
How to make your Own Risk Assessment truly effective

Rachika Cooray Partner and Head of Governance

This blog was originally published in the Pensions Aspects Magazine.


For the past five years, I have been involved in the evolution of the General Code of Practice, starting with responding to the Regulator’s consultation, then helping governing bodies establish their Effective System of Governance (ESOG), and now guiding them through their first Own Risk Assessment (ORA).

Your ORA should not feel like a burden. Done well, it becomes the central anchor of your ESOG and a tool trustees can use to make better decisions. Amid today’s reform momentum across DB and DC, the ORA is where the whole governance story comes together. It sharpens decisions, clarifies ownership, and turns policies into practice. With many schemes facing ORA deadlines in 2026, here are five practical tips to help you embrace the year of the ORA and create an assessment that strengthens governance and helps you navigate challenges confidently. 

1. Make your ORA evidence-based  

A good governance framework is only as credible as the evidence behind it. Your ORA should show the real picture. It must assess how effectively the ESOG is working and document this clearly based on actual, recent performance, whether from meeting minutes, dashboards, incident logs or review outcomes. It’s not enough to assert that controls exist; the Regulator expects trustees to use the ORA’s findings to make decisions and plan improvements. A robust ORA checks that policies work in practice by confirming that the processes you rely on actually happen, and that oversight gives real confidence that the policies are doing their job.

2. Focus your ORA on risk

Your ORA should help you navigate risks and keep governance strong along the way. Your ORA isn’t just a copy of your risk register, though there will be overlap. The ORA should look at the risks that exist within your governance framework, whether the processes and safeguards you rely on are fit for purpose, and how trustees identify, assess and mitigate those risks day-to-day. In short, the ORA should answer the fundamental question: Are we managing governance risks effectively, and is our ESOG delivering what it should?  

3. Stay proportionate  

Proportionality isn’t about doing less; it’s about doing what’s right for your scheme. Your ORA should reflect the scheme’s circumstances and complexity, delivering insight and value. Governing bodies should concentrate on tailored insights and apply judgment to the depth of analysis needed. Smaller schemes can take a streamlined approach, while larger or more complex schemes could show how governance themes join up, such as ESG oversight within investment governance or cyber resilience within operational processes. Keep the emphasis on material risks and scale effort where it matters most, flexing scrutiny up or down depending on the issue.  

4. Write your ORA clearly and practically

When it comes to the ORA, substance matters more than presentation. Focus on how the narrative brings the ORA process and decisions it supports to life. Write your ORA in plain English, with short paragraphs and logical headings, so it’s easy to navigate. Keep it practical and purposeful: provide clarity on what was reviewed, what was found, and what happens next. If your ORA reads like a highly technical manual, it won’t achieve the engagement or clarity trustees need. 

5. Look ahead, not just back

The ORA is a point-in-time review, but its real value lies in what happens next. Success isn’t about chasing top effectiveness marks – it’s about continuous improvement and raising the governance bar. Use the ORA to call out emerging risks, and areas where governance needs to be strengthened or tested further. Any actions should have clear owners and be scheduled in a proportionate way, aligned with the scheme’s business plan. A forward-looking ORA helps trustees focus on what matters most for the future, not just what worked in the past.  

The ORA is a key tool for driving stronger governance. Embrace it as a living framework: keep it proportionate, clear and forward-looking, and use it to prompt meaningful actions that strengthen governance for the long term.

How LCP supports trustees with ORA and ESOG

At LCP, we’re passionate about making good governance accessible to every scheme, regardless of size or resource. We play an active role in shaping best practice, and have authored industry guides, shared practical insights, and helped demystify the Code so trustees can focus on what really matters. If you have questions or want to make your ORA truly add value for your scheme, please get in touch. 
