ILY. BRB. LOL. Life is full of three-letter acronyms. PPF. TPR. LTA. Pensions is full of them too.
But there’s a new one on the scene. ORA. Own Risk Assessment. Three little (ish) words but what do they mean?
In the next few months, the first schemes will be required to complete their Own Risk Assessment. In the year or so since TPR’s General Code of Practice came into force in March 2024, trustees (supported by their advisers and providers) have been working away on their homework – ensuring that they have in place an effective system of governance (ESOG). For most schemes, this has involved work such as a gap analysis, drafting new policies and reviewing and updating existing policies and risk registers. Now it’s time to mark their work – the own risk assessment.
The Code requires that an ORA must be in writing and that it should consider the effectiveness of the trustees’ policies and procedures and why the trustees consider them to be effective (or not!).
To help with this, take each letter in turn – the O, the R and the A.
Own
No two ORAs will be the same. TPR has quite deliberately not provided a template for an ORA – they should be individual to and “proportionate to the size, nature and complexity” of each scheme.
Some schemes with a complicated governance structure or complex history may have a lengthy ORA. Others may be shorter and not contain as much detail and analysis. They must, however, cover all of the essential items of the ESOG and be worded in a way that makes it clear that they are tailored to the relevant scheme.
Risk
The focus of the ORA (and the Code, more generally) is on risk. Schemes, in carrying out their ORA, must consider how they are “integrating risk assessment mitigation into its management and decision-making processes.”
Policies and procedures should, at the outset, consider what risks they are trying to address and also note the implications of what happens when they are not followed or something goes wrong (as well as any potential mitigations). Key points relating to risk should then be reflected in the ORA.
Assessment
TPR has been clear that the ORA is not a ‘tick-box’ exercise. It is not enough for trustees to say that they have a policy or procedure in place for each item of the ESOG and call it a day.
Trustees must properly “assess” how each of the policies and procedures work and consider whether they are effective. Do they cover what they set out to achieve? Are they effective in mitigating risks and do they provide a process or procedure for trustees to follow if things go wrong? If there is room for improvement, this should be reflected in the ORA.
Evidencing that these questions have been asked and considered will form the basis of the ORA. Trustees should use examples of when a policy was referred to or a procedure followed. Did the policy ‘work’ in the way that it was intended to? Did the process it dictated make sense for the scenario it had to deal with? Whilst trustees would like the answer to these questions to always be “yes”, that may not always be the case. As with any assessment, rarely does anyone achieve perfect marks. In marking this homework, TPR welcomes trustees casting a critical eye over these items and, if something is not working well, the best approach is to note how it fell short and what the trustees have done or will do to rectify and improve upon it.
Similarly, there may be some policies and procedures which did not come into play in the 12 months immediately preceding the scheme’s ORA. In this context, trustees should reflect on what was done instead. For example, were updates made following governance reviews, or was a wargame run to test how the scheme would respond?
It’s also worth thinking ahead and not just looking back. There may be areas where risks have been evolving (for example, cyber security and AI) or where there is now greater focus than there has been in the past (for example, administration). It may make sense to call out these areas as ones to focus on next.
Given that the guidance on what an ORA should physically look like and the form it should take is short and not prescriptive, trustees have scope to approach this task as they see fit. For many, this will be an extension of the documents that trustees have put in place to demonstrate the ESOG. However, trustees must bear in mind that their ORA should be individual to their scheme, proportionate in approach and a critical assessment focused on risk.
SOS? Not when we bear in mind the O, the R and the A.