INTRODUCTION

The Pensions Regulator's General Code of Practice (the Code) took effect on 28 March 2024.

Among other things, the Code sets out the Pensions Regulator's expectations of how pension scheme trustees should meet the statutory requirement to establish and operate an effective system of governance including internal controls (ESOG). This statutory requirement applies to all occupational pension schemes regardless of their size, but there are some exemptions (e.g. for master trusts).

The digital version of the Code is now available on the Pensions Regulator's website, and this is integrated with the remaining 6 Codes of Practice that were not part of the consolidation.

This briefing sets out:

  • Further details on the ESOG.
  • The new expectations that are set out in the Governing Body section of the Code in relation to (1) managing risk, (2) the board structure, and (3) knowledge and understanding.
  • Practical steps that trustees can take to develop their ESOG in these areas.

The Code consolidates and replaces 10 former Codes of Practice, and this briefing forms part of a series which will also cover the other sections of the Code (Funding and Investment, Administration, Communications and Disclosure, and Reporting to the Regulator).

GOVERNING BODY AND THE ESOG

What do the Governing Body modules cover?

The Governing Body section of the Code sets out nearly half of the ESOG requirements, in addition to certain other matters. The key areas relate to risk management, board structure, and knowledge and understanding requirements and we consider each of these areas in this briefing. Some aspects of the ESOG are covered in other sections of the Code too (see below), and we will address those aspects within our other briefing notes in this series.

What is a Governing Body?

This is new terminology adopted in the Code. In the context of an occupational pension scheme, it means the trustees. This general, broader term of "governing body" has been used in the Code as the Code can apply to a variety of pension schemes.

What is an ESOG?

The ESOG is the framework for many of the requirements of the Code.

It consists of the policies and processes that the trustees have in place for governing the scheme, and must be proportionate to the size, nature, scale and complexity of the scheme. The Code does not prescribe what is needed in every case, recognising that different approaches may be appropriate for different schemes.

Under the Code, the ESOG requirements are split into 6 different themes:

  • Management of activities (this includes the modules relating to the new Remuneration and Fee Policy (see below), knowledge and understanding and scheme continuity planning)
  • Organisational structure (this includes modules relating to the appointment and role of the chair and the new Risk Management Function)
  • Investment matters (this includes modules relating to stewardship and climate change)
  • Communications and disclosure (this includes modules on information provided to members and public information)
  • Internal Controls (this includes the module relating to identifying and evaluating risks)
  • Administration and Management (this includes the Regulator's expectations for cyber security measures and procedures)

Different modules of the Code are applicable to each theme, and each module sets out the relevant expectations for an ESOG, as well as the Regulator's expectations on good practice (which do not strictly need to form part of an ESOG).

Actions: Some key practical points for trustees:

  • Carry out a "gap analysis" proportionate to the scheme to check whether the ESOG addresses the expectations set out in the Code – e.g. review existing policies and set a plan to address any gaps identified.
  • Have a policy for the review of the ESOG (and keep this policy under review at least every three years).
  • Review each element of the ESOG at least every three years – this could be carried out alongside/as part of an Own Risk Assessment (see below).

RISK MANAGEMENT: RISK MANAGEMENT FUNCTION

Risk management function

The Code states that trustees should adopt strategies, processes and reporting procedures for their risk management system necessary to identify, evaluate, record, monitor and manage risks. To facilitate the risk management system of the scheme, a key new requirement is for schemes with 100 or more members to have a specific Risk Management Function.

Many schemes will already have (and regularly review) a risk register, but the Code provides an opportunity for trustees to reflect on how effective their existing risk management structures are and where more value might be added. In particular, the Code may prompt a rethink about documenting the risk management process and internal controls in a cohesive way. This may be new for trustees, as schemes may have a combination of different written and unwritten processes and internal controls for risk management in place.

In addition, trustees should approve policies for the operation of the Risk Management Function itself. These policies should be reviewed at least every three years.

How each scheme resources its own Risk Management Function can be determined by reference to the size and complexity of the scheme so that it is suitable for that scheme. For example, it may be appropriate for a sub-committee, or the full trustee board, to perform the Risk Management Function, or perhaps for larger schemes it may be appropriate to appoint or involve third parties (this can include anyone involved in the scheme in any other role).

Regardless of the party performing the Risk Management Function, the core expectations and obligations are the same:

  • Reviewing, at an individual and aggregated level, the risks to which the scheme is or could be exposed (and the interdependencies of those risks), including any risks borne by members and beneficiaries (from their perspectives).
  • Reporting to the trustee board on the risks identified in a timely manner.

The Code includes a specific module on identifying, evaluating and recording risks to help the Risk Management Function to establish the key risks facing the scheme (for example relating to investment, employer covenant, funding, administration, communications, fraud and pension payment, or decumulation options). This will enable the trustees to establish which risks require internal controls to mitigate them (see below).

Actions: Trustees should establish a Risk Management Function appropriate for their scheme and adopt written policies regarding its operation. Some practical points for the Risk Management Function are:

  • Use the principles set out in the Code to refresh the scheme's existing risk register, e.g. ensure risks have been identified and evaluated appropriately, and any plans for mitigating risks are considered.
  • As appropriate, give someone responsibility for monitoring and acting on risks and issues between meetings of the trustee board.
  • Ensure that the risk register is updated at least quarterly to comply with the expectations in the Code, and information is received from third parties as necessary (e.g. administrator, investment manager) to enable this to happen.
  • Be able to recognise when professional advice is required.

RISK MANAGEMENT: INTERNAL CONTROLS

The Code replicates the definition of internal controls that was in former Code 9 (Internal Controls) and generally sets out the same principles for a risk-based approach, with more guidance on designing internal controls (which as noted above, should be considered after the key risks facing the scheme have been identified).

However there are a couple of areas where the expectations on trustees have been strengthened:

  • The Code states that internal controls should be documented, meaning the flexibility in former Code 9 (Internal Controls) allowing schemes to decide the extent to which documentation of internal controls was necessary has been removed. However, the timescales for reviewing a scheme's internal controls have been increased so that they are in line with the timing for the Own Risk Assessment (i.e. at least every three years), which allows more time than the current annual review requirement under former Code 9 (Internal Controls).
  • In relation to maintaining internal controls, the requirements of the Code regarding the assurances that trustees should seek are now stronger and state that:
    • trustees should consider obtaining independent or third-party assurance about controls (including from in-house resources or the participating employer), and
    • should obtain assurance that service providers are meeting their own standards for internal controls: the Code states that trustees should read and understand such assurance reports, and be satisfied that the scope of such reports is applicable to the scheme.

Actions: Some practical points for trustees to consider for complying with the expectations in the Code:

  • Ensure that internal controls are documented.
  • Consider obtaining independent or third-party assurance about controls.
  • Obtain assurance that service providers are meeting their own standards for internal controls.

RISK MANAGEMENT: OWN RISK ASSESSMENT

One of the more significant new developments in the Code is that trustees of schemes with 100 members or more must now carry out an Own Risk Assessment (ORA) periodically. The ORA is an internal assessment of the risks the scheme faces, how well the scheme's governance systems are working, and the way risks are managed. There is generally a fairly lengthy lead-in time after the Code comes into force before the first ORA needs to be completed.

When should ORAs be completed?

Trustees should set a timetable for completing their ORAs over a triennial cycle: each ORA must be completed no more than three years after the last one.

Broadly, the first ORA must be completed by the end of two complete scheme years following the date on which the Code came into effect (28 March 2024), though in some cases the statutory deadline may be even later.

For example, this means the first ORA should be completed by 31 March 2026 for schemes with a scheme year end date of 31 March 2024.

Next scheme year end date after Code          Standard deadline for
comes into effect (28 March 2024)             completing first ORA*
--------------------------------------------  --------------------------
31 March 2024                                 31 March 2026
30 June 2024                                  30 June 2026
30 September 2024                             30 September 2026

*The deadline may be later than this, depending on the date for submitting the next statutory actuarial valuation or for producing the first annual chair's statement.

Schemes are, of course, free to complete their first ORA ahead of their statutory deadline if they are ready to do so.

What is the purpose of the ORA?

The intention is for the ORA to identify the key governance risks facing the scheme, and for the trustees to take this into account in their management and decision-making processes.

What should the ORA cover?

The ORA must be in writing and assess the effectiveness of the policies and procedures covered by the ORA. It must set out the reasons why trustees consider them to be effective and risks arising from these policies and procedures.

There is some overlap between the policies and procedures covered by the ORA and the ESOG. But it is important to note that in law the requirement to complete ORAs every three years is not the same as the expectation of three-yearly reviews of the ESOG (key differences are outlined below). In practice, however, we expect that trustees may want to use the same process for the ORA and review of the ESOG as far as possible, to make effective use of resources.

The different elements that are required to be considered by the ORA are split up in the Code under the following themes:

  • the policies for the governing body;
  • the risk management policies;
  • investment;
  • administration; and
  • payment of benefits.

In general, the requirements of the ORA are wider than assessing specific policies or compliance with modules of the Code, as it also requires the consideration of some broader aspects of risk, including how the trustees integrate risk assessment and mitigation into their management and decision-making processes.

For example, in the ORA, trustees are required to assess matters such as their management of potential internal conflicts of interest, scams and the risks of members making poor choices. In relation to defined benefit schemes, trustees must also consider the effectiveness of (1) how they have assessed the scheme's funding needs with reference to its recovery plan, and (2) the specific risks relating to the indexation of benefits provided by the scheme.

Clearly, some of the issues covered in the ORA may need detailed thought or advice so it makes good sense to plan an ORA well in advance.

Further information on the investment matters that should be considered as part of an ORA will be set out in our next briefing on the Funding and Investment modules of the Code.

Who should carry out the ORA?

The ORA may be carried out by a trustee sub-committee, the Risk Management Function or a third party. It is important that any conflicts of interest are appropriately managed (see below). The ORA must be "signed off" by the chair of the trustees.

Does the ORA need to be published?

No, it is an internal document but the Code states that trustees should consider what information they should provide to members about the findings of the ORA. Trustees should keep in mind that there could be more risks than benefits to publishing details of risks facing the scheme (e.g. any risks relating to cyber controls). Depending on the circumstances, trustees might therefore consider providing quite targeted information concerning the findings of the ORA, for example in a section of a member newsletter.

Trustees are not required to submit their ORA to the Regulator, but it could be requested by the Regulator under its general information gathering powers.

Actions: Some practical points for trustees to consider for complying with the expectations in the Code:

  • Identify the deadline for completing the first ORA and assign responsibility for carrying out the ORA.
  • Once trustees have addressed any gaps in their ESOG or risk management system (see above), set a timetable for completing the first ORA and agree how it will be structured and documented.
  • Identify and obtain any information required from third parties to complete the ORA in sufficient time.
  • Once ready, the finalised ORA should be signed off by the chair of trustees and shared with all members of the trustee board.
  • Consider what information to provide to members about the findings of the ORA.
  • Set a timetable for completion of subsequent ORAs.

BOARD STRUCTURE: REMUNERATION AND FEE POLICY

Remuneration and Fee Policy

The Code now requires trustees of schemes with 100 or more members to have a written Remuneration and Fee Policy. The Code states that this should support the effective management of the scheme and help assess the value of remunerated services.

The Remuneration and Fee Policy is an internal document for the scheme. Key points are:

  • it only applies to fees paid by the trustees – i.e. it does not apply to fees paid by the employer;
  • where relevant, this can include service providers or advisers (e.g. the administrators, actuaries, lawyers etc.);
  • it should set out the principles for determining pay and an explanation of the decision-making process for payment levels and why these are considered to be appropriate – specific amounts of fees do not need to be included;
  • it should set out measures to mitigate potential conflicts of interest, in particular for any in-house roles; and
  • the policy should be reviewed at least every three years, or even annually if appropriate.

There is no specific form or template for the Remuneration and Fee Policy, and trustees can adopt a proportionate approach with regard to the size, nature and complexity of the scheme's activities.

There is no need to set out specific fee arrangements or remuneration levels in the policy. In many cases, practical and commercial constraints may therefore make the policy quite brief – though it could still provide an opportunity for trustees to refocus their thinking on what matters to them in terms of fees, remuneration, quality and value in some contexts.

Actions: Some practical points for trustees to consider for complying with the expectations in the Code:

  • Agree a written Remuneration and Fee Policy taking account of the guidance set out in the Code.
  • Establish the services trustees pay for out of scheme assets and gather information on the amounts of fees that are paid or any relevant fee arrangements.
  • Where fees are identified that do not align with the principles the trustees have set, this will allow the trustees to review those arrangements going forward.

BOARD STRUCTURE: OUTSOURCING POLICIES

There is a new requirement for trustees to have written policies for making appointments (both in-house and third party) to the scheme. These policies should be reviewed every three years, and before commencing a procurement or appointment process.

The Code includes guidance on selecting advisers and service providers, and the Code suggests that trustees should take account of this when next changing adviser or service provider appointments.

Action: Document a trustee policy for making appointments to the scheme, and consider the guidance set out in the Code when changing adviser or service provider appointments.

BOARD STRUCTURE: CONFLICTS OF INTEREST

Much of the conflicts of interest section of the Code derives not from previous Codes of Practice but from the Regulator's detailed and helpful regulatory guidance on conflicts of interest (the "Conflicts Guidance"), originally published in 2008. This means that some expectations that were previously non-binding guidance have now been elevated to the status of a Code. Two important principles that are explained in the Conflicts Guidance and that now feature in the Code are:

  • Some conflicts are so acute and pervasive that they cannot be managed and instead need to be avoided, for instance by the resignation of the conflicted trustee.
  • Delegation to a trustee sub-committee can be a more effective way of managing conflicts than the abstention of a conflicted trustee.

The Code does not require registers of interest to be published. However, there is language in the Code that implies there may be an expectation for conflicts policies to be published, although this is not mentioned in the Regulator's consultation response (published alongside the final draft Code), so it is not clear that this is the intention.

The Code also briefly touches on:

  • making applications to Court to address more difficult trustee conflicts (more fully explained in the Conflicts Guidance);
  • advisers and service provider conflicts, which can also be complex for trustees to navigate; and
  • using confidentiality agreements for managing some conflicts (more fully explained, including some important limitations, in the Conflicts Guidance).

Actions: The law on conflicts is not always straightforward and trustees should take legal advice if required.

KNOWLEDGE AND UNDERSTANDING

The knowledge and understanding (TKU) modules of the Code replace former Code 7 (Trustee Knowledge and Understanding). There is a new focus on collective and shared knowledge and understanding, such that the trustees can demonstrate that as a group they possess the skills, knowledge and experience to run the scheme effectively.

The knowledge expectations are nearly the same as those under former Code 7; however, there are some new provisions to refer to new requirements under the Code (e.g. knowledge of the ORA and cyber security policies). There is also a new requirement for trustees to have an awareness of "diversity and inclusion on investment decisions", citing the example of whether scheme investments are aligned with member preferences and beliefs. What this means in the defined benefit and defined contribution context will differ, and in our view schemes should also take specific advice about the proper scope for taking member preferences and beliefs on non-financial matters into account before acting.

Separately, the Regulator is encouraging professional trustee accreditation, and states in the Code that as a matter of good practice, professional trustees should be able to demonstrate progress towards, completion of or compliance with a relevant standard for professional trustees or a recognised appropriate qualification (e.g. APPT or PMI). The Code includes the Regulator's expectation that professional trustees should be able to demonstrate a greater level of knowledge than members without specialist expertise.

The Regulator has noted that the knowledge and understanding modules may be reconsidered as part of its general work towards improving governance standards.

Actions: Some practical points for trustees to consider for complying with the expectations in the Code:

  • Consider undertaking trustee training on the updated Code and address any gaps in meeting the Regulator's expectations for TKU as set out in the Code.
  • Regularly carry out an audit of skills and experience and review members' experience to identify gaps and imbalances, which will help inform training and recruitment needs.

COMPLYING WITH THE CODE

Although the Code is not legally binding, it can be used in legal proceedings as evidence in support of a claim of non-compliance with a legal requirement. The Regulator may also cite its expectations, as set out in the Code, when taking enforcement action. Our early experience is that many schemes are therefore actively allocating time and resources to making sure they are complying with the Code. Schemes may want to consider the extent to which their existing policies, processes and governance structures already meet the expectations of the Code, and whether there are other areas that may need updating or documenting more fully.

In our briefings, we use the language "should" to refer to the Pensions Regulator's expectations of trustees as set out in the Code. However, the Code states that trustees should "use their judgement as to what is a reasonable and suitable method for ensuring compliance for their scheme". As noted in section 2 above, legislation states that ESOGs must be "proportionate" to the scheme's "size, nature, scale and complexity of [its] activities". Consequently, there is a degree of flexibility for schemes to set their approach to the Code by thinking about what is reasonable and proportionate in their relevant circumstances. We have not included in this briefing the aspects of the Code applicable to public service pension schemes.
