
Effective risk management helps us not only to mitigate risk, but also to make the most of opportunities and to take risk deliberately where doing so serves our objectives. Risk management is integral to the delivery of our strategic plans, including our sustainability strategy.

Risk identification and evaluation is a key part of our strategic and operational planning process. Our plans evolve in the light of consideration of the external landscape, our internal risk profile and our risk appetite. We continually review the external landscape to identify new and emerging risks.

The biggest risk we manage is our funding risk. As we set out in our Long-Term Funding Strategy Review in autumn 2022, we are entering our maturing phase from a position of significant financial strength. Our focus has therefore shifted to maintaining our financial resilience. We run sensitivity tests to measure how changes in key assumptions affect our funding position.

We carefully monitor our exposure to insolvencies of companies whose members we protect. We produce regular forecasts and compare actual experience against the forecasts made 12 months earlier. Our short-term forecasting model complements the regular reporting from the Long-Term Risk Model (LTRM).

"The PPF maintains a good understanding of risk areas on the horizon, primarily through its oversight and business intelligence process. In addition, policy issues are identified early, explained, and discussed in detail with DWP."

Department for Work and Pensions review of the PPF
Our principal risks are the most significant risks facing the organisation, including those that could threaten the PPF's operating model, future performance, solvency, liquidity or reputation. They may be identified through our top-down strategic approach, or bottom-up through risk and control self-assessments and financial risk management metrics.

Each principal risk is owned by a member of our Executive Committee and is assessed in terms of residual risk exposure and its position against our risk appetite. That position is routinely discussed and scrutinised at the Risk and Audit Committee. This year, we introduced a new 'Deep Dive' agenda item, under which two principal risks are reviewed in detail by the Risk and Audit Committee every quarter.

Managing risk on a day-to-day basis is embedded in all that we do. Our risk framework extends enterprise-wide to ensure consistency of approach, language, assessment, reporting and escalation. Accountability is paramount: responsibility and oversight for each type of risk in our risk universe is assigned to a member of the Executive Committee, in line with the PPF's own Senior Managers and Certification Regime (SMCR). In support, our risk teams provide advice, tools and challenge across all areas of risk management.

An essential part of our framework is our risk appetite statements, which communicate the Board’s attitude to risk, so managers know and understand the level of resource we want to put at risk in order to meet our objectives. The risk appetite statements make sure senior managers understand the amount of risk they can actively take or need to mitigate. For example, the business was able to consider our appetite for managing short-term and long-term funding liabilities and take the opportunity to reduce the level of the levy.

At the PPF we seek to ensure that our operations are resilient, both internally and within our supply chain. In practice this means combining the insights and outputs of our operational risk, operational resilience and business continuity activities. Together these let us understand the risks and threats that might cause operational strain or severe disruption, put mitigants in place to prevent or minimise disruption where we can, and be well prepared to respond and recover quickly when it does occur.

Much of the work we have completed over the last 12 months has been to align ourselves with the FCA/PRA Operational Resilience Policy Standard. One of its key requirements is to identify our Important Business Services: those which, if disrupted, could cause detriment to our staff, our members or the viability of the PPF.

Our Important Business Services are:

  • Paying members
  • Servicing members
  • Making investments

For each of these Important Business Services, we have mapped potential dependencies and sources of disruption so that we understand clearly where there is reliance on systems, people, suppliers, facilities and processes. We have identified the relative impacts of disruption and the maximum tolerable disruption period for each of the Important Business Services. To test our assumptions, we have run desktop exercises to play through potential scenarios, alongside our standard business continuity testing schedule, including a full-scale simulation exercise for our Emergency Response Team.

We continually benchmark ourselves against industry good practice for operational resilience and business continuity, and are pleased to say that we are working in line with regulatory timelines. We also align with government good practice, participating in the DWP Cross Government Business Continuity Forum and local Croydon Resilience meetings and exercises.

A third party that we and many other organisations use for secure file transfer suffered a cyber-attack in February 2023. Having received assurances that our data had not been affected, we continued to use the product until, in March, we became concerned that this may not have been the case. We immediately stopped using the product, stood up our Emergency Response Team and began a detailed investigation, working with our security partners.

Using our well-established business continuity processes and playbooks, we worked tirelessly to understand and minimise the impact of the breach. We were able to put alternative arrangements in place so that none of our Important Business Services were affected and we continued to provide services to our members, levy payers and colleagues.

Our top priority was to understand what data may have been compromised and contact anyone potentially affected. We can reassure our members and levy payers that none of their data was involved in the breach. Regrettably, some of our current and former employees were affected. We were able to inform them quickly and provide support to help mitigate the risk.

Our own systems were never compromised. We continue to work to the highest information security standards, holding ISO 27001 and Cyber Essentials Plus certification and following the NCSC's 10 Steps to Cyber Security guidance. The incident was reported to the appropriate cybercrime agencies.

We have well-rehearsed processes and teams across the business to deal with such challenges and they performed extremely well on this occasion to investigate and contain the threat, while communicating quickly with those affected. After the incident we evaluated our response and processes to make sure we identified any areas to strengthen our response in future.

Our risk management approach supports the identification, measurement and management of risks that fall under the umbrella of sustainability, including the PPF, our portfolio and the suppliers and partners we work with.

Creating and maintaining a risk culture is essential. We prioritise three core aspects of risk culture, and these are measured and reported to the Chief Risk Officer and the Executive Committee.

  1. Acknowledgement and understanding of risks: Risks and emerging risks are identified, assessed and recorded in a timely manner.
  2. Transparency, openness and escalation: There is an openness to share risk information, report and escalate threats, concerns, new risks, vulnerabilities and/or control failures promptly.
  3. Risk responsiveness: Risk remediation actions are appropriate and completed in a timely manner for material risk exposures and risk incidents.

The Compliance and Ethics team reviews the effectiveness of compliance and conduct activities at the PPF, and reports to the Risk and Audit Committee and our Board. Central to this is the Compliance and Ethics Programme, which includes reviewing our compliance with the key legislation, regulations and compliance standards applicable to the PPF.

Our compliance obligations include the Pensions Act 2004 and regulations relating to financial crime (including bribery and fraud), money laundering, data protection, freedom of information and modern slavery. The compliance standards we have adopted are those that align to an asset manager regulated by the Financial Conduct Authority (FCA) and the accountabilities set out under the SMCR as they apply to the PPF.

The programme includes a core set of compliance monitoring activities, supplemented by regular in-depth testing and reviews, alongside new-starter, online and bespoke compliance training for the business. We performed a review of our progress against regulatory aims and objectives within environmental, social and governance (ESG). At the end of the year, a review of the SMCR was conducted and we are satisfied that the PPF Regime in place remains appropriate. Our Regime closely resembles regulatory expectations; the key differences are that our Senior Management Function holders are not directly approved by the FCA and that we are not required to file reports with the FCA.

We are committed to supporting the Three Lines Model, which outlines collaboration between the first, second and third lines. In 2022/23 we’ve been putting an increased emphasis on the first line of defence by training employees in all business areas in how to identify and manage risk effectively.

Our oversight and assurance approach provides appropriate assurance to decision makers and reinforces a ‘Trust and Verify’ approach to risk management.
