Lay trustee, professional trustee, administrator, advisor, actuary or lawyer: we’ve all done it.
That dreadful, dire moment, usually just before AOB, close to the end of the trustee meeting, keeping you from the lunchtime sandwich your stomach is rumbling for, or the earlier train that could get you home on time for the first time in months. It’s usually the chair who announces it, quickly followed by his dismissal of it, and then it is reluctantly delivered by the consultant or secretary, who knows that if they looked up they’d be met with bored, glazed stares or the tops of people’s heads as they, not too discreetly, fiddle with their phones under the table. It’s time to review the risk register.
Risk registers are deadly dull. Lines of risks and mitigants, scoring systems and colour coded outputs. No one enjoys wading through these things.
It shouldn’t be like this but we are where we are, arguably, because of a small misinterpretation of the rules.
The Pensions Act 2004 required us to establish and operate adequate internal control mechanisms. As a consequence of this, the Pensions Regulator published a code of practice (Code 9, Internal Controls) that, amongst other things, said “The extent to which internal controls are documented will be a matter for the trustees to consider.” For whatever reason, this proportionate statement has been converted, like some sort of regulatory urban myth, into a far more dogmatic “you must have a risk schedule and it must be as dull as possible”.
This creates two problems.
Firstly, if something is dull, we don’t give it our full attention - once again, just think about your and your colleagues’ reaction to the risk register when it came up. This means that the risk register itself is causing us to neglect the act of risk management.
Secondly, the risk register is misleading us. By its existence it gives the mirage that we have controlled risk. This is not the case. A risk register per se is not risk management. It is just the documentation of risk management.
Risk management, in fact, is nothing to do with risk registers. It is far more organic. It is a simple process of asking ourselves “what are the consequences and how can the negatives be mitigated?” whenever we take or fail to take a decision or action. Risk management should be as natural and unconscious as breathing.
We are stuck in a mire though. I’d like to try and change this.
If anyone would like to get together to refresh the process, to share ideas, to compare lists of risks or controls then please get in touch - email@example.com
Let’s see if we can’t think of a fresh way of doing this.