Whilst the ORA (Own Risk Assessment) is a new requirement for pension schemes in the UK, we are not the first to need to navigate these waters - pension schemes in Ireland were required to complete their first ORAs by April 2024. We set out below key lessons learned from their experiences so far, and consider how these might be applied to UK ORAs to avoid early pitfalls, improve efficiency, and add real value to pension scheme risk management.
The pensions regulator in Ireland, the Pensions Authority, published its Code of Practice on 18 November 2021, which bears some resemblance to the UK's Pension Regulator's General Code of Practice which came into force on 28 March 2024. In particular, both Codes require pension schemes to complete an Own Risk Assessment or ORA to assess the effectiveness of their Effective System of Governance (ESOG).
Our team in Ireland has been supporting defined benefit and defined contribution scheme Trustee Boards with completion of their first ORA and were happy to share some valuable insights.
Our team noted first and foremost that the ORA process (the UK Regulator is keen to emphasise it should be thought of as a 'process' not a 'report') gives trustees a valuable opportunity to step back and review their risk management approach and schemes' other key activities, including spotting gaps and opportunities for process improvement and reflecting on the effectiveness of the management of key risks. And there's a mindset point here too: the ORA isn't a sign-off of a 'perfect' approach, but can and indeed should employ continuous improvement principles to identify and signal further improvement activity that will take place after the report itself is signed.
Further insights from our team in Ireland:
01
The UK Regulator expects trustees to prepare and document their first ORA in almost all cases by their scheme year end in 2026. Our colleagues in Ireland counsel that UK trustees should use the time between now and then wisely, drawing up a clear project plan for completing the ORA that works around other scheduled scheme activity and deadlines. The plan should consider the resources and skillsets available as well as the process that will be adopted and ultimately what the objectives of the process will be.
The UK Regulator has no plans to produce ORA guidance or templates, and is expecting ORAs to be "highly tailored to the circumstances of each scheme." Furthermore, the process of performing an ORA will require the collection, collation, and assessment of quite a large amount of information, so it is important that it is approached in a structured manner.
02
Our colleagues in Ireland found that the most effective information gathering method was conducting discovery meetings with the scheme's key stakeholders. Through these, they were able to gain valuable insights on the scheme's governance processes, since having a conversation rather than filling in a questionnaire helped to promote trust, open dialogue and engagement from all parties. It also laid an effective foundation for the risk management framework's operation, ensuring all parties were aware of their responsibilities and providing clear communication channels for the escalation of risk issues and concerns.
In addition to these discovery meetings, our colleagues found that existing scheme processes and activities could be leveraged to support the delivery of risk insights, for instance through the addition of risk metrics alongside the current financial metrics in regular reports. Building on existing processes also helped trustees and other stakeholders navigate the cultural change towards a more active, integrated and ultimately effective risk management process.
03
None of this (advice to take a step back, discovery meetings) is to say that elements of automation shouldn't be incorporated to support efficiency. For example, ongoing policy and process reviews and assurance activity can be efficiently referenced or re-summarised in an ORA report – our own ESOG management tool in the UK, ESOG HomeSpace, has functionality available to automatically present a 'dossier' of effectiveness evidence from regular reviews to inform each of the areas the UK Regulator has indicated must be covered in an ORA. And if your risk register already covers controls, control effectiveness and risk tolerance (and is used actively in your regular risk management quarterly cycle) then an extract on key risks can simply be 'copied' into an ORA appendix.
Going back to the advice on planning ahead, trustees can therefore usefully use the time until their first ORA deadline to consider opportunities for setting themselves up for an efficient ORA process.
04
As part of complying with Code compliance in the UK and Ireland, Trustees should be able to demonstrate how they integrate risk management into their management and decision-making processes.
Our experience has shown that this should be a two-way process. Not only should the risks and their impact on strategic decisions be considered, but Trustees should also consider the risks arising from those decisions. For instance, a strategic decision around risk mitigation such as introducing a longevity hedge will follow from a risk assessment process looking at longevity risks. On the other hand, a strategic decision to change advisers will result in additional transition risks which need to be carefully considered and managed.
Our colleagues in Ireland were clear, as is the UK Regulator, that Trustees need to assess and set a risk appetite (i.e. the degree of risk they are willing to accept or tolerate, at an individual or aggregate level), in line with their broader strategy. The risk appetite sets the boundaries for risk taking within the scheme (triggering action if risk tolerance is breached) and provides a framework for strategic decision making. So risk management and decision making are fully integrated.
05
Risk professionals, including our colleagues in Ireland, are clear that taking a strategic view and not considering risks in silos is vital to delivering effective risk management. Consider that many pension schemes operate on a primarily outsourced basis. A useful way to effectively capture risk exposures (e.g. strategic risk, compliance risk, concentration and systemic risk) is to start from the journey of identifying different incidents that could arise and thinking about how your scheme would recover from those. This is a crucial step towards building a strong and resilient operational framework that will ensure the scheme can continue to operate even when facing disruptions. Preparing for any remote yet plausible event will ensure you are better prepared for any risk event that occurs.
The ORA is a valuable process that can help trustees better understand the risks faced by their scheme and use this information to inform strategic decisions to deliver their long-term strategy. However, juggling the recent additional governance requirements from the General Code alongside business-as-usual scheme work, trustees might find it difficult to leave enough time to perform an effective review process, thus not gaining as much value from it as they might. To ensure trustees can gain value from the ORA, it is important to have the right procedures and tools which contribute to efficient processes and save valuable time. A streamlined process will help prevent duplication of efforts and free up time for Trustees to focus on the strategic aspect of this exercise.
