Most pension scheme trustees look after scheme assets worth millions (and sometimes billions) of pounds. They are also responsible for paying benefits to individuals, often thousands of them. It is not a responsibility to be taken lightly. Trustee decisions have a direct impact on people’s lives.

The big responsibility alone might not be too daunting, but unfortunately:

  • the pension scheme world is extremely complicated; and
  • pension schemes can be affected by matters outside the control of the trustees.  

If something can potentially go wrong, whether due to error, malicious behaviour or just bad luck, it is a risk to the scheme. Such risks are of great concern to The Pensions Regulator as they could result in benefits from a scheme being compromised or even a call being made on the Pension Protection Fund.

To help protect schemes against potential risks, the law requires that “the trustees or managers of an occupational pension scheme must establish and operate internal controls which are adequate for the purpose of securing that the scheme is administered and managed:

  1. in accordance with the scheme rules, and 
  2. in accordance with the requirements of the law”.

Internal controls are not precisely defined but The Pensions Regulator has taken the view that they are “procedures and arrangements relating to the administration and management of the scheme, the monitoring of those items and the safe custody and security of the scheme assets”.

Our view is that all schemes should have a risk register. It is essential that this is kept up to date: the effectiveness of any controls must be monitored and new risks must be added as they arise. It may also be necessary to overhaul the risk register from time to time.

Each risk needs an “owner” who is responsible for its control and/or monitoring. For larger schemes, sub-committees may feed their risks into an overall board risk register. 

The following are examples of the policies and documents, in addition to the risk register, that schemes might have in place to assist with risk management:

  • A conflicts of interest policy and register covering trustee and adviser conflicts
  • A log of specific conflicts which have occurred
  • An integrated risk management policy and monitoring approach which looks at the interrelationships between funding, covenant and investments and related triggers for action
  • Various governance policies, e.g. cyber security and data protection
  • Various administration policies, e.g. member complaints handling and death benefit discretions

This list is by no means exhaustive.

Trustees need to understand what makes up their risk management framework, and ensure that it gets enough time on meeting agendas. Each scheme policy needs to be reviewed on a regular basis. Having policies and registers in place is essential but agreeing them must be much more than a box-ticking exercise. The value of such documents and processes lies in the thought behind them and the challenges they provide. They must be best practice for the scheme.