Ethics & Compliance and the UK Corporate Governance Code

On 22 January 2024, the Financial Reporting Council (FRC) announced the long-awaited update to the UK Corporate Governance Code (the Code). This was followed a week later by the publication of the Corporate Governance Code Guidance (the Guidance), which supports companies in applying the Code Principles by providing advice, further detail and examples.

In this article, we explore the key updates to the Code and what they mean for Ethics & Compliance (E&C) teams.
Ethics & Compliance and the Corporate Governance Code
The first version of the UK Code, published in 1992, focussed on the governance systems by which companies were directed and controlled and has continued to evolve to take account of the increasing demands on the UK’s corporate governance framework.
While the UK Code applies only to companies with a premium listing on the London Stock Exchange, many more companies, across jurisdictions including Jersey and Guernsey, have chosen to follow it as a standard of best practice, giving their boards assurance that appropriate systems, policies and practices are in place.

Controls frameworks are well established in the financial controls arena, particularly following the introduction of US SOX. However, few companies outside financial services have progressed to the point of having effective mapping and frameworks in place for compliance controls. E&C teams should now be paying much closer attention to this latest Code update.
Changes to the UK Corporate Governance Code
Some of the key changes focus on internal controls and culture and therefore have direct relevance to E&C.
  • Principle O has been amended and now requires the board to not only establish, but also maintain the effectiveness of, the risk management and internal control framework (including compliance controls).
  • A new Provision, number 29, requires the board to monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
  • The 2018 UK Code already required boards to monitor, review and report on financial, operational and compliance controls. The 2024 UK Code adds the requirement for the board to make a declaration of effectiveness in relation to material controls, including financial, operational, reporting and compliance controls.
  • The board should describe in the annual report how it has monitored and reviewed the effectiveness of the control framework, highlight any material controls which have not operated effectively, and set out the action taken, or proposed, to improve them and to address previously reported issues.
  • Also relevant to E&C teams are amended provisions relating to corporate culture. In the context of ensuring that the company’s purpose, values, strategy and culture are aligned, an amended Provision 2 now requires that boards not only assess and monitor culture but also assess how the desired culture has been embedded, and report on the activities and actions taken in the annual report.
The changes under Provision 29 are significant. The additional requirements around declarations of effectiveness, monitoring and reviewing control frameworks and providing commentary on controls that have not operated effectively will likely mean that boards and their second-line functional teams across finance, risk, controls and compliance, where the Code applies to them, will need to start planning sooner rather than later. Although the 2024 UK Code updates will not apply until financial years beginning on or after 1 January 2025 (for Provision 29, financial years beginning on or after 1 January 2026), businesses are already starting to consider the key questions. Businesses that already voluntarily comply with the 2018 Code should also consider these questions to remain up to date.
The updates to the UK Code will require a more detailed focus on compliance controls as part of a wider controls framework. Together with the additional requirements around organisational culture, these changes should be seen as an opportunity for E&C teams to tailor, enhance and further embed existing E&C programmes.
Next Steps for Ethics and Compliance teams
For E&C teams, early planning in relation to the following considerations is recommended as part of the process to build an effective compliance controls framework:

Compliance Controls:
  • Is there an internal control framework and does this address compliance controls?
  • Are the risk registers sufficiently mature as a starting point for both risks and internal controls?
  • How mature is the approach to internal controls and enterprise risk within the organisation – is a shift in culture and behaviours now required?
  • What is the best way to develop a compliance control framework to the level of maturity such that it aligns and can be integrated with other controls across the organisation?
  • Who is responsible for maintaining the internal controls framework and what is the role for E&C?
  • What does material mean in relation to compliance controls? Revisiting the compliance aspects of the principal risks can support this process.
  • How can the right level of assurance be delivered so that the board can reach a conclusion on the effectiveness of material controls and support an internal controls declaration?
  • How are control failures and proposed remediation activities to be reported to the board?
  • How can technology be leveraged to help embed and sustain the controls framework?

Culture:
  • Have you defined the culture and shared values you need to deliver your strategy and purpose?
  • Do you know how to embed your desired culture effectively?
  • Is your culture enabling your commercial success?
  • Do you measure if the culture and values are being embedded effectively?