Risk management in UK occupational pension schemes

In this article we explore how UK occupational pension schemes manage risk, from trustee governance to new reforms in the Pension Schemes Bill aiming to improve value and member outcomes.

The architecture for risk management in UK occupational pension schemes comprises:

• trust-based, where The Pensions Regulator (TPR) has regulatory responsibility; and
• contract-based, where the Financial Conduct Authority is in charge.

There are, no doubt, reasonable contributory factors to this division of responsibility, but we do struggle to see how member outcomes are enhanced by a dual regulatory approach, and we fear the good intentions for the two systems to complement one another may get lost in the weeds of implementation.

Current risk management

On a day-to-day basis, concerning ourselves with trust-based provision only, pension trustees are the central pivotal feature of governance. Increasingly, risk is managed by a slow but sure migration to Professional Trustees (PTs) away from Lay Trustees typically drawn from the workplace associated with the pension scheme. As time has moved on, the connection between today’s workforce and a legacy occupational pension scheme has become more tenuous, with the ability and availability of such a resource becoming constrained. In addition, risk is, in the view of many, best managed by PTs drawn from a professional full-time dedicated staff whose activities are backed up by a professionally monitored process.

Typically, PTs, like Gateley’s PT Entrust Pension Limited (founded 1994), adopt a set of processes and procedures, known as internal controls, which are externally audited:

• for compliance with AAF (which stands for Audit and Assurance Faculty, the specific document being Technical Release 01/20 “Assurance Reports on Internal Controls made available to third parties” published by the ICAEW); and
• in terms of the PTs performance in complying with those controls during the year.

PTs (and other trustees, but clearly PTs are typically best placed to comply) are required by TPR to adopt and maintain:

• an Effective System of Governance (ESOG); and
• undertake their Own Risk Assessments (ORA) into a vast array of risks to which a pension scheme is exposed.

Without wishing to be exhaustive, under an ORA, PTs and other pension trustees are expected to consider some 25 risks under six categories, making the potential multiples of considerations somewhat extensive. 

The ESOG and ORA regimes, in reality, involved some amplification of most pension trustees’ existing processes from their inception towards the end of March 2024. Nevertheless, the requirements for risk management they represent are impressive. Whilst a risk-free environment is to wish for the moon, the regime is thorough and should make for early identification of issues and sensible adjustments to head off a number of problems before they have time to escalate.

Future proofing risk management

Turning again to both trust-based and contract-based pension provision, the future landscape is changing by reference to the Pension Schemes Bill currently (H1 2026) making its way through Parliament. This includes a range of measures to protect member outcomes in Defined Contribution (DC) provision by:

• market fragmentation creating unintended inefficiency; and 
• impairment of Value For Money (VFM).

Market fragmentation due to inefficiency is addressed, very broadly, by way of a £25bn benchmark for scaled up auto-enrolment Master Trusts to ensure efficiency. There is also provision for rationalising the provision of pension from small pension pots, with the threshold set initially at £1,000. In between these two measures, the Pension Schemes Bill is also introducing:

• a VFM framework for DC provision;
• requirements for services which help guide members through the retirement process (known as Guided Retirement); and
• a ‘best interests’ test for contract-based DC pension provision to drive out inefficiencies.