The Pensions Regulator's General Code introduces new requirements for pension scheme risk management. Other sectors have been on similar journeys and pension schemes can learn from their experience.

Precedents in other sectors

The pensions risk management requirements of The Pensions Regulator's General Code should not have come as a surprise. Listed and private companies, the government sector, charities and higher education are all covered by established codes of corporate governance that require effective risk management. Many of these codes have been in place for years, with organisations having had time to adapt to them, try out approaches and then optimise them. The Pensions Regulator (TPR) has simply acted to bring pension schemes into line with risk management practices already established in these sectors.

From the Turnbull report in 1998, which first made risk management a board-level responsibility in listed companies, and the subsequent 'Orange book' developed by the UK Treasury, which became mandatory throughout the public sector, risk management has undergone a pattern of staggered development as organisations wrestled with concepts and arrangements that were, at first, unfamiliar. Codes and guidance were revised and made more precise, and organisations gradually got on top of 'Enterprise Risk Management'.

Looking at established listed companies, we see organisations that have, for the most part, well-developed, structured risk management arrangements. Risks are identified and assessed using a rolling 'always on' approach. Mitigation is applied and tracked through to completion. There is effective internal and external reporting on risk.

Some organisations have gone a step further and developed risk cultures in which personnel have a rounded understanding of risk and a shared 'risk mindset'. Good risk management is seen as being an enabler; something that is an essential part of achieving corporate aims.

Transferability to the pensions sector

So how much of this is transferable to the pensions sector? Well, actually, quite a bit. Often schemes don't need the complex structures and tools that larger corporates have but the principles remain valid and the practical responses taken in other sectors are instructive:

  • Risk registers, check
  • Risk management frameworks, check
  • Risk management functions, well, yes, not so much because the codes say so, but because that is the practical way to implement.

The Own Risk Assessment (ORA) in the General Code is a little different from the approach in other sectors, but it does support a process of review and reflection similar to that undertaken by corporates when they prepare the principal risks and uncertainties sections of their annual reports.

Learning from the experience of other sectors

It took time for other sectors to get to where they are now, with some false starts made along the way. Gradually, a consensus developed, so pension schemes can learn and avoid some of the pitfalls others have fallen foul of.

One issue that affected these early efforts, and which can be seen today in many pension schemes, is ensuring that risk processes are 'always on' and not operating on an intermittent or occasional basis. Some method is required to enable schemes to be responsive to developing risks; to see risks coming and do something about them in a timely fashion.

Horizon scanning and intelligent curation, underpinned by a work-on-risk mindset, will be key elements of an 'always-on' approach. Of course, there's more to it than that, and that's where the Risk Management Function comes in.

Risk management function (RMF), framework and risk registers

Corporates have risk management functions. They might not be called that, but somewhere there is always a team which undertakes the required tasks to make the risk management system operate on an 'always on' basis. They gather risk information, update risk registers, track risk mitigation, take action (within their delegated authority) and report up to the board. They operate the system, whilst directors are freed up to adopt an oversight role, think holistically, and make the key decisions on risk strategy and resourcing.

The Pensions Regulator has left options open in terms of how the RMF is constituted and has not been prescriptive as to how it operates. However, there are clear learnings from other sectors which suggest how the RMF should operate.

The RMF is an essential enabling factor to make risk management work for pension schemes and is a key link that has been missing for many schemes. It undertakes the tasks necessary to keep the risk management process functioning on an ongoing basis. In particular, we consider that the RMF should be close to scheme activity and active in horizon scanning to identify changes in risk exposure throughout the year, updating trustees in line with developments. Typical tasks might include updating risk registers, 'curating' (selecting on the basis of agreed criteria) risk information and reporting on it to the board or sub-committee, tracking risk mitigation actions, and taking actions to support the preparation of the own risk assessment (ORA).

A further consideration is consistency. It's no good having a process that meanders or changes from month to month. Rather, the process needs to be defined, codified and adhered to. This is where the risk management framework comes in. The framework is the rulebook for the system which defines the responsibilities, the activities and sets the timetable.

Risk registers are a topic that most trustees already have long experience of. However, this is an area that may be worth revisiting. Whatever risk register format is used, it will need to efficiently mesh with and do the heavy lifting for the risk framework. That means consideration of a number of factors, including the risk scoring system, risk tolerance, the ability to record and highlight interdependencies between risks, and tracking of risk mitigation actions. It may be better to change the format of the register than to struggle on with an older format that lacks functionality and isn't adapted to the new risk environment.

All of the above elements, taken together, should result in an approach which supports trustee engagement with risk, in a consistent process in which risks are addressed in real time (or as close as can be achieved) with the process leading to positive mitigation action.

For any fans of mnemonics, the above might be summarised by ERICA, who says a modern, effective, Code-compliant risk management framework should be:

  • Engaging
  • Real-time
  • Interdependent
  • Codified
  • Action-focused

Conclusions and next steps

The General Code moves pension scheme risk management along in a significant way, but the concepts are not trail-breaking. Others have been down this path before. The opportunity is there for schemes to learn from other sectors and to adapt measures to suit their own environment and needs.

So what should schemes look to address either now or in the near future?

Commission an 'over the shoulder' risk review

This simple review can give a fresh perspective on and highlight desirable changes to current risk management frameworks and tools and provide helpful input into the practical operation of the Risk Management Function.

Prepare and adopt a risk framework document

This needs to be precise enough to lock in and define the risk management system. Preparation requires thought, planning and ideally prior knowledge of similar systems and documents elsewhere.

Identify and appoint a risk management function to undertake required risk management tasks

The role of the risk management function should be designed and specified in the framework document above. There is considerable scope in choosing who or what will undertake (different aspects of) the role, so schemes need to consider carefully what arrangements will work for them. Factors to consider include existing skills and knowledge within the existing board, availability of resources and complexity of the scheme. What works for one scheme may not work for another.

Prepare and maintain an effective risk register

Whilst schemes already have risk registers, some may find that their registers are not optimised for the new Code requirements, either in terms of format or content. This is a suitable time to revisit the risk register and consider design and functionality options which would fit well with the new risk framework and risk management function. Schemes should also check that risk information in the register remains accurate and that all relevant risk areas are addressed.

In due course, schemes will have to develop their Own Risk Assessment (ORA). In practice, large parts of the ORA will be formed from the risk framework document and risk register. If either of these is absent or underdeveloped at the time of the ORA, then significant catch-up work will be required to prepare the ORA to a suitable standard. We recommend that schemes don't wait until this stage; by following a considered, structured process for setting up the risk framework and RMF, schemes will not only improve scheme risk management but will save time, effort and cost at a later stage when preparing the ORA.

WTW can provide expert professional advice in each of these areas, drawing on our experience in pensions and Enterprise Risk Management and can support schemes with development and implementation.
