FRC publishes revised UK Corporate Governance Code

On 22 January 2024, the FRC published a revised edition of the UK Corporate Governance Code (the Code). This follows on from the consultation on several important changes to the Code that it launched in May 2023 (see our briefing on that here) and its announcement in November 2023 of a major scaling back of those proposed changes (see our briefing on that here) following the Government's decision to withdraw the implementation of the new statutory corporate reporting reforms that it had proposed as part of its Restoring Trust in Audit and Corporate Governance project. 

The new Code replaces the 2018 edition of the Code and will apply to all premium listed companies (or “equity shares commercial companies”-listed companies when the FCA's single segment listing reforms take effect - see our briefing on those here) with financial years starting on or after 1 January 2025. However, the most important change introduced by the new Code - enhanced disclosures with respect to risk management and internal controls - will only apply for financial years starting on or after 1 January 2026 (to give companies more time to prepare for making these new disclosures).

When publishing the new Code, the FRC also published these other documents:

• summary of the Code changes
• a webpage dedicated to the Code with a Technical Q&A ("Code Q&A")
• a new Code “mythbuster” guide.

The FRC published guidance on the new Code on 29 January 2024 ("new Guidance") and held a “deep dive” webinar on internal controls on 30 January 2024.

Key points

The most important change being made to the Code is to expand the existing disclosure and responsibility of the board with respect to the company's risk management and internal control systems. 

The new Code also: 

• requires increased disclosure about malus and clawback provisions in relation to executive director remuneration,
• re-emphasises the flexibility that is intended to be provided to companies through the “comply or explain” reporting principle, and
• calls for governance reporting that is focused on activities and outcomes, rather than on “unduly long explanations of policy”.

Enhanced risk management and internal controls reporting

The existing Code - in Section 4 (Audit, Risk and Internal Control) - requires the board (as a Code Principle (Principle O) and so something that reporting companies must explain how they have followed, rather than, as with a Code Provision, something about which they can provide an explanation for not having followed) to establish a risk management and internal controls framework. Provision 29 also requires the board to monitor the company's material risk management and internal controls systems and, at least annually, to carry out a review of their effectiveness and report on that in the annual report. Provisions 28 and 30 also respectively require the annual report to include viability and going concern statements.  

The new Code will expand Principle O so that it expressly requires boards to maintain the required risk management and internal controls framework (as well as to establish it). Provision 29 will also be expanded to require the annual report include:

• a description of how the board has monitored and reviewed the effectiveness of the risk management and internal controls framework,
• a declaration of the effectiveness of the company's material controls - which must include reporting controls as well as compliance , financial and operational controls - as at the balance sheet date, and
• a description of any material controls which have not operated effectively as at the balance sheet date and the action taken (or proposed) to improve them and any action taken to address previously reported issues.

While this reporting requirement is much reduced from the similar reporting requirements envisaged by the (now dropped) Restoring Trust reforms, it does represent a significant tightening up on what boards currently have to say in the annual report about how satisfied they are about the effectiveness of their company's risk management and internal controls systems. 

The Code Q&A points out that the systems to be reviewed and covered by the declaration are those that the board decides are material for the company and that it will be up to individual boards to decide what, if any, external assurance they should seek in relation to the systems effectiveness declaration they make. 

Malus and clawback provisions

The existing Code already requires remuneration schemes and policies to include the right of the company to recover or withhold sums or share awards in appropriately specified circumstances. The new Code rephrases this requirement by requiring any contracts covering director remuneration to include malus and clawback provisions. It also requires the annual remuneration report to include a description of the malus and clawback provisions, including:

• when the malus and clawback provisions can be used,
• the period for malus and clawback and why that period is best suited to the company, and
• whether these provisions have been used in the last reporting period and, if they have, a clear explanation of the reason for this must be provided in the report.

The FRC had originally proposed a five-year look back period for use of malus/clawback reporting but, accepting feedback that this may merely generate additional reporting of little value, has restricted disclosure to the last reporting period.

The Code Q&A states that these new malus/clawback disclosures should be focused on executive directors rather than all other executives. 

Focused and flexible reporting

The FRC has taken the opportunity when publishing the new Code to re-emphasise that the “comply or explain” principle really does mean that - with the option of non-compliance where a clear and convincing justification is provided - at least so far as the FRC is concerned, rather than the “comply or else” approach which some companies have felt is how the investor community tends to view the Code's reporting principle. Thus the FRC's CEO is quoted in the new Code's press release as saying:

“It is important that the flexibility of the ‘comply or explain’ principle is properly utilised. The FRC is clear that compliance can mean either complying with the Code provisions as set out or providing a cogent and justified explanation for why a provision is not suitable in the specific circumstances for the company whilst demonstrating the principles of good governance." 

The existing Code already encourages investors to engage constructively with companies in relation to departures from the Code and not to evaluate departures from the Code in a purely mechanistic way without having regard to the company's individual circumstances. The new Code retains this encouragement and states that “the Code does not set out a rigid set of rules; instead it offers flexibility through ”comply or explain" reporting against Provisions". 

Going hand in hand with this flexible approach to following the Code is a new Principle C. This requires governance reporting to focus on board decisions and outcomes in the context of the company's strategy and objectives and also that any reported departures from the Code's Provisions should be provided with clear explanations.  

Board diversity (Principle J)

This principle has been broadened to one promoting diversity, inclusion and equal opportunity, instead of one that is limited to diversity of particular types. The FRC had originally proposed expanding the list of diversity groups to include references to protected and non-protected characteristics. However, it has decided to adopt a more generalist approach in revising Principle J, following feedback that expressed concern that listing non-protected characteristics risked inadvertently not prioritising important groups.

Final thoughts

The new Code also includes some minor changes - some just drafting or removing duplication, and others to insert into the Code's Provisions dealing with the work of the audit committee, references to the FRC's new (and currently voluntary) External Audit: Minimum Standard, which was published last year and covers the work of audit committees in relation to their company's external audit.

This update of the Code, though limited in scope, seems to strike the right balance between introducing more focused additional disclosures (and one or two more focused Code Principles) for companies while leaving them the flexibility to apply the Code's Principles and follow or diverge from (with the required clear explanations and justifications) the Code's disclosure Provisions as may be appropriate to their own circumstances. The significance of the new Code's risk management and internal controls reforms should not, however, be underestimated.