In January 2024, the Financial Reporting Council (“FRC”) announced important revisions to the UK Corporate Governance Code (“the Code”) in order to enhance transparency and accountability of UK listed companies and help support the growth and competitiveness of the UK and its attractiveness as a place to invest. Our Risk Consulting team explain the impacts below.

The FRC’s review of the Code was completed with the objective of strengthening the UK’s Corporate Governance, Corporate Reporting and Audit systems following on from three independent reviews on External Audit (Brydon Review), the Statutory Audit Services Market (Competition and Markets Authority Review) and the Regulation of the Audit Market (Kingman Review).

Following the UK Government consultation on Restoring Trust in Audit and Corporate Governance, in 2022, the Government invited the FRC to review and strengthen the Code in specific areas. The Code is applicable to companies with a premium listing on the London Stock Exchange, regardless of where they are incorporated. 

Internal Controls

The FRC has made only a small number of changes to the Code – as it is conscious that the expectations for effective governance must be targeted and proportionate. The main substantive changes have been made in one significant area – Internal Controls.

A number of previously signalled revisions to the Code relating to the role of Audit Committees on Environmental, Social and Governance (ESG) matters; significantly expanding diversity and inclusion expectations; and expectations on Committee Chairs’ engagement with shareholders have not been made.

In relation to Internal Controls, with regard to monitoring and reviewing the effectiveness of Internal Controls (Provision 29), the existing expectations of the Code remain. The Board should monitor the company’s risk management system and internal control framework and, at least annually, carry out a review of its effectiveness.

The main substantive change that the FRC is now making is asking Boards to explain through a declaration in their Annual Report how they have done this and their conclusions. The Board is responsible not only for establishing but also for maintaining the effectiveness of the risk management system and internal control framework.

The Code includes the provision that the monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. 

It is for the Board to determine what should comprise its material Internal Controls. The FRC is mindful that the needs of each business may be different and that the non-financial controls for some businesses may not be as mature as their financial controls. It is for the Board to determine what level of maturity is right for the business and the levels of assurance that they require in relation to the effectiveness of these controls.

While the Code is clear on where the responsibility lies for Internal Controls, the approach is principles-based and relies on Boards making their own judgement on what is material, which reflects the need for flexibility, balance, and consideration of the particular circumstances of the individual company.

The changes to the Code will apply to financial reporting periods beginning on or after 1 January 2025. However, in response to stakeholder feedback and to allow Boards more time to develop their approaches to Internal Controls, the Board declaration on Internal Controls will come into effect one year later from 1 January 2026. Further detail on the main changes to the Code is set out below.

Revised Code

The Code has been amended to not only make the Board responsible for the establishment of a risk management system and internal control framework but also for the review and operating effectiveness of the frameworks.

The Code stipulates that the Board should monitor the company’s risk management system and internal control framework, and carry out a review of its effectiveness, at least annually. This monitoring and review activity should cover all material controls, including financial, operational, reporting and compliance controls.

With regard to the definition of material controls, the FRC has stated that it is for the Board to determine what controls should be considered material. Some direction has been provided by the FRC that companies should focus on those controls that are most vital to the long-term sustainability of the company.

For companies with a US Sarbanes-Oxley (SOX) requirement, the expectation is that the material Internal Controls over financial reporting should already be identified and appropriate governance and assurance structures should be in place. This can be leveraged for the purpose of conforming with these updates to the Code; however, companies must also address non-financial controls (operational, reporting and compliance controls) that are not included within the realm of US SOX but are within the scope of these updates to the Code.

The Code now requires that Boards explain in their Annual Report how they have completed their review and its conclusions. Code Provision 29 now reads: “The Board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The Board should provide in the annual report:

  • A description of how the Board has monitored and reviewed the effectiveness of the Frameworks; 
  • A declaration of effectiveness of the material controls as at the balance sheet date; and 
  • A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.” 

It is important to note that the declaration and description of the effectiveness of material controls pertains to the balance sheet date as opposed to throughout the reporting period. 

There is a new Code Principle creating an expectation that governance reporting should focus on Board decisions and their outcomes in the context of the company’s strategy and objectives. 

Outcomes-based reporting means providing shareholders with information on how decisions taken by the Board have, and will, impact the company’s strategy, objectives, and long-term viability. The Code encourages the use of corporate governance reporting to demonstrate how governance decisions have delivered change.

Provision 2 has been amended to include that Boards should not only assess and monitor culture, but also how the desired culture has been embedded. 

Principle J has been updated to reference diversity, inclusion and equal opportunity, without referencing specific groups. The list of diversity characteristics has been removed to indicate that diversity policies can be wide ranging. 

Provision 23 has been amended to reflect the fact that companies may have additional initiatives in place alongside their diversity and inclusion policy. References to “Board Evaluation” have been changed to “Board Performance Review”. 

In addition to the changes discussed earlier in relation to Internal Controls, Provisions 25 and 26 have been updated to reflect the Minimum Standards for the Audit Committee and External Audit. 

Provision 37 has been amended to include that Directors’ contracts and / or other agreements or documents which cover director remuneration should include malus and clawback provisions.

Also, there is now an expectation (Provision 38) that companies include in their Annual Report a description of their malus and clawback provisions, including: 

  • The circumstances in which malus and clawback provisions could be used; 
  • A description of the period for malus and clawback and why the selected period is best suited to the organisation; and 
  • Whether the provisions were used in the last reporting period. If so, a clear explanation of the reason should be provided in the annual report. 

Comply or explain

Importantly, the well-established principle of Boards having the flexibility to “comply or explain” will remain. The FRC is encouraging Boards, investors and their advisors to actively support the flexibility within the “comply or explain” approach to ensure governance expectations are better tailored to the specific circumstances of each company.

How KPMG can help

01

Our specialist Risk and Regulatory Consulting practice advises companies on all aspects of corporate governance, board effectiveness, risk management, regulatory compliance, technology risk and internal control frameworks.

We have the expertise and knowledge to assist companies and their Boards in addressing the changes to the Code in a practical and pragmatic manner.

02

KPMG has a Board Leadership Centre and Audit Committee Institute that engages directors and business leaders to explore critical Board challenges, deliver practical insights and drive relevant boardroom discussions, including in relation to governance and risk topics.

03

KPMG has extensive experience in the design and implementation of risk management systems and internal control frameworks, which address financial, operational, reporting and compliance risks and controls. We can help you to enhance your risk management system and internal control framework to address the changes to the Code, in ways that are practical and work for your business.

Our approach blends governance, control, automation, and culture to establish a strong foundation for success in an efficient and pragmatic way. Our team has substantial experience and can empathise with company challenges and demands. We have practical experience as well as technical expertise in the latest methods, regulations, and technologies. We audit and advise on some of the largest UK and US Registrants as well as many more listed national and global companies.

04

KPMG can help you to understand the extent of work required to address the changes to the Code by performing a gap analysis. A significant focus will be on the substantive changes in the Code in relation to Internal Controls.

We can provide a diagnostic and maturity assessment to give you clarity on what is required. Most importantly, we can provide you with insights in relation to the effectiveness of your risk management system and internal control framework and help you to identify and rectify issues early to ensure a “No Surprises” approach.

05

While supporting the implementation of your refreshed risk management system and internal control framework, we will provide insight into what peers are doing in relation to the changes to the Code. We work closely with our colleagues in the UK to bring companies leading insights and direction, both from an industry and regulatory perspective.

06

We will leverage the latest models for risk management systems and internal control frameworks, underpinned by functional process designs, technology, and people roles, to implement a full suite of effective Internal Controls with a high degree of automation. Governance and culture are to the fore of our work.

We will get the basis right and lay the foundation for managing risk and embedding a control environment that enables compliant reporting and gives your Board the comfort needed to make the declarations outlined in the updates to the Code.

07

We provide end-to-end managed services solutions for risk management and Internal Controls in relation to annual compliance and testing activities. This covers scoping, risk assessments, design reviews, self-assessment, testing, reporting, and tracking of annual control activities. We have extensive experience in advising Boards on best practice, including completion of Board Effectiveness Reviews.

At KPMG, we have the requisite knowledge to aid your organisation in navigating these updates to the Code in a smooth and practical way.

The KPMG Board Leadership Centre

The KPMG Board Leadership Centre engages with Directors and business leaders to explore critical boardroom challenges, deliver practical insights, and drive relevant boardroom discussions.

The Centre offers Directors a place within a community of board-level peers with access to topical and relevant seminars, invaluable resources and thought leadership, as well as lively and engaging networking opportunities.

We equip leaders with the tools needed to be highly effective in their roles, enabling them to focus on the issues that really matter to the business. 
