One thing that jumps out at you the more you read the Pensions Regulator’s draft single Code of Practice is that trustees are expected to have a LOT of policies.

We can see the logic: to have an effective system of governance, proper processes need to be in place and trustees will need to think through risks and anticipate problems before they arise, planning for how they will resolve them if and when they do materialise. From the trustee’s point of view, a solid set of policies can help demonstrate that they are being thorough and organised in their approach to governance, should the Regulator ever come knocking.

A lot of schemes will have a good array of policies already, but whether many (any?) will already have the full set recommended by the Code is questionable. It’s also not always clear from reading the Code quite what sort of policy the Regulator has in mind.

Take for example the requirement, in the Cyber Controls section of the Code, to “Have policies to assess whether breaches need to be reported to the information commissioner.” Is this different from the next listed requirement to “Maintain a cyber incident response plan in order to safely and swiftly resume operations”?

In our experience, cyber breaches are very fact-specific. So while we can see the value of a very high level policy (e.g. who will be the key point person/persons at the trustee, where will they go for help and advice, how will decisions be taken in the necessary timeframes, the importance of keeping an audit trail), it is more difficult to see how a policy could give any specific guidance. Any breach will need to be assessed at the time and on its particular facts.

But perhaps the Regulator is only after something high level here. One for the Regulator to clarify in the underlying guidance?