
Regulator’s General Code sets out new governance standards

LCP News alert

News Alert 2024/01

At a glance

The Pensions Regulator’s new General Code of Practice was laid before Parliament today.  As well as re-expressing 10 of the Regulator’s 16 existing codes of practice into one document, the Code sets out the Regulator’s expectations regarding the governance of occupational pension schemes (both DB and DC). This includes, for the first time, the detail of the effective system of governance (ESOG), the risk management function, the own risk assessment (ORA) and the remuneration policy – all four of which derive from EU law. We examine these four aspects in this News Alert.

Key actions for trustees

Effective system of governance

  • Evaluate the current governance system, identify gaps and weaknesses and implement and document solutions, liaising with the sponsor as necessary

Risk management function

  • Evaluate current risk management approaches and establish a compliant risk management function, liaising with the sponsor as necessary
  • Consider the constitution of the risk management function – would a trustee sub-committee be best, should the function be outsourced, or should some other structure be used?

Own risk assessment

  • Start planning for the first ORA
  • Consider frequency, scope, key personnel, documentary requirements and budgets

Remuneration policy

  • Implement a compliant remuneration policy

The detail

Legislation

In October 2018 the Government laid regulations that started the process of implementing in the UK an important part of “IORP II” – the 2016 EU Pensions Directive.

The Occupational Pension Scheme (Governance) (Amendment) Regulations 2018 (SI 2018/1103) amended the Pensions Act 2004, from 13 January 2019, by introducing a requirement for trustees of occupational pension schemes to “establish and operate an effective system of governance [ESOG] including internal controls”, such a system of governance to be “proportionate to the size, nature, scale and complexity of the activities of the occupational pension scheme”.

The regulations also required the Pensions Regulator to issue a Code of Practice setting out:

  • The detail of the effective system of governance (ESOG)
  • The “key functions” of an occupational pension scheme, being the risk management function, a function “which internally evaluates adequacy and effectiveness of the system of governance” and the actuarial function
  • Outsourcing of activities
  • Written policies for the ESOG and key functions, including their prior approval and review every three years
  • Remuneration policies
  • The detail of the own risk assessment (ORA)

Despite this ESOG duty having been in operation since 13 January 2019, no guidance has been provided to trustees as to how they should go about this and the other duties required under EU law as set out above. This all changes with the publication of the Code.

The Code

On 10 January 2024 the Pensions Regulator announced that the Code had been laid before Parliament and is intended to come into force on 27 March 2024.

The Code is an ambitious project that has been underway at the Regulator for a number of years.  The rationale for it goes way beyond the need to provide guidance on the EU-originated governance requirements.

The legal status of a Code of Practice is that it does not generally have the force of law.  However, a Code is admissible as evidence in any legal proceedings, including legal proceedings involving the Regulator.  It may be best to think of a Code as having a status higher than Regulator guidance but lower than regulations.  In practice one would need good reasons to diverge from Code requirements, but it is not like statute law where compliance is a legal requirement.

Our viewpoint

We expect the Regulator to take a balanced and proportionate approach to compliance. The Regulator will expect most schemes to be doing many of the things that are specified in the Code already, but it will not expect trustees to be fully compliant on 27 March 2024.

However, the Regulator will expect trustees to be working towards compliance and may react if there is a governance failure which adversely affects the security of members’ benefits and it cannot be shown that the trustees were active in putting the new governance standards in place.

1. Effective system of governance (ESOG)

The ESOG requirement applies to all schemes.  The 2018 regulations provide that the Code must specify in relation to the ESOG, how it:

  • Provides for sound and prudent management of activities
  • Includes an adequate and transparent organisational structure with a clear allocation and appropriate segregation of responsibilities
  • Includes an effective system for ensuring transmission of information
  • Includes an effective internal control system
  • Ensures continuity and regularity in the performance of its activities, including the development of contingency plans
  • Includes consideration of environmental, social and governance (ESG) factors related to investment assets in investment decisions
  • Is subject to regular internal review

The Code duly provides that schemes need to have a system of governance and internal controls that:

  • Provide the trustees with oversight of day-to-day operations of the scheme
  • Include any delegated activities for which the trustees remain accountable
  • Provide the governing body with assurances that their scheme is operating correctly and in accordance with the law

This is achieved in the Code across a number of modules.  The Code specifies that an ESOG should include processes and procedures to ensure compliance with 18 specified modules of the Code under the headings below:

  • Management of activities (seven modules)
  • Organisational structure (four modules)
  • Investment matters (six modules)
  • Communications and disclosure (one module)

The ESOG should be subject to regular internal review to assess whether each element is functioning as intended.  How the trustees do this is up to them and it may be done as part of the own risk assessment (see 3. below).  There must be a process for implementing changes to the ESOG resulting from review, and each ESOG element must be reviewed at least every three years.

Our viewpoint

The scope of the Regulator’s requirements and expectations relating to the ESOG as set out in the Code is extremely wide and deep, representing a material step-up in standards.  The extent to which trustees will need to change their existing way of doing things to comply will vary from scheme to scheme.  Some will already be doing most of what is specified while others may have a way to go to come up to scratch.

Even schemes with sophisticated governance structures in place will need to benchmark them against the Code modules specified and make any necessary modifications to their existing system of governance.

2. Risk management function

The Code provides that trustees of schemes with more than 100 members should have in place a risk management function proportionate to the size, nature, scale, and complexity of the activities of the scheme.

This function should be “structured in such a way as to facilitate the functioning of a risk management system for which the governing body should adopt the strategies, processes and reporting procedures necessary to:

  • Identify, evaluate and record risks; and
  • Monitor and manage risks.”

The key risks to which the scheme is exposed should also be regularly reviewed at an individual and aggregated level along with the interdependencies between them.

Risks to be identified

Elsewhere the Code states that trustees “should identify risks, record them, and regularly review and evaluate them.  The evaluation of risks will help [the trustees] determine which risks require internal controls to be put in place to reduce their incidence and impact” before going on to specify the following risks in particular that should be identified:

  • Scheme investments, including asset liability management (if applicable)
  • Risks affecting operational resilience, including where those risks belong to service providers
  • Insurances, compensation funds and other risk mitigation techniques
  • Environmental, social and governance risks (if applicable)
  • Scheme funding and the strength of the employer covenant (if applicable)
  • Fraud
  • Failure to comply with the law and/or scheme rules
  • Poor record-keeping, poor administration, and IT and database failures
  • Cyber security risks
  • Governance and decision-making, or existing controls not operating to the standard required by pensions legislation
  • Actual or potential conflicts of interest

Evaluating risks

The Regulator expects trustees to establish a process for evaluating risks.  This should cover objective setting, documentary requirements and the functions and activities involved in the running of the scheme.

The likelihood and impact of the risks occurring should be evaluated as should the likelihood and impact of separate risks coinciding and the interdependencies between such risks.

Trustees should be prepared to monitor, challenge, and review their risk evaluation process and outputs.

The Regulator expects the risks identified to be recorded in a risk register and to be reviewed regularly.  Key indicators and triggers for action should be defined, and documented steps should be taken to manage or mitigate risks.  Plans with target dates for mitigating or closing risks should be developed and implemented.  Contingency plans should be in place for actions to be taken if risks materialise.  “After action” reviews should be undertaken and lessons learned incorporated into the risk management process.

Written policies

The written policies of the risk management function should only take effect after approval by the trustees and they should be reviewed every three years.

Our viewpoint

The risk management function is another material step-up in expected standards from the Regulator.  Even trustees that already have sophisticated risk management approaches will need to review them against the new expectations.  For example, a process for establishing the risk management function will likely be needed even if there are existing procedures in place and will need to line up with existing internal controls systems.

There will also need to be decisions made about the structure and composition of those tasked with operating the function, how reporting lines will work and links to other related governance structures and processes – for example, the ESOG, ORA, and existing investment or climate governance committees.

3. Own risk assessment (ORA)

The Code provides that trustees of schemes with more than 100 members must carry out and document an own risk assessment (ORA).

The Code states that the ORA is an assessment of how well the ESOG (see 1. above) is working and the way potential risks are being managed.  Failure to complete an ORA may be seen by the Regulator as an indicator of poor governance.

The ORA documentation should cover how the trustees have assessed the effectiveness of each of the policies and procedures covered by the ORA.  It should also cover whether the trustees consider the operation of their policies and procedures to be effective and why.

The ORA should include consideration of the effectiveness of, and risks arising from the specific (and extensive) elements in the Code as set out in the list below:

General

  • How the trustees are integrating risk assessment and mitigation into their management and decision-making processes
  • How the policies relating to the role of the trustees, knowledge and understanding and the governance of knowledge and understanding are operating

Risk management

  • The operation of policies to identify and assess risks facing the scheme
  • The internal control policies and procedures for the scheme

  • Management of potential internal conflicts of interest, and those with participating employers and service providers
  • The prevention of conflicts of interest where the employer and trustees use the same service provider
  • Continuity planning for the scheme and, where applicable, how it has performed

Investment

  • The scheme’s investment governance processes
  • How investment performance is reviewed and monitored
  • How investment risks relating to climate change, the use of resources and the environment are assessed
  • How social risks to the scheme’s investments are assessed
  • How the potential for depreciation of assets arising from regulatory or societal change is assessed
  • How the security of assets and their liquidity when they are required are ensured
  • How the protection of member benefits in the event of the insolvency of a sponsoring or participating employer, or a decision to discontinue the scheme is assessed

Applicable to DB only

  • How the scheme’s funding needs with reference to its recovery plan are assessed
  • How the specific risks relating to the indexation of benefits provided by the scheme are assessed

Administration

  • How the risks associated with the scheme’s administration are assessed, with particular reference to financial transactions, scheme records and receiving contributions
  • Action the trustees take to manage overdue contributions, considering the degree to which they represent material amounts or delays
  • Risks posed by legal and regulatory change and court decisions

Payment of benefits

  • How operational risks are assessed, focusing on the risk to members and beneficiaries relating to record-keeping and payment of benefits
  • The trustees’ management of risks relating to circumstances where accrued pension benefits may be reduced, under which conditions and by whom
  • The trustees’ management of the risk of member benefits being reduced or altered, including on the insolvency of a sponsoring or participating employer or the cessation of the scheme
  • Scams and the risk of members making poor choices

The documentation should be in writing, provided to all members of the trustee board and signed off by the chair.  The date on which the ORA was prepared or revised, the date when this will next happen and details of any interim reviews or updates carried out or planned should be recorded.

The trustees must consider what information about the ORA should be provided to members of the scheme.

Timing

The Code and the Governance Regulations operate together so that a scheme’s first ORA should normally be prepared and documented within twelve months beginning with the last day of the first scheme year that begins after the Regulator has issued the Code.  So, a scheme with a 31 December year end will need to prepare and document its first ORA by 31 December 2026.

Thereafter, each element covered by the ORA should be assessed according to a timetable set by the trustees.  It is not necessary for all of the ORA elements to be assessed at the same time, but the ORA should be completed every three years.

New ORAs should be carried out where elements of the ESOG, or risk management function are new or updated and whenever there is a material change to the ESOG or the risks facing the scheme.

Our viewpoint

As can be seen, even if a light touch approach to carrying out an ORA is adopted it will be a non-trivial task given the scope and importance of matters to be assessed.

Initial activity will likely be focused on developing the ESOG and risk management function, but planning for the first ORA should not be far behind.

The Regulator’s statement that it will regard failure to complete an ORA as an indicator of poor governance means that the ORA requirement ranks not far below a full legal requirement, as the Regulator has quite strong powers to compel, or even replace, trustees whom it regards as not up to scratch.

4. Remuneration policy

The 2018 regulations provide that the Code must cover a remuneration policy that has to be operated by occupational pension schemes with 100 or more members.

All the following is as set out in the Code.

Trustees are required to establish a remuneration policy that sets out the basis and means for remunerating those undertaking activities in relation to the scheme paid for by the trustees.  The policy should support the sound, prudent and effective management of the scheme and be aligned with the scheme’s long-term interests.

The policy should apply to all persons or corporate bodies including service providers who effectively run the scheme, those who carry out key functions or whose activities materially impact the scheme’s risk profile (stated elsewhere to include consideration of the scheme’s membership demographics, funding, asset allocation and sponsor covenant).

The policy should also include measures to mitigate potential conflicts of interest and focus on ‘in-house’ roles, such as trustees, trustee secretary, administrators and sub-committees.  An explanation of the decision-making process for the levels of remuneration, and why these are considered to be appropriate should also be included.

The policy should be in writing, reviewed at least every three years (although the Code states that in most cases it will be appropriate to do so annually or immediately following any significant changes to the scheme’s governance arrangements).

Our viewpoint

The remuneration policy is a distinct element of the EU governance provisions now being implemented.  It should not be especially onerous for trustees to adopt.

Conclusion

In conclusion, we broadly welcome these reforms, which have been a long time coming.  While not underestimating the work that will be involved, our overall view is that, if implemented properly, we will see better run, nimbler trustee boards more able to handle the challenges that they may encounter in future.

This News Alert does not constitute advice, nor should it be taken as an authoritative statement of the law. If you would like any assistance or further information on the issues raised, please contact the partner who normally advises you at LCP via telephone on +44 (0)20 7439 2266 or by email to enquiries@lcp.uk.com.
