Why trustees should digitise their ESOG and risk management arrangements

1. Lengthy risk registers

From the registers considered, the average number of entries was considerable – over 20 risks, with many examples of risks being poorly articulated. Both observations hinder trustees in effectively managing their risks. This is because it isn’t clear which risks are the most important, due to lack of focus, nor is it clear what the risk is that the scheme is facing. Refining the risks faced and making sure that they are the ‘showstopper’ items helps trustees focus on what is important and better understand how they are or should be managed moving forwards.

2. Inconsistent approaches to risk assessment

Assessing risk can be a subjective exercise, but it’s a key step in effective risk management, allowing trustees to identify priorities and helping inform decision making.

When it comes to methodology, how trustees choose to assess risk is entirely up to them. However, one noticeable consideration absent from our analysis was the use of an ‘inherent’ risk score.

An inherent risk score is where a risk is assessed in terms of impact and likelihood in its uncontrolled state (ie with no controls in place to manage the risk). At its most basic level, this provides trustees with a worst-case scenario view of risk exposure. Then we assess the risk again, this time considering the controls in place. This gives trustees a view of the risk in its ‘managed’ state. The difference between the two scores is a view of the effectiveness of the controls in place. In its simplest terms, it’s expected that if controls are in place to manage a risk, the likelihood of it occurring should reduce.

Our research showed that 61% of the risk population were not assessed from an inherent perspective, as shown in fig.1 below by the ‘unclassified’ area. In contrast, fig.2 shows that all risks were assessed at least residually.

3. Gaps in control and visibility of their effectiveness

A fundamental element of the new General Code will be for trustees to understand how effectively controls operate. We observed many instances where controls had been identified however, there was no indication whether they were having the desired outcome in managing the risks. There are many approaches to capturing and measuring this. For example a simple ‘control effectiveness rating’ or the three lines of defence model, among others. However, the approach adopted must be proportionate to the size of the scheme so that it does not become overburdensome and challenging to maintain. It will be important for the controls to be ‘tested’ or considered from an effectiveness perspective at various intervals, in line with the new General Code. Being pragmatic about this from the outset will be key.

By understanding how controls are performing, trustees’ decision making will be more effective as to where improvements might be required in their ESOG or where their attention should be drawn.

4. Lack of detail surrounding risk improvements

When risks are deemed to be escalating in exposure or controls are identified as ineffective or missing, it’s important that action is taken to overcome the deficiency. A major challenge here for all organisations, not just pension schemes, is to track, monitor and report on the progress and implementation of these actions. To do so effectively, all actions must have an implementation date and an individual accountable for the action.

From our research, it was evident that there was either a lack of scope for actions to be identified within the risk register or there was no reasonable method for tracking their implementation.

5. Static risk reporting

Based upon our research, ‘the risk register’ is typically reported to those charged with governance, often trustee boards or committees. This presents challenges for trustees, as they are then required to run through it line by line, sometimes with a huge amount of information to read, digest and interpret.

The risk register itself should be viewed as a repository of risk information, which informs the risk reporting that trustees receive. Risk reporting should be easy to understand and draw conclusions from, based upon the needs and role of the audience to whom it’s being reported. Visually representing information in real-time, rather than the traditional tabular format is an increasingly popular way to do this, for example through interactive heat maps and dashboards.

Summary

Moving forward, the need for an effective risk management function and the ability to co-ordinate an ‘effective system of governance’ is going to be greater. It will present challenges for trustees when it comes to demonstrating its existence, as well as providing oversight and scrutiny.

This will be more difficult using traditional tools such as Word and Excel documents. A move to digitalising arrangements is necessary to ensure that it can be done efficiently, effectively and with an audit trail of evidence.

Insight4pensions is designed to help trustees and pension schemes overcome the observations above, provide consistency in approach and to ease the administrative burden when it comes to the risk management function and the effective system of governance requirements.

Watch our demonstration video on RSM's Insight4Pensions software platform.

For further information, download our Insight4Pensions 4risk™ guide or contact Karen Tasker and Adam Lickorish.