Industry experts have highlighted the regulator's General Code of Practice as an "important step-up" in scheme governance, although some have raised concerns around schemes' ability to meet the new requirements ahead of the March implementation date.

The Pensions Regulator (TPR) published the final General Code of Practice today (10 January), challenging pension scheme governing bodies to ensure that their schemes are fit for the 21st century.

Industry organisations have since welcomed the long-awaited code, with Hymans Robertson head of governance consulting, Laura Andrikopoulos, said that the code heralds an “important step-up” in the governance of occupational pension schemes, particularly defined benefit (DB) schemes, which have not been subject to the same regulatory requirements as defined contribution (DC) schemes have seen in recent years.

“After a lengthy delay, during which trustees may have put ‘pens down’ on their projects to ramp up scheme governance, the laying of the General Code means these important projects can now be resurrected,” she continued.

“Delayed effectiveness and governance reviews can now be performed with greater confidence on the actual requirements.”

In particular, Andrikopoulos suggested that the biggest change for schemes will be the ‘Own Risk Assessment’ (ORA) requirement, welcoming the clarification that a report once every three years is sufficient, in line with the underlying legislation.

“This is in line with other major requirements such as the triennial actuarial valuation, and will save schemes from what could have been a substantial annual process,” Andrikopoulos said.

“The clarifications in the final version of the code are also helpful – for example, that the ORA can be a collation of other relevant documents."

Aon associate partner, Michelle Burgess, also highlighted this change as good news, suggesting that trustee boards are more likely to carry out a meaningful ORA on a less frequent basis.

“This is a key part of the code and trustee boards will need to have a robust audit trail of their risk management activity to produce their ORA efficiently,” she said.

“In response to the consultation, trustee boards have already been reviewing their risk management framework to ensure that they have good visibility of the activity to manage risk on an ongoing basis.

“This section of the code has been taxing trustee boards who recognise the importance of enhancing their risk management practice and improving the reporting in order to be able to manage the ORA requirement. It is helpful that the risk management requirements have prominence within the code, given their importance.”

However, Burgess suggested that while most DC schemes and well-run DB schemes are already complying with the requirement to have an effective system of governance, there are concerns around the increased burden and associated costs for smaller schemes.

"Our main concern is the increased governance burden and associated costs this will bring for the smallest schemes, many of which will have adopted a proportionate approach to governance and are now likely facing the largest hurdles," she stated.

Adding to this, Dalriada Trustees head of technical, research and policy, John Wilson, also warned that some schemes that have not already taken steps to prepare could struggle to meet TPR's March implementation date.

“Work should already be well underway in terms setting up risk management committees and carrying out governance reviews and gap analysis," he said.

“Schemes that have not already started may now struggle in terms of meeting requirements and finding resource over the coming months to help get to grips with all 171 pages of the code.”

Specific consideration may also need to be given to cyber issues, as Taylor Wessing pensions partner, Anna Taylor, encouraged trustees to consider whether there is more that they should be doing in particular in relation to cyber controls.

"TPR has recognised in its consultation response that trustees will be reliant on the expertise of third parties in this area, but there are nonetheless steps that trustees can take to put their schemes in the best position to deal with any cyber breach," she continued.

"These include having robust contractual terms in place with administrators and other service providers, adopting policies and procedures for responding to a breach and testing any breach response plan.

"Taking these steps will help to protect trustees from legal and reputational risks. Cyber attacks affecting pension schemes are only likely to become more frequent in 2024 and beyond, but by taking a proactive approach trustees can ensure they are ready to respond."

However, RSM UK head of pensions, Ian Bell, argued that the impact of the code could be “somewhat diluted, as compliance with it is entirely voluntary”.

“Without any mandatory reporting or proactive monitoring of the trustees’ ORA, there will be no motivation for poorly managed schemes to improve their system of governance,” he added.

“If the regulator is not asking for any documentation or monitoring the uptake, and there is no whistleblowing procedure, it’s not clear how this will be policed, or what repercussions there will be for trustees that choose to ignore it.”

---