The UK Government has released its long-awaited response to the consultation on strengthening the UK’s audit, corporate reporting and corporate governance landscape.
The Government will introduce a new Resilience Statement to improve how organisations identify, manage and report on their resilience risks that are most material to their business. The new Resilience Statement will apply to Public Interest Entities (PIEs) with 750 or more employees and £750 million or more in annual turnover.
The Resilience Statement requirement means companies now need to engage in short and medium-term resilience risk assessment and management, as well as reverse stress testing and reporting for resilience.
What you need to know
There are three key areas that senior management with resilience responsibilities should focus on:
1) Assessing resilience: Companies will need to report on matters that they consider a material challenge to resilience over the short and medium term. Companies will be required to consider a number of specified issues, likely to include financial resilience, cyber resilience and third-party resilience amongst others. They will also need to consider any material uncertainties that existed before mitigating actions were taken, which helps users of the statement to understand the current position and prospects of the business.
In response to this, it may be necessary to update (or design) your resilience controls framework and establish Resilience Board reporting and KPIs to measure this throughout the period ahead of final reporting.
For each resilience issue identified, companies will be required to report on the following in the statement:
- the likelihood of the risk occurring and its impact on the company’s operations or financial health if it were to materialise;
- the time period over which the risk is expected to remain, and potentially crystallise, if known;
- any mitigating action the company has put or plans to put in place to manage the risk;
- the length of the medium-term assessment period.
2) Performing at least one reverse stress test: Companies will be required to perform at least one reverse stress test – beginning with failure, and working back to the scenarios which could cause it to materialise. Whilst a regular practice in financial services, this will be a new exercise for many organisations outside of the financial services sector. Companies should ensure they understand their critical business services and processes in order to assess the greatest threats to their resilience, and, based upon this, design the scenarios for the most relevant reverse stress tests.
3) Reporting and seeking independent assurance: The Resilience Statement will form part of the Strategic Report section of the annual report, and it is important to note that information provided by directors will be covered by the existing ‘safe harbour’ provision in Section 463 of the Companies Act 2006. The new Audit and Assurance Policy (another reform announced by the Government) should set out whether, and if so how, a company intends to seek independent (external) assurance over the Resilience Statement.
In summary, with an evolving resilience landscape, companies need to start assessing their resilience now: starting with a thorough risk assessment, understanding critical business services, setting their impact tolerances (the maximum amount of risk the organisation is prepared to accept), and performing at least one reverse stress test to assess resilience against a key threat.
KPMG has a resilience team who can help you prepare for this journey. To learn more about how we can support, please get in touch with our head of corporates resilience, Katie Diacon.