5 August 2024

The Practicalities Of Pension Scheme Risk Management Under The General Code – A Case Study

Trustee Boards must enhance pension scheme risk management per the new General Code, emphasizing proactive measures, dynamic engagement, and continuous improvement. Josh Ford's project provides a practical roadmap for implementing these requirements.
United Kingdom Employment and HR

Many trustee boards will already be familiar with what the General Code says about the risk management function and controls assurance reporting. The next challenge is how to make this a reality. Our case study walks you through the process one early mover is following.

Pension scheme risk management is a key part of the General Code. Whilst it is something that Trustee Boards will have been doing for many years, some of the new requirements around the risk management function (RMF) and controls assurance reporting may require some additional thought. In this article we share some insights from an ongoing project, led by our colleague Josh Ford, to help those that are starting down this path.

Case Study

The catalyst for change

The client's risk management process, while functional, was somewhat reactive. The introduction of the new General Code, which emphasises the importance of robust risk management, served as a catalyst for the client to undertake a comprehensive review, with the intention of introducing a greater degree of dynamism. Recognising the need for improvement, the trustees formed a dedicated working group, including trustees with corporate risk management experience, a member of the pensions team, an investment and funding specialist, and Josh as their governance and risk management adviser.

Mapping out the review

The first step for the working group was to outline the scope of the review and agree on the process. The primary objective was to create a risk framework that was not only efficient and effective but also compliant with the new Code. The review was structured into three main parts:

  1. Assessing the existing risk framework
  2. Re-testing individual risks
  3. Implementing a new framework, including appointing an RMF - a specific requirement of the Code.

01. Structural framework overhaul

The initial review focused on the pre-existing risk framework, including the trustees' risk appetite, the risk register and the key touchpoints with the trustees. The existing register was an Excel-based tool using a simple red-amber-green (RAG) rating system. While functional, it was relatively static and it was agreed that a more dynamic and automated approach would improve engagement and efficiency, and help drive the crucial link between risk identification and risk mitigation action.

Our ERICA framework includes five best practice elements for any pension scheme risk framework:

  • Engagement - The framework should be designed to encourage the trustees to stay appropriately engaged on an ongoing basis.
  • Real-time - The framework should be able to operate on a real-time (or at least quarterly) basis, including continually updating existing risks and considering new and emerging risks.
  • Interdependencies - The extent to which trustees are prompted to consider risks that are likely to move together, because of overlap, common cause, or 'accidental' co-occurrence.
  • Codified - The extent to which the system permits easy, consistent and quantitative comparison, ranking, prioritising and analysing risks, including between categories and over time.
  • Action-focused - The job of a risk register is to prompt activity (whether that's notification, escalation, improving of controls, introducing new controls, seeking further information etc.) – making the connection to action a key part of any risk framework.


Having considered alternatives to their existing risk management framework, the working group transitioned to a more nuanced and robust scoring system, rating each risk on a scale of one to five for both impact and likelihood. This allowed for a clearer comparison between risks and also against the trustees' individual risk tolerance for each risk. The new system automatically flags risks that exceed those agreed tolerance levels, prompting immediate action.


02. Engaging the trustees: The risk scoring workshop

A key part of the process was a risk scoring workshop, aimed at refining the risk list and scoring each risk. Preliminary work involved a review to ensure good coverage in the initial risk list, including specific cyber risks. The workshop that followed was energised and collaborative, with a consensus-based re-test on each risk score, an evaluation of the effectiveness of controls, and discussion on tolerance thresholds. Although thorough, this process was highly valuable, resulting in a refreshed and robust risk register as the starting point for a proactive RMF, and the further development of a genuine 'risk mindset' amongst the members of the working group.

03. Rounding out the elements of the risk framework and appointing the RMF

The project is still underway, with discussions ongoing about how to ensure that emerging risks are captured in a timely fashion by integrating regular risk horizon scanning into trustee agendas and adviser input. This will be an important part of keeping trustees engaged in ongoing risk management and is a critical part of an effective and useful framework. As well as horizon scanning, maintaining a dynamic and integrated approach to reviews of curated risk shortlists will help make risk management a regular – and interesting! – agenda item at trustee meetings.

Another key element of the risk framework involves documenting the controls assurance framework. This involves a process of periodic checking that existing (risk) controls remain effective and appropriate, that the right assurances are sought from the appropriate parties at the right times and that engagement with the Trustee Board is timely and appropriate.

With a robust draft risk framework and an updated risk register in place, the next step for this client will be to determine the structure and remit of the RMF. Naming the RMF will be a relatively easy step, though a more practical division of the constituent parts of the role, by resource type and skillset, will require more detailed thinking and will depend on specific scheme features—for example, the use of working groups and sponsor or third party resources, and the connections and information flows between them.

Finally, documenting the entire risk management approach in a formal framework document is essential for transparency, robustness and ongoing review. Continuous improvement is emphasised, with incremental changes tweaking and enhancing the framework's effectiveness and compliance.

Looking ahead: The Own Risk Assessment

Throughout the process, the working group has been mindful of the new Own Risk Assessment (ORA) requirements, ensuring their approach aligns with these expectations, even though the first ORA report will not be due for another two years. This forward-thinking strategy not only saves time in the long run, but also ensures efficiency, allowing for the relevant elements to be 'appended' within the ORA, without reworking the entire framework. The ultimate goal is a streamlined, compliant, and effective risk management system.

Conclusion

Josh Ford's insights provide a comprehensive look into the meticulous process of enhancing pension risk management. Through structured reviews, dynamic engagement, and continuous improvement, the client is well on the way to successfully navigating the complexities of risk management, setting a robust framework for the future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
