Why trustees should digitise their ESOG and risk management arrangements

19 June 2023

The new ‘General Code’ from The Pensions Regulator (TPR) emphasises trustees of pension schemes having a ‘risk management function’, alongside an effective system of governance (ESOG). These two elements are likely to have increasing levels of overlap, given the focus on control effectiveness, so it’s important that this is recognised and managed with a joined-up approach.

The new General Code will be a step change for pension schemes. To assess where schemes are on their risk management journey and what challenges lie ahead, we have considered some current procedures adopted by trustees assessing over 30 risk registers in 2022 and their suitability against the new code’s requirements.

Our findings showed that many pension schemes are still using Excel spreadsheets to manage their risk management framework. This approach presents several challenges under the new code, not least being able to map the ESOG into the risk register efficiently and effectively report the findings to the trustee board.

Below, we identify five common pitfalls for trustees and pension managers to consider in line with their own risk management framework. We also explain why Insight4Pensions is the perfect digital solution to overcome these.

  • The pitfalls
  • Pension scheme case study
  • Insight4GRC key benefits

The pitfalls

1. Lengthy risk registers

From the registers considered, the average number of entries was considerable – over 20 risks, with many examples of risks being poorly articulated. Both observations hinder trustees in effectively managing their risks: with so many entries, it isn’t clear which risks are the most important, and with poor articulation, it isn’t clear what risk the scheme is actually facing. Refining the risks faced and making sure that they are the ‘showstopper’ items helps trustees focus on what is important and better understand how those risks are, or should be, managed moving forwards.

2. Inconsistent approaches to risk assessment

Assessing risk can be a subjective exercise, but it’s a key step in effective risk management, allowing trustees to identify priorities and helping inform decision making.

When it comes to methodology, how trustees choose to assess risk is entirely up to them. However, one noticeable omission in the registers we analysed was the use of an ‘inherent’ risk score.

An inherent risk score is where a risk is assessed in terms of impact and likelihood in its uncontrolled state (i.e. with no controls in place to manage the risk). At its most basic level, this provides trustees with a worst-case view of risk exposure. The risk is then assessed again, this time taking into account the controls in place, which gives trustees a view of the risk in its ‘managed’ (residual) state. The difference between the two scores is a measure of the effectiveness of the controls in place: in its simplest terms, if controls are in place to manage a risk, the likelihood of it occurring should reduce.

Our research showed that 61% of the risk population were not assessed from an inherent perspective, as shown in fig.1 below by the ‘unclassified’ area. In contrast, fig.2 shows that all risks were assessed at least residually.


3. Gaps in control and visibility of their effectiveness

A fundamental element of the new General Code will be for trustees to understand how effectively controls operate. We observed many instances where controls had been identified; however, there was no indication of whether they were having the desired outcome in managing the risks. There are many approaches to capturing and measuring this, for example a simple ‘control effectiveness rating’ or the three lines of defence model, among others. However, the approach adopted must be proportionate to the size of the scheme so that it does not become overburdensome and challenging to maintain. It will be important for the controls to be ‘tested’, or at least considered from an effectiveness perspective, at regular intervals, in line with the new General Code. Being pragmatic about this from the outset will be key.

By understanding how controls are performing, trustees’ decision making will be more effective as to where improvements might be required in their ESOG or where their attention should be drawn.

4. Lack of detail surrounding risk improvements

When risks are deemed to be escalating in exposure or controls are identified as ineffective or missing, it’s important that action is taken to overcome the deficiency. A major challenge here for all organisations, not just pension schemes, is to track, monitor and report on the progress and implementation of these actions. To do so effectively, all actions must have an implementation date and an individual accountable for the action.

From our research, it was evident that there was either a lack of scope for actions to be identified within the risk register or there was no reasonable method for tracking their implementation.
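As an added illustration of the inherent-versus-residual scoring described under pitfall 2 and the owner-and-date rule for actions under pitfall 4 (example code written for this page, not code from the article or from RSM's product), the following Python sketch models a small risk register with constructed sample entries; the 1-5 scoring scale, the field names and the sample risks are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Action:
    description: str
    owner: Optional[str] = None      # accountable individual
    due: Optional[date] = None       # implementation date

@dataclass
class Risk:
    # Scores are impact x likelihood on an assumed 1-5 scale
    title: str
    residual_impact: int                       # assessed with controls in place
    residual_likelihood: int
    inherent_impact: Optional[int] = None      # assessed with no controls in place
    inherent_likelihood: Optional[int] = None
    actions: list = field(default_factory=list)

    def inherent_score(self) -> Optional[int]:
        # None means never assessed inherently: the 'unclassified' case
        if self.inherent_impact is None or self.inherent_likelihood is None:
            return None
        return self.inherent_impact * self.inherent_likelihood
    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood
    def control_effectiveness(self) -> Optional[int]:
        # Gap between uncontrolled and managed state; <= 0 means controls are not reducing exposure
        inh = self.inherent_score()
        return None if inh is None else inh - self.residual_score()

def unclassified_share(register: list) -> float:
    # Fraction of risks with no inherent assessment (cf. the 61% finding above)
    return round(sum(r.inherent_score() is None for r in register) / len(register), 2)

def incomplete_actions(register: list) -> list:
    # Actions that cannot be tracked because the owner or implementation date is missing
    return [(r.title, a.description) for r in register for a in r.actions
            if a.owner is None or a.due is None]

# Constructed sample register, not real scheme data
REGISTER = [
    Risk("Sponsor covenant weakens", 4, 2, inherent_impact=4, inherent_likelihood=5,
         actions=[Action("Annual covenant review", "Scheme secretary", date(2023, 12, 31))]),
    Risk("Member data breach", 5, 2, inherent_impact=5, inherent_likelihood=4,
         actions=[Action("Test administrator incident response plan")]),  # no owner or date
    Risk("Investment underperformance", 3, 3),  # never assessed inherently: unclassified
]
```

Running `unclassified_share` and `incomplete_actions` over a real register gives the two checks the research above found missing: which risks have no worst-case baseline, and which actions cannot be tracked.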

5. Static risk reporting

Based upon our research, ‘the risk register’ is typically reported to those charged with governance, often trustee boards or committees. This presents challenges for trustees, as they are then required to run through it line by line, sometimes with a huge amount of information to read, digest and interpret.

The risk register itself should be viewed as a repository of risk information, which informs the risk reporting that trustees receive. Risk reporting should be easy to understand and draw conclusions from, based upon the needs and role of the audience to whom it’s being reported. Visually representing information in real time, rather than in the traditional tabular format, is an increasingly popular way to do this, for example through interactive heat maps and dashboards.


Moving forward, the need for an effective risk management function and the ability to co-ordinate an ‘effective system of governance’ is going to be greater. It will present challenges for trustees when it comes to demonstrating its existence, as well as providing oversight and scrutiny.

This will be more difficult using traditional tools such as Word and Excel documents. A move to digitalising arrangements is necessary to ensure that it can be done efficiently, effectively and with an audit trail of evidence.

Insight4Pensions is designed to help trustees and pension schemes overcome the observations above, provide consistency in approach and ease the administrative burden when it comes to the risk management function and the effective system of governance requirements.

Watch our demonstration video on RSM's Insight4Pensions software platform.

For further information, download our Insight4Pensions 4risk™ guide or contact Karen Tasker and Adam Lickorish.

Pension scheme case study


The pension scheme had originally adopted the corporate risk management approach that its employer was utilising. It was designed for large capital projects and required extensive completion and information, much of which was not relevant nor required.


  • The corporate approach was too complicated and overburdensome, causing disengagement as it was not fit for purpose.
  • There was a lack of clarity on what the actual risks were and how these were managed.
  • The monitoring and reporting process was time and resource intensive.
  • There was no straightforward methodology for prioritising and assessing risk in a meaningful way.
  • There was limited visibility into how effectively the control environment operated.

Our solution

In the first instance, we undertook a risk socialisation session with the pension scheme trustees. This was a short one-hour virtual session to set the scene for risk management, where we discussed the core principles and objectives of effective risk management and an outline of next steps.

Following this socialisation session, we sent a short survey to trustees to get their views on the risk landscape facing the pension scheme.

This survey explored risk from a short, medium and long-term perspective, including emerging risks and opportunities. The results were then analysed, with a set of key risk themes identified as an initial output. These themes were used to drive risk discussions at the next trustee meeting, where we facilitated a discussion to expand upon, agree and assess in terms of the impact and likelihood of the risks. This ensured a working draft risk register was in place.

Following on from this, we worked with the pensions manager to map the control environment to the risks agreed by the trustees. We also obtained a view from a first-line management perspective of how effectively those controls performed. At this point, actions were identified to close any gaps or address deficiencies, with action owners and implementation timeframes agreed. This was to manage risk exposure to a level trustees were comfortable with.

The pension manager, with the support of the trustees, chose to license 4risk (part of RSM’s Insight4GRC suite) to assist with the capturing, monitoring and reporting of risk management information. These outputs were presented to the audit and risk committee and were well received because the reporting was simple and easy to read and understand.


  • Improved trustee awareness and understanding of the risks being faced and how they are managed.
  • Greater clarity and visibility of the risk register and those risks of greatest concern.
  • Much improved line of sight over control effectiveness and where improvements were required.
  • More efficient risk administration, monitoring and reporting – in real time.

Insight4GRC key benefits

Insight 4risk™ is a digital solution for pension schemes to manage their Effective System of Governance (‘ESOG’) and Own Risk Assessment (‘ORA’).

With the new ‘General Code’ expected later this year, there is a requirement for trustees to have a risk management function and an effective system of governance in place.

The 4risk™ for Pensions software suite is the perfect digital solution, as it provides trustees, pension managers and those charged with governance with:

  • better insight;
  • enhanced real-time reporting;
  • improved security and historic audit trail; and
  • more opportunity for collaboration.

To help ease the growing pressures that pension managers are facing, 4risk™ also reduces the administration burden, with its ability to effectively automate key processes and manage and report on risks, controls and assurance in a cost-effective way.

For further information, please contact Karen Tasker or Adam Lickorish, or download our Insight4Pensions guide.