- Set up a process to identify, evaluate and manage risks on an ongoing basis.
- Establish and operate adequate internal controls that enable you to manage risks that relate to your defined benefit (DB) scheme.
You must set up and operate adequate internal controls that enable you to manage your scheme according to the scheme rules and the law. Internal controls are arrangements and procedures for:
- scheme administration and management
- monitoring that administration and management
- safe custody and security of scheme assets.
Risk management process
You should set up a process that enables you to identify, evaluate and manage risks, and to monitor risk management controls.
You must identify the risks that are critical to the scheme and which are likely to have a significant impact on the scheme’s ability to provide member benefits if they are not managed effectively.
You should use sources of information such as audit reports, service contracts, complaints and administration reports to help identify areas of governance which may be exposed to unnecessary levels of risk.
Areas of risk that are likely to have a significant impact on your DB scheme include:
- existing controls not operating effectively
- strength of the employer covenant
- investment strategy
- corporate changes and transactions relevant to the scheme
- legal requirements
- operational procedures and technical systems
- scheme management (including costs) and delegated responsibilities.
You should record risks you identify in a risk register.
You should develop a process for evaluating risks. This should consider the impact and likelihood of a risk occurring.
Your evaluation process should enable you to direct resources to priority areas, starting with risks that have a high impact and a high likelihood of occurring. Areas of risk that you may need to prioritise include:
- lack of trustee knowledge and understanding
- deterioration of the employer covenant
- poor investment governance
- poor record-keeping
- conflicts of interest
- ineffective relations with advisers.
Assess which risks your scheme can absorb without the need to take further action, and which risks you need to manage.
You must have adequate internal controls that are suitably designed and implemented to enable you to take appropriate action.
You should consider certain issues including:
- how the control is performed and the skills of the person performing the control
- the level of reliance on information technology solutions
- whether the control will stop something happening or detect something that has already happened
- the frequency and timeliness of a control process
- the process for reporting errors or control failures.
Monitoring risk management controls
You must continually review exposure to new and emerging risks. This includes significant changes to or affecting the scheme.
You should review your risk register at least annually and evaluate risk assessment arrangements, procedures and systems to ensure that they are still fit for purpose, taking account of any significant changes.
Trustee toolkit online learning
The ‘Running a scheme’ module contains a tutorial on ‘Risk management and internal controls’. You must log in or sign up to use the Trustee toolkit.