TPR’s final code of practice is published: is your scheme prepared?

Insight shared by: Gateley Legal

The Pensions Regulator (TPR) has published its much anticipated new general code of practice which combines and updates 10 of its 15 existing codes of practice (the others will follow) and sets out its expectations on governance, administration, investment and risk management. The new code is expected to come into force on 27 March 2024. TPR’s final consultation response can be accessed here.


“Our new general code is an opportunity for governing bodies to make sure their schemes meet the standards of governance we expect, and savers deserve. It means there is no excuse for failing to know what TPR expects of them.” [Source: TPR]

What does the new code do?

Not only does the new code update existing requirements and TPR expectations, it also introduces completely new content, particularly around the three significant ‘new’ governance concepts that were introduced by the Occupational Pension Schemes (Governance) (Amendment) Regulations 2018: (1) the effective system of governance (ESOG); and, for schemes with 100 or more members, requirements to (2) complete an own risk assessment (ORA) and (3) have a risk management function.

How is it different to the current codes?

The presentation and style of the new code is different with 51 much shorter and ‘focused’ modules but many of the standards remain the same. Being able to locate TPR’s expectations should be more straightforward which in turn should make it easier for governing bodies (the new term in the code for trustees and managers) to determine whether they meet them. In many ways it is a guide for trustees as to how their scheme should be run.

What changes have been made to the draft version?

The final version of the code is not substantially different from the March 2021 draft. However, TPR has listened to respondents and introduced various changes, including welcome clarity on the remuneration and fee policy (a new requirement for schemes with 100/+ members) and on the risk management aspects of the code, and an easing of the ORA timing requirements, which should go some way to easing the burden of this process.

What does it cover?

The new code is split into five main areas covering the governing body, funding and investment, administration, communications and disclosure and reporting to TPR.

Which schemes does it apply to?

The new code applies to occupational defined benefit (DB) and defined contribution (DC) schemes, as well as personal and public service pension schemes. However, the provisions sometimes differ depending on scheme type.


TPR says the ESOG “is predominately a rebadging of things that the governing bodies of well-run schemes should be doing already. For other schemes, it may highlight aspects of governance that they do not currently meet …”. [Source: TPR final response to new code]


Which schemes need an ESOG?

All occupational pension schemes (subject to limited exceptions).

What is a system of governance?

A system of governance covers all parts of a scheme’s operation. All schemes should have systems of governance and internal controls that provide effective operational control of the scheme, include delegated activities and provide comfort that the scheme is being run properly and in line with the law.

What does TPR say is an ESOG?

An ESOG must have documented processes and procedures (and documented review policies) that, as a minimum, comply with 18 modules in the new code (covering management of activities, organisational structure, investments and member communications) and 8 internal control modules.

Existing policies and procedures can form part of the ESOG.

TPR’s expectations are ‘broadly the same’ for all schemes but ‘the standard required to meet’ them will often vary according to scheme type and size.


It should be proportionate to the scheme’s size, scale, nature and complexity.

The role of internal controls

The Regulator believes that internal controls are perhaps the “single most important aspect of establishing” an ESOG. They cover the administration and management of a scheme and how a scheme ensures the safe custody and security of its assets and should operate to give the governing body comfort that the scheme is meeting legal and scheme rule requirements. They are central to both an ESOG and risk management (see below). They will typically cover matters such as governance, investment, funding, employer covenant, regulatory and legal compliance, and administration.

Review requirements

ESOG

  • Regular internal review required – review the ESOG and the policies for reviewing the ESOG at least every three years (not every element has to be considered at the same time).
  • Can be in line with ORA.
  • Can be internal or external review.

Internal controls

  • Regularly consider performance as part of maintenance.
  • Review in line with ORA requirements and when a substantial change occurs or a control is not working to the legislative standard.

Risk management

Internal controls

A key part of having effective internal controls is identifying and assessing risks. All schemes need to have adequate internal controls.

Risk register

All schemes should capture key risks in a risk register that is reviewed regularly.

Risk management function (100/+ members – other schemes can do as good practice)

Schemes with 100 members or more must have a risk management function which is proportionate to the scheme’s circumstances, with written policies regarding its operation which are approved by the governing body. It sits separately from the ORA.

Exactly how this function will be carried out has not been prescribed. However, its primary aim is to assist with the effective operation of the scheme’s risk management system. It must regularly review key risks and report to the governing body about the risks.

Various people/entities could carry out this function, for example, a key service provider or a sub-committee of the trustees.

Review requirements

  • Risks should be reviewed regularly.

Risk management function

  • The risk management function policies must be reviewed at least triennially.

The ORA is also relevant to risk management – see below for details.

THE ORA (100/+ members – other schemes can do as good practice)

TPR “… may consider failure to complete an ORA as an indicator of poor governance.” [Source: TPR]

What is it?

This is the most noteworthy requirement of the new code. TPR’s initial comment that the ORA will be “a significant piece of work” has since been clarified as a reference to poorly governed schemes – TPR’s final consultation response refers to the ORA being “a more straightforward project for any well-run scheme.”

The ORA is a documented assessment of how well the ESOG is operating and how risks are being managed. It identifies what the key governance risks are and how well these are being managed – it is then an opportunity to assess whether changes need to be made.

It should cover: (1) how the governing body has assessed the effectiveness of each policy and procedure covered; (2) whether the policies are working effectively; and (3) why.

Helpfully, the final version of the code confirms that other documents that a scheme already has as regards relevant risk assessment processes can form part of the ORA where these tie in with the timings for the ORA. Seeing what assessments are already carried out and how these comply with the ORA requirements is a sensible first step in the process.

The ORA no longer needs to be provided on request as was suggested in the draft code, but schemes need to decide what they should tell members about their conclusions.

What is covered?

Twenty-two policies are covered relating to: risk assessment and mitigation; governing body and knowledge and understanding; risk management; investment; administration; and payment of benefits.


The ORA should be proportionate to the scheme’s size, nature and complexity.

Timing

TPR has relaxed the timings of the ORA.

First ORA

  • To be completed within 12 months of the end of the first scheme year after the new code comes into effect (with the potential to extend this to the completion date of the next valuation or the next chair’s statement if this is later).

Subsequent ORAs

  • At least every three years. ORA also needed when: (1) ESOG elements or risk management processes are new or updated; and (2) ESOG or risks materially change.

Not all parts of the ORA need to be assessed at the same time – as long as the ORA is finished at least triennially.

Other key takeaways

Templates

TPR has confirmed that it has decided against producing templates for things such as the ESOG, risk management function or ORA due to the difficulties around scheme variations and the potential for this to lead to a box-ticking mentality.

Remuneration and fee policy (100/+ members – other schemes can do as good practice)

TPR has modified its expectations for this new requirement. It has clarified that the written policy only needs to cover those costs that the governing body pays for and that it does not need to set out remuneration levels or be published.

The policy should set out the “basis and means for paying those undertaking activities in relation to the scheme” and should include principles for setting remuneration, details of the decision-making process and provide enough detail to assist the governing body in determining if “they are getting value for money”.

At least triennial reviews are required (albeit, annual ones will be appropriate in most cases and immediate reviews are required where there are material governance changes).

Meetings and decision-making

Although TPR has replaced the reference to trustees meeting quarterly with a reference to spending an appropriate amount of time running the scheme, it still believes this should be quarterly for most schemes.

Unregulated investments

The wording in the draft code that no more than a fifth of a scheme’s investments should be in unregulated markets has been changed to 100/+ member schemes investing “mainly in regulated markets”, given the potentially adverse impact the original wording could have had on certain well governed schemes.

Investment monitoring

The new code now talks of regular investment reviews rather than prescribing quarterly ones but still refers to monitoring information being prepared quarterly.

Reviews of advisers and service providers

Adviser and service provider policies will need to be reviewed triennially rather than every two years as previously proposed.

Trustee indemnity insurance

Although professional trustees on TPR’s trustee panel must hold indemnity insurance, the expectation that all professional trustees should have this has been deleted.

Publishing information

Trustees should consider publishing the scheme accounts, their conflicts of interest policy/register, the internal dispute resolution procedure and “information about their activity”.

The latter has been changed from a reference to publishing documents such as trustee minutes due to confidentiality concerns from respondents.

Knowledge and understanding

The expectations around professional trustee accreditation have been strengthened with reference to such trustees being able to evidence progress towards or compliance with accreditation.

Diversity and inclusion

Certain parts of the new code now reference diversity and inclusion although there is not a separate module on this.

So, what are the key compliance steps?

Step 1: Knowledge and understanding

Governing bodies should familiarise themselves with the new code and what it means for their scheme.

Step 2: Audit and gap analysis

Audit current arrangements, policies and procedures to see if they comply with relevant requirements and, where not, determine what action is needed.

Check any previous work done on audit and gap analysis to see if it needs adjusting for any changes in the final iteration of the code.

A useful starting point will be checking that the scheme has an ESOG which will include:

  • making sure there are documented policies and procedures for each ESOG element;
  • checking that the systems for running the scheme including time spent meeting and on trustee duties are effective;
  • evaluating whether the governing body has sufficient knowledge, understanding and skills and relevant records of training and development;
  • analysing the systems in place for investments including governance, how decisions are made, monitoring, stewardship and ESG; and
  • considering the internal controls of the scheme and risk management (see also Step 3).

Step 3: Risk management

Consider how risk management is presently carried out and whether improvements need to be made. If required, decide who will carry out the risk management function and how this will be undertaken.

Step 4: Implementation

Update the scheme’s governance policies and procedures etc. For example, many 100/+ member schemes may not have a remuneration and fee policy. Note the general emphasis in the code on having documented governance systems, which may mean new and/or updated documents need to be produced on the scheme’s arrangements, in addition to those produced for the core ESOG matters.

Step 5: The ORA

Prepare for the first ORA if required (or if one is to be adopted as good practice). The first ORA deadline will come around pretty quickly and is likely to be a substantial piece of work, so trustees need to make sure that they build in sufficient preparation and implementation time.

Step 6: Review

Undertake regular reviews of the ESOG, the ORA, and other relevant matters, noting timescales and new developments.

Although a lot of the new code reflects existing requirements and good practice, there is still a significant amount which trustees will need to get to grips with. Many schemes will already have systems in place which meet some but most likely not all the new requirements. Others may find compliance more difficult, for example, smaller schemes with resourcing constraints – such schemes will likely need to think carefully about how to comply in a proportionate way.

Whatever stage you are at, please do contact the pensions team at Gateley if you would like further assistance and we can discuss how Gateley can help you comply with the new code.

We are currently in the process of updating our essential guide to the new code to reflect the final version.
