Bromley Council is taking a proactive approach to safeguarding its pension fund, with a recent review focusing on potential risks, including those stemming from cyber threats. The Bromley Council Local Pension Board convened on 29 July 2025 to scrutinise the fund's risk register, with cyber security being a key area of focus.
The meeting, held virtually via Microsoft Teams, included a review of the Pension Fund Risk Register, which identifies key risks to the fund and outlines control measures to manage or eliminate them. The risk register assesses each risk based on its impact and probability, assigning a risk score and rating. The risk register is reviewed at every Local Pension Board meeting to ensure it remains a live document that reflects the actions being taken to mitigate each risk.
One of the key risks identified in the register is Cyber Risk: The risk of an inability to access records, loss of data, and/or funds. Control measures include penetration testing and disaster recovery plans.
Other risks identified in the register include:
- Poor Investment Performance: The risk of underperforming investment due to asset types, asset mix, or the performance of individual fund managers. Control measures include anticipating long-term returns on a prudent basis, analysing progress at triennial valuations, and diversifying assets.
- Actuarial Risk: The risk of miscalculating liabilities or using inappropriate assumptions, which could impact the fund's ability to meet its obligations. Control measures include maintaining close contact with the actuary and adhering to technical actuarial standards.
- Insufficient Cash: The risk of not having enough cash to meet obligations, such as pensioner payroll and contractor payments. Control measures include updating cashflow requirements every three years and daily monitoring of bank accounts.
- Sub-funds of London CIV Fail to Perform: The risk that sub-funds within the London CIV do not perform as expected. Control measures include retaining assets outside the pool where cost-effective and monitoring the performance of CIV sub-funds.
- Pension Contribution: The risk of failing to collect pension contributions from employees and employers. Control measures include monitoring contributions, using iConnect, and conducting quarterly reconciliations.
- Cost Control: The risk of failing to monitor and control costs for the fund. Control measures include regular reviews of fees and expenses and monitoring performance net of management fees.
- Fraud Risk: The risk of fraud affecting the fund. Control measures include requiring audits on internal controls, conducting due diligence on new managers, and performing internal and external audits.
- Knowledge and Experience: The risk of a lack of knowledge and experience among Pensions Committee/Board members. Control measures include providing ad hoc training and making actuarial, investment, and officer advice available.
- Climate Change: The risk that environmental, social, and governance (ESG) related factors, in particular climate change, reduce the fund's ability to generate long-term returns. Control measures include appointing asset managers who consider ESG issues and monitoring the fund actuary's climate report.
- Regulatory Changes: The risk of detrimental changes to regulations. Control measures include responding to government consultations and advising the Pensions Committee of upcoming legislative changes.
- Mandatory Pooling: The risk of high transition costs of assets to pool. Control measures include continuing to participate in any future consultation and raising concerns to the Government.
- Legal: The risk of failing to comply with legislation or meet statutory deadlines. Control measures include adequately training staff and regularly reviewing and testing the payments process.
- Conflict of Interest: The risk of conflicts of interest affecting decision-making. Control measures include implementing a code of conduct and conflict of interest policies.
- Adequate Level of Administration Officer Knowledge and Skills: The risk of a lack of trained staff to undertake the administration of the LGPS. Control measures include continuous on-the-job training and access to specific legislative training.
- Employers' Data Inaccurate: The risk of inaccurate data from employers. Control measures include liaison with schools, HR, and payroll providers, and the introduction of i-connect.
- Operational Disaster: The risk of an operational disaster (fire, flood, etc.). Control measures include hybrid working and daily data backups.
The Pension Fund Risk Register was reviewed, identifying key risks and control measures. This register is a live document that is regularly updated to reflect the actions being taken to mitigate each risk.
The Local Pension Board plays a key role in monitoring the Risk Register, and it was important to ensure that effective mechanisms were in place for giving feedback or raising concerns about the way that internal controls were functioning in any particular area.