Your 11 Mandatory Written Policies
Policies as Active Governance Tools
The Pensions Authority has explicitly criticised trustees who treat written policies as a compliance box-ticking exercise — adopting templates without engaging with their content, and filing them away until the 3-year review clock runs out. Policies are not a filing exercise. They are the formal record of how your scheme is actually governed. The test the PA applies is not “do you have 11 policies?” — it is “do your policies reflect the decisions your board has actually made, and is that visible in your board minutes?”
What good policy governance looks like:
- Scheme-specific content: Each policy reflects decisions the trustees have actually made — investment objectives in the IPS, actual risk appetite in the Risk Management Policy, real outsourcing arrangements in the Outsourcing Policy
- Board discussion, not just adoption: When a policy is reviewed, the board discusses it. The minutes record what was considered, what changed (or why nothing changed), and who approved the final version
- Living documents: Policies are updated when circumstances change — not just on the 3-year cycle
Having the policies isn’t enough — they must be actively reviewed, kept up to date, and formally adopted by the trustees. PensionPortal.ai tracks your review cycle and prompts you when policies are due.
The 11 Mandatory Policies
1. Risk Management Policy
What it covers: How the scheme identifies, assesses, monitors, and manages risks. The framework within which the Risk KFH operates. Must align with the ORA.
2. Internal Audit Policy
What it covers: The scope, methodology, and independence of the internal audit function. How audit findings are reported to trustees and how management responses are tracked.
3. Actuarial Policy
What it covers: How actuarial advice is obtained and used, including the scope of the Actuarial KFH’s role and the frequency of actuarial reviews.
4. Investment Policy Statement (IPS)
What it covers: The scheme’s investment objectives, asset allocation, risk tolerance, and the investment strategy approved by trustees. One of the most important policies — members’ retirement savings depend on it.
5. Remuneration Policy
What it covers: How the scheme ensures that remuneration of trustees, KFHs, and service providers does not create incentives for excessive risk-taking. For most occupational schemes, trustees are unpaid, but the policy must still be in place.
6. Conflicts of Interest Policy
What it covers: How conflicts of interest (actual and potential) are identified, declared, and managed. Covers trustees, KFHs, and key service providers.
7. Outsourcing Policy
What it covers: The framework for selecting, monitoring, and managing outsourced service providers. Includes due diligence requirements, contract terms, and exit arrangements. Required by IORP II Article 31.
8. Data Protection Policy
What it covers: How the scheme handles members’ personal data in compliance with GDPR. Covers data minimisation, retention, security, and member rights.
9. Communication Policy
What it covers: How and when the scheme communicates with members, the PA, and other stakeholders. Covers both required disclosures and discretionary communications.
10. Business Continuity Policy
What it covers: How the scheme would continue to operate in the event of a disruption (IT failure, key-person loss, natural disaster). Covers both the scheme’s own administration and its key service providers.
11. ICT / Digital Operational Resilience Policy (DORA)
What it covers: ICT risk management, digital operational resilience, and compliance with the Digital Operational Resilience Act (DORA). Required from 2025. Covers ICT incident classification, third-party ICT risk, and resilience testing.
Policy Review Cycle
| Timing | Required action |
|---|---|
| Every 3 years | Full review of all policies |
| After significant change | Review affected policies before implementation |
| On PA request | Provide any policy within the timeframe specified |
| On adoption of new policy | Formal trustee approval required |
What Genuine Review Looks Like
The Pensions Authority checks board minutes against policy adoption dates. A one-line minute — “The Risk Management Policy was reviewed and adopted without change” — does not demonstrate governance. It demonstrates that the board went through the motions.
A genuine review includes:
- The board discussing the policy content — what it covers, whether it remains accurate, whether it reflects current practice
- Noting any changes since the last review: new regulatory requirements, scheme events, PA guidance updates
- Where the policy is adopted without change, the board should minute why no change was needed — not just the fact of no change
- Any dissenting views or concerns raised by individual trustees
Adopting Policies Through the Platform
Review the current status
The Policy Library shows all 11 policies with their current version, last review date, and next review due date.
Review and edit a policy
Click on any policy to open it. The platform provides a template for each policy, pre-populated with appropriate language for an Irish occupational pension scheme. Edit to reflect your scheme’s specific circumstances.
Trustee adoption
Once the policy is finalised, submit it for trustee adoption. The trustees review and formally approve the policy — this is recorded with a timestamp in the compliance record.
What to Do If a Policy is Out of Date
If a policy hasn’t been reviewed in over 3 years:
- Prioritise reviewing it — the ACS asks about policy currency
- Make any necessary updates to reflect changes in the scheme, regulation, or practice
- Formally re-adopt it through the platform
- The new adoption date restarts the 3-year review clock