The new UK Corporate Governance Code is here: what now?


The FRC has released its long-awaited and refreshed UK Corporate Governance Code (the Code), applicable to Premium Listed Companies (and others who voluntarily adopt it). It is worth reminding ourselves that other codes, including the Wates Principles and QCA Code, tend to follow suit and apply the same principles and expectations, so this is important to all companies with a level of public interest.

The revisions are considerably less extensive than those road-tested a year ago. There will continue to be debate as to whether this is a proportionate response focused on only those things that really are non-negotiable, or a lost opportunity to improve trust in our largest companies. Further guidance will be released by the FRC on 29th January. We will update this document then.

The most significant change – the requirement for an annual controls declaration – will apply for financial years beginning on or after 1st January 2026. The other refinements will take effect earlier, for periods beginning on or after 1st January 2025 (primarily due to the increased focus in last year’s document on minimum standards for Audit Committees working with their external auditors).

Assessing the impact

Many commentators, notably the large external audit firms, have produced commentary repeating the details on applying the new internal control requirements. Few have assessed the impact within companies and for their stakeholders. We seek to do this below.

  1. The FRC has reiterated its desire to see companies “comply or explain”. It asks investors to regard explanations as a positive statement of transparency, provided by companies intent on being responsible with the truth, rather than applying a box-ticking approach. The Stewardship Code, intended to reinforce investor responsibilities, should be the vehicle for these discussions. The Code is principles-based – something most commentators strongly support. Principles allow for judgement. We should applaud companies that provide considered explanations that help the reader to understand how the company is governed.
  2. The revised Code makes it clear that the annual declaration on the effectiveness of controls should include all material controls – financial, operational, compliance and a new category of reporting controls. This brings into scope all matters that are reported or disclosed, whether they are financial or non-financial. Companies must consider whether they have adequate controls over their statements in areas such as health and safety or the Modern Slavery Statement, as well as carbon disclosures and wider environmental reporting.
  3. The discussion points reference s172 of the Companies Act and the broader definition of stakeholders, including investors. While the primary duty remains to shareholders, it is clear the FRC intends that companies should be well governed in the interest of a broader audience. This means controls must include compliance with regulatory obligations and operational controls over critical commitments made to employees (with a wider “workforce” definition like that in whistleblowing definitions), partners, suppliers and customers.
  4. The requirements emphasise the need to consider “material” controls. This is likely to be the greatest challenge for directors. What is “material”? And to whom? Take an example of controls that are designed to prevent harm to the “workforce” or in a regulatory context. Is it acceptable to apply the definition used for financial materiality of, say, 5%? What if 5% of the workforce suffer harm? Is harm in this sense determined by the impact on one individual? We can’t shy away from these very real ethical challenges. Similarly, in an economic climate where people are struggling financially, what does “material” mean in relation to the green promises made to customers – how accurate do these need to be and how much evidence is required?
  5. The requirement to consider controls on a continuous basis has been dropped in favour of an annual declaration. While this is pragmatic and more realistic, allowing for periodic testing and assessment, companies should not be complacent. Controls need to work when it matters to prevent or detect weaknesses or deficiencies. The consequences will be felt throughout the year. Directors will be responsible for breakdowns whenever they occur.
  6. The annual declaration needs to describe any material controls that have not operated effectively as at the balance sheet date, the action taken or proposed, and any actions taken to address previously reported issues. This creates an opportunity for companies to identify issues prior to the balance sheet date and remediate them. It drives continuous improvement in-year.
  7. The Code requires directors to disclose the basis for their declaration on the effectiveness of controls. In doing so it explicitly requires directors to consider the assurance they require over the system of internal control and risk management, taking into account the internal monitoring and assurance that exists before considering whether any external assurance might be valuable. There are other requirements emerging for external assurance over specific environmental and sustainability metrics, but these take the form of limited or reasonable assurance. Companies are invited to think more broadly about how their internal “Three Lines” provide stronger and broader assurance. The Chartered Institute of Internal Auditors’ web pages are a great place to look for more information.
  8. The increased reporting obligations for fraud risk have not been taken forward – we knew this already from when the secondary legislation was dropped. Relevant obligations are already embedded in the Guidance for Audit Committees. The increased focus on the wider internal control system should be sufficient to make directors consider again whether they have really assessed these risks appropriately.
  9. The requirement for a Resilience Statement and an Audit & Assurance Policy had also already been dropped. There remains considerable parliamentary support for these initiatives. In particular, the Resilience Statement was designed to replace both the Going Concern and Viability analysis currently provided. This must surely represent a strong argument for its inclusion in simplifying reporting requirements while providing more meaningful information. We believe companies should consider resilience and assurance mapping while they are implementing the necessary improvements to internal controls as this will ultimately create efficiency.

What should you do? Practical steps you can take

Firstly, we recommend waiting on the final FRC Guidance – they have promised this next week! So far we recommend the following priorities for companies:

  1. Determine how you will engage your investors in a meaningful discussion about these issues and requirements, including the “comply or explain” requirements. Build trust and permission to be transparent where possible.
  2. Start with understanding the risks you need to address through controls. Determine how those risks address your objectives. Ensure that controls are built and designed with the achievement of objectives front of mind.
  3. Perform an inventory of your reporting disclosures and commitments, to all stakeholders as defined by s172 (and with the extension from employees to workforce).
  4. Clarify your risk appetite and materiality. Determine how tensions (particularly those of an ethical nature) will be managed. Does your enterprise risk process need to be updated? We are passionate about moving toward objective-centric risk focussed on strategic outcomes.
  5. Use a process map to identify how your processes overlay with the critical financial and non-financial commitments you make. In doing so you will identify those commitments that are of an operational or compliance nature.
  6. Identify how the most valuable components of existing control frameworks – financial reporting, ITGC, health and safety, or cyber controls, for example – can be transposed into a common framework applicable to areas that have not typically been subject to a more formal system of internal control. Identify opportunities to standardise existing control frameworks.
  7. Use this information to create an inventory of the “material” controls for the annual declaration. This will be the foundation of a resilient and repeatable approach to your control environment that is pragmatic and proportionate.

Brave Within LLP

AUTHOR.

CAROLYN CLARKE
