Your Own-Risk Assessment (ORA)

The ORA is a Living Document

The Pensions Authority considers the Own-Risk Assessment one of the most important documents a trustee board produces. It is not a one-time filing or a regulatory checkbox — it is a living governance tool that reflects the board’s current understanding of the scheme’s risk environment. The ORA must be:
  • Trustee-owned — not delegated entirely to a consultant or KFH; trustees must engage with the content, not just sign it
  • Comprehensive — covering all 8 risk categories defined by the Pensions Authority
  • Scheme-specific — genuine analysis of your scheme’s risk profile, not generic template language
  • Current — reviewed at least every 3 years, or whenever a significant change occurs
  • Board-discussed — the ORA must appear as a substantive item in board meeting minutes, not just as a document circulated for signature
The PA actively identifies and pursues trustees who produce ORAs that are not genuinely risk-managed documents. An ORA that reads as a generic template, or whose board minutes contain only a one-line adoption record, will attract scrutiny. The PA expects to see evidence of trustee engagement in the ORA content itself.

What the PA Commonly Finds Missing

Based on the Pensions Authority’s IORP II supervisory reviews, the most common ORA weaknesses are:
  • Many ORAs focus on investment and operational risk but omit scheme-level existential risks: the long-term financial viability of the sponsoring employer; the sustainability of the scheme’s funding model; the risk that the scheme may need to wind up and what would happen to members if it did. These risks must be addressed — particularly in DC schemes where member contributions depend on employer financial health.
  • Where all key functions are outsourced — as they commonly are — the ORA must assess the risks arising from that concentration of outsourcing. Generic statements that “service providers are monitored” do not satisfy the PA. The ORA should name the key providers, assess the risk of provider failure or underperformance, and document the scheme’s exit strategy.
  • From January 2025, DORA applies to all schemes with 16 or more members. The ORA must reflect ICT and cyber risks proportionate to the scheme’s digital exposure. Many schemes still have no ICT risk entry in their ORA, or address it only as “cyber risk is managed by the administrator” — which is not an adequate risk assessment.
  • IORP II requires trustees to define their risk appetite — how much risk they are willing to accept in pursuit of scheme objectives. But the PA’s threshold is higher: the ORA must also confirm whether each risk currently sits within or outside that tolerance. An ORA that states a tolerance but does not assess whether the scheme is currently within it is incomplete.
  • For DC schemes, the ORA should reflect the specific characteristics of the member population — age profile, contribution rates, projected retirement dates, default fund exposure. A risk that is tolerable for a scheme with young, active membership may be material for a scheme with a large cohort approaching retirement. Generic risk assessments that ignore member demographics will not satisfy the PA.
  • The PA checks board minutes to verify that the ORA was genuinely discussed — not just adopted. Where board minutes record only “The ORA was reviewed and adopted”, the PA will question whether the board engaged with the content. Minutes should record the key risks discussed, any disagreements or concerns raised, and any actions arising from the review.

When is an ORA Required?

Trigger and the action required:
  • Every 3 years: Full ORA review and re-approval
  • Change of investment strategy: Review and update ORA before implementation
  • Significant membership change (>20%): Review and update relevant risk sections
  • Material outsourcing change: Update third-party risk section
  • Significant market event: Consider whether ORA remains adequate
  • PA request: Provide ORA within the timeframe specified

The 8 Risk Categories

The Pensions Authority requires the ORA to assess risks across 8 categories:

1. Operational Risk

Risks arising from internal processes, people, systems, or external events. Includes ICT risk, data breaches, fraud, and key-person dependency.

2. Investment Risk

The risk that the investment strategy doesn’t deliver the returns needed to meet member benefits. Includes market risk, liquidity risk, and concentration risk.

3. Actuarial / Funding Risk

The risk that the scheme is underfunded or that actuarial assumptions prove incorrect. Includes longevity risk and interest rate risk.

4. Liquidity Risk

The risk that the scheme cannot meet benefit payments or other obligations when they fall due, because of illiquid assets or cash-flow mismatches.

5. Third-Party / Outsourcing Risk

Risks arising from reliance on external service providers (administrators, investment managers, custodians). Includes concentration risk and exit risk.

6. Legal and Regulatory Risk

The risk of non-compliance with applicable law, regulatory requirements, or the scheme’s own rules. Includes changing regulation risk.

7. Environmental, Social & Governance (ESG) Risk

The impact of climate change, social risks, and governance failures on the scheme’s investments and long-term sustainability.

8. Cyber and Technology Risk

The risk of cyber attacks, data loss, system failures, or technology disruption affecting scheme operations or member data.

How to Complete the ORA in PensionPortal.ai

Navigate to Governance → Own-Risk Assessment and click Start New ORA or open an existing ORA.

1. Board Risk Appetite Statement

At the top of the ORA form, complete the Board Risk Appetite Statement — a brief, plain-language statement of the overarching level of risk the trustee board is willing to accept in pursuit of scheme objectives. This is a trustee judgment, not a formula. Example: “The trustee board has a low appetite for investment risk given the scheme’s mature membership profile, a moderate appetite for operational risk where adequate controls are in place, and zero tolerance for regulatory non-compliance.”

2. Per-Category Risk Appetite and Tolerance

For each of the 8 risk categories, the ORA form includes a Risk Appetite & Tolerance section:
  • Appetite level: Select Low / Medium / High — how much risk the board is willing to accept in this category
  • Tolerance threshold: Define the boundary — the point at which risk in this category moves from acceptable to unacceptable
  • Current status: Select ✅ Within Tolerance / ⚠️ Approaching Tolerance / 🔴 Outside Tolerance
  • Status justification: Brief explanation of why the current status has been assigned — this is what the PA reads
An ORA that lists appetite levels but does not confirm current status (within/approaching/outside tolerance) is incomplete under PA expectations. Every category must have a current status assessment — even where the status is “Within Tolerance”.
Alert banner: If any risk category is Outside or Approaching tolerance, an alert banner appears at the top of the ORA form. These categories must have documented remediation actions.

3. Risk Library

For each category, a collapsible “Common risks for this category” panel provides 32 pre-seeded IORP II reference risks across the 8 categories. Click any risk to pre-fill the mitigation text for that risk in your ORA. Edit the pre-filled text to reflect your scheme’s specific circumstances. The risk library includes IORP II and DORA regulatory references for each entry — ensuring your ORA cites the correct regulatory context.

4. AI-Assisted Narrative Drafting

Step 1: Answer the scheme-specific questions

The tool asks targeted questions about your scheme: membership size, investment strategy, service providers, any known risk events. These answers ground the AI’s output in your scheme’s actual circumstances.

Step 2: Review AI-drafted risk narratives

For each of the 8 risk categories, the AI produces a draft narrative based on your inputs. Each draft includes risk description, likelihood and impact, existing mitigants, and residual risk rating. You review, edit, and approve each section.

Step 3: Complete appetite and tolerance fields

After reviewing the AI narrative for each category, complete the risk appetite, tolerance threshold, and current status fields. The AI draft informs this assessment; the judgment is yours.

5. Sign-Off

  • Chair of Trustees signs off the completed ORA
  • Risk Key Function Holder provides a second sign-off confirming the assessment is adequate
  • The signed ORA is timestamped and stored in the scheme’s compliance record
  • The platform sets a 3-year review reminder automatically
The AI drafts the ORA narrative — but you are responsible for its content. Every section must be reviewed and approved by a trustee before sign-off. Do not sign an ORA you haven’t read.

6. ORA Summary Card

The ORA list page displays a Current ORA Summary Card showing:
  • Your board risk appetite statement
  • 8 per-category tolerance status badges (✅ Within / ⚠️ Approaching / 🔴 Outside)
  • A count of categories currently outside tolerance that require action
This card provides at-a-glance governance oversight and is included in the SRP Evidence Pack export.

Keeping the ORA Current

The ORA review cycle is 3 years — but the ORA should be a living document that is considered at every significant change event. PensionPortal.ai tracks trigger events and prompts you to consider an ORA review when:
  • Change of investment strategy: Review investment and liquidity risk sections before implementation
  • Membership change >20%: Review relevant risk categories; update cohort analysis
  • Material outsourcing change: Update third-party risk section; assess new provider exit risk
  • KFH resignation or replacement: Review governance risk section
  • Significant market event: Consider whether investment and funding risk assessments remain adequate
  • PA guidance update: Review whether guidance changes affect any risk category
  • DORA implementation change: Update ICT and operational risk sections
Where a trigger event occurs, document the review outcome in board minutes — even if the conclusion is that no ORA changes are required.

ORA and the Board Agenda

The ORA should not sit in a document library between sign-offs. It should be an active board governance tool:
  • Annual review item: Include a standing ORA review item on the annual board calendar — even in non-review years, the board should confirm that the current ORA remains adequate
  • Tolerance monitoring: The ORA Summary Card on the list page shows current tolerance status for all 8 categories; any category Outside tolerance should be a board agenda item until remediation is complete
  • Board pack inclusion: Include the ORA Summary Card in regular board packs so trustees maintain visibility of the scheme’s risk position
  • Pre-ACS review: The ACS Wizard references the ORA when asking about risk assessment compliance; ensure the ORA is current before commencing ACS preparation

Tips for a Good ORA

A good ORA is specific to your scheme. Generic text that could apply to any scheme will not satisfy the Pensions Authority. The more scheme-specific detail you provide in the initial questionnaire, the better the AI’s output will be.
Complete the risk appetite and tolerance fields before sign-off — not after. The tolerance status for each category is a trustee judgment that should be made as part of the ORA review, with the board discussing any Outside Tolerance items before agreeing the final document.

Further Reading