Risk management and internal control framework (Provision 29)
Reporting controls
The requirement for the board to monitor and review material controls is not a change. However, the FRC has added “reporting” to the list of material controls to be monitored and reviewed. The FRC’s view is that this “is not an extension of the UK approach” because the requirement has always been that boards are required to monitor and review “all material controls”.
However, this change makes it clear that boards will now need to expressly refer to material controls relating to reporting, both financial and non-financial, including narrative reporting, when describing how the board has monitored and reviewed the effectiveness of the framework and, more significantly, also consider these controls when making the declaration of effectiveness. The Consultation states that this is an important change that recognises that narrative reporting increasingly includes materially important information.
Declaration
A significant change to Provision 29 is the inclusion of a requirement for a declaration from the board of the effectiveness of material controls as at the balance sheet date. The FRC suggests that this is the only substantive change to Provision 29. The Consultation proposed a more onerous declaration relating to the effectiveness of internal controls throughout the whole reporting period and up to the date of publication of the annual report, which would have required continuous monitoring by the board throughout the reporting period. Many commentators felt that such a requirement would be even more burdensome than the Sarbanes-Oxley regime in the US. Following significant feedback on the original proposal, the FRC has limited the directors’ declaration to a single point in time, and only requires companies to disclose material controls that have not operated effectively at that date (as opposed to any material weaknesses or failures identified during the reporting period). The Code Guidance acknowledges, however, that the declaration will cover information collected before and on the date of the balance sheet. There may be circumstances where companies may also wish to discuss issues raised (and dealt with) during the financial year, especially where these have been made public.
The FRC has not provided any good practice examples of what declarations might look like, leaving companies to decide their own approach. The Code Guidance states that the board can “only provide a reasonable conclusion regarding the effectiveness of the controls, based on the work carried out and evidence obtained” (paragraph 296). It also sets out circumstances in which the board may wish to utilise the ‘comply or explain’ nature of the Code, including where a control system is less established or mature or the effectiveness of a new system has not yet been proven (paragraph 298). The Code Guidance also clarifies that when reporting on areas for improvement, or actions that have been or are being taken, “the board is not expected to provide any disclosures which in its professional judgment contain confidential information or any other information that could inadvertently affect the company’s interests if publicly reported” (paragraph 299).
Meaning of ‘material controls’
A key issue for boards will be determining what “material controls” are. The Code Guidance suggests that “material controls” will be company-specific and different for every company depending on their features and circumstances, including size, business model, strategy, operations, structure and complexity. The FRC suggests that the board should consider how a weakness or failure in the controls could impact the interests of the company, shareholders and other stakeholders. It includes a list of examples of material controls in the Code Guidance. These include risks that could threaten the company’s business model, future performance, solvency or liquidity and reputation, external reporting that is price sensitive or that could lead investors to make investment decisions, fraud and information and technology risks including cybersecurity, data protection and new technologies. (See paragraphs 270 to 272 for more information.)
Meaning of ‘effective’
Another key question for boards will be to decide what “effective” means in the context of their material controls. Paragraph 220 of the Code Guidance makes it clear that an effective framework is not intended to eliminate all risk; its role is to manage risk.
External assurance
Concerns were expressed in responses to the Consultation that the directors’ declaration would significantly increase the cost to companies by requiring directors to seek some form of external assurance before directors would be prepared to give the necessary declaration, in addition to any internal assurance that could be provided. The FRC’s position is that it is for individual boards, in conjunction with other committees and management, to decide whether any form of external assurance is necessary, with the type and nature of such assurance being a decision for the board. The FRC explicitly states that there is no requirement or expectation that companies obtain external advice or assurance, especially where they have an effective, appropriately resourced, internal audit function that is able to provide relevant assurance. (See paragraphs 274 to 276 of the Code Guidance for more information.) Respondents to the Consultation expressed concerns about capacity in the audit market to provide external assurance, so where boards decide that external assurance is required, they will need to consider this well in advance of Provision 29 becoming effective (financial years beginning on or after 1 January 2026).
Recognised frameworks and standards
The Code Guidance suggests that a board could use a recognised framework or standard as part of its process for designing and maintaining the effectiveness of the risk management and internal control framework. The FRC includes some examples of frameworks and standards (see paragraph 217) but does not make any particular recommendations.
Description of how the board has monitored and reviewed the effectiveness of the framework
This wording replaces the proposal in the Consultation that boards should explain the basis for their declaration. The 2018 edition of the code already requires boards to report on their annual review of the effectiveness of the framework but with no express requirement to describe how the framework has been monitored. The Code Guidance sets out some considerations relating to monitoring and reviewing the effectiveness of the framework, as well as the related reporting requirement, in paragraphs 261-294.
Timing
Provision 29 applies to financial years beginning on or after 1 January 2026, so we will not see the first mandatory reporting against this provision until 2027. This is a year later than the other Code changes in order to give companies more time to prepare. In particular, the Feedback Statement states that some respondents to the Code Consultation had indicated that while controls over financial reporting tend to be well-developed, other controls (over non-financial reporting) are less mature and still developing (paragraph 51).
Action
Despite the longer period prior to the implementation of these provisions, companies should begin thinking now about any additional procedures and processes they may want to put in place as part of their risk management and internal controls framework, including any additional internal or external assurance that may be required, so that the board is able to make the declaration. This may include changes to record-keeping processes to ensure that the company has sufficient evidence to make the declaration and so that it can report on how it has monitored and reviewed the framework in the annual report.
The Minimum Standard for audit committees (Provisions 25 and 26)
Changes have been made to Section 4 of the Code relating to the Minimum Standard (not set out in the mark-up above). These changes essentially state that audit committees should follow the Minimum Standard and include the matters set out in the Minimum Standard in the annual report. In addition, some text has been deleted to avoid duplication with the Minimum Standard.
FTSE 350 companies have been encouraged to report against the Minimum Standard on a comply or explain basis since May 2023. Adding this requirement to the Code means all premium-listed companies (not just FTSE 350 companies) will have to report against the Minimum Standard. (For details of which companies will have to report against the Code under the new listing regime coming into force later this year see our briefing.) The FRC has stated that it will provide targeted guidance to support audit committees of non-FTSE 350 companies to apply the Minimum Standard (para 48, Feedback Statement).
Little has been said about these changes to the Code compared to some of the other changes, in large part as the Minimum Standard itself is not new. However, reporting on the Minimum Standard will present challenges to audit committees and require preparation for some companies given the expansion of the role of the audit committee reflected in the standard. Some of the provisions in the Minimum Standard will be difficult for some companies to comply with, if not impossible in respect of the provision stating that the audit committee should “ensure” that there is a sufficient number of potential independent auditors to allow for adequate competition and choice. It seems likely that many companies will have to explain rather than comply with this provision, especially given the findings of the FRC-commissioned research into audit firms’ entry, growth and exit from smaller PIE and non-PIE audit markets. This identified a number of barriers to entry and growth which point to a “wider issue for the audit sector as a whole”.
Companies will need to review their audit committee terms of reference, processes and procedures to ensure that they reflect, to the extent appropriate for the company, the Minimum Standard before the new Code becomes effective on 1 January 2025. Any non-compliance with the Minimum Standard will need to be explained in the annual report in line with updated Principle C (see below).
Internal control framework (Principle O)
Changes to Principle O require the board to “establish and maintain an effective risk management and internal control framework” (rather than “establish procedures to manage risk, oversee the internal control framework…”), thus shifting the focus, and related responsibility, to the board.
Other changes to Section 4 (Audit, risk and internal control)
Other changes to Section 4 include:
- an amendment relating to the requirement for the board to explain procedures to identify and manage emerging risks (Provision 28). The Code Guidance contains new guidance on risk appetite, principal risks, emerging risks and risk monitoring (paragraphs 239 to 247); and
- the board should state in all annual and interim financial statements whether it considers it appropriate to adopt the going concern basis of accounting in preparing those statements (rather than in annual and half-yearly statements only) (Provision 30). Although change did not feature in the Consultation draft, the FRC has clarified that this is purely an update to the wording and is intended to refer to half-yearly statements.
Section 5 – Remuneration
Provision 37
Remuneration schemes and policies should enable the use of discretion to override formulaic outcomes. TheyDirectors’ contracts and/or other agreements or documents which cover director remuneration should also include malus and clawback provisions that would enable the company to recover and/or withhold sums or share awards, and specify the circumstances in which it would be appropriate to do so.
Provision 38 (New)
The annual report on remuneration should include a description of its malus and clawback provisions, including:
- the circumstances in which malus and clawback provisions could be used;
- a description of the period for malus and clawback and why the selected period is best suited to the organisation; and
- whether the provisions were used in the last reporting period. If so, a clear explanation of the reason should be provided in the annual report.
|
Malus and clawback (Provisions 37 and 38)
The Code clarifies that directors’ contracts and/or other agreements or documents which cover director remuneration should include malus and clawback provisions. There does not appear to be any need to include these provisions in service contracts as “other agreements or documents” would include plan rules and award documentation that a director has agreed to be bound by (Provision 37). However, remuneration committees may wish to take this opportunity to review their malus and clawback arrangements.
The remuneration report disclosure required by Provision 38 broadly reflects the proposals consulted on by the FRC, although the FRC has dropped the proposed requirement to disclose the use of malus and clawback provisions over the previous five years and has also made other minor tweaks to the language.
The Code Guidance does not contain any new guidance on malus and clawback, although the Technical Q&A on the FRC website states that disclosures under Provision 38 should focus on executive directors and not all those that are subject to malus and clawback.
Other changes to Section 5 (Remuneration)
- The FRC has deleted Provision 40 (which required the remuneration committee to address clarity, simplicity, risk, predictability, proportionality and alignment to culture when determining executive director remuneration policy and practices) as well as a related reporting requirement in Provision 41.
- A minor clarification has been made to clarify that “in normal circumstances” share awards granted under long-term remuneration schemes for executive directors should be released for sale on a phased basis and be subject to a total vesting and holding period of five years or more (Provision 36).
- In addition, the Code Guidance contains a new paragraph 322 on non-executive directors’ remuneration which clarifies that despite Provision 34 stating that share options and performance relating components should not be included in non-executive director remuneration, boards may opt to pay non-executive directors a portion of their fees in shares purchased at market price. The FRC recommends that in such cases there should be a policy describing the rationale and process for permitting such shares in director fees and any associated restrictions on the sale of such shares. While paying non-executive directors in shares is still not that common in practice, those companies who do so should consider adopting a policy in line with these recommendations and disclosing the policy in their next remuneration report.
Section 1 - Board leadership and company purpose
Principle A
A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society. The board should ensure that the necessary resources, policies and practices are in place for the company to meet its objectives and measure performance against them.
Principle C
The board should ensure that the necessary resources are in place for the company to meet its objectives and measure performance against them. The board should also establish a framework of prudent and effective controls, which enable risk to be assessed and managed. Governance reporting should focus on board decisions and their outcomes in the context of the company’s strategy and objectives. Where the board reports on departures from the Code’s provisions, it should provide a clear explanation.
Provision 2
The board should assess and monitor culture and how the desired culture has been embedded. Where it is not satisfied that policy, practices or behaviour throughout the business are aligned with the company’s purpose, values and strategy, it should seek assurance that management has taken corrective action. The annual report should explain the board’s activities and any action taken. In addition, it should include an explanation of the company’s approach to investing in and rewarding its workforce.
|
Outcomes-based reporting (Principle C)
The addition to Principle C on outcomes-based reporting is intended to emphasise that reporting should demonstrate the result of governance activities where possible. The FRC‘s focus on this is not new; it has previously indicated in its Review of Corporate Governance Reporting that it believes improvement is needed in this area and the changes are aimed at helping companies make greater progress and better meet the needs and expectations of stakeholders. Some respondents to the Consultation indicated that it was unclear what is meant by ‘outcomes’ in this context. The FRC has sought to address this feedback in the Code Guidance which contains a new section titled ‘Outcomes’ (see paragraphs 33 to 34 as well as other relevant guidance, for example, paragraph 45). The FRC suggests that boards should “demonstrate how the actions and other observable outcomes of their decisions align with the company’s strategy and objectives”. The FRC acknowledges that not all outcomes may crystallise as expected or may change, and not all decisions will be observable in the short term, with companies encouraged to reflect this in their reporting. The FRC’s intention is to reduce boilerplate reporting and to streamline and focus reporting. Suggested questions are included for the board to consider relating to objectives, decisions, actions and impacts, that may assist with reporting.
Reporting on departures from the Code (Principle C)
The FRC is also asking companies to provide a “clear explanation” where they depart from the provisions in the Code. Reporting on departures from the Code is another area that the FRC has been critical of previously. Some respondents to the Consultation suggested that it was unnecessary to include this wording as it is duplicative of LR 9.8.6(6), which requires companies to set out which provisions of the Code the company has not complied with and the period of, and reasons for, non-compliance. The Technical Q&A on the FRC website states that a meaningful explanation should be understandable and persuasive and “set out the background, provide a clear rationale for the action the company is taking, describe any risks and mitigating actions to address them, and set out when the company intends to comply (timescales)”. The Code Guidance states that a cogent explanation can improve transparency and refers to the FRC guidance, Improving the Quality of Comply or Explain Reporting (2021).
The FRC has stated that it encourages boards, investors and their advisors to “actively support the flexibility” within the ‘comply or explain’ approach of the Code. The FRC has emphasised that “compliance can mean either complying with the Code provisions as set out or providing a cogent and justified explanation” with a good explanation illustrating “better governance” than a board defaulting to compliance with a provision that does not suit its circumstances. Despite this renewed emphasis from the FRC, concerns remain that proxy advisors and others will continue to take a tick-box approach to compliance with the Code, rather than considering reasons for non-compliance (see the joint analytical report on the influence of proxy advisors and ESG rating agencies on voting in FTSE 350 companies published by the FRC, which discusses this point).
Resources, policies and practices (Principle A)
The addition of “practices” to Principle A (in addition to “policies”) might require some thought given that the majority of the board should comprise independent non-executive directors, who are not full-time employees, and might find it difficult to oversee the day-to-day practices of the company’s workforce.
Unlike the changes to the Provisions (where companies can choose to explain rather than comply), the changes to the Principles, including Principles A and C, must be complied with by companies. Companies will need to set out how they have applied these new Principles in a manner that would enable shareholders to evaluate how the Principles have been applied (LR 9.8.6(5)).
Culture (Provision 2)
The FRC has introduced a new focus on embedding culture in Provision 2. This is aimed at encouraging companies to report on embedding their culture in line with the FRC’s findings in its report Creating a Positive Culture – Opportunities and Challenges (2021). The Code Guidance includes a section on culture at paragraphs 19 to 26, much of which is replicated from the existing Guidance on Board Effectiveness but which does include some additions. There are also new questions on embedding culture in the Code Guidance.
Other changes to Section 1 (Board leadership and company purpose)
A new footnote 1 clarifies that where companies receive a significant vote against a resolution, the update required by Provision 4 should be published on the company’s website, the RIS used by the company, or both. In addition, other minor amendments and clarifications have been made to
Principle B and
Provisions 3, 5 and 6.
Section 3 – Composition, succession and evaluation
Principle J
Appointments to the board should be subject to a formal, rigorous and transparent procedure, and an effective succession plan should be maintained for the board and senior management should be maintained. Both appointments and succession plans should be based on merit and objective criteria and, within this context,. They should promote diversity of gender, social, inclusion and ethnic backgrounds, cognitive and personal strengths equal opportunity.
|
Diversity and inclusion
The changes to Principle J are intended to encourage companies to think beyond gender and ethnic diversity but without referencing specific groups. The proposed amendments in the Consultation referred to “protected characteristics and non-protected characteristics including cognitive and personal strengths”. Responses to the Consultation suggested that the meaning of protected and non-protected characteristics may be unclear to some companies, or too broad to be useful, and also that naming certain characteristics may result in others being seen as less important.
The amended provision means companies will have freedom to discuss diversity and inclusion without having to refer to a prescribed list of characteristics. The Code Guidance encourages companies to look beyond gender and ethnicity and companies are encouraged to offer transparency and refer to their relationship with initiatives, accreditations and charter schemes (examples of which are listed in the guidance). The Code Guidance also set out examples of how companies can continually support diversity and inclusion (paragraph 154). Although the Code Guidance incorporates existing guidance on diversity from the Guidance on Board Effectiveness it also includes new guidance at paragraphs 152-154 and 156-157.
Other changes to Section 3 (Composition, succession and evaluation)
- Provision 21 has been amended to state that the chair should “commission” rather than “consider having” a regular externally facilitated board performance review.
- References to ‘board evaluation’ have been changed to ‘board performance review’ throughout Section 3 in order to deal with the erroneous perception that externally facilitated reviews are intended as a backwards-looking assurance function. Companies will need to update their internal policies and procedures (and disclosures in the annual report) to reflect this new terminology. In the Code Guidance, the FRC encourages companies to consider the Chartered Governance Institute Guidance note on Reporting on Board Performance Reviews (paragraph 176).
- Provision 23, which relates to reporting in the annual report, has been amended to refer to “the policy and any initiatives” on diversity and inclusion rather than just “the policy”, to reflect the fact that companies may have additional initiatives in place alongside their diversity and inclusion policy.
- The word “performance” has been added to Principle N, clarifying that performance should be considered as part of the annual evaluation of the board, alongside composition, diversity and how effectively members work together to achieve objectives.
Section 2 – Division of responsibilities
None of the proposed changes to Section 2 in the Consultation relating to overboarding made it into the Code. These would have included additional disclosures relating to director commitments aimed at addressing increased concern from investors about the number of board positions held by directors. However, in its Feedback Statement, the FRC encourages companies to continue to make information about significant other appointments available in director profiles in annual reports and/or on company websites, including committee positions, which it states are not often disclosed (paragraph 29).
The Code Guidance (new, condensed and digitised)
The Code Guidance brings together relevant guidance from the FRC
Guidance on Board Effectiveness (2018), the FRC
Guidance on Audit Committees (2016) and the FRC
Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014) into a single, condensed and digitally accessible resource. As well as including some existing guidance it also includes new guidance on various matters including internal controls, good practice for the successful management of board committees (with new sections on risk and sustainability committees), outcomes-based reporting, the Minimum Standard for audit committees and board performance reviews. The Code Guidance also contains useful questions for boards to consider, many of which are taken from existing guidance, but some of which are new.
The Code Guidance emphasises that it is not mandatory nor prescriptive and contains suggested good practice only (paragraph 3). There is also guidance in the form of a
Technical Q&A on the FRC website. Although the Code Guidance accompanies the 2024 edition of the Code, companies may find some of the new guidance useful in relation to the 2018 edition of the UK Corporate Governance Code.
