New UK Corporate Governance Code – getting ready for the changes

On 22 January 2024, the Financial Reporting Council (FRC) published its much-anticipated revisions to the UK Corporate Governance Code (the Code) which was followed on 29 January 2024 by revised guidance on the Code. In this client alert we consider what the revisions mean for companies subject to the Code and what actions companies should be taking in preparation for its implementation.

Summary

The revised Code only includes a limited number of changes.¹  In this alert we summarise what the FRC's approach reveals about the current regulatory landscape for corporate reporting. We then focus on the revised Code's new requirements to: (a) provide outcomes-based governance reporting; (b) monitor how the company's desired culture has been embedded; and (c) provide an annual declaration of the effectiveness of material controls.

The regulatory landscape

When applying the new Code it is important to consider the FRC's approach in revising the Code: 

• The FRC has encouraged companies to take a specific outcomes-focused approach to reporting.
• The revised Code upholds the flexibility of 'comply or explain' reporting. The FRC in its communications has repeatedly emphasised that providing a high-quality and transparent explanation in the context of the Code is not weaker or poorer than asserting compliance. (The FCA expressed similar views in consultation paper CP23/31.) Companies should feel free to explain why they have not complied with a particular Provision of the Code where this is appropriate.
• The FRC acknowledges that the appropriateness of applying the Provisions of the Code is dependent on the strategy, maturity and complexity of a company.
• The FRC has acknowledged that certain stakeholders (e.g. proxy advisors) need to be on board with this approach (i.e. that explaining non-compliance is not a failure of corporate governance) and that this will be reflected in a revised Stewardship Code in 2024.
• By design, the FRC has not been prescriptive or provided guidance about what certain terms within the new Code mean (e.g. “material controls” and “effectiveness”). Their view is that it is for companies and boards to determine what these terms mean in the context of their business and design their processes, systems and controls accordingly.

To assist you in navigating the changes, we have set out below what we see as the three key areas of Code changes, when they become effective, our commentary on the changes and suggested actions for companies.

Summary of key changes

For 1 January 2025

1. Outcomes-based Reporting

Under the revised Code, by way of a new Principle C, governance reporting should "focus on board decisions and their outcomes in the context of the company’s strategy and objectives". This new Principle embeds outcomes-based reporting into the Code and companies are now required to report on how the application of the Principles has made a difference to actions taken by their boards, with a focus on a framework of "Objective, Decision, Action, Impact" when reporting.

Action Point: The revised Code Guidance contains a new section setting out what boards/companies should consider in relation to outcomes-based reporting under the framework. Companies should ensure that contributors within the reporting function are aware of the guidance and adopt a narrative style which focuses on outcomes-based reporting.

2. Embedding Culture

Under the revised Code, Provision 2 has been amended such that boards should not only assess and monitor culture, but also assess and monitor how the desired culture has been embedded. This has been introduced by the FRC to ensure that a company’s culture and values have an actual impact on business outcomes (both behaviourally and operationally). The Code Guidance further notes that the board will need periodic assurance from management – either conducted internally or externally, that it has effectively embedded those components in operational policies and practices.

Action Point: Companies must consider what processes (and means to measure them) are in place to provide the board with assurance that the desired culture is effectively embedded. One particular area could be the extent to which talent management and incentives are/can be aligned to culture and desired behaviours, and the values which they underpin.

For 1 January 2026

3. Effectiveness of Internal Controls

The revised Code builds upon the FRC's expectation with respect to the board's role in monitoring and reviewing a company's risk management and internal control framework. In the annual report, the board is now required to make a declaration of effectiveness of the material controls as at the balance sheet date, together with a focus on how it manages emerging risks. 

Specifically, Provision 29 of the Code has been broadened so that, going forward, boards will also be required to provide in the company's annual report:

• a description of how they have monitored and reviewed the effectiveness of the risk management and internal control framework;
• a declaration of effectiveness of the material controls as at the balance sheet date; and
• a description of any material controls which have not operated effectively as at the balance sheet date, together with:
  • the action taken, or proposed, to improve them; and
  • any action taken to address previously reported issues.

Provision 29 of the existing Code already required that boards monitor, review and report on financial, operational and compliance controls. The revised Code now asks that the board make a declaration of effectiveness regarding these controls and, in addition, controls over reporting, such as narrative reporting controls (i.e., non-financial reporting controls). It is important to note the declaration relates to the actual internal controls and not the framework as a whole.

In discharging the new obligations, we do not envisage that companies will report on all weaknesses identified during the reporting period. The FRC’s expectation is that companies who comply with the revised Provision 29 will be transparent about weaknesses considered to be material, such as those events which could have a significant impact on a company’s strategy, operations, reporting or compliance objectives.

It is for a board to determine what should comprise its material internal controls. In the spirit of the Code, the FRC recognises that the needs for each business may vary and that the level of development of non-financial controls for some businesses differ. Accordingly, boards must turn their mind to what level of controls oversight is right for its business and their own levels of required assurance in relation to the effectiveness of these controls.

In addition, Provision 28 has been slightly amended to provide that the board should explain what procedures are in place to not only identify but also manage emerging risks, which we expect will feed into the overall control framework, but not necessarily the annual reporting requirement.

To ensure boards can provide an adequate description of the framework and a balanced declaration of effectiveness in the annual report, boards should consider increasing the frequency of monitoring as well as establish specific direct reporting channels (i.e., with management, internal and external audit and any other areas that may give rise to specific material risks to the overall business such as outsourced business services, cybersecurity and data protection).

While companies are already taking clear steps in developing and maturing their approach to internal controls, a few areas for further consideration are as follows:

• Ensure all material controls are signed off by management as operating effectively on a regular basis. This could be included on the board's agenda.
• Consider what information is required in the identification of a material control (e.g., definition of materiality, quantitatively and qualitatively), the operation of a control (e.g., establishing objective standards) and who is responsible for its operation.
• Have periodic reassessments of emerging risks and whether they necessitate new internal controls from time to time.
• Move from “exception based” reporting to enable boards to properly assess the effectiveness of such controls (with defined levels of effectiveness that include near misses) and, where possible, consider automating internal controls to allow for real-time monitoring and the minimisation of manual errors.

Next Steps

• In our view, the changes to the Code and the messages from the FRC should encourage companies to embrace the flexibility which the Code offers and decide on the governance arrangements most appropriate to their company's circumstances, applying the Principles of the Code and complying or, where appropriate, explaining against the Provisions.
• Companies should proactively undertake a gap analysis (which we can assist with) to understand their current governance environment and build a narrative and strategy around what their future governance environment should look like.
• For more information on the changes to the Code:
  • See 'FRC – UK Corporate Governance Code 2024' available here. 
  • See 'FRC – The UK Corporate Governance Code 2024: Key Changes' available here.  
  • See press release 'FRC Revised UK Corporate Governance Code' available here. 
  • See comparison of the 2024 Code against the 2018 Code (showing all changes in mark-up), available here.

_{1A comparison showing all of the changes made in the revised Code is linked at the end of this alert.}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}