LawDebenture

What is the General Code and how does the ORA fit within it?

The General Code is The Pensions Regulator's unified standard for how pension schemes should be governed and managed. It brings together key requirements covering governance, risk management, policies, procedures, and member communications. The Code has three connected elements.

  1. The Effective System of Governance (ESOG) sets out the policies, procedures, processes, and controls that ensure a pension scheme is run properly, and in line with regulatory requirements. This includes clear roles and responsibilities, internal controls, ongoing monitoring, and documentation.
  2. The Risk Management Function (RMF) sits within the ESOG and focuses on identifying, assessing and managing risks, reviewing controls, and reporting to the trustee board.
  3. The Own Risk Assessment (ORA) is a structured review of how effectively the ESOG and RMF operate in practice.

What is an Own Risk Assessment?

An ORA is a structured review, carried out by trustees or scheme managers, to identify and assess the key risks facing their pension scheme and evaluate how well those risks are being managed. It is not a tick-box exercise: trustees should assess how governance policies and risk management processes operate day to day, not simply confirm that documents exist.

Which schemes need to complete an ORA?

Any occupational pension scheme with 100 or more members that is required to operate an Effective System of Governance must complete an ORA. Governing bodies of other schemes may carry out an ORA as an example of good practice[1].

When does the first ORA need to be completed?

The first ORA must be completed within 12 months of the end of the first scheme year after the General Code came into effect.

For most schemes this means a deadline in 2026.

An ORA is required every three years.

Is this a one-off exercise?

No. The ORA should be completed at least every three years.

Trustees should also carry out a new ORA when there is a material change in the risks facing the Scheme.

The ORA does not need to cover a fixed time period, but it is expected to reflect changes since the previous assessment.

For schemes completing an ORA for the first time in 2026, it is appropriate to consider the period up to the review rather than limit the review to a specific period.

Does the ORA need to cover everything at once?

No. The ORA does not need to cover all areas at once. Trustees should agree a documented review timetable, ensuring all areas are covered for the first ORA and then reviewed on a phased basis over the three-year cycle, with some areas reviewed more frequently.

What areas does the ORA need to cover?

The ORA should cover the areas set out in paragraphs 14 to 19 of the ORA module of the General Code. These include:

  • The governing body, how risk is integrated into decision-making, and how policies operate
  • Risk management policies and internal controls
  • Investments governance, including climate change and asset security
  • Administration, including systems and controls
  • Benefit payment processes and record-keeping

What does a trustee actually need to do?

Trustees should consider whether their approach to risk management is working well, whether risks are regularly monitored, and whether appropriate mitigations are in place. They should review controls to ensure they are operating effectively, consider whether policies remain fit for purpose and whether any need to be amended, and look ahead to identify anything coming up that could affect scheme governance or the risk profile.

The ORA must be completed in writing and signed by the chair of the trustee board.  

Is the ORA just an extension of the risk register?

No, though it can draw on it.

The ORA must demonstrate how the scheme's Effective System of Governance is operating in practice and whether it is working effectively across governance, administration, investment, and risk management functions.

Existing risk registers and processes can be referenced and linked to rather than duplicated, but the ORA requires trustees to go further and assess whether those processes are genuinely working.

Can existing documents and assessments be used?

Yes. Many governing bodies will already undertake aspects of the ORA and will not need to duplicate existing work. The ORA may therefore take the form of a structured review that references or links to existing documents. Where services are outsourced, governing bodies may choose to incorporate assurance reporting supplied by service providers.

What does a realistic ORA timeline look like?

Work on the ORA should start early. A well-structured timeline would typically involve producing an initial draft at least 6 months ahead of the deadline; this allows the draft to be reviewed by a Committee a couple of times before being reviewed and finally agreed by the trustee. Starting early is important: the ORA is not a document that can be produced in a matter of days.

Can the ORA be proportionate to the size of the scheme?

Yes. The ORA should be proportionate to the size, nature, and complexity of the scheme and focused on its current circumstances and objectives. Where appropriate, existing information can be used to ensure the assessment is practical and cost-effective.

Schemes with a buy-in in place must still complete an ORA, as risks change and governance arrangements should continue to reflect what is happening in practice and support strategic priorities through to buyout and wind-up.

Why does the ORA matter beyond regulatory compliance?

Good governance is not simply a box-ticking exercise. The ORA forms the basis for a scheme's governance framework, risk register, and core policies. It guides trustee training, the compliance calendar, and meeting agendas, and drives regular reviews and continuous improvement across scheme activities. It helps ensure the scheme operates in line with best practice, remains compliant, and protects members' interests. The Pensions Regulator may consider failure to complete an ORA as an indicator of poor governance.

Who can carry out the ORA?

The ORA may be carried out by a sub-committee of the governing body, the risk management function, or a third party. Those carrying out the ORA should effectively manage any actual or potential conflicts of interest between themselves, the governing body, employers, and service providers.

How does Law Debenture support schemes with their ORA?

Scheme secretarial services are our core offering. Our close working relationships with in-house teams mean we understand governance and resourcing pressures in practice, including issues not always visible to trustees. This enables ORA support to focus on whether governance arrangements are effective and aligned with the scheme’s long-term objectives, in a way that is proportionate to its size, complexity, and budget.

Who should I contact to find out more?

If you would like to discuss the ORA requirements or how LawDeb can support your scheme, please contact Helen Nguyen, General Code Proposition Lead, at Helen.Nguyen@lawdeb.com. See our handy one-pager.
