It is just over a year since The Pensions Regulator’s (TPR) general code of practice came into force. In the last year, our clients have made good progress towards compliance, with trustees working with internal teams and external advisers to review and update their practices and procedures, and to ensure that these are documented, leading to strengthened governance frameworks.

Many schemes have a year-end date of 31 March or 5 April, meaning that trustees of these schemes now have 12 months until the date on which the first Own Risk Assessment (ORA) must be carried out in spring 2026.

As a reminder, an ORA must be carried out if a scheme has more than 100 members. It is an assessment of how well a scheme’s Effective System of Governance (ESOG) is working and the way that potential risks are managed. The ORA must be documented. In our latest video, commemorating the first birthday of the general code coming into force, my colleague Matthew Giles suggests that trustees should count backwards from the date of their first ORA, to ensure that compliance plans are on track. Trustees should rework their timetable if there have been any changes of circumstances since it was first formulated.

If progress has slowed, try to identify why this has happened. Is there a weak link in the chain? Have all advisers delivered what they promised? Is the pensions manager overloaded with other priority work? Try to agree sensible timescales for progress, or consider reallocating the work.

Changes to the scheme, or to key personnel involved in the running of the scheme, will result in different risks emerging. Trustees should reassess their governance needs to make sure that the ESOG remains proportionate to the size, nature, scale and complexity of the scheme’s activities and takes account of the specific circumstances that the scheme faces.

Many schemes are still on the pathway to making sure their scheme’s ESOG complies with the general code. The next step is to plan for the first ORA. Start considering how the ORA will be carried out and by whom. The ORA should be seen as a good opportunity to challenge how the scheme functions and there will be learnings along the way.

After the first ORA has been undertaken, trustees need to consider how this fits into “business as usual” arrangements (rather than a one-off “compliance project”). ORAs do not have to be repeated at set points in time, but all elements must be completed within a three year cycle. Trustees can plan the scheme’s subsequent ORA in a way that best aligns with their objectives and key scheme activities. For some schemes, the ORA may look like a continuous assessment, with elements being separated out over the three year cycle – others may set aside a dedicated period of a few months to undertake all aspects of the ORA. It is important to remember that any material changes to the scheme’s ESOG or risk profile also triggers the need for a reassessment.

If your scheme is on a 12 months countdown to its first ORA, does the outstanding work feel manageable?