RISK MANAGEMENT AS A KEY FUNCTION
Conor Daly
LCP Partner
The European Union (Occupational Pensions) Regulations 2021, enacted in April 2021, puts risk management front and centre in the running of a pension scheme. The legislation transposes the requirements of the IORP II Directive. A key objective of IORP II is that all pension schemes adopt a well-functioning, effective system of risk management. The supervisory framework has also been amended to move to a more forward-looking, risk-based approach from the Pensions Authority.
"The Diretive will affect all aspects of scheme governance for all schemes. However, I think the greatest impact on DB schemes will be in the area of risk assessment and management. For such schemes, we will be expecting to see not only better understanding of risk but a better quantitative analysis of risk."
Brendan Kennedy
Pensions Regulator
All pension schemes will be required to appoint a risk management Key Function Holder (KFH)
The risk management KFH will be responsible for the implementation of the risk management strategy including the provision of timely, accurate and sufficiently detailed information for consideration at regular meetings of the trustees.
Given the complex nature of defined benefit pension schemes, it will be important that the risk management KFH has the appropriate experience and skills. Key Function Holders must also have the resources and authority to enable them to undertake their duties effectively in an objective, fair and independent manner.
The risk management KFH is subject to the full “fit and proper” regime outlined in the governance section. Accordingly, the full details of any appointment to risk management KFH, including a copy of the appointee’s CV and the rationale for the appointment, must be documented. Moreover, where such roles are outsourced, the Authority should be advised in advance of any agreement in respect of such outsourcing entering into force. The new, expanded obligations in relation to whistle blowing legislation will also extend to any appointed risk management KFH and it is important that they understand clearly their responsibilities in this area.
The legislation states that the risk management function should be established and maintained in a manner that is proportionate to the size of the scheme, but note there is no derogation for small schemes. Smaller defined benefit pension schemes are in many cases likely to appoint the existing Scheme Actuary to the role of risk management KFH. Larger and more complex schemes are likely to outsource this role to an independent expert.
Action:
Trustees should take steps now to appoint a risk management key function holder. Ask your LCP contact for more detail including an indication of the work involved for taking on this role.
What does an effective risk management strategy look like?
Risk Management Governance and Policy
Pension schemes, by definition, will take investment and demographic risks. It is not practicable or sensible to seek to eliminate all risks in a pension scheme. However, trustees and the risk management KFH should ensure that the scheme is taking on the correct balance of risks and that all key risks are identified, monitored and managed.
A solid governance structure is essential to an effective risk management system. The Risk Management KFH should be reporting directly to the trustees (or risk committee). Risk Management is also supported by “front line” services (the registered administrator, scheme actuary, investment manager). Finally, the appointment of an internal audit function (see governance section) will provide independent oversight on the overall operation of the system put in place.
A key element of a well-functioning risk management system is an effective risk monitoring and reporting structure. Many pension schemes are already operating a Risk Register which may get updated and formally reviewed no more than once a year. The IORP II legislation clearly expects such arrangements to be supplemented by more regular reporting. The legislation also requires that trustees prepare and document a written Risk Management Policy.
Risk Workshop
LCP recommend that trustees establish a risk workshop where the key risks to the scheme are considered and an effective monitoring and reporting mechanism is agreed. A Risk Management Policy document can then be drafted – this document will be reviewed and updated as the risk management system evolves over time. In many cases the existing structures will require some fine-tuning. In some cases, however, more extensive work will be required to ensure compliance. Note the Risk Register would still form a key element in the overall risk management framework and we would envisage it supplementing the ongoing reporting (see below).
Actions:
Allocate time for a Risk Workshop where the key risks to which the Scheme are exposed are considered in some detail and an effective risk management policy is formulated.
Prepare a written Risk Management Policy document. This document (together with the Risk Register and regular risk reports) is available to the Pensions Authority on request.
Risk Monitoring and Regular Reporting
The initial review would help clarify the appropriate framework for monitoring and reporting risks. The workshop would assist the trustees in identifying the key risks for the Scheme and set out appropriate methods to manage such risks. A key output of these initial steps will be the clarification of key risk indicators that warrant regular reporting. The trustees would also need to have regard to the specific risks outlined as requiring attention under the IORPII legislation.
LCP's proprietary online tool LCP Visualise would be a ready resource for the trustees with many risk management indicators monitored already online for the trustees. LCP would collate the agreed indicators for the trustees on a quarterly basis in a Risk Dashboard for circulation in meeting packs. Key trends would be considered and any deterioration in risk indicators called out for more detailed attention.
The report would be bespoke to the trustees with the ability to amend and fine tune in future quarters in line with feedback and any agreed changes to the items to be reported. In our experience, an analysis of the trends of some key risk metrics can also help identify opportunities (e.g a large gap emerging between required return and expected return could suggest an opportunity to accelerate a de-risking programme).
Action:
Identify and monitor key risk metrics regularly through online tools and written quarterly reports. Integrate such risk reporting and analysis as a standing item in regular Trustee meetings.
Own-risk assessment
IORP II has imposed a requirement for the completion of a comprehensive Own-risk assessment at least once every three years. This assessment will need to include a review of the effectiveness of the risk management system and detailed qualitative and quantitative assessment of risks.
The Own-risk assessment is required to include a description of the methods in place to identify and assess key risks. The Own-risk assessment is also required to include the following:
a description of how Own-risk assessment is integrated into the management process and into the decision-making processes of the scheme
an assessment of the effectiveness of the risk-management system
a description of how the scheme prevents conflicts of interest with the sponsoring undertaking
an assessment of the overall funding needs of the scheme, including a description of the recovery plan where applicable
an assessment of the risks to members and beneficiaries relating to the paying out of their retirement benefits
a qualitative assessment of the mechanisms protecting retirement benefits, including, as applicable, guarantees, covenants or any other type of financial support by the sponsoring undertaking
a qualitative assessment of the operational risks
where environmental, social and governance factors are considered in investment decisions, an assessment of new or emerging risks, including risks related to climate change, use of resources and the environment, social risks and risks related to the depreciation of assets due to regulatory change
The Own-risk assessment must also be made be made available to the Pensions Authority. LCP recommend that the initial Own-risk assessment be prepared once the Risk Management Policy and governance structure has been reviewed and updated.
Keep in touch
