Top 10 tips for Best Practice in Maintaining your Risk Register

As a Trustee you have the responsibility to manage and minimise the risks which may arise when running a pension scheme. Maintaining a risk register enables you to identify the risks which need to be managed. The main focus for Trustees is to ensure that members’ benefits and scheme assets are not put at risk as a result of weak internal controls.


We’ve listed the 10 most important steps you can take to do this effectively.

Procedure to identify and mitigate risks

Agree and formally document procedures to identify and mitigate risks. This reduces the possibility of a risk not being brought to the attention of all Trustees.

Focus on your key risks

Begin by understanding the main risks which are critical to the scheme and are likely to have a significant impact on members’ benefits, and stay focused on them.

Identify risk

As a Trustee you will have a clear understanding of scheme operations. Use this knowledge to regularly consider the nature and extent of both internal and external risks which pose a threat to continuing growth.

Evaluate your risks

Your procedure should include a method to evaluate each risk based on the impact it may or will have on the scheme’s operations.

Allocate each risk to a key individual for clarity and to allow for a full understanding of each risk. Create an action plan within the risk register so everyone is aware of how to mitigate the risk and protect the scheme’s operations.

Prioritise your risks

Next, it is vital to prioritise your risks, assessing each one on the probability of the risk materialising.

Measure the likelihood of the risk occurring and how detrimental it could be to the running of your scheme. We find it best practice to prioritise your risks using the R-A-G (Red-Amber-Green) coding system.

Manage your risks

Introducing rigorous internal controls into the scheme will help prevent and detect errors. However, it is imperative to understand that internal controls reduce, but do not fully eliminate, risk, and to make appropriate plans to manage the risk that remains.

Regularly review your risk register – Monitor your risks

It is important to review your risk register at least annually. From our experience we find it best practice to review the risk register at each quarterly meeting. In addition, regularly reviewing the internal controls in place and ensuring they are kept up to date and fit for purpose is vital.

Different types of risks (stages to review risk):

Inherent risk – The level of risk determined at the time of the assessment

Net risk – The level of risk after controls have been implemented

Target risk – The level of risk you are aiming to achieve

Strong communication and getting involved

To follow best practice, it is vital for all Trustees to be made aware of new and emerging risks and of any updated internal controls.

This can be done by ensuring that the Trustee Board meets regularly on a date which is convenient to all, with apologies for absence given only when deemed absolutely necessary.

Maintain adequate documentation

It is essential to keep full and detailed records of risks and of the controls in place to cover each risk. We would recommend that the risk register be held centrally so that all Trustees have easy access to it. In addition, make sure risk management is given a dedicated slot within each Trustee meeting, to identify and monitor new or existing risks.

Specialised and adequate knowledge and understanding

To carry out their duties to their full potential, Trustees are required by legislation to have sufficient knowledge and understanding of their legal duties, their scheme, and the legislative and regulatory framework.

Trustees should annually review their own knowledge and understanding. At Assure UK, we recommend each Trustee completes a TKU (Trustee Knowledge and Understanding) skills matrix. This matrix should highlight all areas in which a Trustee is required to have a thorough understanding. The Trustee uses it to rate themselves and highlight any gaps which need to be addressed.

Cyber Risk

We have identified cyber-attacks as an emerging risk which should be included and considered when completing your risk register. These attacks are becoming an increasing worry within the pensions industry. Robust controls are necessary to reduce this significant risk to your business. Actions to highlight within your risk register could include two-factor authentication, system restrictions and many more.

For more guidance, and to develop your knowledge of risk management further, take a look at the module ‘Running a Scheme’ available to complete within the Trustee Toolkit.