Cracking the Code – What you need to know about the new UK Corporate Governance Code Provision 29
A difficult birth
It’s been several months since the Financial Reporting Council (FRC) published its latest version of the UK Corporate Governance Code.
Delivered under difficult circumstances, the FRC was left holding a rather ugly baby at the end of the public consultation period due to the UK Government’s change of heart on several planned regulatory changes (which the FRC had dutifully reflected in the revised draft Code).
Following an intense period of purdah in which most of the previously proposed changes were dropped, the FRC landed on a final version of the Code that retained the new Provision 29.
It’s clear that consultation feedback to the FRC had been robust regarding the new provision. For example, I chaired a Risk Coalition Risk Committee Chairs’ Forum discussion, with a representative of the FRC present, where a former FRC CEO quietly - but very firmly - suggested the FRC think again.
Recognising the significance and potential unpopularity of the new provision, the FRC made several important changes to the final version in the updated Code. First, they changed from requiring organisations to disclose any failure of material controls in the accounting period to requiring a balance sheet date assessment of material control effectiveness. (Audit nerds will recognise this as a big change.)
Second, taking on board simple backward-planning feedback that suggested organisations would need to have started their readiness projects six months prior to the Code being published, the FRC has given organisations an additional 12-month grace period to comply with this provision.
While seemingly helpful, this change essentially removes the ‘comply or explain’ option for Code firms. It is now unlikely that any listed organisation would be willing to disclose to the market that they had been unable to comply with the new provision, given the additional 12-month grace period.
As noted by a highly experienced GC/Company Secretary, “UKCGC disclosures tend to be treated by proxy agencies as ‘comply or else’ rather than ‘comply or explain’, leading either to abstentions or votes against because explanations and nuances specific to particular companies are being ignored. This naturally means that companies tend to seek to comply with every provision.”
Provision 29
Provision 29 requires the board, on a comply or explain basis, to, “monitor the company’s risk management and internal control framework and, at least annually, conduct a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The board should provide in the annual report:
While optimistically presented by the FRC as a simple change to disclosure requirements, Provision 29 is far from it – particularly for commercial sector organisations that are unlikely to operate the same level of risk management and internal control maturity as those in the financial sector.
Decoding the Provision 29 text, we note that:
In the accompanying guidance published by the FRC earlier this year, the FRC notes in paragraph 261 that, “The company should have systems in place to carry out ongoing monitoring of the design, implementation and operation of the risk management and internal control framework…”.
Guidance paragraph 263 notes, “The board cannot rely solely on the embedded monitoring processes within the company to discharge its responsibilities. It should conduct its own monitoring, based on the regular reporting and other communication with management, internal audit, external audit and other appropriate functions and units…”.
This suggests that the board will need to agree a framework by which it will independently monitor and periodically assess the overall effectiveness of the organisation’s risk management and internal control systems[1] and cannot simply rely on what it is told by management.
Moreover, paragraph 266 of the guidance tells the board to, “…use its professional judgement and scepticism in considering the reporting received from management in the context of the information and reporting received from other sources.” Or, “trust, but verify” in rather plainer English.
While not providing a definition of material controls, the FRC notes in guidance paragraph 272 that, while it is for the board (not management!) to decide which controls are material, these could include, but are not limited to, controls over:
This will require organisations to have a clear view of these controls, and to have the ability to monitor and report on their continued adequacy and effectiveness (which will presumably mean an extensive programme of controls testing throughout the year) – remembering the board should not rely solely on information provided by management.
So who should perform this testing?
Attestation scope
So what constitutes an organisation’s risk management and internal control framework?
Helpfully, guidance paragraph 218 suggests it encompasses, “…the policies, culture, organisation, behaviours, processes, systems and other aspects of the company that, taken together:
Essentially, pretty much everything an organisation does, with few exceptions, is within scope of the attestation.
Is your organisation ready for this?
Summary
The introduction of Provision 29 marks a step change in the level of effort required of organisations to maintain Code compliance. No longer will boards be able to nod through the annual Code attestation ahead of the coffee break. Instead, boards will need to operate a system of ‘close and continuous’ risk management and internal control systems monitoring throughout the year, supplemented by rigorous periodic effectiveness assessments.
Boards will also need to clearly articulate the purpose of their risk management and internal controls systems in order to judge their effectiveness, no longer being able to rely on the advice of management alone.
Provision 29 aims to foster a culture of greater board (and board member) accountability and organisational transparency around risk and control. Ultimately, the FRC’s aim is to bolster investor trust and confidence in the UK market.
The key to ensuring compliance is to take Provision 29 seriously, start work early and be prepared to seek expert advice where necessary.
[1] Also as suggested in paragraph 24 of the Risk Coalition’s seminal ‘Raising the Bar’ guidance for board risk committees.
A great summary - thanks Chris. It's a big and challenging change that will need to be planned for and dealt with for those impacted.