On 24 May 2023, the Financial Reporting Council ("FRC") launched a consultation on proposed revisions to the current (2018) edition of the UK's Corporate Governance Code (the "Consultation" and the "Code"). This follows on from the Government's request for the FRC to look at certain provisions of the Code - specifically, risk management and internal controls reporting and malus and clawback for directors - that were highlighted in the Government's May 2022 Response to its Restoring Trust in Audit and Corporate Governance White Paper ("Restoring Trust").
Responses to the Consultation are requested by 13 September 2023, with a revised Code intended to apply to reporting companies for accounting years starting on or after 1 January 2025.
UK incorporated companies are also subject to significant "governance-related" reporting obligations in their strategic and directors' reports and those obligations are also to be reviewed by the Department for Business & Trade (the "DBT") and the FRC as part of the Government's "Smarter Regulation" programme (see Non-Financial Reporting review below).
The Consultation is focused more on drafting revisions to the Code than on the kind of substantive "relaunching" of the Code that we saw in 2018. Nevertheless, some of these drafting changes are significant and are intended to impose new governance obligations and disclosure requirements on companies and their boards. Key new Code requirements covered by the Consultation include:
Risk management and internal controls
Perhaps the biggest change that the Government announced in its Response to its original Restoring Trust proposals was to drop a proposed "Sarbox-like" requirement for directors to make an explicit statement in annual reports that they regard their company's internal controls to be effective and why, possibly coupled with a requirement for auditors to provide formal assurance of this statement. Instead, following significant negative feedback on the proposals, the Government announced (#2.1.34 of the Response) that it would be taking "a Code-based approach as the most practical and proportionate way of strengthening boardroom focus on internal control matters" and would invite the FRC to consult - as it is now doing - on including in the Code a new requirement for a statement from the board about the effectiveness of the internal control systems and the basis for their statement.
The new risk management and internal controls statement
The key revisions to the Code in this area that the Consultation proposes are:
The FRC will be updating its current Risk Management, Internal Control and Reporting guidance to reflect the revised requirements of the Code and sets out in the Consultation a list of matters that the revised guidance will cover.
Resilience, Viability and Going Concern Statements
While the Government dropped its proposed "Sarbox-like" internal controls requirements from its Restoring Trust corporate governance reforms last year, it confirmed that it would be proceeding with its two other new corporate reporting reforms - the production of a Resilience Statement and an Audit Assurance Policy. We discussed what these reforms will involve and how they will apply in our Shearman Corporate Governance & Executive Compensation Survey 2022 (pp.47-50).
The Resilience Statement will be a new statutory disclosure into which two existing disclosures under the Code — the viability and the going concern statements — will be subsumed. The statement will require the board to explain its approach to risk management — showing how risks and resilience issues (including cyber security, supply chain resilience and business continuity) are being addressed — over the short term and a medium term (to be chosen and justified by the board).
Since the Resilience Statement will be a requirement for Public Interest Entities ("PIEs") meeting a 750 employees and 750 million annual turnover requirement and not all listed companies reporting against the Code will meet these size thresholds, the Consultation proposes that the Code's going concern and "viability" (i.e., assessment of the future prospects of the company, including its ability to meet its liabilities as they fall due, etc.) provisions should continue for those companies that do not produce a Resilience Statement. Significantly, the Consultation says that reporting against this provision of the Code in lieu of producing a Resilience Statement should be available to those "companies that choose not to have a Resilience Statement and explain why not". Presumably, such companies will want to explain that they are not subject to the relevant requirements and think the less prescriptive reporting requirement of the Code is appropriate for them.
Audit Assurance Policy
The other new statutory corporate reporting requirement flowing from the Restoring Trust reforms will require a policy statement to be published at least every three years, covering the company’s approach to assurance of the quality of its non-financial disclosures. This will have to state whether, and if so, to what extent, external assurance will be sought over any part of its Resilience Statement or internal controls reporting, describe the internal auditing and assurance process, and disclose the policy and approach to the tendering of external audit and non-audit services and how shareholder and employee views have been taken into account in the policy. This will be complemented by an annual report on how the assurance activity described in the policy is being implemented.
As with the Resilience Statement, the Consultation proposes the "voluntary" production of Audit Assurance Policies by companies which report against the Code but do not meet the size thresholds for PIEs to make publishing a policy mandatory. Those companies are encouraged to consider producing one on a "comply or explain" basis. This will assist investors and others in monitoring corporate reporting on a comparable basis.
Audit committees - additional responsibilities
The Consultation includes proposals with respect to a number of audit committee responsibilities, in particular:
Malus, Clawback and Remuneration more generally
As requested by the Government in its Response, the FRC is proposing strengthening the Code’s existing malus and clawback provisions in relation to director remuneration by specifically mandating the inclusion of malus and clawback terms in directors’ service contracts and by increased disclosure in annual reports of details of those terms and their triggering and usage during the last five years.
In addition, the revised Code will require remuneration policies and outcomes to promote, amongst other things, the company’s long-term sustainable success and its environmental, social and governance objectives and to take account of workforce pay and conditions. It will also require disclosure in the annual report of the company’s approach to investing in and rewarding its workforce.
The Consultation is responding to an increased concern among investors about overboarding - directors taking on too many other directorships or other positions that prevent them from devoting sufficient time to their board responsibilities - by proposing two additions to the Code. The first will require the annual board performance review - the term that the Consultation prefers to see used in place of the existing “board evaluation” term - to consider each director’s other outside commitments and their impact on her ability to perform her role effectively. The second change will require more detailed disclosure in annual reports about each director’s other commitments and how they manage these.
Renewed focus on "outcomes reporting"
A common complaint of the FRC and investors is that reporting by companies on the comply or explain basis under the Code is too often formulaic and lacking in detail about what governance activities have been carried on within the company. The FRC hopes to address this issue and thereby improve the quality of reporting under the Code by introducing a new Principle that requires reporting under the Code to be focussed on outcomes and the impact of the company's governance practices and how the Code has been applied. As a "Principle", rather than a "Provision" of the Code, this is something that, under the Listing Rules, premium listed companies will have to confirm they have complied with.
Non-Financial Reporting review
Simultaneously with the launch of the Consultation, the DBT (working with the FRC) launched a review of non-financial reporting as part of its "Smarter Regulation to Grow the Economy" agenda. That review (the "NFR Review") will look at opportunities to rationalise and simplify current non-financial reporting requirements ("NFRRs") for companies, so that they remain fit for purpose and deliver information that the market finds useful, as well as supporting growth in the economy and making the UK competitive for businesses to operate from. The review follows on from the Government's July 2022 Post Implementation Review ("PIR") of the UK's implementation of the EU Directive on Non-Financial Reporting and the strategic report and related reporting reforms under the Companies Act 2008.
The PIR recommended that NFRRs be amended rather than revoked, with sustainability reporting being aligned, as the Government proposed in its Greening Finance: A Roadmap to Sustainable Investment, with the standards to be introduced by the International Sustainability Standards Board.
The NFR Review invites feedback (by 16 August 2023) on the content requirements for strategic and directors' reports - e.g., business and principal risks review, the so-called section 172(1) statement and, for quoted companies, their strategy and business model, environmental, social, community and human rights issues and numbers of female and male directors and senior managers. It will also look at rationalising the various threshold tests that trigger NFRRs and whether micro-entity and small and medium company reporting thresholds are set at the right level. Feedback is also invited on the detail (but not the policy) of other NFRRs, such as the Modern Slavery Act statement and gender pay gap reporting.
The proposed changes to the Code this time are not as substantial as those made to produce the 2018 version but still contain some that are significant, for example, the new "outcomes-focused" reporting Principle, enhanced risk management and internal controls reporting and much more detailed malus and clawback disclosure. These will increase the effort and thought required from companies to meet more demanding monitoring, review and disclosure obligations under the Code.
The proposed extension by the FRC of the forthcoming statutory requirements to publish Resilience Statements and an Audit Assurance Policy beyond large companies meeting the 750:750 PIE size test mentioned above (see Resilience, Viability and Going Concern Statements above), to any company reporting under the Code, is particularly notable. Yes, this will be on a "comply or explain" basis, but with some investors and proxy advisers tending to view this more as a "comply or else" option, it may be that "small" listed companies will find it difficult to report on any other basis than that required for a full Resilience Statement and Audit Assurance Policy. We will have to wait and see, including for the relevant draft statutory instruments when published.