The General Code is here! We are all getting more comfortable with what an Effective System of Governance (ESOG) is. The main questions I am now being asked are: What will an Own Risk Assessment (ORA) look like? Why should one be carried out aside from the regulator telling us to do so? And when should I start?


I see the combined ESOG review and resulting ORA as golden opportunities. It is all about consciously assessing thoughts and behaviours. What are our biggest risks? What adds the most value in helping us to achieve our objectives? What do we identify as our priorities?

The ORA is a fantastic chance to capture a snapshot in time of how your controls work for you, but is it more than that? In my opinion, it is.

Barnett Waddingham has developed a clear ORA structure which is easy to follow, suitable for clients of all sizes, and can be tailored to suit the appropriate levels of detail required. It's a methodology that links your ESOG assessment and actions and your risk register through to your ORA process, and the production of the required snapshot report, which, let's face it, is only a few board meeting cycles away.


  • Met - The policy is operating effectively on the basis that it is meeting the associated success criteria and sufficiently supporting the key ESOG objectives.

  • Met with conditions - The policy is operating effectively on the basis that it is meeting the associated success criteria and sufficiently supporting the key ESOG objectives; however, one or more opportunities for enhancement have been identified. Specific actions have been identified and logged accordingly.

  • Action required - Further action is required to ensure that the policy is operating as effectively as the trustee board has deemed appropriate. This could be due to a change in circumstances; for example, a new statutory requirement, evolving risks, or even a change to the scheme.

  • Priority action required - The board has identified that further, high-priority, action is required to ensure that the policy is operating as effectively as it has deemed appropriate. This could be due to a change in circumstances; for example, a significant new statutory requirement, evolving risks, or a material change to the scheme.

Assessments on specific topics can happen on an ongoing basis, rather than being saved up until the ORA report is due. Our approach relies on good record keeping and clear audit trails linking the ESOG and ORA. These two fundamental aspects appear altogether straightforward but can often be an Achilles heel.

The ORA is part of the ESOG, and the two heavily interlink; as such, it is more of an ongoing, ever-evolving and continuously improving system. The ORA, while demonstrating how you have assessed effectiveness, should also be a mechanism to ensure that areas of improvement are identified, and that recommendations and actions are taken forward.

We have all seen those agendas where the governance section is right at the end of the meeting and has an allocation of 10 minutes, but only if there is sufficient time. Well, those days are long gone, or at least they should be! Good governance, in-depth understanding of how your scheme is run and assessment of risks and controls will drive good decision making.

So, let's banish those things that don't need to happen and that the trustees can control. There are enough unknowns out there without adding to them.  

  • Out of date signatory lists that hold up a fundamental investment strategy change.
  • A burdensome risk register – gathering dust, with no active engagement or horizon scanning.
  • A Chair resigning at short notice – no contingency or succession planning.
  • A gap in training for new trustees.

All sounds very simple to avoid, right? Now is the perfect opportunity to focus.

Objectives, risks, priorities, budgets – all considerations for sure. Doing nothing – not an option!
