UK Corporate Governance Code Guidance - smarter regulation

Published Date
Jan 30, 2024
Yesterday saw the publication of the Financial Reporting Council’s (the FRC) guidance to the UK Corporate Governance Code (the Guidance). 

See our bulletin from last week on the revised UK Corporate Governance Code (the Code).

In this bulletin, we provide our views on certain aspects of the new Guidance, specifically the guidance relating to risk management and internal controls, as well as board statements on the effectiveness of their material controls. 

Smarter regulation

The Guidance consolidates previous FRC guidelines into a single Guidance note linked to the Code, other FRC guidance and third-party materials, and has been presented in a user-friendly format.

As with the publication of the Code, the FRC emphasises the discretion of boards to (i) “decide on the governance arrangements most appropriate to their company’s circumstances” while applying the Code’s principles and (ii) to coherently explain any justified departures from the Code’s more prescriptive provisions.

The Guidance is “not intended to be prescriptive” or to be used as a “tick-box list of actions”. It has been structured in a way that is intended to “stimulate boards’ thinking”, with helpful cross-references to prior work undertaken by the FRC and to guidelines published by industry bodies (such as The Chartered Governance Institute and the Investment Association) and other initiatives. The Guidance reinforces the need for company reporting to be proportionate and appropriate, based on the size, complexity and maturity of the company being reported on.

The FRC is undertaking a more substantial review of its stewardship code. Having regard to the revised Code and the Guidance, the FRC aims to establish a principles-based framework in which companies and investors should work together to ensure proportionate and appropriate governance and reporting arrangements. It will be the responsibility of companies and investors to engage with each other to make this work. The goal of this engagement is to establish a refreshed relationship between companies and investors built on trust and mutual respect and backed by good disclosure. This should assist with better value discovery and improved price and liquidity on the UK’s equity markets.

Risk management and internal controls

By way of reminder, the Code:

  • Requires a board to monitor its company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness.
  • Requires a board, in the annual report and accounts, to (i) describe how it has monitored and reviewed the effectiveness of the risk management and internal control framework and (ii) include a declaration of effectiveness of its material controls (the Effectiveness Declaration). The Effectiveness Declaration is in respect of a company’s material controls (not in respect of the whole of the risk management and internal control framework). It is a point-in-time declaration, as at the balance sheet date, which applies to all material controls – including financial, operational, reporting and compliance.

Controls include policies, culture, organisation, behaviours, processes and systems that (i) assist a company in achieving its objectives, (ii) identify and mitigate/manage risks, (iii) ensure the quality of information flows, and (iv) help ensure compliance with laws, regulation and conduct of business requirements.

Material controls are company-specific controls that could impact a company, its shareholders and/or other stakeholders if found to be deficient. For example, controls over risks that could threaten a company’s business model, its future performance and/or its reputation. It is for the board to determine what these controls are.

The Guidance:

  • Does not recommend any particular framework, standard or guideline against which to review effectiveness, although COSO, ISO and COBIT are referenced as examples. The Guidance contains direction as to what boards may wish to consider when carrying out a review, but emphasises the need for the board to form its own view.
  • Confirms that there is no requirement or expectation that a Company seek external advice or assurance; it is a board decision whether to do so.

We would, as a practical matter, expect companies to seek guidance from their advisers, especially accountants, regarding the actions and procedures they should follow to maintain and monitor their risk management and internal controls framework. When reviewing the effectiveness of their framework and material controls, they will likely discuss the availability and appropriateness of frameworks, standards and guidelines to design and measure a specific company's framework.

We also think it probable that companies will seek some form of assurance or comfort from external advisers regarding the effectiveness of their material controls. However, to provide such assurance or comfort, the adviser may require a framework (set of standards) against which they can deliver the assurance.

The FRC is clearly leaving it to the market to determine what is appropriate, having previously stated that it does not expect the revised Code and Guidance to result in any significant new burden for companies. If the market does not default to an existing framework, then there may be a need for an industry initiative to create a new framework, for example through an industry body like the ICAEW.

As the Effectiveness Declaration covers all material controls, there may be certain areas that are not (or not capable in the short term of being) covered by a reporting framework. In respect of these areas, boards will need to design a review process that gives them sufficient comfort, including through use of their internal audit functions and third-party professional advice.

Other observations

  • The Guidance has numerous references to evolving risks and technology. If not already the case, boards should ensure that their strategy, risk management framework and internal controls reflect upon technological changes (including AI) and the use of technology. So, assessing AI as part of a strategy, as a risk to consider and in the design of the risk management and control framework.
  • Whilst there is no stand-alone discussion on climate change and other environmental factors, the environment is referred to several times. It is, however, evident that climate and other environmental considerations are very relevant to strategy, opportunities and risk, and should be embedded within a company’s systems and controls, including in information flows and board decision making.
  • There is a new guidance relating to the make-up and general approach of board committees, including the need for committees to have clear responsibilities and for committees to communicate with each other in areas of overlap. 

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger