ORA Insights: Why internal controls demand a seat at the governance table
After supporting schemes of all shapes and sizes through their first Own Risk Assessment (ORA), one theme is impossible to ignore.
Most trustee boards now have an Effective System of Governance (ESoG) they can feel quietly proud of. Policies are documented. Responsibilities are mapped. Review cycles are diarised with reassuring precision. On paper, governance looks neat, well-defined – almost elegant.
But scratch beneath the surface and things may get a little blurrier.
When it comes to risk management, many schemes are still finding their feet. Internal controls exist, certainly – but evidence of whether they actually work is often thinner than trustees might expect, and is frequently not documented clearly or held where it can be accessed easily. Risk management, in practice, can feel less like a system and more like a collection of well‑intentioned parts.
The General Code is unambiguous on this point. An ORA must assess not just the existence of governance arrangements, but their effectiveness—including internal controls*. In other words, having internal controls but not testing them is the governance equivalent of owning a smoke alarm but never checking the batteries. It might work…but that’s hardly a reassuring strategy.
*Ref: The Pensions Regulator, General Code – Own Risk Assessment module
The delegation dilemma
A common stumbling block may be delegation.
Trustees quite rightly lean on advisers, administrators and third parties to operate many of their controls. But The Pensions Regulator has been clear: delegation doesn’t dilute accountability. Oversight doesn’t disappear just because delivery sits elsewhere.
That doesn’t mean trustees need to turn into auditors or drown themselves in paperwork. For most schemes, a full internal audit function would be disproportionate. The smarter move could be to build on what already exists, evolving the risk register into something more dynamic and more useful.
A well-designed Internal Controls Framework (ICF) does exactly that. It connects risks to the controls that mitigate them (including those operated by third parties) and, crucially, captures evidence that those controls are working in practice. It turns risk management from a static document into a living system that satisfies regulatory expectations while genuinely strengthening risk management – less paper map, more sat‑nav.
Proportionality in practice
“Proportionality” is one of the most overused—and misunderstood—words in pensions governance.
It doesn’t mean doing nothing. Unless a scheme has fewer than 100 members, some level of internal control assessment is mandatory. But it does mean making conscious, strategic choices about where depth really matters.
For example…
A large scheme approaching buy-out might quite sensibly keep its ORA focused on high‑level controls, recognising that detailed operational risk will soon transfer to an insurer. A smaller scheme planning to run on, by contrast, may need a far sharper lens on day‑to‑day operational resilience.
Proportionality isn’t about scheme size. It’s about the journey plan, complexity, and risk exposure. It’s the difference between choosing trainers for a park stroll and hiking boots for tackling Ben Nevis.
From compliance exercise to strategic tool
When internal controls are properly embedded, the ORA stops being a periodic and cumbersome compliance burden and starts to function as a strategic lens.
Supported by a credible ICF, the ORA becomes a concise, forward-looking narrative that clearly sets out what controls are in place, how effective they’ve been, what’s improved since last time, and where trustee attention should focus next.
That clarity benefits everyone. Trustees gain confidence. The Pensions Regulator gains assurance. And the scheme gains resilience. Governance shifts from being decorative to genuinely protective.
If your ORA deadline is looming…
Don’t panic.
The ORA is not a final exam with a pass–fail grade. The Pensions Regulator expects it to evolve. Gaps aren’t governance failures – they’re opportunities to enhance how you do things. Identifying them, assigning ownership, and committing to improvement is not just acceptable; it’s exactly what good governance looks like.
Ultimately…
Robust internal controls aren’t about ticking boxes or appeasing regulators. They’re about trustees sleeping better at night—knowing risks are understood, controls are doing what they’re meant to do, and governance is operating as a system, not a façade.
If your internal controls still feel like the forgotten drawer beneath an otherwise pristine governance setup, now might be the time to open it and order the contents.
Need support with your ORA, internal controls, or governance strategy? Get in touch.
Our experts
Ellie Dobson
Director
Gemma Woodall
Director, Croydon Office Head