On 22 January 2024, the FRC published a revised edition of the UK Corporate Governance Code (the Code). This follows on from the consultation on several important changes to the Code that it launched in May 2023 (see our briefing on that here) and its announcement in November 2023 of a major scaling back of those proposed changes (see our briefing on that here) following the Government's decision to withdraw the implementation of the new statutory corporate reporting reforms that it had proposed as part of its Restoring Trust in Audit and Corporate Governance project.
The new Code replaces the 2018 edition of the Code and will apply to all premium listed companies (or “equity shares commercial companies”-listed companies when the FCA's single segment listing reforms take effect - see our briefing on those here) with financial years starting on or after 1 January 2025. However, the most important change introduced by the new Code - enhanced disclosures with respect to risk management and internal controls - will only apply for financial years starting on or after 1 January 2026 (to give companies more time to prepare for making these new disclosures).
When publishing the new Code, the FRC also published these other documents:
The most important change being made to the Code is to expand the existing disclosure and responsibility of the board with respect to the company's risk management and internal control systems.
The new Code also:
Enhanced risk management and internal controls reporting
The existing Code, in Section 4 (Audit, Risk and Internal Control), requires the board to establish a risk management and internal controls framework. This is a Code Principle (Principle O), so reporting companies must explain how they have followed it; it is not a Code Provision, for which they could instead explain why they have not followed it. Provision 29 also requires the board to monitor the company's material risk management and internal controls systems and, at least annually, to carry out a review of their effectiveness and report on that in the annual report. Provisions 28 and 30 also respectively require the annual report to include viability and going concern statements.
The new Code will expand Principle O so that it expressly requires boards to maintain the required risk management and internal controls framework (as well as to establish it). Provision 29 will also be expanded to require the annual report to include:
While this reporting requirement is much reduced from the similar reporting requirements envisaged by the (now dropped) Restoring Trust reforms, it does represent a significant tightening up on what boards currently have to say in the annual report about how satisfied they are about the effectiveness of their company's risk management and internal controls systems.
The Code Q&A points out that the systems to be reviewed and covered by the declaration are those that the board decides are material for the company and that it will be up to individual boards to decide what, if any, external assurance they should seek in relation to the systems effectiveness declaration they make.
Malus and clawback provisions
The existing Code already requires remuneration schemes and policies to include the right of the company to recover or withhold sums or share awards in appropriately specified circumstances. The new Code rephrases this requirement by requiring any contracts covering director remuneration to include malus and clawback provisions. It also requires the annual remuneration report to include a description of the malus and clawback provisions, including:
The FRC had originally proposed a five-year look back period for use of malus/clawback reporting but, accepting feedback that this may merely generate additional reporting of little value, has restricted disclosure to the last reporting period.
The Code Q&A states that these new malus/clawback disclosures should be focused on executive directors rather than all other executives.
Focused and flexible reporting
The FRC has taken the opportunity when publishing the new Code to re-emphasise that, at least so far as the FRC is concerned, the “comply or explain” principle really does mean that, with the option of non-compliance where a clear and convincing justification is provided, rather than the “comply or else” approach which some companies have felt is how the investor community tends to view the Code's reporting principle. Thus the FRC's CEO is quoted in the new Code's press release as saying:
“It is important that the flexibility of the ‘comply or explain’ principle is properly utilised. The FRC is clear that compliance can mean either complying with the Code provisions as set out or providing a cogent and justified explanation for why a provision is not suitable in the specific circumstances for the company whilst demonstrating the principles of good governance.”
The existing Code already encourages investors to engage constructively with companies in relation to departures from the Code and not to evaluate departures from the Code in a purely mechanistic way without having regard to the company's individual circumstances. The new Code retains this encouragement and states that “the Code does not set out a rigid set of rules; instead it offers flexibility through ‘comply or explain’ reporting against Provisions”.
Going hand in hand with this flexible approach to following the Code is a new Principle C. This requires governance reporting to focus on board decisions and outcomes in the context of the company's strategy and objectives and also that any reported departures from the Code's Provisions should be provided with clear explanations.
Board diversity (Principle J)
This principle has been broadened to one promoting diversity, inclusion and equal opportunity, instead of one that is limited to diversity of particular types. The FRC had originally proposed expanding the list of diversity groups to include references to protected and non-protected characteristics. However, it has decided to adopt a more generalist approach in revising Principle J, following feedback that expressed concern that listing non-protected characteristics risked inadvertently not prioritising important groups.
The new Code also includes some minor changes - some just drafting or removing duplication, and others to insert into the Code's Provisions dealing with the work of the audit committee, references to the FRC's new (and currently voluntary) External Audit: Minimum Standard, which was published last year and covers the work of audit committees in relation to their company's external audit.
This update of the Code, though limited in scope, seems to strike the right balance between introducing more focused additional disclosures (and one or two more focused Code Principles) for companies while leaving them the flexibility to apply the Code's Principles and follow or diverge from (with the required clear explanations and justifications) the Code's disclosure Provisions as may be appropriate to their own circumstances. The significance of the new Code's risk management and internal controls reforms should not, however, be underestimated.