation for settlement is a key focus. But the emphasis on risk management and compliance with the Code is significantly reduced. While many of the scheme's financial and demographic risks may have been reduced as schemes near buyout, a large number of operational and administrative risks remain.

Some of these risks are arguably exacerbated. For example, the transfer of member data from the scheme to an insurer can lead to additional data and cybersecurity risks. You could also argue that improving trustee board effectiveness is really important in the run up to buyout as crucial and irreversible decisions will be made about the scheme's future.

But this has only been cited as a priority for 5% of schemes in these circumstances. It's really important that schemes continue to focus on these areas in the run up to buyout. And we'll consider in a bit more detail what a proportionate approach to governance might look like for schemes in these circumstances in the next part of the webinar.

But first, let's dive a bit deeper into where schemes stand as they look to address compliance with the General Code. Whilst compliance with the Code is a top priority for schemes, most schemes don't see this as being a significant burden with 63% expecting no or minor changes and only 1% expecting significant changes to be made.

This suggests that most trustee boards are already operating robust governance models, which might only require fine tuning in order to comply with the Code. However, it's clear that there's been significant activity to date, with most schemes making good progress on getting up to speed with the new expectations.

78% have now completed or are in the process of completing a gap analysis to understand where they sit relative to the new Code, and 72% have undertaken or are in the process of undertaking trustee training on the Code. Perhaps unsurprisingly, when we break these results down by scheme size, it shows that larger schemes are generally further progressed on Code actions.

So there could be some lessons to be shared across the industry from experiences of those schemes that are further along in this journey. Beyond training and gap analysis, the next priorities for most schemes are to review their risk management approach and governance policies and to establish their effective system of governance review timetable.

More than half of schemes are already progressing these actions with a further third planning to complete them in the next two years. Interestingly, 23% of schemes have already made a start on their Own Risk Assessment or ORA suggesting a recognition that schemes shouldn't wait until their first ORA deadline approaches to make a start on this work but rather that it should be embedded into a scheme's ongoing governance processes.

It's also encouraging to see that 75% of respondents indicated that a review of the trustee board effectiveness was either complete, in progress, or planned. There are a couple of notable exceptions to this story of progress, which are pointing the risk management function and internal auditor with 56% and 74% of schemes respectively yet to determine their plans in relation to these roles.

Our survey suggests that for now, most schemes think these responsibilities are likely to fall to the trustee board or a subcommittee. However, many are still deciding. And it may be that once schemes get a better feel for the scope of this work that they're more likely to ask others, such as a pensions manager, scheme secretary, or governance adviser to provide support.

The majority of schemes in our survey expect to use a range of resources to cover the assurance framework rather than appointing a single internal auditor with overall responsibility for managing the framework then likely to fall to the board.

Our survey results also suggest a large number of schemes expect the same group or body to take on both the risk management function and responsibility for the internal audit framework. Resourcing constraints and ensuring independence will therefore be key considerations to address in these cases.

Now moving on to risk management, which makes up around 25% of the Code's content, highlighting the importance with which the regulator views this topic. The new expectations represent a shakeup of current risk management practice in pensions, introducing elements that have long been part of risk management in the corporate sector.

So, against this backdrop, how are schemes feeling about their ability to manage the risks they face? Well, our survey results show that schemes are generally positive about their risk management capabilities across most dimensions with over 70% rating themselves as either extremely effective or effective at taking appropriate action once risks are identified, having established roles and responsibilities for monitoring risk, and keeping trustees engaged on the topic.

However, that still leaves plenty of room for improvement for those who rated themselves as only moderately effective or ineffective. There's also a notable lag in relation to considering risk interdependencies, which is an explicit expectation set out by the regulator in the Code with only 10% rating themselves as extremely effective and 18% rating themselves as ineffective.

For many schemes, complying with the risk management expectations in the Code will be a process of evolution rather than revolution. And there are lots of small incremental changes that can be made to risk management processes that can have a material impact when taken together.

This next slide sets out some of the steps that have been taken by schemes in our survey. Nearly 2/3 of respondents state that they've stress tested various investment scenarios or reviewed their business continuity planning in the last two years. And over half have reviewed their risk register and are horizon scanning for risks and opportunities.

The Code specifically prompts schemes to carry out after action reviews and to incorporate any lessons learned. So it's perhaps surprising that only 30% of respondents-- sorry, that 30% of respondents have no plans to carry these out. And they suggest that schemes are still getting to grips with the contents of the Code.

Turning now to cyber risk. Following the first widely publicized major cyber attack on a large pensions administrator, cyber risk is widely recognized as one of the top risks that pension scheme is exposed to. Schemes have made significant progress on how they manage cyber risk with an increase compared to last year's survey in the number of schemes putting in place a cyber framework, taking training on cyber risk, carrying out third party cyber assessments, or carrying out an incident response simulation.

And what has the regulator said on cyber risk? So the General Code includes explicit expectations on cyber risk, noting that governing bodies should take steps to reduce the risk of incidents occurring and appropriately manage any incidents that arise. Around 80% of our survey respondents are confident that they can meet the regulator's expectations on cyber risk, which is similar to the response in last year's survey.

However, there's been an increase in the number of schemes citing that they have appropriate skills and resources to manage this risk from 55% in last year's survey to 65% in this year's survey. The gap between those who believe they meet the regulators' expectations and those who believe they have the skills and resources to manage the risk suggests a recognition that to truly manage cyber risk, more than just basic compliance with the regulator's expectations needs to be done.

Inclusion and diversity continue to be important areas for focus for many schemes following publication of TPR's detailed EDI guidance in March 2023 as well as several references to inclusion and diversity within the General Code, particularly in the context of recruitment of member nominated trustees.

This is reflected in the results of our survey with 58% of respondents seeing it as a priority to increase skills and experience diversity, 56% wanting to improve behavioral diversity, and 49% demographic diversity. This slightly lower focus on demographic diversity could suggest that some schemes feel they've already made progress in this area and are now turning their focus to other aspects of diversity.

Recruitment is key when it comes to making sure a board is diverse. And this is an area that's become increasingly challenging in recent years. The rising complexity of the trustee role and shrinking membership of many schemes is having significant consequences when it comes to recruiting new trustees.

Recruiting trustees who add to the various types of board diversity increases this challenge further. From our survey results, we can see that the majority of schemes are taking action to address recruitment issues with 70% of schemes having taken at least one action and a further 17% looking to do so.

The most common action has been to amend the process from election to selection, a move that's been made by around 4 in 10 schemes. The survey results also show a recognition that simple and accessible communications can have a powerful impact on recruitment.

Nearly 2/3 of schemes have either reviewed or plan to review their recruitment communications in the hope that this encourages a greater range of applicants. Looking forward, the focus seems to be on developing recruitment practices to support a pipeline of candidates with around a third of schemes planning or considering work in this area.

But we know that the benefits of increased diversity can't be realized without also considering inclusion. And our survey highlighted encouraging attitudes towards enhancing inclusivity. Over half of schemes are looking to boost inclusivity by increasing participation in board meetings, increasing collaboration around meetings, and enhancing onboarding programs for new trustees.

That wraps up this summary of some of the trends revealed in our 2024 governance survey. We've built up a great database of governance and trusteeship-related benchmarking, including more detailed cuts from this survey. So please do let us know if you're interested to hear more, and we'll include a tick box at the end of the webcast to allow you to do that. That's all from me. So back to you, Jenny.

JENNY GIBBONS: Thank you very much, Catherine. That was a really interesting session and sets the scene nicely for the rest of our slots today. Our Blind Date video is coming up. But first, let's take a poll where we're interested in some thoughts on proportionality. So the question that I'm going to ask is in respect of whether you feel like you have enough time, budget, and skills to commit to meeting the new Code expectations.

The questioning should be live now. So do please feel free to start giving your answers. But I'll read out the questions as we're going-- the options as we're going along anyway. So option A, yes, we feel we can meet the expectations of the Code within our existing time, budget, and skill sets. Option B, yes, we can meet the expectations of the Code, but we've had to increase the time, budget, or skills that we need to be able to do that.

Option C is no, we don't believe that with our existing time, budget, and skill sets we'll be able to meet the Code's expectations, so it's going to take us longer to do so, or option D, because of those constraints, we don't believe that we're going to fully meet the expectations of the Code. So I'll just give you a moment longer to submit your responses, and then we will have a look at the results.

OK, so it looks like we've got a good number of responses now. So let's have a look at the results. OK, so we can see that the vast majority of people are fully expecting to meet the expectations of the Code and within reasonable time frames with the weight of those having said, actually, we have had to make an increase in the amount of time or budget or skills available to be able to do that.

OK, thank you very much. So now we're going to turn to that exploration of proportionality. It's a term, proportionality, that's used liberally by the pensions regulator but actually which we're finding that clients are finding it quite difficult to interpret in practice. So our panelists are going to help us dive in. Let's play the video.

[VIDEO PLAYBACK]

[MUSIC PLAYING]

- For anyone who's old enough to remember, we're borrowing a format from Blind Date and Cilla Black. So we will have three contestants or panelists. You can picture them for yourselves sitting on stools behind a screen. And I'm going to ask the same question to each of those panelists so that they can answer from their own standpoint and their own perspective on what proportionality means in their context.

And the context that they're inhabiting are, for Pam, those schemes that are larger with a greater degree of resources, for Ann, those schemes that are smaller and have probably fewer resources available, and then for Abby, those schemes that are more mature in their journey in terms of being close to or past the point of buying in. So what does the application of the Code mean in each of those circumstances?

The first question I will do is a, what's your name, and where do you come from. I'm not going to try and do Cilla's accent. And I won't keep up a tortuous reference to Blind Date. But that was just by way of explanation. So here we go. I'm going to ask you, Ann, first, please. Where do you come from? What's your context?

- Thanks, Jenny. So I'm Ann Rigby from BESTrustees. I'm a professional independent trustee and a chair a range of trustee boards. I look after a number of final salary pension schemes ranging from 5 million pounds to just under a billion. And right now, I'm working with a couple of schemes under 10 million pounds assets closed to new members. One's got ongoing accrual for existing actives, and one's looking to transact to buy in in the next couple of years.

- Thank you. And to Pam.

- Hello, everyone. I'm Pam Sohi. I'm a senior consultant within the governance and pension solutions team at WTW and the trustee secretary to a number of large pension schemes. And I'm supporting several trustee boards in their journey to ensure that their scheme is compliant with the requirements of the new Code.

- Thank you, Pam. And finally, Abby.

- So, hi, I'm Abigail Currie. I'm a senior governance specialist at WTW. So following the publication of the Code, I've been supporting a range of clients to assess their gaps and consider their next steps. And as you said, Jenny, that includes a number of what we're calling mature schemes, so schemes that are either fully bought in or will be shortly and are looking to wind up in the next couple of years.

- Brilliant. Thank you very much, everyone, for your introductions. I'm not sure whether I'm playing the part of Cilla or the poor person who's looking for a date, but I'm going to I'm going to push on. So my first question, and I'm going to go, Ann, to you first, please. What does proportionality mean to you in relation to the Code, particularly from your standpoint on small schemes?

- Yeah, thanks, Jenny. So I'm really keen to do what's right for each scheme. And that's going to be different every time. I think the Code brings a positive focus on how schemes are being run. So is governance strong, and are decisions being made efficiently? For small schemes, fees do limit what you can do, though.

And with a limited resource budget, you have to spend it appropriately. So doing less and not more and having that budget constraint can help you focus on what do I have to do? What would add value for members and help manage or reduce risks?

And the flexibility that proportionality brings enables trustees to do what we think is right for each scheme without needing all the bells and whistles. But that said, I think need to be careful that I'm not saving costs now at the expense of maybe creating problems further down the line.

So, for example, I'll be making sure that we're documenting how we're complying with the Code as we go along rather than saving it all up to the end. And then that way, I think it'll make it much easier to pick up their own risk assessment further down the line.

- Yeah, brilliant. Thank you. So make ourselves ORA proof in the way that we're setting things up. Thank you. OK and same question then to Abby in terms of what proportionality means for the schemes that you're speaking about.

- So yeah, so I definitely echo what Ann's just been saying there about focusing on the areas that's going to expect to add the most value or most critical for each particular scheme. But the lens for mature schemes is slightly different. So a key consideration for mature schemes is really that sort of remaining time frame.

Now, that doesn't mean that you can't just, you know, avoid considering the Code. You know, there are actions that schemes should be taking to improve gaps, particularly because wind up time frames can get pushed out. But it means there's an increased emphasis and focus on managing those areas that are potential derailers for the ultimate wind up.

And I think the risk management element also shifts for mature scheme. So I'm seeing cyber risk and sort of admin operational aspects become more dominant considerations whereas areas like succession planning, for example, that's typically relegated down the priority list.

I think the key for me, the key overriding backdrop for schemes that are more mature is that they're facing really quite critical decisions that affect the members. And those decisions are irreversible. You know, once you've done a wind up, those assets have all been distributed. It can't be undone.

So schemes really need to make sure that they've got the right governance in place, they've got the right decision making process in place, documenting everything in the right way, you know, effectively, from a trustee's perspective, really making sure you've done everything you need to do to cover your back at what is a really quite critical junction in a pension scheme's life.

- Thanks. That'd be interesting. And so finally, Pam, proportionality in the context of those larger schemes.

- So I'm typically seeing that so many of our larger schemes, they seem to be taking the Code in their stride, which is great, perhaps because for most time is on their side coupled with the fact that their schemes are already very well run and governed. But even for those with the more sophisticated governance structures, there still seems to be something to do for all of the schemes to help address any gaps that they have in their current frameworks.

So some schemes are also taking a view on how to build this into their business as usual activities rather than it simply being a tick box exercise. Generally, however, we're seeing that larger clients are very accepting of the new changes while taking on board that there is a lot for them to do with support from their scheme secretary and advisors.

- Yeah, brilliant. Thank you, Pam. I do always think in proportionality, it's helpful to remind ourselves that the proportionality pendulum swings both ways, doesn't it? It's not a justification for doing less always. OK, so the second question then. We've mentioned gaps a couple of times. What did our gap analysis show in the specific context of the schemes that you're speaking about? And Pam, I'm going to come straight back to you for this one first, please.

- OK, thanks, Jenny. So from the gap analysis that I've carried out, many of our larger schemes are seeing that their existing governance frameworks already capture many parts of the new requirements. However, I am seeing certain themes arising in the gaps, which do require some additional work.

So firstly, for example, cyber risk management. It seems to have become a standing agenda item for many schemes, which allows trustees to use this opportunity to identify and in some cases even strengthen their existing framework around the policies that they may already have in place, including data protection and cyber. Ensuring that trustees know what to do if their scheme was to be subject to a cyber or a data attack has become a key priority for most.

Secondly, establishing principles around equality, diversity, and inclusion is another area of focus where trustees are suggesting that further action is required, whether that's through consideration of diversity gaps on their board, for example, or testing their existing communications against their own objectives and definition of ED&I.

Most trustees recognize that there is no one size that fits all to implementing EDI. But they do seem to recognize that there is a clearly a strong emphasis from the regulator for more to be done. And thirdly, I'm helping a number of trustees put together action plans for addressing gaps in their policies, which, for most, whilst they know their own working practices and procedures, not all of these are written down.

- Yeah, write it down. There we go, Pam. I've heard that so many times as a theme in response. OK, so same question, what are these gap analysis showing, to Abby, please.

- Thanks, Jenny. So I think first of all, it's probably worth noting that some areas in the Code, so, for example, some of the investment areas effectively kind of fall away once the scheme is fully bought in. So that's a helpful adjustment for those schemes that are bought in. In relation to other areas, as I said earlier, cyber risk is a key focus for most mature schemes as they'll typically now have an extra administrator. So that's introducing additional counterparty exposure.

I think it's worth noting it's probably been less planning for the ORA kind of probably hoping in a little way that first ORA won't materialize for some of those mature schemes. But as I said earlier, it's always worth having an eye on perhaps having to do that as it can take some schemes longer to wind up than initially expected.

So thinking about that as you're building that planning when you're working through your ESOG and risk management function is really useful. And then, you know, as Pam's saying, as for other, you know, the larger schemes, you know, there are some gaps around the governance structure and having it all documented.

I think for more mature schemes, it's probably more around about are you saying writing it down, so what do we do, rather than really kind of thinking more broadly about what could we do? And then I think when we think about the ESOG, it's that remaining time frame that's kind of coming in when people are thinking through the order of priorities and their review timetable.

I think one of the things that I'm seeing sort of schemes, more mature schemes do really quite well is thinking about how do we document things in a more proportionate way. And using our ESOG home space tool to do that can be really quite a useful way of being able to capture some of those areas like what do we do if you haven't quite got it all written down to date.

- Thanks, Abby. And to Ann the same question. And I suspect some of what Abby is saying is going to have been charming for you as well.

- Yeah, and definitely, a lot of the similar themes resonate for small schemes. And even for schemes that maybe have under 100 members, we know lots of the disclosure requirements fall away for them. But there's still a lot of takeaways that are good governance, whatever the scheme size.

For example, reviewing your trustee board performance after making important decisions is a really good practice to get into and just helps improve future decision making. But in terms of the gaps, I'm firstly thinking about how to actually approach the gap analysis, which for a small scheme with a tight budget and you know, you can really make some savings here.

And I'm looking to use tools that are available from advisors at the moment. At a really simple level, these tools will list out all the Code requirements which I'm working through to see what we're already doing and then what's missing. And some areas are going to be key regardless of scheme size.

We've already talked about cyber. It doesn't matter how big or small your scheme is. There's still a big risk facing every scheme. And I'm prioritizing that along with some of the other gaps which are largely the new policies that are introduced by the Code.

So where there are gaps, again, similar to what Pam and Abby have described, I'm planning to write down statements of what we do in practice. And that will become our policy rather than looking to draft a long and full-blown policy that's probably over the top for a really small scheme.

So another good example of that, I think, is the remuneration policy where for some of my small schemes, we've written down that the professional trustees are remunerated by the company. The other trustees are not remunerated. But any out of pocket expenses may be met by the company. And that basically forms our policy.

So it doesn't need to be anything really complicated or long. Then where there's a requirement for the trustees to consider doing something in the Code, for example, putting scheme information and policies on a member website, again, taking a practical approach is key here. So we've discussed this at trustee meetings with my fellow trustees.

We've decided we don't want to publish anything that we don't need to do on the grounds of cost and proportionality. And then we've minuted that this has been discussed, and that's our decision. And then we add a comment about that to our list of the Code requirements, and that document then becomes our effective system of governance.

So it's a process where I'm effectively mapping the requirements of the Code to what's already in place and highlighting where I need to be doing something more, that forms an action plan. And then making sure that's been recorded all in one place becomes your effective system of governance. So it doesn't need to be too burdensome for small schemes.

- Thanks, Ann. Brilliant. OK, so next question is on one of the new requirements of the Code, that is to name a risk management function. So I'm going to come to you first, Pam, in terms of who do you expect will take on the risk management function for your larger schemes, and why is that the case?

- Well, from the discussions I've been having with trustee boards, almost all of them actually have delegated that risk management function to me and my colleagues within the governance team. And, I mean, to a large extent, this doesn't vastly change my remit as a scheme secretary as most clients view this as a natural extension of my existing role, which it actually is.

- Yeah, OK. Ann.

- Yeah, so I think to keep costs down and to take a proportionate approach, I expect this will be managed by the existing trustee board or scheme secretary perhaps with collaboration from the company. But for small schemes, we won't be looking to appoint a third party for this role just on cost grounds.

- Yeah, OK. And Abby, has this been considered yet for your more mature schemes? What's been your theme?

- Yeah, no, I think for the more mature schemes, we're kind of still working it through. I think probably like sort of what Pam and Ann have already said, it's likely to end up with the party that already leads on risk management for the scheme, whether that's the full trustee board, a subcommittee, or a scheme secretariat function.

But I think for more mature schemes, it's just keeping in mind for how will any resources change over time. And I think that will then feed into some of the considerations for who is best placed to take on that risk management function.

- Yeah, good point. OK, and then what about internal audit, Pam?

- So internal audit, it continues to be one of those areas that's still under discussion for many boards. What I'm generally seeing from discussions that we have had to date, though, is that although the requirement to have this internal audit function has been watered down somewhat, some trustees still aren't closin the door on it completely. And they still want to explore assurances around third party controls and how these might be documented.

- Yeah, really important. OK, Ann, what about internal audit for your schemes?

- Yeah, again, similar to the previous comment and to what Pam just said, it's been watered down. And for a small scheme, it doesn't make sense to appoint a third party. So, again, it's going to be something that's picked up by the trustees and maybe with collaboration with the company.

- Yeah, OK. And Abby.

- Yeah, no, similar comments really. I think it will come in as we're thinking through the assurance framework but probably later on down the line, risk management function first, get that working then think about, you know, as part of that process, the assurance framework that goes around that.

- OK, right. Just a slight change of perspective for the final question. So in your introductions, it was clear that as well as being able to talk about these different categories of the scheme, actually, your roles each are different, so Ann as a professional trustee, Pam as a secretariat and outsource pensions manager, and Abby as a governance consultant. What I'd like to ask each of you in respect of your roles, how do you feel about the Code? And will it change your role? How will it change your role? So, Ann, if I could come to you first as a trustee.

- Yeah, thanks, Jenny. So, as a trustee, I do feel really positive about the Code. I think it shines a light on how important good governance is and how this can improve the whole process in terms of good outcomes and timely decisions. I think it's important to recognize, though, that one size doesn't fit all, as I said at the start.

So as pensions professionals, we need to take a sensible view on what's going to make a difference here. And the Code's all about identifying and managing risks. So focusing on what are the biggest risks I think will help channel any change in the right direction.

- Yep, thank you. Pam, as a secretary, what's going to change for you?

- Well, for me, it's a really exciting time in my role. A key focus for me is to keep on doing what I do. There's no real change. It's just to simply try to add value and to help lift that burden from trustees. For someone whose day-to-day role is focused around governance and risk management, it's great to be able to demonstrate how effectively a scheme secretary can support clients and to actually have a seat at the table.

- Yep, thank you. And Abby, in your consulting role.

- Yeah, so for those of you that have done our several wave behavioral diversity assessment, you'll understand it when I refer to myself as a finisher. So I'm somebody that likes to make things happen and get things done. So for me, having something to finally get hold of to be able to work with schemes to implement the Code, make adjustments is really great. So I'm just really pleased to be able to crack on and make the implementation changes as needed.

- Thank you all very much for sharing those perspectives and helping us get into this, you know, actually slightly opaque topic of proportionality. I very much appreciate it. I'm not going to pick a date. I think you're all wonderful. And I really appreciate your responses. So thank you.

[MUSIC PLAYING]

[END PLAYBACK]

JENNY GIBBONS: I hope you found that helpful and that the Blind Date references weren't too clunky for you. Just on proportionality, we've published an article on this, which you can find in the related materials at the bottom right of your console or on our website. So do please feel to take a look-- feel free to take a look to get more deeply into that topic.

So the interview that we've got coming up is on risk management with Josh. And it's not so much about what good risk management looks like, which we've covered elsewhere, including in the good governance guide. But this is about what steps we might take to get from our current approach to something that is fresh and compliant and good practice and ready to go. So let's take a look.

[VIDEO PLAYBACK]

- Good morning, Josh. Thank you very much for being here with us. Would you like to just introduce yourself, first of all?

- Yeah, absolutely. So my name is Josh Ford. I'm a pension consultant at WTW. Been with the company now for around 12 years. And my main role is supporting trustees and sponsoring employers with all aspects of their UK pension arrangements, one of those important aspects being governance and specifically for the conversation today around managing risk.

- Yes, so today, what we're going to spend our time on is the process that you've been through with one of your clients on helping them go along a journey on risk. So do you want to just start us off then with giving us a bit of that client context? How are they set up?

- Yeah, of course. So this is a DB/DC hybrid arrangement. So it's a closed DB section, open DC section, so a mixture of benefits and a broad spectrum of risks to consider. Trustee boards, generally, long-standing trustees with a mixture of skills. A few of the trustees actually have a background in risk, which really has been valuable as we'll come on to later. So it's kind of like really a good solid trustee board with that mixture of skills, you know, being really, really good for this process.

- Yeah, and so to give us a bit of a grounding point, how did they go about doing their risk management before the review started?

- Yeah, so the process beforehand, I guess, was fine on the surface. They had a risk register in place. It was periodically reviewed. They dealt with risks as and when they kind of came up. And they undertook periodic checks to make sure the controls that were set out in the risk register were, I guess, actioned and still valid. But beneath the surface, I suppose it was just a little bit stale.

And it kind of seemed like they were just going through the motions in some cases. So the risk register was included in trustee meeting packs, duly noted, but it wasn't really interrogated and really only considered when something big happens, for example, like the impact of COVID. So it kind of ticked along like that. And I suppose it was, you know, it was OK. But just there's nothing fundamentally wrong with the risk approach, but it was just a bit reactive rather than proactive.

- OK, so that's not an unfamiliar story in terms of what we see out there in the pensions world. So what prompted them to make a change now?

- Yeah, so it was the introduction of the General Code, so in draft form at the time that they really started considering their approach to risk and, you know, and decided to undertake this review. I think to be honest, it was probably on the cards anyway.

As I mentioned before, there are a few trustees with deep experience in risk from the corporate side. So there's that general acknowledgment that actually, there could be improvements made to the risk framework to make it more effective. But it was the Code and the prominence of risk, really, within the Code that was the catalyst for making some changes. So it was agreed at that point that a working group would be formed to take this forward.

- Right, OK, and was it obvious who should be on that working group for them?

- For them, in a way, yes. So the two trustees with more experience in risk management, obvious candidates for the group, also someone from the pensions team with experience in relation to the administration and more operational areas.

Also, having someone fairly close to investment and funding, you know, was very useful too. So a mixture, really, of trustees and people from the company side as well, and of course, WTW as well for our experience in supporting trustees navigate all aspects of risk management as well as coordinating the actual general process as we went through as well.

- Yeah, so having created the risk working group, what was the first job of that group?

- Yeah, so the first job was really to map out the scope of the review, so to think about what the actual process would look like and to, I guess, agree who would be doing what. And I think everyone agreed that the overall objective was to review the risk framework and get something in place that was Code ready, something that was efficient and effective.

So that was kind of everyone had a common goal from that perspective. And it was agreed there would be three parts to the review, first of all, looking at the overall risk framework, second of all, looking at the actual risks themselves, and then thirdly, putting those two things together and actually implementing it in practice, including appointing the risk management function itself.

- OK, and so there are your steps. So how did you proceed from there?

- Yeah, so the first step was really looking at the structural risk framework, and within that, looking at the overall approach to risk, including the trustees risk appetite, the structure of the risk register itself, and then also what the ongoing monitoring process might look like going forwards.

I guess it's quite useful to maybe focus on some of these areas through the lens of the risk register itself because that can be quite useful not only at looking at the different risks but looking at the broader framework as well. And the trustee and the working group kind of looked at their existing risk register.

It's an Excel-based risk register, RAG-rated risks, so Red, Amber, Green on impact, Red, Amber, Green on likelihood of the risk occurring. And they agreed that whilst it was OK, there were certainly improvements that could be made to that.

They kind of like the Excel format because it's, obviously, universally-- pretty much universally used software. But they decided to actually adopt WTW's template risk register as a starting point for their new risk register going forwards. And in doing that, we could then look at the risk register template and use that to formulate some of these more broader overarching structures to the risk management framework going forward.

So, for example, thinking about actually, the RAG-rated system, it was OK but not particularly actionable. So, for example, if you had an amber-rated risk that amber on likelihood and amber on impact, what does that actually mean? Is that good? Is that bad? Is that indifferent? So actually adopting something a bit more meaningful, so looking at 1 to 5 scored risk framework for each risk, so looking at 1 to 5 on impact, 1 to 5 on likelihood, coming up with an overall risk score.

So that's on one side. But then really importantly on the other side looking at actually quantifying the trustees risk tolerance, so having a risk tolerance score. And then what you can do from that is compare each risk against the risk tolerance score. And then if the risk score is underneath the tolerance level, all well and good.

But if it goes above the risk tolerance level at any point, for example, if there is a change from one quarter to the next to suggest that the risk was more likely to materialize and it tips over and goes above that risk tolerance threshold, that would automatically within the risk register prompt a flag, which would then say actually, something needs to be done here. It needs to be reviewed, taken to the trustees and maybe a new control be put in place, for example, as a result of that happening.

- And a risk register must prompt action. If the system isn't prompting action, then what's it doing? So, yeah, that's great. OK, so, so much for step number one. What about step number two, which was your risk scoring workshop? How did that--

- Yeah, absolutely. So that was another really interesting part, actually. So before actually going through that risk scoring kind of workshop, we did a little bit of preliminary work around looking at what the actual risk list might look like and inputting into that from our perspective looking at a number of different risk registers, some of our best practice kind of ones from the past and thinking about whether there are any potentially missing risks and feeding in from that perspective.

So that was really useful to do as a kind of preliminary step. And, you know, as an example of that, we suggested adding in some specific risks around cyber, which weren't in the previous risk register. So I think that kind of preliminary work kind of set up a good foundation for the risk scoring.

So the actual scoring session itself, really interesting. I think everyone found that really interesting and valuable. And as part of that, so we looked at each individual risk, tightened up some of the actual wording around the risk description, looked at whether any of the risks could be aggregated, for example, actually retired some risks that weren't actually relevant anymore and then thought about the controls that are in place, the actual effectiveness of the controls as well.

And then that led towards doing the actual scoring of the risks and thinking about the likelihood of the risk materializing net of controls in place and what the impact of that risk would be. It's a fairly lengthy process. We had to extend the session a few times. But I think the discussions we had were really, really good. And, you know, it was universally agreed that it was valuable to take that amount of time to go through.

So whilst it was lengthy, it was still actually quite quick fire in, you know, at its heart in terms of doing a bit of time in a more detailed going through those first few risks and then actually trying to be quick fire to get that consensus going down the list. And I suppose the group actually came to quite a good consensus around what the relative scores would be. And it actually worked out well taking that approach.

- So like a shared understanding of what risk score means, yeah, OK, that's really interesting. Let's come back to that point about how trustees are engaging with risk. But just before we get there, that's the point we're up to, it sounds like, with this client. So what's next?

- Yeah, absolutely. So I think we're in a really good place now. So we've got a robust draft risk framework there. We've got a really thoroughly reviewed risk register, which is up to date. And we're now ready to take that to the trustee board next month for discussion and approval. But there's still work to be done.

We've got to consider the allocation of the RMF, so the Risk Management Function, whether that will be the kind of working group as it stands, whether that will be outsourced to a third party. But in practice, there's a number of different tasks, really, that are going to be completed by the RMF. So carrying out the role might be divided into various different groups with one party coordinating that and different groups undertaking the sub tasks based on their respective skill sets.

- That's right, because actually, the risk management function demands different types of skills at different points, right?

- Yeah, exactly. That's right. So that's kind of one aspect of what needs to take place next. But then also the other aspect is around kicking the tires on the controls assurance framework, so making sure kind of the controls assurance budget is spent in the right way, the right assurance is sought from the right parties at the right time.

So that's kind of another aspect that we're kind of considering as part of the next steps of the process. And that may include a named internal auditor, but it's more likely that that person would oversee the assurance process rather than actually provide formal assurance across the piece.

And then finally, I suppose, documenting the overall risk management approach in a formal kind of risk framework document itself that then be held viewable to all the trustees and would be reviewed as part of the effective system of governance that's being put in place at the same time.

- So that write it down focus that we've had from the Pensions Regulator?

- Yeah.

- Yeah, OK. This is a huge discussion point for a lot of our clients. Having done some good work to really overhaul the system, get yourself to a good starting point, how do we keep the trustees engaged in this thing that is an ongoing risk management approach?

- Yeah, it's a really important one. So I think the key really is keeping it live and having that real time risk management approach to operating the scheme, keeping risk as a discussion-based agenda item at trustee meetings, but in equal measure, keeping it really focused.

So now, we've got the new process of monitoring risks, having that kind of information and data channels through to the risk management function, which will be taking place going forward, having that process in place and agree to say, well, actually, how do we choose which risks to take to the trustees? How do we know which risk scores might be changing from month to month?

And using that data flow and horizon scanning to get to that place where actually, we've only got a small number of risks being taken to the trustees at each trustee meeting, but they're important risks where there's been a change. And actually, engaging the trustees in that discussion around what's changed from quarter to quarter is really important.

So keeping it live, keeping it on the agenda but having it really focused. There's no need, really, having gone through this process to put the whole risk register in front of the trustees regularly to pore over and look at each risk, because that's been done. As long as we keep that kind of refreshed and kind of live real time approach, it can be really efficient and focused way of using the risk register going forward.

- So do you see a separation between the trustees and the risk register or are you expecting the trustees will have a connection into the risk register at points?

- They definitely will. And I think it's keeping that visibility there. And I think also, it's enabling the trustees and encouraging them to actively go into the risk register and interrogate it. And, you know, with a slightly more intuitive and more user-friendly risk register, it'll be easier for the trustees to go in and see what's changed, see what risks are going to come up for review and be really engaged with that kind of overall process.

- Which feels a bit more dynamic then, doesn't it?

- Yeah, absolutely. And I think also keeping that continuous improvement mindset is important as well around the risk framework. What tweak can be made getting ideas from the trustees? What tweaks can be made around the edges over time on a continual basis to make the risk framework more effective, more efficient, and for it to continue to be compliant and fit for purpose?

- And work, work for that group of trustees. OK, so just to finish, Josh, what about the ORA? I mean, obviously, we're early, so not very many schemes out there will have engaged in detail with the ORA. But what here, what do the trustees hope to get through the process?

- Yeah, I mean, this is a really good point. I've been bearing this in mind during the whole process to make sure that the risk management approach has the ORA in our minds and is effectively ORA proof. And we've incorporated the right elements of the ORA into business as usual kind of risk framework.

And then that kind of I suppose firstly, it's actually better from a time management and efficiency perspective anyway, but also, it will save time as we enter into that kind of ORA preparation. So we'll be able to have the right things documented to then refer to those items within the ORA as appendices rather than necessarily having to rework anything or do things in a slightly different way just to fit the requirements under the ORA.

- OK, brilliant. Thank you. Josh. That has been a really interesting walk through the process that this client has been through. So thank you for your time. Thank you for your insights.

[END PLAYBACK]

JENNY GIBBONS: Great. So thank you to Josh for walking us through that. We do still have a few moments if you would like to submit any questions into the Q&A. But at the risk of asking you to multitask, I think we also have time for a poll question at this point.

So picking up on that theme of helping trustees to be properly engaged on risk management and thinking about that in trustee meeting agendas, the question that I've got for you is, where do you discuss your current and approaching risks within your trustee board agendas? So the options should be open for you to select now. But I will walk through them as we go along as well.

So the five options are that risk is usually a dedicated item near the start of our trustee board meeting agendas, option B, that it's usually a dedicated item that sits near the end of our board meeting agendas, item C, that there is earmarked time during or following other agenda items, so throughout the board meeting agenda, option D is that we don't discuss risk within board meetings at all, and then option E is something else or it varies depending on the agenda.

So I will give you a couple more moments to just give your answers to that question, please. OK, I can see some answers coming in. Do please feel free to keep selecting A to E. OK, I think we've got a reasonable number of results now. So let's have a look at what your answers are.

OK, so quite a spread, actually. So almost all trustees are addressing risk within their board meetings. And presumably, that's irrespective of whether there is separately a risk subcommittee. And then actually probably the highest proportion then are having risk as an agenda item near the end of their board meeting agenda.

Quite a few who are doing it at the start. And actually, I quite like that option because you are then-- you have those themes that then inform your decision making through the rest of the agenda. And actually, I like the third option as well as a specific prompt at least for a period of time as you're kind of establishing risk as a central decision making point, having earmarked time that says, OK, we finished that agenda item.

Let's have a think about whether that changes anything in respect of our risk register. OK, that is very interesting. So thank you very much. We do have a little bit of time for questions. So let's see what we've got that have come in. So I've got one here about the ORA itself.

And I guess it's calling out one of the stats from Catherine's session about almost a quarter of schemes who had already started work on the ORA, what is that work, and what can schemes usefully be doing on that now? So I suppose my view is that we've mentioned a couple of times in the session this point about making sure that the work you're doing now on your ESOG and on your risk framework set you up to be ORA proof.

And a specific example of that is that as you're working through your business as usual ESOG policy reviews, you're remembering to and having the discipline to record your opinion on the effectiveness of that policy and why you reached that opinion because that is specifically what the ORA will ask of you.

So better to record it as you go along on a BAU basis. I think also perhaps, we're working with a number of clients on the idea of an over-the-shoulder risk review, so a bit like the stage one from Josh's interview so that they're starting off on the right foot.

And actually, the things that you're looking at as part of an over-the-shoulder review are the same sorts of elements that you would be going through in an ORA in terms of kicking the tires on the system and looking for maturity updates. So perhaps it's semantics to say we're starting work on our ORA by virtue of doing that review versus actually calling it an over-the-shoulder review or deferring the formal ORA work until the end.

Just I suppose a final point is that at the point that we're approaching those ORA deadlines, you know, maybe even six months out from those deadlines, we're making sure we've got a proper plan so that we're not rushed. And by virtue of not being rushed, we get the best out of an ORA process.

I've got a question here. What are our thoughts on trustee general code of practice training? So I think training is really helpful. There is a requirement in the Code that trustees are to have read and understood the Code itself. But I think training is a useful supplement to that because first of all, the Code is long, and there are lots of points of detail.

Actually, there are a few cross references within the Code that mean you have to keep your wits about you to help you navigate. And so I think having taken training actually possibly in advance of sitting and reading the Code might just be helpful from that orientation point of view and helping you have worked out in your own head what are the key points.

I suppose another thing that it's helpful to think about in training and in reading the Code is what your scheme objectives are and thinking about what are your potential disruptors to those objectives or enablers for those objectives and using that lens to filter in on the key parts of the Code that do the heavy lifting for you. And then for the rest, the name of the game is more so on completing those things efficiently.

OK, so at least time for a couple of questions at the end. But as I say, if you've submitted questions and we haven't had time to get to them, then we will get back to you individually. So that brings us to the end of the webcast for today. It's been an absolute pleasure to host you.

Just to mention, we will be hosting our next pensions perspectives event that's live from the WTW building in London. And it's on the 12th of June. If you click in the link on our related content box on your console, then you can register for that event. And we really hope to see you there.

Please don't forget to fill out our survey on today's webinar if you haven't done so already. And after having done that and having got to the end of your working day, I do really hope you will have a wonderful bank holiday weekend. Thank you, once again, for joining us, and goodbye.