Own-Risk Assessment (ORA)
Legal Basis
The ORA requirement derives from Article 28 of IORP II (EU 2016/2341) and is transposed in Irish law as Section 64AL of the Pensions Act 1990 (as inserted by the Pensions (Amendment) Act 2022, implementing S.I. 128/2021). Trustees must conduct and document an ORA at least every three years, or following any significant change in the scheme’s risk profile. The ORA is one of the most substantive governance deliverables under IORP II. It is the primary mechanism by which the trustee board demonstrates that it has conducted a thorough, forward-looking assessment of the risks the scheme faces — and that governance and investment decisions are informed by that assessment.
What the ORA Must Cover
Article 28(2) IORP II specifies that the ORA must cover, at minimum:
- The overall risk profile of the scheme, covering all material risks
- The risk tolerance and risk appetite of the scheme
- A forward-looking assessment of risks to members and beneficiaries
- Both qualitative and, where appropriate, quantitative assessment of risks
- The interdependency between different risk categories
- Links to the investment strategy and funding strategy
- The effectiveness of risk mitigation measures in place
The ORA as a Living Document
The ORA is not a one-time filing. It is a living governance tool that must remain current, be revisited at trigger events, and be actively used in board decision-making. The PA has identified ORA quality as a primary supervisory focus for 2025–2029. Trustees must lead the ORA process — not merely sign a document prepared by a consultant or KFH. Where board minutes record only a one-line adoption of the ORA, the PA will question whether trustees engaged substantively with the content.
Common Weaknesses Identified by the Pensions Authority
The following weaknesses appear repeatedly in PA supervisory reviews:
| Weakness | PA Expectation |
|---|---|
| Viability / sustainability risks absent | ORAs must address the long-term viability of the scheme and the financial sustainability of the sponsoring employer |
| Outsourcing risks generic or absent | Where all key functions are outsourced, outsourcing concentration risk and exit risk must be scheme-specific |
| DORA / ICT risks not reflected | From January 2025, all schemes ≥16 members must address ICT and cyber risks proportionate to digital exposure |
| Risk appetite without current status | The ORA must state whether each risk currently sits within or outside the defined tolerance — not just list appetite levels |
| No member cohort analysis | DC schemes must link risk assessments to the actual demographics and contribution history of the membership |
| Board minutes show no substantive engagement | The PA checks whether board minutes record genuine discussion — not just adoption of a pre-agreed document |
ORA Methodology: What a Quality ORA Looks Like
A quality ORA is not a generic risk assessment. It is a scheme-specific, forward-looking document that demonstrates genuine trustee engagement with the risks facing the scheme and its members. The Pensions Authority can readily distinguish between a substantive ORA and a template document that has been minimally adapted.
How an ORA Differs from a Generic Risk Assessment
Compliant IORP II ORA
- Scheme-specific data: The ORA references the scheme’s actual investment portfolio, funding level, membership profile, and sponsor financial position
- Forward-looking: The analysis considers how risks may evolve over the scheme’s time horizon — not just current conditions
- Integrated: The ORA links to the investment policy and (where applicable) the funding strategy, evidencing that risk appetite is reflected in strategic decisions
- Evidenced: Risk assessments are supported by data and analysis, not just assertions
- Board-owned: The ORA is formally presented to and discussed by the trustee board, with the discussion recorded in board minutes
- Actionable: Where risks are identified as elevated, the ORA specifies the actions the board will take, with owners and timelines
Risk Appetite and Tolerance — What Article 28 Requires
Article 28(2) of IORP II requires the ORA to cover the scheme’s risk tolerance and risk appetite. The PA’s guidance clarifies that this means more than defining a tolerance level — it means assessing whether the scheme is currently operating within that tolerance. The ORA must therefore state, for each material risk category:
- Risk appetite — the level of risk the board is willing to accept in pursuit of scheme objectives (qualitative or quantitative)
- Risk tolerance threshold — the boundary at which risk becomes unacceptable
- Current risk status — whether current risk in this category sits within, approaching, or outside the defined tolerance
- If outside or approaching tolerance — the specific actions the board is taking to bring risk back within acceptable levels, with responsible persons and target dates
The 8 Risk Categories Trustees Should Consider
The following risk categories align with the Pensions Authority’s ORA guidance and the requirements of Article 28 IORP II. Every ORA should address each category, with the depth of analysis proportionate to the category’s materiality for the specific scheme.
1. Investment Risk
2. Liquidity Risk
3. Concentration Risk
4. Operational Risk
5. Insurance and Other Risk Mitigation Techniques
6. ESG and Sustainability Risk
7. New and Emerging Risks
8. Sponsor Risk (Employer Covenant)
ORA Documentation Requirements
The written ORA record must contain:
- Date of the ORA and the names of the trustees who participated in the process
- Scope confirmation: confirmation that all required risk categories were considered
- Scheme-specific data used as inputs (membership profile, funding level, investment portfolio summary, actuarial data as applicable)
- Risk assessment for each category: risk identification, likelihood/impact assessment, current controls, residual risk rating
- Forward-looking analysis: how each risk may evolve over the scheme’s time horizon
- Links to investment strategy and funding policy: evidence that the ORA informs strategic decisions
- Actions arising: where elevated risks are identified, specific actions assigned to named individuals with due dates
- Board sign-off: formal record of the trustee board’s review and approval of the ORA, including the date of board sign-off
- Version control: document version number, date, and history of previous ORA versions
Who Signs Off the ORA
The ORA must be formally reviewed and approved by the trustee board. While the Risk Management KFH leads the ORA process and drafts the report, the ORA is a board document — not a KFH deliverable. The board’s review and sign-off must be recorded in board meeting minutes, which form part of the compliance evidence trail.
Link to the Governance Framework
The ORA does not stand alone. It must be linked to:
- The investment policy: risk appetite identified in the ORA must be reflected in the investment strategy
- The risk management policy: the ORA methodology must be consistent with the documented risk management framework
- The risk register: risks identified in the ORA should be captured in the scheme’s ongoing risk register, owned by the Risk Management KFH
The 3-Year Review Cycle and Trigger Events
Trustees must conduct a new ORA at least every three years. However, certain events require an earlier review regardless of when the last ORA was completed:
| Trigger Event | Why It Matters |
|---|---|
| Significant change in investment strategy | A new asset allocation or investment mandate changes the scheme’s risk profile materially |
| Major sponsor event | Sponsor restructuring, ownership change, financial distress, or insolvency significantly changes sponsor risk |
| Material change in membership profile | A large bulk transfer, scheme merger, or significant change in active/deferred/pensioner mix affects cash flow and liability profile |
| Significant funding level change | A material deterioration (or improvement) in the funding level alters the risk landscape |
| Regulatory change | New legislative requirements may create compliance risk not captured in the existing ORA |
| Material operational failure | A significant operational incident (fraud, data breach, administrator failure) triggers a reassessment of operational risk |
| Significant market event | An extreme market event that affects the scheme’s investment portfolio may require an updated risk assessment |
How PensionsPortal.ie Automates ORA
PensionsPortal.ie’s ORA workflow reduces the time and effort required to produce a compliant, board-ready ORA — while maintaining the quality and scheme-specificity that the Pensions Authority requires.
Data Import
Risk Category Assessment
AI-Assisted Narrative Generation
Human Review Gate
Board Presentation and Sign-Off
Pensions Authority References
- ORA Guidance for Trustees — Pensions Authority
- Code of Practice for Trustees (Final), Section 6 — ORA requirements
- IORP II Directive, Article 28: Own Risk Assessment
- Pensions Act 1990, Section 64AL: Own Risk Assessment (as inserted by Pensions (Amendment) Act 2022)
- S.I. 128/2021, Regulation 29: ORA implementation