In this webinar we consider some practical steps trustee boards can take in relation to the Single Code. We look at the concept of proportionality, how to link actions to the scheme's strategic goals, how to conduct an 'own-risk assessment', and what 'an effective system of governance' looks like in the real world. While the Single Code has not yet been finalised, we expect it soon and these concepts have been in the law since 2019.
Transcript
Elizabeth Gane: Right we are at a minute's past twelve so I am going to just kick off. First of all afternoon everybody and welcome to the second of our practical governance scheme sessions webinars. Today's session is on making the single code, or perhaps I should say the general code work for you.
I am delighted to be joined today by our speakers, first of all my colleague Maddy Frost who is currently a Legal Director in the Pensions team here, but as from Monday of next week Maddy will be a Partner in the team, congratulations Maddy. I am also joined by Amanda Osborne who is a Trustee Director at IGG formerly Ross Trustees, and Rosanne Corbett who is a Client Director at Muse Advisory.
Just by way of background on our guest speakers. So Amanda has over 40 years' experience in the pensions industry. She has worked both in-house and at a number of third party administrators. She is an experienced operational manager and has a wealth of knowledge and experience in pensions administration. She has worked at IGG for 3 ½ years and currently works on a portfolio of clients for whom IGG are sole trustee. She also chairs a number of trustee boards and sits on a number of risk and admin committees.
Rosanne leads Muse's governance and risk management services and is on the news management team. She advises on risk management, on governance and strategy, and a particular strength of hers is the hands on experience she brings because as well as doing all of that she works as an outsourced pensions manager for part of her time, and at the moment she is spending a lot of time working through general code gap analysis and undertaking the own risk assessments, both for schemes where she works as a consultant where she is advising trustees, and also in her pensions manager role.
Rosanne is also the appointed risk management function holder for one of the largest Irish DC schemes and they are a little bit ahead of us in Ireland so the own risk assessment for that scheme needs to be completed by this time next year, so Rosanne has got a wealth of experience in this stuff and looking forward to hearing from both her and Amanda with their practical experience.
I have got a couple of points of housekeeping before we kick off properly so the session is due to run 12 until 1pm. We are going to aim for about 45 minutes of content to give plenty of time for questions at the end. Your mikes and speakers are going to be switched off throughout, although you will be able to see and hear the speakers. If you do have any questions as we go through, if you could please type them into the Q&A function which you will see at the bottom of your screen. Only the speakers will be able to see your questions and we will pick up as many of those as we can at the end of the session.
We will be recording the session and we will place it on our website, so we will send everybody who has signed up to attend the session a link to the recording once we have finished.
So Maddy is going to start by giving us a brief overview and then we are going to move into a more of a Q&A format to bring out some of the key themes and to get Amanda and Rosanne's real life war stores, or perhaps I should say case studies. So without further ado I will hand over to Maddy. Thank Maddy.
Maddy Frost: Thank you Liz. Good afternoon everyone and thank you very much for joining us today. I think the first thing to say is that in terms of agenda I will only be speaking for a very short time today to set the scene for the discussion. Now the single code, of course now the general code has been around for quite a while, first being published in March 2021, so I expect most of you will be pretty familiar with its content. Therefore, the majority of today's session I will be passing over to Rosanne and to Amanda who are both immersed in work helping trustees to comply with the code in a practical and proportionate manner. So the focus of today's session will really be to get their input on what practically trustees can do to ensure compliance with the code, particularly as it may seem like quite a daunting task for some trustees at a time when there are clearly other priorities. A finite amount of resource in terms of both time and money and also given the activity in the insurance market I am sure a number of trustees are wondering how they ensure compliance in a proportionate way when buyout is on the horizon. So on this slide number 3 just a few headline points from me first.
So the first thing I want to say is about timing. Now although delayed, we are now informed that the code will be final by summer 2023. This delay does not mean that the requirements of the code will go away. A lot of the detail in the code particularly around the ESOG and the ORA which we will be talking about today is taken directly from IORP II and has been introduced into UK legislation by amendments to the Pensions Act. So it is clear that despite the delay the code is here to stay, and coupled with that is the general expectation and an indication from TPR that we are not expecting huge differences in the final version of the code to the draft that we already have, although some guidance around proportionality would be welcome.
So a quick note on what is new and what is not. First of all what is not new? I think it could be helpful for bear in mind that the code was intended to help trustees with scheme governance rather than just being an additional regulatory burden on trustees. Of course there are new requirements which we will talk about today, but a lot of the requirements, particularly in terms of the required policies and procedures, trustees will likely already have most of them in place because of course the code was produced to bring together ten of the existing current codes of practice and in a way that is actually clearer and more accessible for trustees and it will probably also help to remember in fact many elements of the existing codes are out of date, not particularly easy to navigate and how they interact with each other is not always clear. In addition and hopefully again we can bring this out in the discussion today. The code is designed to help trustees in achieving their objectives and assisting with the schemes journey plan, and ensuring effectives in an effective system of governance should it benefit trustees, ensuring that they adequately manage risk to protect scheme benefits and pay benefits as they fall due, which is of course the ultimate goal for all involved in a pension scheme.
But of course there are a few new things, it is not just a consolidation of existing codes, and we have a few new acronyms to add to the many of the pensions industry already. The first is the ESOG or the Effective System of Governance. This is the legal requirement under the Pensions Act for trustees to establish and operate an effective system of governance, and the code sets out what TPR it expects trustees to have in terms of their effective system of governance, and that the trustee should have oversight of the day to day operation of the scheme and ensure that it is accountable for delegated activities, which I think is a really important part and something that trustees would be good to revisit to make sure that their delegations are properly records, and so the trustee can get assurances that the scheme is operating as it should.
Now this concept of a system of governance is quite wide and it can include anything that could reasonably be considered as part of the operation of a pension scheme. So it is really about the trustee having appropriate policy procedures in place. Now the draft code has quite a long list of specific items that TPR expects to see forming part of that ESOG, and I am not going to run through that list, but just to say there is increased focus on things such as contingency planning, you are probably not surprised following the Covid pandemic, also cyber security, climate change risk and of course a new requirement for a remuneration policy.
The second acronym I wanted to mention was ORA the Own Risk Assessment. This is a new requirement for trustees to have a written document setting out how well the trustees system of governance is working and the way in which risks are managed. So this is for trustees to demonstrate that they have fully considered the various risk management processes and how well their policies and procedures address these. The ORA should be in writing, signed by the Chair of trustees and our current expectation is that it should be produced within one year of the code being effective and then must be regularly reviewed. The schemes are not required to publish the ORA or to send to TPR, although TPR can request it, but as the regulator is not reviewing the ORA and there is no template or prescribed format, this has led to some concern about well what on earth should the ORA look like and how does this differ from the risk register, and this is something that we will pick up in today's session.
So just finally from me, TPR has been a pain to say that it will remain a pragmatic regulator. Now although TPR warns that it expects the first ORA to be a significant piece of work, it also recognises that it should be proportionate. Now this concept of proportionality is peppered throughout the code and it is left to trustees to decide what is proportionate in the context of their scheme. The code also actually contains a statement acknowledging that some schemes may meet the expectations in a different way to as it is set out in the code. Now the code itself does not give examples of where or how differences can be accommodated but this does suggest there is some scope for deviation from the code when it is done in a considered way.
So it gives that background I am going to pass back to Liz who is going to kick off our discussion of the practical aspects. Thanks Liz.
Elizabeth: Thank you very Maddy. So yes, I mean I suppose I would like to probably bring in Amanda first of all. Amanda I have got a number of trustee boards that I advise who either have not started the process at all yet or who are right at the beginning of the process. So as an experienced professional trustee you have got a blank piece of paper in front of you, how do you approach the exercise? What is the first thing that you should be doing?
Amanda Osborne: I think Maddy covered a number of those issues. None of us have got a blank piece of paper, we have already got a number of robust governance frameworks in place. So for us as trustees, one of the first things we looked at is obviously one understanding exactly what was in the ESOG, in particular, what those models was included and what policies were required. So as us looking at kind of going, what have we got? What have we got in place already? What can we almost just say yes, yes we have got a tick box, or what we can review, and what are the requirements for the other things that we need to put in place? So it was not quite a blank piece of paper, but it was very much adding to what we have already got with regards to that framework we have got, and we all believe that actually the information that was included within the ESOG in particular was actually really good governance, it is things that we needed and it is things that it required us to look at the policies and procedures we have in place for a number of year which are probably out of date, we probably do not look at them enough. I think it has actually got a sink in of how we can use them, you know, much more in a relevant state in what we do on a day to day or year to year basis.
Elizabeth: Thanks Amanda. I will take myself off mute before I start talking. So effectively you would go through what you have got in place already and carry out a gap analysis I suppose you would call it isn't it.
Amanda: Very much so.
Elizabeth: OK. So Rosanne, just bringing you in here, sort of on a practical level once you have identified those gaps and you have done your gap analysis, what do you do to make sure you are prioritising the key areas? How do you tackle that and how do you make sure that the sort of finite resources that you have got are sort of focussed in the right place I suppose?
Rosanne: It is a really good question and I think it comes back to that point of proportionality that has been mentioned previously. I know we will talk a little bit about what proportionality means in practice but looking at it through the lens of, you know, how much of this do we actually feasibly need to do for our scheme based on where it is at this moment in time and where we want it to get to is kind of the lens I think it is helpful to look through, and that is partly driven by objectives, and I do think linking this work to the objectives is really important as it is a helpful framework. So if your only objective is to be compliant because you are a very small scheme and you do not have the money to spend on the nice to haves, then your bar of proportionality is going to be relatively low. So actually just doing what you need to do and getting the minimum in place to know that you are compliant and doing the right thing by your members will be a satisfactory target. However, if you are a trustee that has more reaching objectives then you might look at it through a lens of, can we do things better?, can we make quicker progress?, are we being as efficient as we can be?, and so the level of proportionality might apply when looking at the gaps that you have could be quite different. So there is a spectrum in terms of how any of the gaps are approached.
I think it is a sensible way in terms of what Amanda is saying tackling it through looking at your documents and the processes that are in place as well as then looking at the specific requirements for a system of governance, and they will identify potentially quite a few different gaps. Some of the things that I am seeing is around particularly in documentation that how that links in practice to governance and ways in working. So for example, discretionary benefit policies are often an example where things are not quite done in practice as they are documented or it might not be documented. So I have got a couple of cases where we have got a policy which is documented, however, the administration practice is not quite following what is in the policy around a standard death benefit. So the trustees are not actually being referred certain member cases when they should be. And then there is another case where a policy is there but it does not actually reflect the trustees and rules in terms of payment of spouses benefits when a member has died in retirement and as a result of that the processes have fallen down and the benefits have been miscalculated over a very long period of time. So this exercise has been really helpful in identifying yes areas for tweaking and improvement but also some potential skeletons in the closet. So actually being able to look at this from that level, you know, how much of this do we need to do to help us work better, more efficiently, and do the right thing by members helps prioritise the actions you take once you have identified those gaps, and of course the red, amber, green, or red, amber, green, blue sort of matrix might be helpful because you can identify the things that you just do not have in place that you need to, which might be red, the things that you have could be tweaked around the edges or actually need to have new things added into them and therefore expanded, which might be amber, and green you would have in place, and there may well be blue things that you do not have, but you feel you do not need to because it is not proportionate to your scheme and the level of complexity, and therefore that gives you a really good starting point to think about what do you do next, and how do you then tackle that because of course everybody is very busy and so it is fitting around an already busy workload, so planning that over a period of time to you to do these things fit in, but also think where can they be tackled as work that is already being done in progress or projects that you can see coming down the line, does not need to be all done at once, and remember the own risk assessment as you have said, is an assessment of the governance that you have in place as well as the management of risks but TPR is not expecting you to be green in everything at that point of assessment, it is expecting things to be done and improved over time.
Elizabeth: I think that is really helpful Rosanne. It is helpful to frame it in that way isn't it because I know sort of a lot of, well probably a lot of trustees and others involved in the industry see a lot of what TPR puts out and is almost, oh gosh you know, another tick box exercise that we have got to comply with and I think probably people would feel better about the time and effort they have to spend on compliance with all of this stuff if they could see well it is not just a tick box exercise, there is actually some benefit coming from this, so I think it is helpful that you have been able to see some benefit in the schemes that you have been working with to actually improve the governance and like you say highlight some areas that perhaps they have not been running so well in the past. I suppose you have got to be careful how far you go haven't you because people do not always thank you for identifying issues.
Rosanne: Yes and I think, well they don't because sometimes there is a cost attached to dealing with them but I think for those schemes that are on a trajectory potentially towards buyouts finding out about this sort of thing now is actually so much more helpful because you can tackle it at a time that you are not under pressure to be making decisions at pace.
Elizabeth: Yes I completely agree. I wonder either sort of Amanda or Rosanne whether you have got any views on how the approach might differ for schemes that are on a slightly different journey plan because you might have a scheme that is running on and it is sort of quite a long way from the end of its journey, it might still have active members in it, versus a scheme that is on a trajectory towards buyout in the next 18 months/2 years. Would you take a different approach if you had a scheme that was closer to the end of the line?
Amanda: I think if I can answer, definitely, you know, I have got a number of schemes that are either going to buy in this year or are in the process of getting all their paperwork and their data and everything ready to do it next year, and we have looked at those very differently. But the things we have pulled out on things like that is around sort of like almost looking as part of that project plan as well, around your member communications, having a plan for that, so there is a number of aspects within the ESOG and the ORA that will pull out somethings you are going to be doing as part of that work as well. So it is looking at the elements that you kind of need to have in place anyway. It is always good to have great governance, you need to have a number of those elements in place full stop, whether it is going into wind up, whether your scheme is staying on or anything else. So it is recognising those bits that you just kind of need to do right at the very end and those bits actually can fall away, and it is that proportionality whereas a scheme that is ongoing it is very much looking at the bits that you really do need to do. I am at a slightly different place for a lot of trustees as well, I have another scheme which are Ross Trustees sole trusteeship and where we do all of the governance, so for us it is very, that was a very easy approach to take because we looked at everything and we looked at the size of the scheme and what they are doing and where they are within their journey plan, and we could look at those quite easily with regards to what we felt was required. So we did very much do that, you know, the red, green, amber approach, you know, we looked at our policies, we made sure they were all OK, we made sure they were compliant and that they were up to date as well. So we have been doing that sort of for the last two years.
Very different to where I am a chair of a trustee board, you know, you have got to bring your lay trustees on that journey with you. As trustees we have so much training as we get to understand and we can literally, you know, lift the bonnet and understand what is happening and what those requirements are. As a lay trustee you just get that training. So I think the approach from me as a Chair was slightly different for the approach I have taken for a sole trusteeship, you know, it is much more of a training, of an understanding, of bringing them along, you know, making those phases and phasing those things in and almost where we decided that we did not want to do a thing or we did not need to do it because of the size of the scheme, we understood that, and actually we all understood it and we made that decision as a group, as a board.
Rosanne: Yes I think if I may just to add to that, some of the trustees in the schemes where they are on a path to buyout and are at different stages of it, this process is either, if they are doing it at the moment in terms of thinking about the ESOG and the ORA is proving helpful from different perspectives and of course we have been challenged, do we even need to do any of this if we are a couple of years off buyout, what is the merit in doing it? It is a very fair question. I think for those schemes that are on a longer path this is actually quite a helpful means of kind of really taking a step back and reflecting on what is it we are trying to do?, what is that end game target? We have a target in terms of a funding amount but we also have a timeframe, and also we have got to think about the sponsors involvement potentially in this, and it is a helpful means of just putting that plan together and thinking about what are we trying to achieve?, how are we going to do it?, how are we going to be resourced?, and that resourcing is not just all the providers in place to do the work because of course there is going to be peaks and troughs in terms of capacity but it is the advisory you support, is it the trustees you have around the table and the composition as well as any in‑house resource you might be lucky enough to have, and what that looks like as you make progress because it will evolve and the risks attached will evolve, they will become very different. The risks that you have now might either fall away or change shape as you make progress year on year, and so being able to understand that now early on is really helpful because it means you put in place the right milestones for your decisions and activities but also it helps that you have a really sensible conversation around what this looks like from a budget perspective as well.
Those nearer to buyout, or potentially buy ins, do find this quite helpful thinking about risk more specifically and it is not just the big risk of what do we do in terms of IRN's, so the funding, the investment, the covenant elements which are obviously critical as part of this, but it is the more specific. One of the things that are really going to bite us we do not know about at the moment and it may be things like track surplus. What is written in the rules about use of track surplus?, distribution of surplus, those are the types of things that can really derail things, or it might be that you have got a particular member case and it might be one member and they have brought something up and you realise that actually something has been done wrong for a whole category of members, and it means you cannot hit buyout at the time you want, and so it is things like that is understanding how that looks and where you might need additional support from the sponsor, you might be fully funded at the moment but as you get closer to buyout there may be pinch points where you need to rectify things and you need additional support from the sponsor and or course any residual risks how you deal with all of those in that period up to buyout but also from buyout to windup, and so there is a lot of things which are more in a detail of risk is actually a very helpful to think through early on.
Elizabeth: It is really interesting isn't Rosanne because I think some of these risks people have not focussed on at all over the last few years and you are quite right, some of the issues that we are coming across now are around track surplus which nobody has ever focussed on. We are seeing other things that people have never focussed on before as well, so rules around discretionary increases nobody has ever focussed on those before and we are looking at rules and suddenly realising that actually people perhaps should have been looking at this once a year for the last goodness knows how many years, but it has only just come up because of the current inflationary environment. And of course the other thing that is coming up at the moment is liquid assets so schemes that are very very close and want to buy in or buyout or transact in some way for residual risks suddenly cannot because they have realised that they are not going to be able to change their asset mix quickly enough in order to be able to take advantage of, you know, current moves in the market at the moment. So I think that is a really good illustration actually of the point that you made about these risks, they do evolve over time, you have got to keep an eye of them haven't you?
I am sort of wanting to move on to talk about the own risk assessment in a little bit more detail. I am sort of conscious that a lot of trustees have risk registers in place at the moment and they spend a lot of time going through risk registers, they have spent a lot of time putting them in place in the first place and they do spend time reviewing them at the moment. This sort of new guidance from Pensions Regulator talks about own risk assessment. I think it might be helpful if we kind of could first of all just talk about how the two are different from each other. So are trustees going to have to start right again from the beginning? Are they going to have to scrap the risk register and do something else to start with?
Amanda: Oh I hope not, my goodness, no, I do not think that is the case at all. I think TPR can correct me on this, I do think the own risk assessment is a follow on from the work that schemes will be doing if they are not already or will soon be doing in terms of looking at the documents that they have in place to support effective governance and scheme operations and looking at the specific requirements of an effective system of governance, because remember the ORA is an assessment of that governance and how effective it is as well as how well the risks are being management within that framework, and so the ORA for me is not about rehashing the risk register, it is using the risk register as a helpful means to really think what are the key risks to us as a set of trustees. For me I think about risk in the context of objectives. A risk is something that can prevent or hinder the achievement of the objective or conversely it can expedite the achievement, so you can think about it from an opportunity perspective, and so you may already have a lot of the risk register that is really helpful but you may well have a very long risk register and you cannot visibly look at 89 to 100 risks in a meaningful way on a regular basis, so the ORA for me is about your key risks, it is those things that are really going to either knock you off course of where you are trying to get to or move the dial to help you make progress, and so I think, and listening to a recent webinar about the code because the expectation for the ORA again are about being proportionate, it may be that a very short focussed high level document is going to help you. I think that it the way I am going in terms of the work I am doing with my Irish client, it is very much a strategic document that will help them think about what they have to do in the year or two ahead, what's coming up is a forward looking document, yes it reflects a little bit on what has happened to get them to that point, what their objective are, how they are going to undertake the activities they need to i.e. project work as well as BAU, one of the key decisions and milestones they have over the year, what is going to help them do that work as well as what are the risk they need to manage now but also looking over the horizon to what might be coming down the line that they need to think about. So using it as that sort of tool is actually so much more helpful and value as than just being a tick box exercise, and in terms of where we might get information or tools from a best practice perspective because it is quite hard to create all of these things from scratch, those schemes that have sponsors that produce ORSA's so own risk and solvency assessments, you might find if the sponsor is prepared to share that document with the trustee that could be a very helpful tool for you to think about how you structure your ORA, what you want to think about in terms of what is in there. Typically those ORSA's are very strategic tools that are used as part of the end of year reporting and business planning process for a business and it looks at lots of different things but the key bits in there are strategy, objectives, risk, risk appetite, activities for the year ahead, and so a similar approach with the ORA could actually be very useful. You can make it as long or as short as you like I think, you can go to town on it, but the other aspects of the own risk assessments is the operational side. For anybody who has looked at the code or the governance regulations that are already in place it is clear that there is a lot which sits within the operational elements of schemes, so the admin of benefits, for example financial transactions, payment of benefit, movement of money, so from trustee bank accounts to members or between trustee bank accounts, if you have more than one or from custodians to trustee bank account, all of that needs to be really looked at in detail and this is where it is taking risk management a little bit of a step forward, so risk management is not just about looking at the risks in the risk register and checking what colour they are. If your controls are not operating as defined and effective your risks will not be well managed and unless you know what those controls are and test them for their effectiveness you will not know if the information you are getting in your management reports and your stewardship reports are answering the questions you have, giving you the right assurance and comfort that your controls are working for you and therefore that you risks are being managed. So there is a little bit more I think coming from the code which is where the assurance reporting comes from and the talk around internal audit have the intent I think to get trustees to think more about how they actually look at and scrutinise the control. So it is not to get into the detail but it is make sure that the reporting and information you receive from those who run the scheme on your behalf is helping you understand that things are being done as they should be and that supports you decision making at a strategic level, it should not get in the way of it, it should support and help it.
Elizabeth: What would you actually do in practice to get under the bonnet then, Rosanne, Amanda, either of you could probably answer this. So you receive a report from your scheme administrators every quarterly meeting to tell you whether they have met the KPI's or not and they will tell you if there has been any breaches of the law, do you need more than that?
Amanda: I think for us, and the one thing we do look it is that we look at all the AAF reports that come out on an annual basis across the board of all of our TPA's. More to understand what controls they are actually looking at, where they have got with them, you know, it is meant for an independent report which it is, looking at the areas which they have been pulled up on, you know, was it the same as last year, you know, the one's that they had problems with or had issues with or were highlighted last year, have those now been resolved and how were they resolved? So for us it is kind of using the information we can actually get from our administrators to find out, you know, how do they control themselves, so that what follows on obviously from our own conversations and our own stewardship reports we get. It is also regular conversations, you need to be in regular conversations with your administrators as well, you know, having regular catch ups with them. I mean obviously in the last year it has been difficult, you could not literally go in and kick the tyres and see how they were working and in everything else, but now things of kind of got, you know, got back to normal, that is one thing, you know, we will at trustees start to do to make sure that, you know, the things that are saying it is happening is actually happening so I am sure Rosanne has also got some great points as well.
Rosanne: Well it is interesting, some of the work we have been doing recently is for a very large scheme that on the face of it you would say is very well governed but in just doing some of the tests around checks and balances in the reporting, one of the things that they report on are member complaints. Now the trustee obviously has on its risk register anything to do with member data benefit calculations and part of the control front for them is around the complaints that they have, the number of complaints, the type of complaints, checking if there is anything systemic in those complaints. But what was being reported in the stewardship report was not quite giving the full picture of what was happening behind the scenes with the administrator and it was not until we lifted the lid and started to ask a few more challenging questions that we realised that a lot of the complaints that had been put through in the stewardship report over the last year or two, over 50% of them were disclosure breaches that had never been reported to the trustee and they definitely had not been reported to TPR. So it was not until we actually lifted the lid and started asking questions that we found out that that was the case. So again it is not a big exercise, sometimes it is just asking the question, how do we know that what we are being told is the right thing?, what are the questions we have as trustees and what are the answers we need to make sure that we can say that we are managing that data risk effectively?
Elizabeth: Yes, and do you tend to go out on site visits and things like that or do you do annual site visits to administrators and things like that because quite often people do them right at the beginning of the process, I do not know whether that is an ongoing process?
Amanda: I think it is definitely something, and we used to do it a number of years ago, even in my previous role we constantly had trustees and advisors coming in to ask us questions and I think that is real value add, I think to get to know both your administration team, the way they work, the systems they are using and everything else. I think that is invaluable for trustees to kind of start doing that especially around the larger schemes as well.
Elizabeth: One of the things the regulators really focussed on in the new guidance around cyber‑security as well isn't it?, so you know there has been one well-known administrator in the last few weeks who has had a cyber-security breach and I think it was possibly in a different part of the business actually than pension's administration, but my experience of that has been that it was very very difficult to get information out of the administrator concerned for several days. So I think trustees were asking all of the right questions but were getting nothing back at all and then TPR has contacted the scheme to say we know that your administered by this particular administrator, you know, what are you doing to manage the risks? So there is a very key focus on that and I think cyber-security is something that is going to become more of a focus going forward. What that brought home to me was no matter what you are told upfront and no matter what you think is going to happen in that situation, the reality of the situation may be different and I suppose what that brings home to me for the purposes of, you know, looking at ESOG's and own risk assessments is again back to the point of you have just got to keep all of this stuff under review. I think certainly on those schemes that I advise have got that particular administrator where they have come unstuck, I think that has brought it home to us. So I think that is something we are going to be addressing as part of this. I mean I do not know whether you had any other thoughts around that sort of area and risk?
Rosanne: I will start first and then Amanda please chip in. Cyber is new in the code in terms of cyber controls but I think TPR's intention is that a cyber incident response plan is probably something that trustees should have had in place for some time because it fits in within business continuity, and of course business continuity has its own module in the draft code and this is about business continuity not just with the administrator, it is overarching ability of a trustee board to act in an event, be it cyber or something else, and be resilient to that in the aftermath, and that is quite a different way of thinking. Business continuity and cyber I am not a cyber expert at all but I think a lot of it is in the prevention because when it happens it is very difficult to do something once the data has gone the horse has effectively bolted and so it is about managing the situation thereafter. I think in some of the cyber related data issue cases it is about making sure that the systems that you have are not vulnerable penetrations and intact and of course most schemes will be doing exercises to ensure that is the case. What we need to manage in terms risks and looking at the controls in places where data is taken out of that system for any reason to do certain exercises that it cannot be compromised because then you are reliant on the data backups that you have in place and if you do not have suitable backups as part of your BCP it can fall down.
Elizabeth: Yes, thank you. We have had a question in which this may be one for you to kick off Amanda. So the question is around how trustees set their long term administration objectives and what those should include. So we have got things like disclosure breaches that we have mentioned but I wondered if there was anything else?
Amanda: Oh gosh. I might need to think about that one now. Rosanne have you got any clues? I mean for us, you know, we work in relationship with our administrators, you have got to, you know, and I think it is reminding ourselves of what the role is, reminding ourselves of what those services they provide for us is, you know, one thing we are doing as part of sort of an ongoing review of all of our things, out of the back of cyber and everything else, is looking at the terms and conditions we have got, looking at those SLA's, you know, having frank conversations, you know, if there are issues, you know, we want for them to be able to come up to the trustees and tell us that there has been some disclosure breaches and not for us to have to go and dig around and ask awkward questions. So I think the objectives for us is probably, you know, to work with our administrators very closely to make sure that they are also aligned with what we want as trustees, you know, it is no good us having conversations around end games and things like that, you know, working in silos. So I think for me as an objective to work with my administrators closely to make sure they are aligned with what we are doing and they are aware of all of our plans, and make sure that we keep a close eye on what they are doing and how they are doing it, and not be afraid to ask these questions, but also be open for them to come to talk to us as well if and when there are any issues.
Elizabeth: And Amanda that has got to be the right approach hasn't it because one of the things that is happening across the industry at the moment is just capacity crunches with advisors and providers and I think it is particularly acute at the admin end of things, and it is just not possible for administrators to do all of the projects that people want to do sometimes is it, so actually being clear and upfront and honest and having that conversation about what is possible, and then prioritising what needs to be done from an admin point of view I think is absolutely key isn't it at the moment in particular?
Amanda: Very much, we are all aware of the resource constraints across the board to be perfectly honest but very much on that admin front, and I think it is having those conversations and its, you know, trustees are not ogres, we are quite happy to kind of sit down and whilst we might have SLA's within our terms and conditions and with our contracts, you know, we can look at them. If there are areas where we need to start to be a bit more lenient on then have those conversations and be upfront and honest and if we are looking to do sort of lots of projects make sure we phase them correctly, make sure that the resource is there and they are fully aware of what we are doing and sort of have that agreement, but we are fully aware of the resource constraints across the board within administration, so I think it is just having that real close contact with your administrators.
Elizabeth: Yes because otherwise you have got other risks coming in haven't you of people trying to rush through stuff that creates risks in itself I think.
Amanda: Yes.
Elizabeth: Thank you. I have a question for both of you and may be there is some self-interest in this. In your experience how far along the track are most trustees with all of this because I think there has been so much going on and people have got so many different focuses as the moment and because we have not got the final version of the code at the moment, I think some people have sort of pushed this to the back burner a little bit, but I will be really interested in hearing your views on that.
Rosanne: I think there is a lot of sitting on the fence and probably rightly so until it is final how do you know for sure what actually needs to be done, you do not want to spend time and precious money on doing something that you might have to unpick, so I absolutely understand why that is the case. Where some schemes have started to make progress it is typically because they have wanted to do a risk management exercise already, or they are thinking about how do we plan our journey to buyout and this has been a helpful way to help them think about it. So those schemes where we are further along the line for work to comply with the code and also undertake the own risk assessment has been stimulated by something else. I think those trustees who see the value in doing this because it is good governance have made progress but I think the vast majority are waiting to see what happens next.
Elizabeth: That gives me some relief.
Amanda: I was going to say from my point of view, probably most of the schemes that we have under Ross Trustees have gone for the ESOG and they have at least as a minimum got that gap analysis and are slowly working through those priority orders of what needs to be done, so, but with regards to the ORA I think we are kind of very much just waiting to see what that final version is.
Elizabeth: Yes, thank you. So I have probably got time for one more question before I go and sort of sum up and close. How strict do you think TPR's going to be with all of this, you know, it has been delayed, there has been, you know, it freely admits that there is a lot of work for trustees to do for the kind of start of the process, do you think it is going to be scrutinising scheme, scrutinising what they have done on this, do you think it is going to be strict and be looking at what people have done and criticising how they have approached this?
Rosanne: That is not the sense I have got from the webinars which I have attended where Nick Gunnan who is the lead on the code has been talking about TPR's expectations, they appreciate I think there is a lot of work to be done, and I think he feels he probably should not have mentioned the words "significant" in the code, in the original draft, because it has probably created more worry and then has been helpful, but I think the intention as he was saying around the own risk assessment is that it needs to be at a level that is going to be helpful and relevant to the schemes when they do it, it is not an exercise in a huge amount of box ticking for the sake of making sure you have gone through the code and have every single thing in place. Yes of course you need to be compliant but again it is being proportionate to what that compliance looks like. If you, you know the remuneration policy, we are still looking at what that might be and I think having seen some of the slides that Nick put out it is more than trustee remuneration, it is the remuneration of the providers, and basically it is a remuneration of anybody who provides a service to the scheme whether that all has to go in the trustee remuneration policy or whether you can have an advisor provide a policy that captures some of those points. It is about how much do you need to put in there, if it is just one line and that does the job for you, then it is one line, some schemes might have a seven page policy because they need to go into that level of detail. So I think again, TPR is going to be very mindful that it is not all going to look the same, it is not comparing apples with apples, it is going to be apples with pears for some time, and I think may be what they will look to do in the future as they have done with some of the other codes is look at what is good in the market and then perhaps guide schemes towards that because they have looked at it and they have seen what they think is most helpful or representative of what they are trying to achieve through the code.
Elizabeth: Yes that makes sense. I am going to ask Rosie just to put up our final slide if I may Rosie. Thank you very much. So these are really just I suppose my key takeaways from the discussion that we have had to day. So my first key takeaway is you need to have a plan, you need to allocate responsibility for who is going to carry out the plan, and you need to prioritise what it is that you actually want to achieve through the exercise.
Next you need to carry out your gap analysis and just identify what might be missing, and then you need to put in place a process for filling in those gaps but in a proportionate way.
And then finally for trustees, I think it is a really good idea to add all of this to the trustee business plan, whether that is things that need to be done to fill in the gaps or whether that is the review of everything in 12 months times after you have done it, just to make sure that nothing is missed and you remain compliant. So for me I think those are the three key takeaways from today's discussion.
So it just remains with me to say thank you ever so much to all of our speakers, Rosanne and Amanda and Maddy, and I hope you have all found this a useful session. If you have any follow up questions please drop myself or Maddy, Rosanne or Amanda a line and we will be happy to pick those up after the session. Thanks ever so much.
Chair -Elizabeth Gane, Head of Pensions at Gowling WLG
Speakers - Amanda Osborne, Trustee Director at Ross Trustees, Rosanne Corbett, Client Director at Muse Advisory and Maddy Frost, Legal Director at Gowling WLG.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
