Anyone who has read the recent TPR consultation on the proposed single code of practice cannot fail to notice that it majors heavily on risk management.
Of course, management of risk has always been an activity of vital importance when it comes to managing pensions – as it should be – as pension professionals we are responsible for safeguarding other people’s pension savings. However, this consultation clearly augments requirements in relation to the identification and management of risk.
Having been a Risk Director in FCA and PRA-regulated entities, I can clearly see that the proposals show more than a passing similarity to those other regimes, and perhaps signal a direction of travel, leading towards increased convergence of regulatory principles.
This is something which has been clearly articulated by both the FCA and TPR in the recent Call for Evidence on Pension Customer Journey, which was jointly published by both regulators, and on the part of the TPR, it followed on from the launch of TPR’s Corporate Strategy “which puts savers at the heart of all that TPR does and looks to rebalance its focus evenly across both DB and DC pensions”. This objective is a key driver of the proposals in the new Combined Code.
At first glance, the proposals in the consultation relating to risk management may appear onerous, but the key thing to remember here is proportionality. Whilst the principles remain the same for all schemes, the solutions will differ as there is no one size fits all.
The concept of a three lines of defence model has been introduced by the consultation. A model which is already very well established in FCA and PRA regulated entities. In my experience, this model has been implemented to varying degrees of effectiveness by organisations, and pragmatism means that the work of the first and second lines can sometimes be slightly blurred, but can still work effectively. The same applies to pension schemes. The key thing to get right is the need to have the third line existing completely independently from the scheme and from the other two lines of defence.
So how would it work in practice? Pension schemes vary greatly in their size and complexity and clearly, large Master Trusts and GPPs have substantial provider internal resources on which to draw, especially in respect of first and second line risk management. They are also sufficiently large to have a dedicated role of Chief Risk Officer (CRO) on the board of the pension scheme, either a fully dedicated CRO or one of the independent Trustees takes on responsibility for those CRO activities.
For smaller schemes, there is a need to be more creative in how the model is implemented. In all schemes, the Trustee or Trustee Board is the first-line defence for risk management. However in the same way that day-to-day management of the scheme is outsourced to third-party providers, then it is sensible to consider those same third-party service providers to be part of the first line of defence for the scheme. There will, of course, be a requirement for Trustee(s) to retain oversight on those providers because this is about outsourcing responsibility for risk management, not accountability, which remains with the Trustee(s).
Overseeing and monitoring third-party service providers should be nothing new to the Trustee(s). But the proposals in the consultation implicitly strengthen and formalise this requirement. And again these proposals appear to subtly mirror the FCA and PRA requirements around third-party oversight, which are enshrined in SYSC 8 principles.
The final rules on the consultation are due to be published later this year. In the meantime, at 20-20 Trustees we continue to develop our thinking on the most effective way in which to structure and implement the risk management requirements into our wider governance proposition for our existing schemes and new clients, and in later blogs, we will cover topics such as risk management frameworks, Own Risk Assessments, and the wider ESOG (Effective System of Governance) included in the Combined Code proposals.