ESoG: outsourcing activities, remuneration policies, proportionality and the ORA
25th August, 2021
Continuing on from Aimee’s first blog on this subject, we know that SI 2018 / 1103 amended provisions under the Pensions Act 2004 thereby mandating the establishment and operation of an ‘effective system of governance (ESoG) including internal controls’ in January 2019. It also required The Pensions Regulator (TPR) to provide a Code of Practice (CoP) to detail the processes, procedures and documents that pension schemes should have in order to be compliant with the new duties.
However, rather than update CoP No.9, TPR intends to include the requirements in its ‘Super Code’, the final version of which is expected to come into force in spring 2022. Importantly, the Super Code contains significant additional requirements, which pension schemes should start planning for now.
In addition to the requirements covered in Aimee’s blog, the Statutory Instrument is very helpful in stating that TPR’s Code must also include:
- Outsourcing of activities;
- Written policies in relation to the three key functions and outsourcing activities;
- The prior approval of the written policies by the Governing Body (Trustees);
- Remuneration policies; and
- The carrying out and documentation of an Own Risk Assessment (ORA) for schemes with 100 members or more.
For its outsourcing activities, the Governing Body will need to assess what should be outsourced, why and by whom, e.g. scheme administration. The Governing Body will then need to document its procurement process, selection, appointment, management and contingency plans for its outsourced service suppliers.
And don’t forget, the Governing Body needs to evidence an ESoG.
To demonstrate that its system of governance is effective, the Governing Body will also need to document an assessment and evaluation of its outsourced service suppliers, and the frequency of these assessments. Provider contracts will need to be up to date and the Governing Body will need to be assured on the effectiveness of certain specific aspects, such as data protection, cyber security, business continuity and disaster recovery.
Written policies, key functions and conflicts of interest
The above actions will then help with the next requirement: to have written policies in relation to the three ‘key functions’ and outsourcing activities. As a reminder, the three ‘key functions’ are the Actuarial, Risk Management and Internal Evaluation functions. Here, the first main question is not what the written policies need to include but who can actually undertake the three ‘key functions’.
The Statutory Instrument requires that the ORA includes: ‘How the Governing Body prevents conflicts of interest with the employer, where the occupational pension scheme outsources key functions to the same person as the employer or to any person employed by the employer’.
Importantly, this requirement is to prevent, not manage, conflicts of interest with the employer. This, therefore, loops back to the outsourcing of activities and the written policies. For example, accepting that the main way to prevent any conflict would be to abstain from involvement in the key functions, any in-house Scheme Secretary and/or Pensions Manager, who are ‘employed by the employer’, would need to recuse themselves from any involvement in the three key functions.
Having then determined who will be undertaking the three key functions, the Governing Body will have started to shape its written policies in relation to the key functions and outsourcing activities.
Once complete, the Governing Body will then need to document its prior approval of the written policies and review them at least every three years.
The Governing Body’s written remuneration policy should cover anyone who is involved in running the scheme, carries out key functions or whose activities materially impact the scheme’s risk profile. The contents of the remuneration policy should include an explanation of how the remuneration was determined and why it is appropriate. Cost and value comparisons will, therefore, be important, to evidence the effectiveness of the system of governance.
The Statutory Instrument has updated the Pensions Act 2004 requirements such that ‘The system of governance must be proportionate to the size, nature, scale and complexity of the activities of the occupational pension scheme’. The members of the Governing Body will then need to use their own judgment as to what is a reasonable and proportionate method of ensuring compliance for their scheme.
The question of proportionality is subjective and, in many cases, will be a challenge, as most lay trustees only serve on the Governing Body of one scheme and so have no other experience to compare against. In these circumstances, lay trustees will be particularly reliant on their advisers which, as this is a risk management activity, loops back to the outsourcing of activities and the written policies. Here, professional trustees can be particularly helpful with appropriate impartiality, in order to ensure that the system of governance is effective.
Own Risk Assessment (ORA)
This is not the Risk Register. This is an assessment of the effectiveness of the system of governance, incorporating how the results of the assessment are then integrated into the management of the scheme and decision-making processes. It is a progressive activity documenting milestones of continued governance improvement, rather than a certificate determining adequacy at a single point in time.
The timing of the ORA, as proposed by TPR in its Super Code consultation, is for the first assessment to be completed within 12 months of the Super Code being published and annually thereafter.
However, before we get to our first ORA (which we will cover later in this series), the key question is, where do you start? In fact, that’s the easiest question, which we will cover in our next blog.