Strengthening Governance in a Shifting Risk Landscape

For Professional Clients Only

Aon’s 2025/26 Global Pension Risk Survey showed that operational, governance and cyber risks have become key considerations for schemes, regardless of size or structure. Aon senior consultant, Brian Kinlan, examines the priorities for running a successful pension scheme.

UK pension schemes continue to face rising regulatory expectations, increasing complexity, and an expanding agenda of work, often managing several strategic projects. This growing pressure reinforces the need for robust governance and risk management structures to support efficient operation.

The Pensions Regulator’s General Code of Practice has sharpened focus in this area by formalising the approach required to manage an Effective System of Governance (ESOG). The introduction of the Own Risk Assessment (ORA), and the appointment of a nominated Risk Management Function, place expectations on governing bodies to take a holistic view of how risks are managed within schemes, and where risk management and governance practices can be strengthened.

How have you strengthened your risk management framework?

Our survey suggests progress on risk management is uneven across the industry. A quarter of schemes had yet to start drafting or planning their ORA at the time of the survey. While a small element of this may be timing, it highlights challenges around capability and capacity.

All schemes should have now made significant progress or completed their ESOG. A critical part of this includes reviewing current risk management approaches, and how these should be adapted to support active management of risk. This will make ORA planning and drafting much easier, ensuring schemes obtain value and tangible actions from the process, including improving scheme governance practices and enhancing operational resilience.

Improving and maintaining operational resilience

Escalation of operational risks is a key reason your current risk management approach must evolve. One in five boards reported experiencing a cyber incident in the past two years, and we saw frequent reports in 2025 of large-scale cyber incidents in the wider world. Exposure to a cyber incident now feels like ‘when’ rather than ‘if’ for schemes, emphasising the importance of a robust operational resilience framework with appropriate cyber measures.

Progress has been made in the cyber space in recent years, with most schemes now assessing the cyber resilience of third parties. This should be a priority focus for all schemes, with clear business continuity and back-up procedures in place to ensure boards can trust that critical services, and the payment of member benefits, can continue in the face of disruption.

The survey suggests two areas requiring more focus – testing of business continuity and incident response plans, and assessing cyber insurance. Schemes that address these will be better positioned to respond quickly and confidently to operational incidents, supported by dedicated specialist expertise.

Is outsourcing the answer?

Around one in five boards are planning to outsource their risk management function, signalling a shift in how some schemes are approaching governance. This supports wider activity we are seeing in the industry with more schemes considering specialist expertise and outsourcing certain elements of their operating model.

Specialist support can bring deep expertise and independent challenge, helping trustee boards and other stakeholders to focus their time where it adds most value, while maintaining oversight and remaining accountable.

What next for trustees and other stakeholders?

ESOGs and ORAs are not one-off hurdles for schemes to jump; they are the cornerstones of a shift towards higher standards of governance and risk management. Embedding the ORA into a risk management approach will ensure that governance and risk management are enhanced and remain appropriate for a scheme’s evolving risk profile, adding value rather than simply becoming a compliance exercise.

Boards have to consider if their current operating model is appropriate. It is vital that schemes get this right as strong governance supports better decisions, greater resilience and, ultimately, better outcomes for members. In a shifting risk landscape, governance is the foundation on which effective risk management is built.

Aon’s Global Pension Risk Survey can be downloaded here: https://www.aon.com/uk-gprs-2025-26

First published with Pensions Age, March 2026