FRC finalises updates to the UK Corporate Governance Code

The FRC has issued the updated UK Corporate Governance Code (“the Code”) following a consultation last year as part of the ‘Restoring trust in audit and corporate governance’ reform package.

The Government had asked the FRC to use a Code-based approach to strengthen boardroom focus on internal control matters rather than introducing a legislative framework and, further to changes in Government policy around other aspects of the reform agenda, this represents the most significant change to the new Code although changes have been made to the proposal which was previously consulted on.

We set out below:

  • The final form of the declaration on the effectiveness of the risk management and internal control framework
  • Other proposals being taken forward which boards should focus on
  • Proposals which have been dropped
  • Timeline for implementation of the updated Code
  • Expectations around the supporting guidance

Final form of the declaration on the effectiveness of the risk management and internal control framework

With the ultimate aim of strengthening board accountability for the effectiveness of the risk and internal control framework, there has been a change to the relevant Code Principle: “The board should establish a framework of prudent and effective controls, which enable risk to be assessed and managed” is replaced by “The board should establish and maintain an effective risk management and internal control framework”.

This amended Principle is reinforced by an extension of the existing Code provision (Provision 29) in relation to the board’s responsibility to monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. Building on this review and monitoring activity, it is proposed that the board provides the following disclosure in the annual report:

  • a description of how the board has monitored and reviewed the effectiveness of the framework;
  • a declaration of effectiveness of the material controls as at the balance sheet date; and
  • a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

Importantly, we now know that this new declaration will cover, in line with the board’s review and monitoring responsibilities, “material controls” noting that this has been changed from “financial, operational and compliance” to “financial, operational, reporting and compliance”. So including a specific “reporting” control consideration intended to cover controls over both financial and non-financial reporting.

The FRC press notice states that it is for a board to determine what should comprise its material internal controls noting that the needs for each business may vary and that the level of maturity of non-financial controls for some businesses may not be, or need to be, as mature as for their financial controls. Further, the FRC states that it is for the board to determine what level of maturity is right for its business and their own levels of required assurance in relation to the effectiveness of these controls.

The final wording of the declaration also removes any suggestion of a need for “continuous monitoring” of internal controls which had concerned many respondents. The declaration of effectiveness will now be as at the balance sheet date. In addition, reference to identification of “material weaknesses” has been removed to provide further differentiation from language used in other jurisdictions.

The FRC believes that this new approach is a targeted, proportionate and balanced response to meeting enhanced investor and stakeholder expectations for better governance reporting around risk management and internal controls whilst minimising reporting burdens on businesses. Also that this approach, which is principles based and relies on boards making their own judgments on what is material, is better suited for the UK commercial and governance framework than more intrusive and prescriptive approaches required in other jurisdictions.

Other proposals being taken forward which boards should focus on

  • Activities and outcomes - governance reporting should focus on board decisions and their outcomes in the context of a company’s strategy and objectives.
  • Culture – Provision 2 has been amended to include that boards should not only assess and monitor culture, but also how the desired culture has been embedded.
  • ‘Audit committees and the external audit: Minimum Standard’ - to avoid duplication, the updated Code removes those elements covering the work of the audit committee in relation to external audit and instead refers companies to the Standard.
  • Diversity - Principle J has been amended to promote diversity, inclusion and equal opportunity, without referencing specific groups. The list of diversity characteristics has been removed to indicate that diversity policies can be wide ranging.
  • Malus and clawback remuneration arrangements - strengthened reporting on the circumstances for, and use of, malus and clawback.
  • The remuneration policy – existing Provision 40 setting out characteristics of effective remuneration policy and practices has been removed.

Proposals which have been dropped

  • Sustainability matters – the updated Code will not include wider responsibilities and considerations for the board and audit committee in relation to ESG objectives and other sustainability matters.
  • The Audit & Assurance Policy (AAP) and the Resilience Statement – all references to the AAP and the Resilience Statement have been removed reflecting the withdrawal of the Statutory Instrument which would have introduced these statutory reporting requirements (existing Code provisions in relation to the viability statement and going concern reporting are retained).
  • Shareholder engagement – active responsibility for Committee chairs to engage with shareholders has been removed (the current provision “to seek engagement” is retained).
  • Director appointments – proposals to report on all significant director appointments in the annual report together with an explanation of how able to meet those commitments has been removed.
  • Malus and clawback remuneration arrangements – proposed reporting on the use of malus and clawback provisions in the last five years has been removed.

Timeline for implementation of the updated Code

The updated Code will apply to accounting periods commencing on or after 1 January 2025 with the exception of Provision 29 – the declaration on the effectiveness of the risk management and internal control framework – which will apply to accounting years commencing on or after 1 January 2026 to allow sufficient time for implementation. Until then, existing Provision 29 of the 2018 UK Corporate Governance Code applies.

Expectations around the supporting guidance

The updated Code will be supported by updates to all supporting guidance: Guidance on Board Effectiveness, Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and Guidance on Audit Committees. These pieces of guidance are currently three standalone documents but we understand that going forward they will be combined into a single interactive resource which is connected directly to the relevant sections of the Code.

The updated guidance will be issued on 29 January 2024. The FRC stresses that the guidance should not be viewed as part of the Code and should not be seen as a requirement of the FRC. It is aimed at contributing helpful context to a board’s consideration of how they might go about complying with the Code. The FRC explains that, in preparing the guidance, it has drawn on the expert advice of its Stakeholder Insight Group which represents a cross-section of those with a keen interest in the Code such as preparers and investors.

Reporting By Deloitte UK, 22nd January 2024.