Article | Pensions Briefing

The practicalities of pension scheme risk management under the General Code – a case study

By Jenny Gibbons, Nicola van Dyk and Josh Ford | August 1, 2024

Many trustee boards will know what the General Code says about the risk management function and controls assurance reporting. Our case study walks you through the process one early mover is following.

Pension scheme risk management is a key part of the General Code. Whilst it is something that Trustee Boards will have been doing for many years, some of the new requirements around the risk management function (RMF) and controls assurance reporting may require some additional thought. In this article we share some insights from an ongoing project, led by our colleague Josh Ford, to help those that are starting down this path.

Case Study

The catalyst for change

The client’s risk management process, while functional, was somewhat reactive. The introduction of the new General Code, which emphasises the importance of robust risk management, served as a catalyst for the client to undertake a comprehensive review, with the intention of introducing a greater degree of dynamism. Recognising the need for improvement, the trustees formed a dedicated working group, including trustees with corporate risk management experience, a member of the pensions team, an investment and funding specialist, and Josh as their governance and risk management adviser.

Mapping out the review

The first step for the working group was to outline the scope of the review and agree on the process. The primary objective was to create a risk framework that was not only efficient and effective but also compliant with the new Code. The review was structured into three main parts:

  1. Assessing the existing risk framework
  2. Re-testing individual risks
  3. Implementing a new framework, including appointing an RMF, a specific requirement of the Code.

  1. Structural framework overhaul

    The initial review focused on the pre-existing risk framework, including the trustees’ risk appetite, the risk register and the key touchpoints with the trustees. The existing register was an Excel-based tool using a simple red-amber-green (RAG) rating system. While functional, it was relatively static and it was agreed that a more dynamic and automated approach would improve engagement and efficiency, and help drive the crucial link between risk identification and risk mitigation action.

     
    Having considered alternatives to their existing risk management framework, the working group transitioned to a more nuanced and robust scoring system, rating each risk on a scale of one to five for both impact and likelihood. This allowed for a clearer comparison between risks and also against the trustees’ individual risk tolerance for each risk. The new system automatically flags risks that exceed those agreed tolerance levels, prompting immediate action.

  2. Engaging the trustees: The risk scoring workshop

    A key part of the process was a risk scoring workshop, aimed at refining the risk list and scoring each risk. Preliminary work involved a review to ensure good coverage in the initial risk list, including specific cyber risks. The workshop that followed was energised and collaborative, with a consensus-based re-test on each risk score, an evaluation of the effectiveness of controls, and discussion on tolerance thresholds. Although thorough, this process was highly valuable, resulting in a refreshed and robust risk register as the starting point for a proactive RMF, and the further development of a genuine ‘risk mindset’ amongst the members of the working group.

  3. Rounding out the elements of the risk framework and appointing the RMF

    The project is still underway, with discussions ongoing about how to ensure that emerging risks are captured in a timely fashion by integrating regular risk horizon scanning into trustee agendas and adviser input. This will be an important part of keeping trustees engaged in ongoing risk management and is a critical part of an effective and useful framework. As well as horizon scanning, maintaining a dynamic and integrated approach to reviews of curated risk shortlists will help make risk management a regular – and interesting! – agenda item at trustee meetings.

    Another key element of the risk framework involves documenting the controls assurance framework. This involves a process of periodic checking that existing (risk) controls remain effective and appropriate, that the right assurances are sought from the appropriate parties at the right times and that engagement with the Trustee Board is timely and appropriate.

    With a robust draft risk framework and an updated risk register in place, the next step for this client will be to determine the structure and remit of the RMF. Naming the RMF will be a relatively easy step, though a more practical division of the constituent parts of the role, by resource type and skillset, will require more detailed thinking and will depend on specific scheme features—for example, the use of working groups and sponsor or third party resources, and the connections and information flows between them.

    Finally, documenting the entire risk management approach in a formal framework document is essential for transparency, robustness and ongoing review. Continuous improvement is emphasised, with incremental changes tweaking and enhancing the framework’s effectiveness and compliance.

Looking ahead: The Own Risk Assessment

Throughout the process, the working group has been mindful of the new Own Risk Assessment (ORA) requirements, ensuring their approach aligns with these expectations, even though the first ORA report will not be due for another two years. This forward-thinking strategy not only saves time in the long run, but also ensures efficiency, allowing for the relevant elements to be ‘appended’ within the ORA, without reworking the entire framework. The ultimate goal is a streamlined, compliant, and effective risk management system.

Conclusion

Josh Ford’s insights provide a comprehensive look into the meticulous process of enhancing pension risk management. Through structured reviews, dynamic engagement, and continuous improvement, the client is well on the way to successfully navigating the complexities of risk management, setting a robust framework for the future.

Contacts

Head of Pensions Governance

Senior Director, Retirement GB

Josh Ford
Director
