ESOG and ORA: The new architecture for pension scheme governance

11th August, 2021

    In this series of governance blogs, we’ll look at the requirements for occupational pension schemes to operate an Effective System of Governance (ESOG), the new requirements for an Own Risk Assessment (ORA), and what the Governing Bodies (trustees) of such schemes need to do to evidence compliance.

    We’ll start with the background and architecture. Rather than begin ‘a long, long time ago’, we’ll just go back to January 2019, from when the Governing Body of an occupational pension scheme has been required by law to operate an effective system of governance under SI 2018/1103. However, the Statutory Instrument stated that certain elements would not become fully effective until The Pensions Regulator (TPR) provided more information for Governing Bodies in a code of practice. This information will now be incorporated in TPR’s Supercode, a consultation on which has recently concluded.

    But wait a moment! We’ve been here before and we already have all of this in place, don’t we, in the form of ‘Internal Controls’?

    This is only partly true. The EU Pension Fund Directive IORP I (2003) was transposed into UK law through the Pensions Act (PA) 2004, with supporting regulation provided in TPR’s Code of Practice (CoP) 9, first published in 2006. PA04 and CoP9 required trustees to have internal controls and CoP9 explains that internal controls are systems, arrangements and procedures to be followed in the administration and management of a pension scheme, together with the safe custody and security of the assets.

    However, IORP I, the original PA04 and CoP9 did not specify that the internal controls needed to be effective, nor that they had to include a requirement to assess the effectiveness of the systems, arrangements and procedures.

    So, at this point Governing Bodies will have internal controls in place: a governance framework incorporating an Integrated Risk Management (IRM) structure, assessing Funding, Investment and Covenant, together with the arrangements and procedures to be followed in the administration and management of a pension scheme; e.g. risk register, conflicts of interest register, list of beneficial owners, adviser performance monitoring, etc. I’m sure you know the rest.

    But here’s the thing (well three things actually but I’ve always liked that line):

    • How do you know your internal controls are effective and what evidence do you have to prove it?
    • It’s not just internal controls anymore. The Governing Body must establish and operate an effective system of governance, which includes effective internal controls.
    • The system of governance must be proportionate to the size, nature, scale and complexity of the activities of the occupational pension scheme, with schemes that have 100 members or more needing an ESOG and an ORA and those with fewer than 100 members only needing an ESOG.

    Although TPR has only recently closed the consultation on its Supercode, we have a reasonable insight into what an ESOG requires within SI 2018/1103; and we don’t expect the final Code to be much different from the draft version. In relation to the discharge of the duty imposed by section 249A(1)(5) of the Act (PA04), the Statutory Instrument requires that the CoP must include how an ESOG:

    • provides for sound and prudent management of activities;
    • includes an adequate and transparent organisational structure with a clear allocation and appropriate segregation of responsibilities;
    • includes an effective system for ensuring transmission of information;
    • includes an effective internal control system;
    • ensures continuity and regularity in the performance of its activities, including the development of contingency plans;
    • includes consideration of environmental, social and governance factors related to investment assets in investment decisions; and
    • is subject to regular internal review.

    Additionally and importantly, SI 2018/1103 introduced three key functions to the structure of an effective system of governance: a Risk Management function, the Actuarial function and an Internal Evaluation function. Well, IORP II actually required an Internal Audit, although SI 2018/1103 transposed this into UK legislation as an Internal Evaluation.

    My colleague who helped the DWP transpose the IORP II legislation into UK law has not received a Christmas card from any of the accountancy firms since, but it will undoubtedly reduce the compliance costs for Governing Bodies and sponsors, with due credit to the DWP for facilitating this outcome.

    So, from a macro level, what does it look like? We had the IRM – to which the three key functions have been added.

    In our next blog in this series, we will look at the remaining requirements of SI 2018/1103; the outsourcing activities; remuneration policies; and the ORA.

    • Published by Susan McFarlane

      Susan leads the marketing function for Dalriada Trustees Limited, and our sister company, Spence & Partners.  The marketing team handles all promotional activity for the companies including business development, marketing, events and PR. Susan joined the business in January 2013, having...
