Harrow Council is taking proactive steps to safeguard its pension fund against potential cyber security threats, as highlighted during the Pension Fund Committee meeting on Monday 17 November 2025. The committee and the Pension Board regularly review the Pension Fund Risk Register.

The committee reviewed the updated Pension Fund Risk Register for Q2 2025/26, which identifies key risks and outlines controls and contingencies. Among the key risks identified is the potential for a major cybersecurity incident affecting the fund or an external supplier, which could result in service failure and a significant breach of the Data Protection Act. Controls are in place including contractual data security and backup with third parties, and assurance is sought and obtained on third party supplier business continuity plans that they are in place and have been tested.

The Review of Pension Fund Risk Register report sets out the updated Pension Fund Risk Register Q2 2025/26. The Appendix 1 - Pension Fund Key Risks document updates the presentation of the key risks to set out a description of the risk, causes, controls, consequences and contingencies. Each risk also provides details of further actions underway, or actions expected to occur in near future.

According to the report, there have been no changes to any of the risk scores since the last update in June 2025. However, work is underway to refine the current risk register methodology, intending to refine how risk probability is scored via the introduction of a process to identify early warning signs (if applicable).

Other key risks identified in the register include:

  • A significant fall in asset values.
  • Investment portfolio fails to perform in line with expected returns.
  • The Fund's liabilities move by a much greater amount than fund assets.
  • Failure by fund managers to achieve benchmark (passive) or performance target (active) returns for their given mandates.

The committee also received an update on compliance with the new Pensions Regulator (TPR) Code of Practice, which came into force in March 2024. The TPR Code of Practise Compliance Update report notes that the new General Code of Practice (GCOP) consolidates and refreshes previous Codes into a single Code for all pension schemes, replacing Code of Practice 14 (Governance and Administration of Public Service Pension Schemes).

Fund officers worked with consultants from the Hyman Robertson Governance team to assess the fund for compliance with the new code, using their GCOP checker tool. The report sets out the results of compliance testing across 14 chapters, with percentages reflecting compliance against checklist items, split into full and partial compliance. Actions to bring the Harrow Pension Fund into compliance with GCOP are detailed, including policy reviews and updates to procedure notes. Specific actions are detailed in Table 2 of the TPR Code of Practise Compliance Update report, such as reviewing the Terms of Reference of the Pension Board and Pensions Committee, updating the PF Training policy, and developing a risk management policy.

The TPR Code of Practise Compliance Update report also mentions updating the breaches policy and carrying out training for the committee and board so that all are aware of the duty to report. The Draft Responsible Investment Policy also states that the Committee will incorporate the RI policy and approach into member communication and engagement.