Own Risk Assessment: A Governance Priority for DB and DC Schemes

The Own Risk Assessment (ORA) has moved from theory to reality, becoming a cornerstone of the Pensions Regulator’s (TPR) General Code of Practice, which took effect on 28 March 2024. This requirement applies to occupational pension schemes with 100 or more members, spanning both Defined Benefit (DB) and Defined Contribution (DC) arrangements. Its purpose is clear: to ensure schemes not only have an Effective System of Governance (ESOG) on paper but also put it to the test, regularly and rigorously.
Unpacking the ORA: More Than a Tick Box Exercise
The ORA asks a simple but powerful question: is your scheme’s ESOG working as intended? This involves examining whether risks are being identified, monitored, and managed effectively, and whether the scheme is resilient to both current and emerging challenges.
For DB schemes, the ORA provides a structured way to scrutinise funding strategies, covenant strength, and investment oversight. For DC schemes, the spotlight falls on provider management, member communications, and decumulation options. In both cases, the ORA is more than a compliance exercise; it is an opportunity to strengthen governance and demonstrate accountability to members and regulators.
Who Must Complete an ORA and When?
The obligation applies to all occupational schemes with 100 or more members. The first schemes to complete an ORA will be required to do so within 12 months of the end of the first scheme year beginning after 28 March 2024. To illustrate, a scheme with a year running from 1 July to 30 June will need to complete its first ORA by 30 June 2026. Thereafter, the ORA must be revisited at least every three years, with interim updates required if there is a material change to the ESOG or the scheme’s risk profile. This rolling timetable ensures governance remains a living process rather than a static document.
What Should the ORA Cover?
The ORA is not a 'one-size-fits-all' assessment and should be proportionate to the size, nature, and complexity of any relevant scheme. Notwithstanding proportionality, the ORA must address the effectiveness of governance and risk management across several key areas:
Emerging risks, such as cyber security, climate change, and regulatory developments, should also be part of the assessment as best practice.
Delivering the ORA
TPR expects the ORA to be documented in writing, signed by the Chair, and shared with all trustee board members. There is no requirement to submit it to TPR or publish it to members, although sharing key findings can build confidence and transparency. The ORA should record the date of preparation, the next review date, and any interim updates. Where functions are outsourced, assurance reports from providers can be incorporated to avoid duplication. The emphasis should remain on assessing effectiveness and identifying improvements, rather than producing unnecessary paperwork.
From Obligation to Opportunity
The ORA is not simply another regulatory hoop to jump through. Done well, it is a strategic tool that can help schemes strengthen governance, sharpen risk management, and deliver better outcomes for members. By embedding the ORA into the governance cycle and adopting a proportionate, evidence-based approach, trustees can turn compliance into a genuine advantage, ensuring that both DB and DC schemes remain resilient in an ever-changing landscape.
If you are aware that your scheme is due to produce an ORA, or you are not sure whether your scheme needs one or what you need to do to prepare, do not hesitate to contact Susannah Young or your usual Burges Salmon contact for information and advice.
Written by Fahmida Rahman, Ben Jonsmyth and Susannah Young.