Corporate Governance: FRC publishes its updates to the UK Corporate Governance Code

CONTENTS

• What are the changes to the current corporate governance code?
• A guide for what the announcement means for you, and what boards should be thinking about

Having consulted extensively the FRC has published a much lighter update to the UK Corporate Governance Code, from the draft proposals it published last summer, but what are the key changes and what do they mean for business, boards and other leaders tasked with, and accountable for, the sustainable success of UK plc?

What are the changes to the UK Corporate Governance Code?

True to the FRC’s press statement in November 2023, the key change to the Code relates to internal controls, however there are a smaller number of other changes that will also give boards cause to reflect.

Most significantly the board no longer only has responsibility for establishing an effective risk management and internal control framework, but in accordance with the new Code it now also has responsibility for maintaining its effectiveness. This is no small ask.

The Code remains Principles based and applicable on a “comply or explain” basis. In announcing the updated Code the FRC emphasised the confidence that compelling explanations gives to stakeholders, and this is now captured by a new Principle, C. Other changes relate to board culture, diversity and inclusion, and malus and clawback provisions in Directors’ contracts. With the exception of Provision 29 relating to risk management and the internal control framework, which becomes effective 1 January 2026, all other changes become effective 1 January 2025.

The key changes are:

The Code’s structure and sections; Board Leadership & Company Purpose, Division of Responsibilities, Composition, Succession & Evaluation, Audit, Risk & Internal Control, and Remuneration, are unchanged.

A guide for what the announcement means for you, and what boards should be thinking about

Whilst the updates are lighter than initially anticipated, the proposed changes will still require consideration and work by boards, and management, to implement and to ensure that these elements are appropriately captured within their reports. Boards should be taking prompt action to assess their governance gaps in relation to the updated Code.

Top of the list are risk and internal control. Whilst none of the updated Principles and Provisions are quickly fixed (hence the longer implementation date), effective risk management and internal control require a whole systems approach with input from your businesses most senior leaders. A robust framework cannot be fully embedded without the will and understanding of your people and, depending on the maturity of existing arrangements, a significant shift in culture and behaviours may also be required.

In the sections below we explore the key update areas of the Code and the things boards should be thinking about.

Risk

Effective risk management empowers your organisation to achieve its strategic objectives, manage uncertainties and understand the threats and opportunities it faces. It helps your business to understand, evaluate and take action in relation to your risk profile - protecting assets, reducing the likelihood and impact of losses, and enhancing your decision-making to unlock potential business opportunities.

However, there is no one-size-fits-all for risk management and it can only be effective and successful when set up to align with your business structure, model and strategic objectives. Key questions to ask are:

• Do you proactively consider risk in strategy setting and decision making?
• Have you identified the key risks that could most impact your business objectives?
• How do you align risks and opportunities to strategic objectives?
• How do you assess your risk exposure?
• How is risk governed and owned in your company?
• How do you ensure your systems pick up early warning signs of risk events and how do you respond?
• How do you learn from “near misses” and crystalised risk events? Both within and beyond your business?
• How do you embed risk in operations?

Controls

A robust control environment drives increases in quality, efficiency and insight into your business processes through increased risk visibility, control awareness and management information. Data analytics can drive deeper insights and shared learnings, whilst also enabling you greater transparency and accountability across the business. A reduction in manual control activities has the benefit of improving the resilience of your finance and IT systems and in turn frees up time to focus on value add and insightful initiatives.

Experience speaks for itself; almost 80 per cent of CFOs of US-listed companies said the overall quality of information in audited financial statements improved after SOx was introduced. However it is important to remember that the Code also includes operational, reporting and compliance controls. Bribery and corruption, fraud, trade compliance, modern slavery and human rights, health and safety, data privacy, AML and competition all present a risk to your business, and it is sobering to think that the UK’s Serious Fraud Office has levied fines of c. £2bn over a two-year period.

Operational controls address the material risks linked to your strategy and an effective risk management framework will include an assurance regime that gives the board confidence over the effectiveness of these controls.

Boards should be thinking about:

• What are the key material controls across the organisation?
• How mature is the current internal control framework and what needs to happen to move to a maturity level that is acceptable to the board and stakeholders?
• What level of assurance is required to enable the board to effectively provide an internal controls declaration?
• Who in the organisation is responsible for maintaining the internal control framework?
• How can technology be leveraged and is there the opportunity to align to any existing or planned transformation programmes to maximise benefits, synergies and value?

Culture

A healthy culture is fundamental to business success and brings competitive advantage to those who get it right. But it is no simple task to build healthy behaviours and embed them throughout an organisation. Culture needs to align to your business strategy and purpose, will be influenced by your leaders’ behaviours and actions, and is influenced by the business environment, systems, and processes. It is not difficult to recall examples of where business behaviours have caused significant reputational harm, or worse, to UK Plc.

As a good board and business, you will know what you want your culture to be, engage your people in defining this and embark on a focussed transformation with measured outcomes and feedback on how it is being embedded. Things for you to think about are:

• What is your current culture? How do you evaluate this?
• What is your desired culture? For example the culture required to support your business objectives
• How effective is your approach to developing and/ or enhancing your culture?
• How can you change and transform your culture?
• How does the board get assurance there is a healthy organisational culture? That is what measurements are used, and what monitoring and management information is in place?

Board Performance

A subtle change in the Code’s wording to reference board performance rather than board effectiveness, draws attention to the importance of how the board goes about its business. Having the right leadership, skills, behaviours, knowledge, relationships, and diversity of thought on your board to reach decisions, is as important as the decisions themselves in delivering sustainable success. Has your board taken time to reflect on:

• How well board members can articulate the organisation’s strategic aims, purpose and values?
• How effective are board members in applying a strategic lens to discussions and decision-making?
• What are board relationships and board dynamics like including the impact of any changes in board membership and the relationship between the board and the executive?
• How effectively does the board exercise oversight and challenge, in relation to the executive and its sub-committees?
• Whether the board has the right balance of skills, experience and diversity of backgrounds?
• How effective the board’s communication is with its stakeholders, including shareholders and regulators?

Audit Committee

Provisions 25 and 26 of the Code have been updated to reflect the ‘Minimum Standard: Audit Committees and the External Audit’, which focuses on the relationship with external audit, including tendering and oversight. Given this, and the significant changes to the Code (to now include maintaining the effectiveness of the risk management and internal control framework and providing a description of how it has done this, of any material control weaknesses and a declaration of the effectiveness of material controls at the balance sheet date) it is time for the Audit Committee to reflect on the skills, capabilities and processes needed for it to be able to fulfil its responsibilities. The Audit Committee should be thinking about:

• Its augmented role, including a gap analysis against responsibilities set out in the Standard
• Processes it has in place for the tendering and selection of auditors
• How it exercises oversight of its auditors and the audit process
• What measures it has in place to assess the effectiveness of the external audit and the auditor
• How it ensures it can meet the reporting requirements of the Standard and the Code, including the attestations relating to the risk management and internal control framework

Diversity and Inclusion

The wording of the Code has been amended to remove reference to specific groups when promoting diversity and inclusion. This is in line with the anticipated broadening of UK law regarding protected characteristics. Businesses should be thinking about diversity in its widest possible sense, and tailoring policies, procedures and controls to reflect this.

Directors Contracts

As noted above, in the context of remuneration, the key change to the Corporate Governance code relates to a toughening of the position relating to the insertion of Malus and Clawback provisions in directors’ contracts and related agreements. This is accompanied by an increased disclosure and reporting obligation related to the adoption and use of such provisions.

In terms of actions required by companies, it will be important to review your existing Malus and Clawback provisions, in order to ensure these are sound (and compliant). And to plan for the new reporting provisions – including a clear explanation of why the period the provisions apply for is the best fit for your organisation. Deciding to opt for non-compliance with these revised Malus and Clawback provisions is unlikely to be a battle worth fighting.

It is also worth noting the numerous remuneration related changes which were proposed but were ultimately shelved. For example, we were concerned as to how companies would show compliance with the provision which stated, ‘Remuneration outcomes should be clearly aligned to company performance, purpose and values, and the successful delivery of the company’s long-term strategy including environmental, social and governance objectives). Whilst this statement is broadly clear in its intention, our view was that it would be lot more difficult in practice to showcase compliance and progress against such aims. Whilst the provision has been shelved, we do suspect it will re-emerge at some stage, and so would recommend organisations seek to take some (voluntary) steps to consider how they would comply with something of this nature – ready for when it (inevitably) reappears.

Reporting

There is no change to the expectation that companies ‘comply or explain’. The FRC stresses that this gives companies the opportunity to communicate salient and pertinent information to their stakeholders. Put another way, boilerplate statements are not decision useful and describing the impact or outcome of activities; the ‘so what’, adds far greater insight and value to stakeholders. This is captured by the new Principle C which refers to companies reporting focusing on board decisions and outcomes in the context of the company’s strategic objectives.

The FRC reviews a sample of listed companies’ annual reports each year and publishes its findings. In 2023 it noted that more companies were providing genuine insights and transparency in reporting departures from the Code and there was less use of ambiguous language. However, the majority of the sample selected failed to demonstrate sufficiently robust systems, governance and oversight that are operating effectively.

Additional guidance

The FRC has published additional guidance to support the revised Code.  The guidance is not prescriptive or mandatory but will support boards in implementing the new Code.  The FRC has also announced an intention to revise the Stewardship Code.

In conclusion

The new Code sets out an expectation that directors will have to take increased responsibility for stronger internal controls, including review of risk management and internal controls annually. The FRC’s intention is that the new Code increases transparency on internal controls but in a way that is proportionate and minimises reporting burdens on businesses thus maintaining UK competitiveness.

Some of the updates will likely require fundamental change in how companies are governed. Demonstrably effective risk management and internal control systems will take time and cultural change is typically achieved by evolution not revolution. However, the changes are also about giving stakeholders decision useful information about the good governance practices needed to achieve sustainable success.