What is Corporate Governance?
Corporate governance is defined as ‘the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies.’ (Cadbury Report, 1992).
The UK Corporate Governance Code (the Code) applies to companies with a premium listing on the London Stock Exchange, regardless of where they are incorporated. To comply with the relevant elements of the UK Listing Rules, these companies must apply the Principles of the Code and either comply with, or explain against, its Provisions.
Corporate governance is not only important for the largest companies: all companies should have appropriate systems, policies and practices in place. For that reason, many companies that are not required to follow the UK Corporate Governance Code choose to do so voluntarily.
The latest update to the Code provides a stronger basis for companies to evidence the effectiveness of their internal controls, thereby enhancing transparency and investor confidence.
Since the publication of the revised Code in 2018, the FRC has been monitoring reporting against the Code by selecting a random sample of 100 FTSE350 and Small Cap companies and assessing the quality of reporting. Assessments cover reporting against both the Principles and Provisions, but the emphasis may change year on year.
The 2023 Review of Corporate Governance Reporting (the 2023 Report) considered the following areas: Audit, Risk and Internal Controls; Code Compliance; Culture, Purpose and Values; Diversity; Environment; Board Evaluation; Remuneration; and Shareholder and Other Stakeholder Engagement. One of its key findings was:
- Little improvement was seen in the quality of reporting on risk management and internal controls. Most companies need more work to demonstrate robust systems, governance, and oversight.
Under Section 4 of the Code (Audit, Risk and Internal Control), Principle O states the following:
The board should establish and maintain an effective risk management and internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.
Provision 29, as revised in the 2024 Code, expands on this Principle as follows:
The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
The board should provide in the annual report:
• a description of how the board has monitored and reviewed the effectiveness of the framework;
• a declaration of effectiveness of the material controls as at the balance sheet date; and
• a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them, and any action taken to address previously reported issues.
Below is guidance the FRC has provided on Provision 29.
Audit, Risk and Internal Control
Will directors have to make a declaration over all internal controls?
No. Directors will not have to make a declaration over all internal controls; they will only have to make a declaration of effectiveness over those controls deemed to be material.
What constitutes a ‘material control’ is for each individual board to determine. ‘Material controls’ will be company-specific and therefore different for every company depending on its features and circumstances, including for example size, business model, strategy, operations, structure and complexity.
What are ‘compliance’, ‘operational’ and ‘reporting’ controls, and why do boards now have to report on their effectiveness in the annual report?
Compliance, operational and reporting controls refer to the internal controls in place over the compliance, operational and reporting aspects of the business. These will be specific to business needs, sectors, jurisdiction, size and complexity of each company.
Provision 29 of the 2018 Code already required that boards monitor, review and report on financial, operational and compliance controls. The 2024 Code asks that the board make a declaration of effectiveness over these controls and extends the scope to include controls over reporting, such as narrative and ESG reporting controls.
Will boards have to seek assurance over controls?
Provision 29 of the Code requires that the board should monitor the company’s risk management and internal controls framework and carry out a review of its effectiveness, at least annually. An effective risk management and internal controls framework will include monitoring and review components, and as such, it is possible for information collected internally to be relied upon for the purposes of reporting and making any declaration. It is for individual boards to decide whether external assurance is required over controls, and to what degree.
Why does the Code not specifically refer to cyber risks?
Both the Code and the Strategic Report ask directors to consider the situation of the company and identify its emerging and principal risks (and their materiality to shareholders), and how they are managed and mitigated.
For many companies cyber/IT security will be amongst these risks, but the Code does not provide a list of risks for directors to consider as this is a matter for their judgment and particular to the company’s activities. Of course, having expertise on the board in this area will be one way of mitigating this type of risk.
The purpose of the Code disclosures is to give investors an understanding of the directors’ consideration of risks and the actions that have been taken. Investors can then engage with the company as appropriate.
What are the next steps for organizations to ensure compliance?
The 2024 Code applies to financial years beginning on or after 1 January 2025, with one exception: the revised Provision 29 applies to financial years beginning on or after 1 January 2026.
To be ready for Provision 29 when it takes effect for financial years beginning on or after 1 January 2026, organizations should take a comprehensive approach that involves reviewing and enhancing their risk management and internal control systems. Here is a step-by-step guide:
1. Understand the Requirements
- Thoroughly Analyze Provision 29: Understand the specifics of the provision, including the scope of controls and reporting obligations.
- Regulatory Guidance: Stay informed about any guidance or interpretations provided by regulatory bodies regarding Provision 29.
2. Conduct a Current State Assessment
- Evaluate Existing Frameworks: Assess the current risk management and internal control frameworks against the requirements of Provision 29.
- Identify Gaps: Pinpoint areas where current practices do not meet the new standards.
3. Develop or Enhance Frameworks
- Framework Enhancement: Based on the assessment, develop or enhance the risk management and internal control frameworks to comply with the provision.
- Integrate Controls: Ensure the framework covers all material controls – financial, operational, compliance, and reporting.
4. Implement Monitoring and Review Processes
- Establish Monitoring Mechanisms: Set up processes for continuous monitoring of the framework’s effectiveness.
- Annual Review Plan: Create a plan for the annual review of the framework, ensuring it aligns with Provision 29’s requirements.
5. Train and Communicate
- Board and Employee Training: Educate the board and relevant employees about their roles in risk management and control processes.
- Internal Communication: Ensure a clear understanding of the new requirements and processes across the organization.
6. Document Policies and Procedures
- Documentation: Develop clear documentation of risk management policies, procedures, and controls.
- Record-Keeping: Maintain records of monitoring activities and reviews for reporting and evidence purposes.
7. Prepare for Reporting
- Develop Reporting Templates: Create templates for the annual report that include all necessary disclosures as per Provision 29.
- Test Reporting Process: Test the reporting process before the actual requirement to ensure accuracy and completeness.
8. Review and Adjust
- Pre-Compliance Review: Conduct an internal review before January 2026 to ensure all aspects of Provision 29 are being met.
- Adjustments: Make necessary adjustments based on the review findings.
9. Seek External Assistance
- Consult Experts: Consider engaging with external consultants or auditors for expert advice or to validate compliance efforts.
10. Establish Continuous Improvement
- Feedback Mechanism: Implement a mechanism for feedback and continuous improvement of the risk management and internal control systems.
Timeline and Milestones
- 2024-2025: Focus on understanding, assessment, development, and initial implementation.
- Mid-2025: Begin comprehensive reviews and adjustments.
- Late 2025: Finalize preparations and ensure readiness for compliance in 2026.
By following these steps, organizations can ensure they are well-prepared to meet the requirements of Provision 29 by January 2026, thereby enhancing their overall corporate governance and risk management practices.
With this extended timeline, companies have a valuable opportunity to prepare methodically for compliance. Arischio Consulting can play a crucial role in guiding organizations through the transition, ensuring not just compliance but the establishment of a robust, sustainable risk management culture. This preparation period should be viewed as an opportunity for strategic enhancement rather than merely a regulatory compliance exercise.