Enterprise risk management

Our purpose is to secure our members’ future. A key part of this is proactively managing risks and implementing measures to safeguard our members’ investments.


Everyone has a role to play in enterprise risk management and this culture is underpinned by our ‘Three Lines of Defence’ model. The key components of our risk management framework are summarised below.

How we define enterprise risk 

Enterprise risks are any non-investment risks that could impact the achievement of our purpose and strategic goals. Enterprise risks can include strategic, operational, legal and regulatory risks. 

How we manage enterprise risk

We have a comprehensive framework to manage the enterprise risks we face. This framework includes policies, processes, tools and governance arrangements designed to identify, assess, monitor, and manage risk across the business. 

The Railpen Board has primary responsibility for the framework and delegates activities to risk committees.  

Our approach to enterprise risk management is embedded throughout Railpen and consists of the following eight interrelated components:

  1. Governance and culture

Risk governance and culture ensure that everyone understands their roles and responsibilities under our ‘Three Lines of Defence’ risk management model. This is supported by framework, policy and directive documentation and risk committees.

  2. Strategy and risk appetite alignment

We define risk appetite as the type and amount of risk we are prepared to take in order to achieve our strategic goals and fulfil our purpose. This ensures that enterprise risk management is aligned with our strategic objectives and risk appetite.

  3. Risk identification

Risks to achieving our purpose, strategic goals or objectives are recorded in our enterprise risk management system. They are assigned an appropriate owner, and then mapped to one of our four principal enterprise risk categories: governance; strategic; operational; and legal, conduct and regulatory.

  4. Risk assessment

We assess how material each risk is to the achievement of objectives using two criteria: the likelihood of its occurrence and its impact.

  5. Risk response

The materiality assessment drives the response and determines how the risk is prioritised and managed in line with our appetite.

  6. Internal control

Our robust controls are recorded against identified risks in our enterprise risk management system and appropriately assessed. The adequacy of our controls drives the appropriate level of assurance work.

  7. Information and reporting

We use several risk monitoring and reporting tools, including risk registers and risk event logs. This ensures relevant enterprise risk information is identified, recorded, monitored and reported in a manner and timeframe that enables governing bodies and risk owners to take adequate action to manage their risks.

  8. Review and revision

Our approach to enterprise risk management continues to evolve to support the ongoing needs of our business and stakeholders, and we commit to at least an annual review of our framework, policy and directive.

Railpen organisational appetite statement

Railpen Limited and Railway Pension Investments Limited (‘RPIL’) recognise that there are risk exposures inherent in the execution of our strategy and operation of our business. Our internal risk governance framework refers to the risks that we manage in pursuit of our purpose to secure our members’ future, while taking into account the interests of employers and other stakeholders.

To support this:

  • We promote an appropriate risk culture to drive the right behaviours in our people;
  • We have a low appetite for inadequate oversight of our critical services and seek to minimise our risk exposure by operating a strong control environment;
  • We have a low appetite for poor member outcomes and seek to minimise our risk exposure by operating a strong control environment for managing our investments, in order to secure the funding of benefits to pay our members;
  • We have a low appetite for failure to comply with all legislation and seek to respond appropriately to external events outside our control.

Risk exposure against appetite is monitored using a number of metrics, including but not limited to, key risk indicators, risk events and internal audit findings, and we will periodically review our risk appetite statements to proactively meet changes in the organisation and the external environment.
