Complying with the code may sound like an impossible task – here’s how to make it manageable.

Complying with the Pensions Regulator’s (TPR) General Code of Practice sounds like an impossible task when you’re a small scheme, doesn’t it? TPR has been vocal about wanting to raise standards of governance or push for consolidation where that’s not achievable. So where do you begin?

Whichever approach you take, it is important that you plan your code work at a manageable pace to fit in with your resources and meeting cycle.

All pension schemes must operate an “effective system of governance” (ESOG), including internal controls. Exceptions include public sector schemes, master trusts and collective defined contribution schemes, for example – but even then it’s good practice.

If you have 100 members or more, you should have a risk management function and must complete a triennial own risk assessment (ORA), both of which should be in proportion to the size, nature, and complexity of your scheme. There are also other requirements, such as having a cyber incident response plan in place.

What does that mean in practice?

While you might be inclined to tick boxes, being a small scheme doesn’t mean that’s the go-to approach. Many schemes actually want to get as much value as they can from their code work.

Ask your adviser for training and tools that they already use with other schemes. Any firm providing good outsourced pension management services will have template governance manuals, policies and risk registers.

Start by writing down your scheme’s objectives (one of which probably includes remaining compliant) and making sure you all agree with them. Everything you do and the extent to which you do it should then be considered against this backdrop.

Is what you are doing going to help meet your scheme’s objectives? If it is, then it will bring value. If not, then just meet the compliance requirement as briefly as you can.

Policies and processes

Dotted through the code are references to policies and processes that schemes must have in place, such as a remuneration and fee policy where appropriate, and others that schemes should have. Small schemes are unlikely to have some of these already – for example, a trustee resignation and removal policy.

A starting point is to look at what the code requires versus what you have in place. That might look a bit sparse, but that is okay, as this work is about improving your governance. Does what you have help you meet your scheme’s objectives? Could it be rebadged or expanded?

Be proportionate – just document what you do in practice. If you don’t remunerate trustees other than expenses, then say that. You can refer to the contract where provider remuneration is covered.

Implement a policy review schedule so that policies are kept up to date on a rolling, business-as-usual cycle.

ESOG gap analysis

The ESOG requirements should be subject to regular internal review, at least every three years, but not necessarily all at the same time.

Review your current governance arrangements against the code’s ESOG requirements and your scheme’s objectives, identify gaps and agree a proportionate response to fill them. You can assess whether these things are operating as intended and effectively in the ORA.

Most advisers have gap analysis tools – use something simple that provides a dashboard of your ESOG status and actions required, so you can evidence and monitor progress. Prioritise those that are most likely to help you meet your scheme’s objectives.

You might not perform a skills audit, have a process for appointing the trustee chair, or have documented record-keeping processes. Don’t be disheartened; even the biggest, well-run schemes have gaps. This is the starting point for improving your governance.

Get documenting. Capture your governance arrangements as you go through the gap analysis in a system of governance document, sufficient to set out how you run your scheme. This will help mitigate against key person risk by getting onto paper what’s in people’s heads.

Risk management function

TPR recognises the concerns expressed about the proportionality and practicality of the risk management function for small schemes. Trustees have freedom to design the function to suit their scheme and available resources. What does that mean if you’re starting from nothing?

In reality, this function might be fulfilled by different people, with advisers contributing. It’s important that you have a clear understanding of who identifies, evaluates, records, monitors and manages risks.

Becoming risk experts overnight is not realistic, but you can get a template risk register from your adviser. You can have them help you identify and score risks relevant to your scheme’s circumstances and aligned to your objectives, capture the controls in place and consider how the reports you receive show that controls are working and risks are being managed.

Your first ORA: be pragmatic

The ORA is new for everyone. It’s not as scary as it seems.

The ORA is an assessment of how well the ESOG is working and the way potential risks are managed.

The first assessments will need to be done by the end of 2026. It doesn’t need to be done in one go, provided it is carried out in its entirety at least every three years. It can build on existing processes, pointing to existing material to avoid duplication.

Now you’re meeting the ESOG requirements, you can assess if your system of governance and risk management are effective.

How do you gauge what effective looks like? Your specific circumstances and your objectives will help guide your assessment of what you’re doing and how you’re doing it.

Having an open dialogue, possibly through a workshop format, provides an opportunity to share ideas and concerns. After all, governance is as much about the people sitting round the board table making decisions as it is about how you use the documents and tools you have available. It’s important to have an engaged discussion about what’s working well, what’s not and why.

What does the end point for this work look like? Hopefully, a succinct ORA report – though really it’s about you having confidence in your governance and risk management arrangements.

Your next steps

Compliance is not an impossible task, but it will take resources. It’s feasible to have a practical low-cost solution that will confirm compliance and the actions needed to fill in gaps. Keep proportionality in mind – it has to be a process that makes sense given your circumstances – but do enough that it passes muster. Seek value where you can and:

  • Get educated

  • Record and agree your objectives

  • Review policies, processes and documents against code requirements

  • Perform an ESOG gap analysis and document your system of governance

  • Understand your risks and plan your ORA

Rosanne Corbett is a client director at Muse Advisory.