Changes to the UK Corporate Governance Code will apply to businesses as early as January 2025. To support you in complying with the changes and maximising the opportunities the updated code can represent, in a series of two Q&A articles, we take a look at what’s changing and how your organisation can respond.
In this second article, we provide further detail on how you can address the specific requirements of the amended code with a view to supporting competitive advantage.
Q: What does the Corporate Governance Code 2024 mean for your approach to reviewing risk management and internal controls?
The 2024 code significantly changes how you should review risk management and internal controls. Note the timing: while most of the code applies to financial years beginning on or after 1 January 2025, the new requirement for a board declaration on the effectiveness of material internal controls applies a year later, to financial years beginning on or after 1 January 2026.
“Boards must integrate risk management more deeply into their governance practices.”
Sobia Sheikh | Director of Enterprise Risk Consulting
Boards are now required to include a declaration in their annual reports about the effectiveness of their material internal controls, covering financial, operational, reporting and compliance aspects. You’ll need to implement a thorough, documented review process, ensuring you’ve evaluated all relevant controls and addressed any deficiencies before reporting.
You must provide clear and detailed explanations for any departures from the code, with more comprehensive and transparent disclosures about how you maintain internal controls and any challenges faced. Your declaration should reflect the board’s confidence in its internal control systems and outline the measures it’s taken to ensure their effectiveness.
The amended code means your board must integrate risk management more deeply into its governance practices. It should regularly review and update the risk management framework, ensuring it aligns with your organisation's strategic objectives and addresses principal and emerging risks. The process should include identifying and evaluating material risks, with a clear methodology for mitigating these risks and monitoring their impact.
The Financial Reporting Council (FRC) emphasises a principles-based approach where boards determine what constitutes ‘material’ controls for your specific business context. While this allows for flexibility, it also demands you adopt a tailored and well-justified approach to risk management and internal controls. Your board, therefore, should confirm it scales its control systems appropriately to your operations' complexity and risk profile.
Effective communication with stakeholders about your company's risk management practices and internal controls is crucial. This includes providing stakeholders with a clear understanding of your specific risk landscape and the controls you have in place to manage these risks. Transparent reporting can build trust and confidence among investors and other stakeholders, demonstrating your company's commitment to robust governance practices and differentiating your business from competitors.
Q: What changes will you need to make to adhere to the Corporate Governance Code 2024 requirements on boards around culture?
The revised Corporate Governance Code requires that boards not only assess and monitor corporate culture but also demonstrate how they have embedded the desired culture. This means you need to implement several specific changes:
Conduct regular assessments of the current culture, through employee surveys, focus groups or other feedback mechanisms, to identify gaps between the existing and desired culture.
Develop training and development programmes focused on your company’s cultural values, so that all employees, from new hires to senior executives, understand and embody the desired culture. You can also include cultural fit as a key criterion in leadership development and succession planning.
Q: How can you assess your readiness to comply with the changes to the Corporate Governance Code 2024?
Make sure you understand the new requirements. Focus on specific areas such as risk management, internal controls, culture assessment and reporting requirements. It’s important to summarise the key changes and their implications for your organisation and share this with senior management and the board to ensure everyone is aware of the new expectations.
Evaluate your current corporate governance framework, policies and procedures. Document how your existing practices align with the previous code and identify the key changes impacting your organisation. Compare your framework with industry best practices and peers to identify any gaps in your governance using gap analysis and maturity assessments.
Assess the effectiveness of your internal controls across financial, operational, reporting and compliance areas. Verify these controls are documented, tested and updated as necessary. Conduct a thorough risk assessment to identify any new risks introduced by the changes to the code. Evaluate the impact of these risks on your organisation and the adequacy of your controls in mitigating them.
Evaluate how well your organisation’s culture aligns with the desired culture outlined in the code. This includes assessing employee behaviour, management practices and overall organisational values. Identify initiatives to embed the desired culture throughout the business.
Review your current reporting practices to make certain they meet the enhanced transparency and disclosure requirements of the new code. Ensure you regularly inform your board and key stakeholders on compliance efforts and any gaps you identify. You can use dashboards and detailed reports for transparency.
Consider engaging external auditors or consultants to provide an independent assessment of your readiness to comply with the code. These insights can help identify gaps you may have otherwise missed. Equally, it’s important to strengthen the internal audit function to ensure it’s capable of conducting thorough reviews of governance practices and identifying areas for improvement.
Q: How can you mitigate risks, including interconnected risks, to adhere to the Corporate Governance Code 2024?
It’s important to recognise that risks rarely exist in isolation, and to identify how different risks are interrelated and how the impact of one risk can exacerbate another. Practically speaking, this means carrying out scenario analysis and stress testing to understand these interconnections.
You should also promote collaboration across departments to foster a comprehensive understanding of interconnected risks, sharing information and insights between finance, operations, compliance and other relevant functions. You can also implement systems for real-time monitoring of key risks and controls and use data analytics and automated tools to detect early warning indicators.
Your board should be actively involved in the risk management process, including setting the risk appetite, reviewing risk assessments and overseeing the implementation of mitigation strategies.
Q: How can you comply with the amended Corporate Governance Code 2024 requirements on the effectiveness of controls on emerging risks?
The code applies the same expectations to identifying and controlling emerging risks as it does to principal risks. You must therefore establish procedures for continuously monitoring emerging risks and for deciding on appropriate actions as they develop.
Q: What does the Corporate Governance Code 2024 say about managing cyber risks?
Like any other risk, cyber risks should be incorporated into your overall risk management framework, with the board overseeing and regularly reviewing the effectiveness of cybersecurity controls. This means your organisation must establish a documented cyber risk management strategy, monitor its key controls on an ongoing basis, test them through regular audits and report transparently on them in its annual reports.
Your board should be actively involved in cybersecurity oversight, supported by ongoing training and a strong organisational culture of cybersecurity awareness, both to comply with the updated code and to protect the organisation’s revenue and reputation.
For expert support and smarter ways to meet the Corporate Governance Code 2024 requirements, get in touch with our specialists.