FRC Consults on the UK Corporate Governance Code

On 24 May 2023, the Financial Reporting Council ("FRC") launched a consultation on proposed revisions to the current (2018) edition UK's Corporate Governance Code (the "Consultation" and the "Code"). This follows on from the Government's request for the FRC to look at certain provisions of the Code - specifically, risk management and internal controls reporting and malus and clawback for directors - that were highlighted in the Government's May 2022 Response to its Restoring Trust in Audit and Corporate Governance White Paper ("Restoring Trust"). 

Responses to the Consultation are requested by 13 September 2023, with a revised Code intended to apply to reporting companies for accounting years starting on or after 1 January 2025.

UK incorporated companies are also subject to significant "governance-related" reporting obligations in their strategic and director reports and those obligations are also to be reviewed by the Department for Business & Trade (the "DBT") and the FRC as part of the Government's "Smarter Regulation" programme (see Non-Financial Reporting review below). 

Key points

The Consultation is focused more on drafting revisions to the Code than a substantive "relaunching" of the Code which we saw in 2018. Nevertheless, some of these drafting changes are significant and are intended to impose new governance obligations and disclosure requirements on companies and their boards. Key new Code requirements covered by the Consultation, include:

• enhanced risk management and internal control obligations and reporting 
• audit committees - new responsibilities for reviewing sustainability and other narrative reporting
• malus and clawback of remuneration reporting for directors
• overboarding - heightened focus in board reviews and greater disclosure in annual reports
• enhanced "comply or explain" reporting, with a focus on outcomes and clearer explanations for any departures from Code provisions
• enhanced diversity reporting 

Risk management and internal controls

Perhaps the biggest change that the Government announced in its Response to its original Restoring Trust proposals was to drop a proposed "Sarbox-like" requirement for directors to make an explicit statement in annual reports that they regard their company's internal controls to be effective and why, possibly coupled with a requirement for auditors to provide formal assurance of this statement. Instead, following significant negative feedback on the proposals, the Government announced (#2.1.34 of the Response) that it would be taking "a Code-based approach as the most practical and proportionate way of strengthening boardroom focus on internal control matters" and would invite the FRC to consult - as it is now doing - on including in the Code a new requirement for a statement from the board about the effectiveness of the internal control systems and and the basis for their statement. 

The new risk management and internal controls statement

The key revisions to the Code in this area that the Consultation proposes are:

• including (as a new Code provision 30) a requirement for the annual report to include: 
  • a declaration whether the board can reasonably conclude that the company's risk management and internal control systems have been effective during the reporting period and up to the date of the report
  • an explanation of the basis of the declaration (including how the effectiveness of the systems has been monitored and reviewed)
  • a description of any material weaknesses or failures identified and remedial action being taken
• extending the Code Principle of establishing risk management and internal control systems to one of maintaining systems that are effective
• extending the requirement to monitor these systems so that it expressly covers controls relevant to reporting, in particular narrative reporting. 

The FRC will be updating its current Risk Management, Internal Control and Reporting guidance to reflect the revised requirements of the Code and sets out in the Consultation a list of matters that the revised guidance will cover. 

Resilience, Viability  and Going Concern Statements 

While the Government dropped its proposed "Sarbox-like" internal controls requirements from its Restoring Trust corporate governance reforms last year, it confirmed that it would be proceeding with its two other new corporate reporting reforms - the production of a Resilience Statement and an Audit Assurance Policy. We discussed what these reforms will involve and how they will apply in our Shearman Corporate Governance & Executive Compensation Survey 2022 (pp.47-50). 

The Resilience Statement will be a new statutory disclosure into which two existing disclosures under the Code — the viability and the going concern statements — will be subsumed. The statement will require the board to explain its approach to risk management — showing how risks and resilience issues (including cyber security, supply chain resilience and business continuity) are being addressed — over the short and a medium term (to be chosen and justified by the board). 

Since the Resilience Statement will be a requirement for Public Interest Entities ("PIEs") meeting a 750 employees and 750 million annual turnover requirement and not all listed companies reporting against the Code will meet these size thresholds, the Consultation proposes that the Code's going concern and "viability" (i.e., assessment of the future prospects of the company, including its ability to meet its liabilities as they fall due, etc.) provisions should continue for those companies that do not produce a Resilience Statement. Significantly, the Consultation says that reporting against this provision of the Code in lieu of producing a Resilience Statement should be available to those "companies that choose not to have a Resilience Statement and explain why not". Presumably, such companies will want to explain that they are not subject to the relevant requirements and think the less prescriptive reporting requirement of the Code is appropriate for them.

Audit Assurance Policy

The other new statutory corporate reporting requirement flowing from the Restoring Trust reforms will require a policy statement to be published at least every three years, covering the company’s approach to assurance of the quality of its non-financial disclosures. This will have to state whether, and if so, to what extent, external assurance will be sought over any part of its Resilience Statement or internal controls reporting, describe the internal auditing and assurance process, and disclose the policy and approach to the tendering of external audit and non-audit services and how shareholder and employee views have been taken into account in the policy. This will be complemented by an annual report on how the assurance activity described in the policy is being implemented.

As with the Resilience Statement, the Consultation proposes the "voluntary" production of Audit Assurance Policies by companies which report against the Code but do not meet the size thresholds for PIEs to make publishing a policy mandatory. Those companies are encouraged to consider producing one on a "comply or explain" basis. This will assist investors and others in monitoring corporate reporting on a comparable basis. 

Audit committees - additional responsibilities

The Consultation includes proposals with respect to a number of audit committee responsibilities, in particular: 

• sustainability reporting - recognising the increasing importance and significance of ESG and sustainability with respect to corporate reporting and stakeholder interest, the FRC says that it considered whether to recommend that companies set up new sustainability committees. However, it has instead decided to add specifically to the audit committee's responsibilities under the Code, monitoring the integrity of narrative reporting, including sustainability reporting, and reporting on its work in this area in the annual report, as well as any assurance of ESG metrics and other sustainability disclosures that has been commissioned. 
• Audit Assurance Policy - the audit committee, unsurprisingly, will be expected to have primary responsibility for developing this policy
• Audit Committees and the External Audit: Minimum Standard - two days before the Consultation, the FRC published a standard for audit committee work in relation to the company's external audit, setting out expectations with respect to, for example, the committee's management and oversight of non-audit relationships with audit firms, the audit tendering process, engaging with shareholders on the scope of the external audit and reviewing auditor independence, objectivity and effectiveness. Although the Standard initially applies to FTSE 350 companies, the Consultation proposes that it will apply to all companies reporting under the Code (on a "comply or explain" basis) since it represents in many cases best practice already followed by companies.

Malus, Clawback and Remuneration more generally

As requested by the Government in its Response, the FRC is proposing strengthening the Code’s existing malus and clawback provisions in relation to director remuneration by specifically mandating the inclusion of malus and clawback terms in directors service contracts and by increased disclosure in annual reports of details of those terms and their triggering and usage during the last five years.

In addition, the revised Code will require remuneration policies and outcomes to promote, amongst other things, the company’s long-term sustainable success and its environmental, social and governance objectives and to take account of workforce pay and conditions. It will also require disclosure in the annual report of the company’s approach to investing in and rewarding its workforce.

Overboarding

The Consultation is responding to an increased concern among investors about overboarding - directors taking on too many other directorship or other positions that prevent them from devoting sufficient time to their board responsibilities - by proposing two additions to the Code. The first will require the annual board performance review - the term that the Consultation prefers to see used in place of the existing “board evaluation” term - to consider each director’s other outside commitments and their impact on her ability to perform her role effectively. The second change will require more detailed disclosure in annual reports about each director’s other commitments and how they manage these. 

Renewed focus on "outcomes reporting"

A common complaint of the FRC and investors is that reporting by companies on the comply or explain basis under the Code is too often formulaic and lacking in detail about what governance activities have been carried on within the company. The FRC hopes to address this issue and thereby improve the quality of reporting under the Code by introducing a new Principle that requires reporting under the Code to be focussed on outcomes and the impact of the company's governance practices and how the Code has been applied.  As a"Principle", rather than a "Provision" of the Code, this is something that, under the Listing Rules, premium listed companies will have to confirm they have complied with. 

Non-Financial Reporting review

Simultaneously with the launch of the Consultation, the DBT (working with the FRC) launched a review of non-financial reporting as part of its "Smarter Regulation to Grow the Economy" agenda. That review (the "NFR Review") will look at opportunities to rationalise and simplify current non-financial reporting requirements ("NFRRs) for companies, so that they remain fit for purpose and deliver information that the market finds useful, as well as supporting growth in the economy and making the UK competitive for businesses to operate from. The review follows on from the Government's July 2022 Post Implementation Review ("PIR") of the UK's implementation of the EU Directive on Non-Financial Reporting and the strategic report and related reporting reforms under the Companies Act 2008.

PIR recommended that NFRRs be amended rather than revoked, with sustainability reporting being aligned, as the Government proposed in its Greening Finance: A Roadmap to Sustainable Investment, with the standards to be introduced by the International Sustainability Standards Board.  

The NFR Review invites feedback (by 16 August 2023) on the content requirements for strategic and directors reports - e.g., business and principal risks review, the so-called section 172(1) statement and, for quoted companies, their strategy and business model, environmental, social, community and human rights issues and numbers of female and male directors and senior managers. It will also look at rationalising the various threshold tests that trigger NFRRs and whether micro-entity and small and medium company reporting thresholds are set at the right level. Feedback is also invited on the detail (but not the policy) of other NFRRs, such as the Modern Slavery Act statement and gender pay gap reporting. 

Final thoughts

The proposed changes to the Code this time are not as substantial as those made to produce the 2018 version but still contain some that are significant, for example, the new "outcomes-focused" reporting Principle, enhanced risk management and internal controls reporting and much more detailed malus and clawback disclosure. These will increase the effort and thought required from companies to meet more demanding monitoring, review and disclosure obligations under the Code.

The proposed extension by the FRC of the forthcoming statutory requirements to publish Resilience Statements and an Audit Assurance Policy beyond large companies meeting the 750:750 PIE size test mentioned above (see Resilience, Viability and Going Concern Statements above), to any company reporting under the Code, is particularly notable. Yes, this will be on a "comply or explain" basis, but with some investors and proxy advisers tending to view this more as  a "comply or else" option, it may be that "small" listed companies will find it difficult to report on any other basis than that required for a full resilience Statement and Audit Assurance Policy. We will have to wait and see, including for the relevant draft statutory instruments when published.