UK Corporate Governance Code 2024 - Preparing Board Readiness
What is Corporate Governance?
Corporate governance is defined as ‘the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies.
The Code applies to companies with a premium listing on the London Stock Exchange, regardless of where they are incorporated. To comply with elements of the UK Listing Rules these companies must apply the Principles of the Code and comply with, or explain against the Provisions.
Corporate Governance is not only important for the largest companies, but all companies should have appropriate systems, policies, and practices in place, therefore many companies that are not required to follow the UK Corporate Code choose to do so.
The latest update to the Code will provide a stronger basis for companies to evidence the effectiveness of their internal controls, thereby enhancing transparency and investor confidence
Since the publication of the revised Code in 2018, the FRC has been monitoring reporting against the Code by selecting a random sample of 100 FTSE350 and Small Cap companies and assessing the quality of reporting. Assessments cover reporting against both the Principles and Provisions, but the emphasis may change year on year.
The 2023 Review of Corporate Governance Reporting (the 2023 Report) considered the following areas: Audit, Risk and Internal Controls; Code Compliance; Culture, Purpose and Values; Diversity; Environment; Board Evaluation; Remuneration; and Shareholder and other Stakeholders Engagement. One of the key finding includes:
Under Section 4 of the Code - Audit, Risk and Internal Control, Principle O, states the following:
The board should establish and maintain an effective risk management and internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.
Provision 29 (new update) of Principle O provides an expansion as follows:
The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
The board should provide in the annual report:
• A description of how the board has monitored and reviewed the effectiveness of the framework;
• a declaration of effectiveness of the material controls as at the balance sheet date; and
• a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues
Below are some guidance provided by the FRC concerning Provision 29.
Audit, Risk and Internal Control
Will directors have to make a declaration over all internal controls?
No. Directors will not have to make a declaration over all internal controls, they will only have to make a declaration of effectiveness over those controls deemed to be material.
What is a ‘material control’ is for each individual board to determine. ‘Material controls’ will be company-specific and therefore different for every company depending on their features and circumstances, including for example size, business model, strategy, operations, structure and complexity.
What are ‘compliance’, ‘operational’ and ‘reporting’ controls, and why do boards now have to report on their effectiveness in the annual report?
Compliance, operational and reporting controls refer to the internal controls in place over the compliance, operational and reporting aspects of the business. These will be specific to business needs, sectors, jurisdiction, size and complexity of each company.
Provision 29 of the 2018 Code already required that boards monitor, review and report on financial, operational and controls. The 2024 Code asks that the board make a declaration of effectiveness over these controls and extends these controls to include those over reporting, such as narrative and ESG reporting controls.
Will boards have to seek assurance over controls?
Provision 29 of the Code requires that the board should monitor the company’s risk management and internal controls framework and carry out a review of its effectiveness, at least annually. An effective risk management and internal controls framework will include monitoring and review components, and as such, it is possible for information collected internally to be relied upon for the purposes of reporting and making any declaration. It is for individual boards to decide whether external assurance is required over controls, and to what degree.
Why does the Code not specifically refer to cyber risks?
Both the Code and the Strategic Report ask directors to consider the situation of the company and identify its emerging and principal risks (and their materiality to shareholders), and how they are managed and mitigated.
For many companies cyber/IT security will be amongst these risks, but the Code does not provide a list of risks for directors to consider as this is a matter for their judgment and particular to the company’s activities. Of course, having expertise on the board in this area will be one way of mitigating this type of risk.
Recommended by LinkedIn
The purpose of the Code disclosures is to give investors an understanding of the directors' consideration of risks and the actions that have been taken. Investors can then engage with the company as appropriate.
What are the next steps for organizations to ensure compliance?
The specific changes to Provision 29 will apply to financial years beginning on or after 1 January 2026. The 2024 Code will apply to financial years beginning on or after 1 January 2025
To ensure compliance with Provision 29 by January 2026, organizations should undertake a comprehensive approach that involves reviewing and enhancing their risk management and internal control systems. Here’s a step-by-step guide:
1. Understand the Requirements
2. Conduct a Current State Assessment
3. Develop or Enhance Frameworks
4. Implement Monitoring and Review Processes
5. Train and Communicate
6. Document Policies and Procedures
7. Prepare for Reporting
8. Review and Adjust
9. Seek External Assistance
10. Establish Continuous Improvement
Timeline and Milestones
By following these steps, organizations can ensure they are well-prepared to meet the requirements of Provision 29 by January 2026, thereby enhancing their overall corporate governance and risk management practices.
With this extended timeline, companies have a valuable opportunity to methodically prepare for compliance. Arischio Consulting can play a crucial role in guiding these organizations through the transition, ensuring not just compliance but the establishment of a robust, sustainable risk management culture. This preparation period should be viewed as an opportunity for strategic enhancement rather than merely a regulatory compliance exercise