Financial crises and corporate failures have all contributed to the debate around, and reform of, corporate governance in the UK. The latest debate has been driven by the UK Government’s White Paper on Restoring Trust in Audit and Corporate Governance which followed a series of corporate failures in the UK including those of Patisserie Valerie, Carillion and BHS.
Following a consultation the Government has proposed reforms that will require changes to legislation and to existing standards and guidance, including the UK Corporate Governance Code. These changes cover the respective responsibilities of:
- Directors and their responsibilities for governance, internal control, and corporate reporting;
- Preparers of financial and non-financial information;
- Auditors and providers of assurance services, and actuaries.
The Financial Reporting Council (FRC) will transition to becoming the Audit Reporting and Governance Authority (ARGA), to support the UK Government’s reform.
Restoring Trust in Audit and Corporate Governance
The UK Government’s response to its consultation on ‘Restoring Trust in Audit and Corporate Governance’ included a proposal for focussed revisions to the UK Corporate Governance Code, and changes to Corporate Reporting. It also confirmed proposals to introduce new reporting requirements for Public Interest Entities (PIEs) and the development of a minimum standard for Audit Committees.
Public Interest Entities
The definition of a Public Interest Entity will include companies with over 750 employees and a turnover of over £750m. The following new requirements will apply to the so-called 750:750 Companies:
- Annual Resilience Statement setting out how a company is managing risk over the short, medium and long term;
- Triennial Audit and Assurance Policy (AAP), explaining how the company proposes to assure non-financial reporting over the following 3 years;
- An Annual Statement about distributable profits and the company’s policy on distributions; and
- An Annual Statement on steps taken to prevent and detect material fraud.
Minimum Standards for Audit Committees
The FRC’s Minimum Standards for Audit Committees and the External Audit sets out requirements for the audit committees of all FTSE 350 companies. Sections of the Standard relating to the role and responsibilities of the Audit Committee overlap with the existing UK Corporate Governance Code. The FRC has proposed that they are removed from the Code and that the Code instead refers to the Standard.
Consultation on the UK Corporate Governance Code
In May 2023 the FRC launched its consultation on revisions to the UK Corporate Governance Code.
The changes are not a complete overhaul of the 2018 Code; they instead enhance focus on the areas of the Code that do not currently get the attention they deserve. The FRC is sending a message to Boards that this is about demonstrating their good governance through quality explanations, transparency and by providing stakeholders with decision-useful information.
Who does this apply to and when?
The Code is to be adopted by companies voluntarily, or because they are required to do so by the UK Listing Rules. The revised Code will apply to accounting years commencing on or after 1 January 2025.
The FRC has acknowledged the overlap between the UK Government’s requirements for PIEs and the Code (as not all entities covered by the Code will be PIEs) and sets out how Boards should respond. Further details are given below.
What are the key changes?
The most significant proposed changes relate to Audit, Risk and Internal Control, and the Board’s responsibility for establishing effective risk management and internal control, and robustly reporting on their effectiveness throughout the reporting period.
The Code remains Principles-based, and its structure and sections (Board Leadership & Company Purpose; Division of Responsibilities; Composition, Succession & Evaluation; Audit, Risk & Internal Control; and Remuneration) are unchanged.
What does this all mean for Boards?
The proposed changes will likely require some work by Boards, and management, to implement and report on their good governance arrangements. Boards should be taking action now to assess their governance gaps in relation to the proposed revisions. (Further detail on the revisions is provided below.)
Whilst some of the revisions may require fundamental change in how companies are governed (since demonstrably effective risk management and internal control systems do not happen overnight) the changes are also about giving stakeholders the information they need about how the company is governed. Boards should also be focussing on how they communicate effectively with their stakeholders through their reporting.
The key revisions are given in more detail below:
Risk Management and Internal Controls
This Principle will go further by making the Board responsible not just for establishing but also for maintaining the effectiveness of the risk management and internal control framework. The Board's accountability for monitoring and reviewing the effectiveness of the framework is emphasised by this change.
The scope of this accountability has been expanded to include controls over the quality and accuracy of reporting, for example on strategy, principal risks and ESG matters, and also to include a company’s wider operational and compliance controls. Examples of the application of this expanded scope would include the reporting on the control frameworks for:
- Preventing and detecting fraud and other economic crimes;
- Cyber security including identifying and protecting critical data assets;
- Supply chain transparency and resilience;
- Environmental, social and governance risks; and
- Ensuring compliance with regulatory requirements.
Reporting impact on Boards
Boards will need to:
- Declare whether they can reasonably conclude that the company’s risk management and internal control systems, including material operational, reporting and compliance controls, have been effective. This applies throughout the reporting period and up to the date of the approval of the annual report by the directors;
- Explain the basis for the declaration, including explaining how the Board has monitored and reviewed the effectiveness of these systems; and
- Report any material weaknesses identified in these systems during the reporting period and the actions the Board has taken to address them.
The Board will also need to explain in the Annual Report what procedures are in place to identify and manage emerging risks and to describe these risks.
Audit and Assurance Policy (AAP) (including PIEs)
The detailed requirements of the AAP will be set out in Regulations. All companies reporting against the Code should consider producing an AAP on a ‘comply or explain’ basis, using the Legislation as a guide to what should be included. The legislative requirements for an AAP are reflected in the Code by giving the Audit Committee a new responsibility for monitoring the integrity of narrative reporting, including any sustainability matters.
It is expected that Legislation will require PIEs to set out:
- Their internal auditing and assurance arrangements;
- What external assurance, if any, the company proposes to seek beyond the statutory auditor’s duties;
- A description of the policy in relation to the tendering of external audit services;
- Whether any external assurance proposed will be ‘limited’ or ‘reasonable’ assurance;
- Whether any external assurance beyond the statutory audit will be carried out according to a professional standard;
- How the AAP has taken account of shareholder and other stakeholder views; and
- Whether and how the company intends to seek external assurance over any part of the Resilience Statement or over reporting of its internal controls in relation to financial reporting.
Reporting impact on Boards
Boards will need to describe the Audit Committee’s work in this area in the Annual Report, together with the assurance of ESG metrics and other sustainability-related information that has been commissioned.
Resilience Statement (including PIEs)
The requirements of the Resilience Statement will be set out in legislation, which is expected to require PIEs to describe their approach to managing risk and developing resilience over the short, medium and long term.
The Resilience Statement will also fulfil the Code requirement to explain how the future prospects of the company have been assessed, and replace the existing Viability Statement. Code companies that choose not to have a Resilience Statement will be expected to report in a proportionate way.
Reporting impact on Boards
The main disclosure requirements of the Resilience Statement will be:
- A summary of the company’s strategic approach to managing risk, and building or maintaining resilience, giving regard to internal governance processes;
- Identification of the company’s principal risks, and how these are being managed;
- Summary of why the directors believe the company remains a going concern;
- An assessment of the company’s prospects over the medium-term including with regard to its stated principal risks; and
- A reverse stress test, identifying a combination of circumstances in which the company’s business plan would become unviable and setting out any mitigating action put in place.
A new Principle highlights the importance of executive remuneration outcomes being clearly aligned to:
- Company performance, purpose, and values; and
- Delivery of the long-term strategy, including a specific mention of ESG objectives.
The existing Principle is made more specific by stating that Remuneration Committees should have regard to company and workforce pay and conditions as a factor in determining executive pay.
Reporting impact on Boards
The proposals for inclusion in the Annual Report include a statement on whether the company has malus and clawback arrangements in place including:
- The minimum conditions in which these would apply;
- The minimum period for applying them and why the selected minimum period is best suited to the organisation; and
- Whether they have been used in the last financial year.
The Chair should now commission, rather than consider, a regular externally facilitated Board Performance Review. The intention is that this exercise is part of a continuous programme of Board self-improvement rather than a backward-looking activity.
Reporting impact on Boards
The Annual Report should include how the Board Performance Review has been conducted, the outcomes and actions taken, and how it has or will influence future Board composition.
The Annual Report’s description of the work of the Nomination Committee should now include:
- Succession planning for Board and senior management positions in order to deliver the company’s strategy, including how diversity is factored into the pipeline;
- The appointments for the Board and senior management, including the search and nomination procedures and promotion of diversity; and
- The effectiveness of the diversity and inclusion policy, including how company objectives and initiatives are being met.
Other Revisions Related to Board Reporting
Boards will also need to include the following areas in their Annual Reports:
- Environmental matters, including climate ambitions and transition planning (the introduction of the Resilience Statement and AAP will mean that the audit committee will have new responsibilities to consider wider sustainability-related matters);
- How effectively the desired culture and behaviours have been embedded throughout the business; and
- Information on directors’ other commitments and how they manage these.
The over-riding theme is that there should be increased transparency in reporting, a move away from boilerplate statements and that reporting should demonstrate the impact and outcomes of governance practices.
Associated FRC Guidance:
Separate Guidance will be produced by the FRC to support the revised Code, following the FRC’s engagement with stakeholders:
- Guidance on Audit Committees
- Guidance on Board Effectiveness
- Guidance on Risk Management, Internal Control and Related Financial and Business Reporting
UK Economic Crime and Transparency Bill
The Economic Crime and Transparency Bill, tabled by the UK Government in June 2023, has confirmed its plans to include a ‘failure to prevent fraud’ offence to hold organisations to account if they profit from fraud committed by their employees. Under the new offence it will not need to be demonstrated that company management knew about the fraud.
Only large organisations will be in scope, defined (using the standard UK Companies Act 2006 definition) as those meeting two out of three of the following criteria: more than 250 employees, more than £36 million turnover and more than £18 million in total assets.
For further information on the steps Boards and management can take to prepare for the proposed reforms, please get in touch.