The Pensions Regulator (“TPR”) is consulting on a draft single code of practice.  This consolidates 10 of its existing 15 codes of practice, and also contains significant new content explaining how trustees should comply with the statutory requirement to have an “effective system of governance, including internal controls” (introduced in January 2019).  The code also introduces some new obligations for trustees.  The consultation closes on 26 May.

What does the code mean for trustees?

While schemes will already have many of the requirements for an effective system of governance in place, some changes to schemes’ existing policies and processes are likely to be required as a result of the code.  In addition, the code introduces a number of new requirements for schemes with 100+ members, including the following:

  • Own risk assessment – trustees will need to conduct an annual written own risk assessment. This is an assessment of how well the scheme’s governance systems are working and the way that potential risks are managed.
  • Risk management function – schemes will need to establish a risk management function. Written policies regarding the risk management function must be put in place and reviewed regularly.
  • Remuneration policy – trustees will need to put in place a written policy on the remuneration of those undertaking scheme activities that are paid for by the trustees and/or the employer e.g. the trustees, administrators, advisers, and other service providers.
  • Appointment of advisers and service providers – trustees will need to put in place written policies on the appointment of advisers and other service providers, as well as wider processes for the selection, appointment, management and replacement of advisers and service providers.

The code is unlikely to come into force before this autumn.  However, trustees should start considering now what changes they will need to make to reflect the code’s requirements and start planning a process for implementing those changes.  In particular, trustees should consider if they are fully compliant with existing requirements and start assessing what arrangements they will need to put in place to comply with the new requirements, such as the own risk assessment.


Codes of practice set out TPR’s expectations of the conduct and practice of governing bodies[1] of workplace pension schemes in meeting their obligations under pensions law.  They are not legally binding, but when deciding if a statutory requirement has been met, the Courts and the Pensions Ombudsman must take compliance with any relevant code into account.  To date, TPR has published 15 codes of practice.

In the new single code of practice, TPR has sought to distinguish between legal requirements (what trustees must do), regulatory expectations (what trustees should do) and practical requirements (what trustees need to do).

Consolidated code

The draft code consolidates the following 10 codes of practice:

  • 1 – Reporting breaches of the law
  • 4 – Early leavers
  • 5 – Reporting late payment of contributions to occupational pension schemes
  • 6 – Reporting late payment of contributions to personal pension schemes
  • 7 – Trustee knowledge and understanding
  • 8 – Member-nominated trustees/directors – putting arrangements in place
  • 9 – Internal controls
  • 11 – Dispute resolution – reasonable periods
  • 13 – Governance and administration of occupational trust-based schemes providing money purchase benefits (meaning that there will no longer be a standalone DC code)
  • 14 – Governance and administration of public service pension schemes

Once the draft code comes into force, the codes that are being replaced will be revoked in their entirety.  TPR expects to bring the remaining codes[2] into the consolidated code in due course.  For example, the new DB funding code of practice (which TPR plans to consult on in the second half of 2021) will be drafted in the same style as, and will form part of, the new consolidated code.

The draft code

The draft code has five sections which between them contain 51 short topic-based “modules” based on themes:

  • The governing body
  • Funding and investment
  • Administration
  • Communications and disclosure
  • Reporting to TPR

The intention is for the code to be a web-based “living product” that will go through an ongoing process of review and amendment.  However, any future changes will still need to undergo consultation and be approved by Parliament.

Effective system of governance

The draft code contains new content reflecting the statutory requirement that was introduced in January 2019 for schemes to have an “effective system of governance, including internal controls”.  This requirement arose from the government’s implementation of the second European pensions directive (commonly known as IORP II).  The regulations introducing the new requirement also provided that TPR must issue a code of practice on the new governance requirement and prescribed a range of matters that the code had to cover.

The draft code states that an effective system of governance (“ESOG”) must include processes and procedures that ensure compliance with the 17 modules that are listed in the “Scheme governance” module.  These relate to:

  • The operation of the governing body, including its role, meetings and decision-making, remuneration, knowledge, dispute resolution, and continuity planning.
  • The organisational structure of the governing body, including the role of the chair, management of conflicts of interest, and managing advisers and service providers.
  • Investment matters, including investment governance, decision-making, monitoring, stewardship, and climate change.
  • Communications and disclosure to members.

Some of these modules contain new content, for example in relation to schemes with 100+ members putting in place written policies on remuneration and on appointment of advisers and service providers, as well as wider processes for the selection, appointment, management and replacement of advisers and service providers, and in relation to climate change and stewardship. The remuneration policy must be published on the scheme website or otherwise made available to members.

Once an ESOG is in place, each element should be reviewed at least every three years to assess whether it is functioning as intended (but there is no need for reviews to happen simultaneously).  Trustees should have policies in place for ESOG reviews, and these policies should in turn be reviewed at least every three years.

Internal controls

In relation to the requirement to have “internal controls”, there are eight modules listed in the “Scheme governance” module, detailing the systems, arrangements and procedures that governing bodies should have in place.  Some of these modules feature new content, for example, in relation to IT systems.  There is also a section on the requirement for schemes with 100+ members to have a “risk management function”, which may be a sub-committee or an independent body, to which the governing body delegates responsibility for identifying and evaluating risk and internal controls, and risk management.  The risk management function should regularly review risks at an individual and an aggregated level, as well as considering the interdependencies of certain risks.  Written policies regarding the risk management function should be approved by the governing body, and reviewed every three years.

Own risk assessment

Probably the most significant new provision in the draft code is the requirement for schemes with 100+ members to carry out and document an “own risk assessment” (“ORA”).  This is not the scheme's usual risk assessment process by another name, although it will take account of risks.  The ORA is an assessment of how well the ESOG is working, and how well potential risks are being managed.  Although the ORA should be proportionate to the size, nature and complexity of the scheme, it will need to cover:

  • How the governing body has assessed the effectiveness of, and risks arising from, each of the policies and procedures covered by the ORA – there are separate elements that will need to be considered in order to meet this requirement:
    • Policies for the governing body – including integration of risk assessment and mitigation into management and decision-making processes, and policies relating to the role and knowledge of the governing body.
    • Risk management policies – including internal controls policies, management of conflicts, and continuity planning.
    • Investment – including investment governance processes, stewardship, climate change, investment monitoring and decision-making, protection of member benefits on sponsor insolvency, assessment of protection mechanisms such as sponsor guarantees, and risks relating to indexation of benefits.
    • Administration – including risks associated with financial transactions, scheme records and receiving contributions.
    • Payment of benefits – including how the governing body assesses operational risks such as record-keeping and payment of benefits, and the management of risks relating to potential reductions to member benefits.
  • Whether the governing body considers the operation of the policies and procedures to be effective and why.

The ORA should be in writing, signed by the chair of the governing body, and be made available to TPR on request.

After the draft code comes into force, schemes will have 12 months to carry out their first ORA, which TPR has warned will be a “substantial process”.  Thereafter, TPR expects the ORA to be carried out on an annual basis, or when there is a material change in the risks facing the scheme, or its governance processes (rather than every three years as required by the underlying legislation).  The findings of each ORA should be incorporated into the scheme’s management and decision-making processes, and may result in changes to the scheme’s processes and procedures.


Details of how to comply with the statutory requirement to have an “effective system of governance, including internal controls” have been some time in coming.  Initially this is going to be a significant undertaking for schemes as they get to grips with the new requirements.

As a first step, we recommend that schemes review the code to assess whether they are complying fully with the existing requirements and what is going to be new for their scheme, and start considering whether and how those new requirements could be incorporated into existing policies and procedures.  Once that initial assessment has been completed, we recommend that schemes then start planning implementation of the necessary changes so that the implementation process can get underway as soon as the code is finalised.  Most schemes will be starting from a position of partial compliance, with the most substantial challenge likely to be carrying out the first ORA within 12 months of the code coming into effect.

Given the requirement for the code to be finalised and then approved by Parliament, we do not expect that it will be in force before autumn 2021.

[1] For occupational pension schemes, this generally means the trustees but can also include the managers of an occupational pension scheme.

[2] (i) Funding defined benefits, (ii) Notifiable events, (iii) Modification of subsisting rights, (iv) Circumstances in relation to the material detriment test, and (v) Authorisation and supervision of master trusts.