Having consulted extensively, the FRC has published an update to the UK Corporate Governance Code that is much lighter than the draft proposals it published last summer. But what are the key changes, and what do they mean for business, boards and other leaders tasked with, and accountable for, the sustainable success of UK plc?
True to the FRC’s press statement in November 2023, the key change to the Code relates to internal controls; however, there are a smaller number of other changes that will also give boards cause to reflect.
Most significantly, the board no longer has responsibility only for establishing an effective risk management and internal control framework; in accordance with the new Code, it now also has responsibility for maintaining its effectiveness. This is no small ask.
The Code remains Principles based and applicable on a “comply or explain” basis. In announcing the updated Code, the FRC emphasised the confidence that compelling explanations give to stakeholders, and this is now captured by a new Principle, C. Other changes relate to board culture, diversity and inclusion, and malus and clawback provisions in Directors’ contracts. With the exception of Provision 29 relating to risk management and the internal control framework, which becomes effective 1 January 2026, all other changes become effective 1 January 2025.
The key changes are:
The Code’s structure and sections (Board Leadership & Company Purpose; Division of Responsibilities; Composition, Succession & Evaluation; Audit, Risk & Internal Control; and Remuneration) are unchanged.
Whilst the updates are lighter than initially anticipated, the proposed changes will still require consideration and work by boards, and management, to implement and to ensure that these elements are appropriately captured within their reports. Boards should be taking prompt action to assess their governance gaps in relation to the updated Code.
Top of the list are risk and internal control. Whilst none of the updated Principles and Provisions are quickly fixed (hence the longer implementation date), effective risk management and internal control require a whole systems approach with input from your business’s most senior leaders. A robust framework cannot be fully embedded without the will and understanding of your people and, depending on the maturity of existing arrangements, a significant shift in culture and behaviours may also be required.
In the sections below we explore the key update areas of the Code and the things boards should be thinking about.
Risk
Effective risk management empowers your organisation to achieve its strategic objectives, manage uncertainties and understand the threats and opportunities it faces. It helps your business to understand, evaluate and take action in relation to your risk profile - protecting assets, reducing the likelihood and impact of losses, and enhancing your decision-making to unlock potential business opportunities.
However, there is no one-size-fits-all for risk management and it can only be effective and successful when set up to align with your business structure, model and strategic objectives. Key questions to ask are:
Controls
A robust control environment drives increases in quality, efficiency and insight into your business processes through increased risk visibility, control awareness and management information. Data analytics can drive deeper insights and shared learnings, whilst also enabling greater transparency and accountability across the business. A reduction in manual control activities has the benefit of improving the resilience of your finance and IT systems and in turn frees up time to focus on value add and insightful initiatives.
Experience speaks for itself; almost 80 per cent of CFOs of US-listed companies said the overall quality of information in audited financial statements improved after SOx was introduced. However, it is important to remember that the Code also includes operational, reporting and compliance controls. Bribery and corruption, fraud, trade compliance, modern slavery and human rights, health and safety, data privacy, AML and competition all present a risk to your business, and it is sobering to think that the UK’s Serious Fraud Office has levied fines of c. £2bn over a two-year period.
Operational controls address the material risks linked to your strategy and an effective risk management framework will include an assurance regime that gives the board confidence over the effectiveness of these controls.
Boards should be thinking about:
Culture
A healthy culture is fundamental to business success and brings competitive advantage to those who get it right. But it is no simple task to build healthy behaviours and embed them throughout an organisation. Culture needs to align to your business strategy and purpose, will be influenced by your leaders’ behaviours and actions, and is influenced by the business environment, systems, and processes. It is not difficult to recall examples of where business behaviours have caused significant reputational harm, or worse, to UK plc.
As a good board and business, you will know what you want your culture to be, engage your people in defining this and embark on a focussed transformation with measured outcomes and feedback on how it is being embedded. Things for you to think about are:
Board Performance
A subtle change in the Code’s wording to reference board performance rather than board effectiveness draws attention to the importance of how the board goes about its business. Having the right leadership, skills, behaviours, knowledge, relationships, and diversity of thought on your board to reach decisions is as important as the decisions themselves in delivering sustainable success. Has your board taken time to reflect on:
Audit Committee
Provisions 25 and 26 of the Code have been updated to reflect the ‘Minimum Standard: Audit Committees and the External Audit’, which focuses on the relationship with external audit, including tendering and oversight. Given this, and the significant changes to the Code (to now include maintaining the effectiveness of the risk management and internal control framework and providing a description of how it has done this, of any material control weaknesses and a declaration of the effectiveness of material controls at the balance sheet date) it is time for the Audit Committee to reflect on the skills, capabilities and processes needed for it to be able to fulfil its responsibilities. The Audit Committee should be thinking about:
Diversity and Inclusion
The wording of the Code has been amended to remove reference to specific groups when promoting diversity and inclusion. This is in line with the anticipated broadening of UK law regarding protected characteristics. Businesses should be thinking about diversity in its widest possible sense, and tailoring policies, procedures and controls to reflect this.
Directors’ Contracts
As noted above, in the context of remuneration, the key change to the Corporate Governance Code relates to a toughening of the position relating to the insertion of Malus and Clawback provisions in directors’ contracts and related agreements. This is accompanied by an increased disclosure and reporting obligation related to the adoption and use of such provisions.
In terms of actions required by companies, it will be important to review your existing Malus and Clawback provisions to ensure these are sound (and compliant), and to plan for the new reporting provisions, including a clear explanation of why the period the provisions apply for is the best fit for your organisation. Deciding to opt for non-compliance with these revised Malus and Clawback provisions is unlikely to be a battle worth fighting.
It is also worth noting the numerous remuneration-related changes which were proposed but were ultimately shelved. For example, we were concerned as to how companies would show compliance with the provision which stated, ‘Remuneration outcomes should be clearly aligned to company performance, purpose and values, and the successful delivery of the company’s long-term strategy including environmental, social and governance objectives’. Whilst this statement is broadly clear in its intention, our view was that it would be a lot more difficult in practice to showcase compliance and progress against such aims. Whilst the provision has been shelved, we do suspect it will re-emerge at some stage, and so would recommend organisations seek to take some (voluntary) steps to consider how they would comply with something of this nature, ready for when it (inevitably) reappears.
Reporting
There is no change to the expectation that companies ‘comply or explain’. The FRC stresses that this gives companies the opportunity to communicate salient and pertinent information to their stakeholders. Put another way, boilerplate statements are not decision-useful, and describing the impact or outcome of activities (the ‘so what’) adds far greater insight and value to stakeholders. This is captured by the new Principle C, which refers to companies’ reporting focusing on board decisions and outcomes in the context of the company’s strategic objectives.
The FRC reviews a sample of listed companies’ annual reports each year and publishes its findings. In 2023 it noted that more companies were providing genuine insights and transparency in reporting departures from the Code and there was less use of ambiguous language. However, the majority of the sample selected failed to demonstrate sufficiently robust systems, governance and oversight that are operating effectively.
Additional guidance
The FRC has published additional guidance to support the revised Code. The guidance is not prescriptive or mandatory but will support boards in implementing the new Code. The FRC has also announced an intention to revise the Stewardship Code.
In conclusion
The new Code sets out an expectation that directors will have to take increased responsibility for stronger internal controls, including review of risk management and internal controls annually. The FRC’s intention is that the new Code increases transparency on internal controls but in a way that is proportionate and minimises reporting burdens on businesses thus maintaining UK competitiveness.
Some of the updates will likely require fundamental change in how companies are governed. Demonstrably effective risk management and internal control systems will take time, and cultural change is typically achieved by evolution, not revolution. However, the changes are also about giving stakeholders decision-useful information about the good governance practices needed to achieve sustainable success.