Video transcript: Revised UK Corporate Governance Code

Transcript

Katie Griffin: Good morning, everyone, and welcome to this webinar. We're delighted you are all able to join us today. As a brief introduction, I'm Katie Griffin, a director within PwC's governance, risk and compliance practice. I've spent the past three years closely following the government's reform agenda into audit, governance and reporting, and I'm supporting and advising businesses on how to interpret and deliver against the requirements. As you will have seen, the FRC released the revised corporate governance code on the 22nd of January, with further guidance coming out on the 29th of January.

Our focus for today is on the most substantial changes covered in Section 4 of the Code relating to audit, risk and internal control. We will shortly summarise the key changes and bring our panel in for discussion on the practical actions that boards and management could take to respond. I'm delighted to again be joined by Richard Bailes, who leads our governance, risk and compliance team in the UK, Lisa Bark, a partner in our financial services team and Jayne Kerr, a director in our audit public policy team who has been helping companies think through the reform agenda for a number of years. We hope to have a few minutes for questions and answers at the end, so please do add these to the Q&A functionality throughout. Lastly, a brief reminder that we have updated our Restoring Trust publication, Restoring Trust in Risk Management and Internal Control, which goes into much more detail and gives practical advice about today's topic. So firstly, Jayne, can you give us a brief summary of what's changed in the code, specifically in relation to audit, risk and internal control, please?

Jayne Kerr: Thank you, Katie, and good morning, everyone. So the first thing to note is the effective date of the revised code. So the revised code will be effective from the 1st of January 2025 for all of the changes, with the exception of provision 29, which is the declaration over internal controls which we're going to cover today; that will be effective from the 1st of January 2026. Important to remember though, in the meantime the current code, the existing code, is still in effect and a lot of the things we're going to say today around risk management, internal controls are equally applicable under the current code as well. So they're good practice to do today as well as when you have to make the new declaration. So on the screen you can see the two main changes in this part of the code. Under principle O, there's a definite enhancing of requirements for the board, not only to establish risk management and internal control frameworks (which was always the case) but to maintain their effectiveness. And that leads on to amended provision 29, which is the most significant amendment to the code around the new declaration. So provision 29 always required boards to do monitoring and review and report on an annual basis over the effectiveness of risk management systems and internal control systems at their company, but it was not necessarily a formal or a formalised way of reporting.

What's very clear from the revised corporate governance code is there is a much more formal, more explicit, declaration that boards will have to make. The key parts of that are that the board will have to describe how it's come about, reviewing its monitoring and reviewing its internal controls and risk management; an actual positive declaration that material controls are effective at the balance sheet date; and the description of any material goals that are not working effectively at the balance sheet date and what's going to be done to improve those. Those of you that were involved in the consultation, and I'm sure many people on the call were, will recall that this is a little bit different to what was being proposed, and it's clear that the FRC has taken into account the views of those that responded. So to point out a couple of areas therefore: it was initially proposed that the effectiveness assessment would be throughout the period; that's now at the balance sheet date, and Lisa will talk a bit later about what 'at the balance sheet date' might mean. For material failures, it was originally proposed that even if a control was remediated by year end when it failed during in-year testing, it would still be disclosed. They are now just looking at year end failures or ineffective controls.

There is a focus on material controls here and the scope remains the same as it was proposed in the consultation, which is material controls including financial reporting, operating and compliance. Reporting controls are 'new' in the way they're described. But again, as Lisa said, we'll talk a bit later about reporting controls. If they were material controls, they've always been part of the requirements here. So, some changes. We also have the guidance which is helpful: it came out last week and what was really clear from the guidance the FRC put out, and in their subsequent webinars, was that it's non-prescriptive, it's flexible and a lot of this will come down to judgment on behalf of the board and of the company as a whole. What is clear though, is that we do have a stronger declaration at the end of this process. So we think, in our view at least, there needs to be more formality and a lot of companies will see change in this area around how the board approaches that monitoring and review process. But we do think there is a way to do this proportionately and importantly on a risk-based approach, and that's what we've covered in our Restoring Trust guide, which we'll refer to a number of times in the call and from which we're going to pull out some of the key areas today.

Katie: Thank you, Jayne. That's very helpful. Thank you for covering all that. And lots of companies are asking for practical advice and examples of how to approach the new declaration given this has been left to businesses to determine what is right for them. To help businesses navigate through this, we've created a process that can be followed, which can be seen on screen now. It's also explored in more detail in our Restoring Trust guide, but we will briefly cover some of the sections now. So to do that, I'd like to turn to our panel. Richard, turning to you first, we know that risk is clearly an integral part of the process. What stood out in particular for you in terms of the revisions to the code, and what would you suggest companies think about in terms of risk management?

Richard Bailes: Well, it's to an extent ironic to me that one of the less-spoken words during this whole consultation process has been "risk" because much of the focus has been on internal controls. One of the key areas of emphasis in this revised code and importantly within the guidance is the strengthened link between risk and controls. This makes sense because we can't really track material controls without understanding enduring and emerging material risks. To bring this to life, I would call out three specific wording areas. Firstly, the previous version of the code referred to internal control and risk management systems almost as though they were two separate or unconnected themes. Now it defines the risk management and internal control framework as a single ecosystem. This use of a singular word "framework" rather than two systems for me emphasises the point.

As Jayne mentioned earlier, the wording that is new explicitly sets out the need for an annual review of the effectiveness of the company's risk management and internal control framework, including a description of how the board has monitored and reviewed its effectiveness. It's also worth noting that the guidance refers to some specific frameworks organisations may wish to leverage; COSO, for example, being one of them. I suspect this is to encourage companies to use recognised external frameworks to guide their activities as opposed to essentially establishing a framework internally. The reference to COSO may also be useful to US filers who are dual listed, as this is obviously one of the recognised frameworks that's used for scoping purposes in US filing. Secondly, there's also enhanced reference to explaining what procedures are in place to identify and manage emerging risks.

This is quite relevant. For me, recognising the fact that the external risk landscape is fast evolving, which we're all very aware of, and this fast evolving landscape is actually having real impacts on businesses. I would argue that the annual risk review that's a single once a year exercise is a thing of the past. And thirdly and finally, moving to the guidance, it states that the Board should establish, approve and communicate a risk appetite for the organisation. It's not an insignificant point. This will push many to formally implement a risk appetite statement. In my experience, there are actually very few premium listed organisations who have done this.

Katie: Thank you Richard, for highlighting those particular areas. So, what would you say all this really means in practical terms?

Richard: Well, practically speaking, there needs to be a tighter linkage between risk and controls. Many will need to implement enhanced risk management activities. Boards should ask their management teams if the right enduring risks and dynamic risks are being addressed and whether the controls to address them are, importantly, specific and auditable enough, and that the ownership of those controls is within the organisation and understood. So this linkage of risks to control, and control to assurance should be very clear. Therefore, considering formalising a specific risk assurance mapping exercise might be something to consider.

Katie: Thank you. That was really helpful. I'm going to turn to you now, Lisa. Steps two and three of our proposed process are around identifying material risks and material controls. We've heard lots of feedback concerned with the broad scope of the declaration and how to determine what material controls are. Can you give us some advice in this space please?

Lisa Bark: Yes, sure. So what I would say is I think there has been a lot of debate around the different types of categories of control, the financial, operational, reporting and compliance. In actual fact, I think the code really just wants us to focus on all material controls and arguably they are just examples of types of groupings. So I'd say firstly, businesses should think about what their material risks are. So whether it is to do with their business models, solvency, reporting, reliability or compliance with laws and regulations, and then to identify the key controls that would address those risks and remembering that a control is only needed if there's a risk that needs addressing.

Those controls will then just most likely fall into the categories that are described in the code, whether they're formally labelled in that way or not. I do appreciate I'm making it sound reasonably easy and I completely recognise that it can be complex, and also they can be highly aggregated and so a drilling down of sorts will be needed. But principal risks such as the ones that are in your annual report are a good place to start, and I think also non-financial controls can be a good place to begin. We know that there's already been a lot of work conducted on financial reporting controls. So now is a great time to conduct a review of your scoping and to begin to capture all the material controls which you will need to review and report on.

Just want to point out as well that I work with a lot of companies in the financial services sector and a lot of them will already have a more detailed risk assessment underpinning their principal risk disclosures, mostly because they're required to run more detailed risk and control self-assessment programmes by the regulators already. This will also be the case for some non-financial services firms. So my advice to these companies is certainly not to start again, but perhaps it's more of a top-down exercise to ensure that the financial reporting and non-financial reporting and other risk assessment and the associated controls are able to be pulled together in a way that enables the support of the declaration with perhaps some enhancements along the way.

Katie: Thank you, Lisa. And just to build on that, looking at step five in the plan, that's about having a well thought out approach to assurance, which is obviously also going to be key for this. So Jayne, could you expand on what we mean by this and what it might entail?

Jayne: When we talk about assurance here, we're talking about assurance with a big "A", which for those who are auditors and assurance providers on the call will know is usually performed to a formal standard. But also assurance with a small "a", which is what you get from the other lines of defence. Everything is contributing to your overall comfort that these risks are being addressed. And this is why it is so important to consider assurance. It's clear in the guidance from the FRC that there's no expectation that the board themselves will be doing the day to day reviewing and monitoring process over the controls. It's very likely that management is responsible for that, but ultimately the board are the ones that have to make the declaration, so they need to get themselves comfortable that this process is embedded; the controls are working and that there's a process in place that they can rely on for their declaration.

And I think that's where the assurance comes in and bridges that gap. That can be assurance across all the different lines of defence or a couple of the different lines of defence depending on what the board wants. It might be that when you do your scoping exercise and you determine the material controls, the board decides that over this particular area of risk and these controls, I want internal audit to do more testing. This might be a new or an immature area, for example. Or it might be on an occasion they decide that they want some external assurance. External assurance is not being mandated in any way, but there might be some areas where the board thinks they want that little bit of extra comfort. So this is really about bridging that gap between what's happening on a day to day basis around the controls and making the board feel comfortable to actually make the declaration, and using the different lines of defence and degrees of assurance to actually help provide that.

Katie: Thank you, Jayne. And thank you all for highlighting some of those practical activities for boards and for management to help start planning and executing some of this now. And as mentioned, all three of the areas that we've just briefly touched upon, as well as the other steps that were shown on screen, are described in much more detail in our Restoring Trust guide. So, lots to digest and lots to cover. What we thought we would do now is turn to a bit of a quick fire round to cover some of the other points and questions that we're frequently asked and we know that are on companies' minds. So I'll start with you, Lisa. What does it mean to report at the balance sheet date?

Lisa: I don't think the expectation is that all the evidence is gathered at the balance sheet date or even as at the balance sheet date. I'd say a robust monitoring review process should be conducted really at logical milestones throughout the reporting period, so that there is early warning of controls that are failing and then they can be remediated. Also for regularly occurring controls, it would be sensible to get more than one example anyway that they're operating. I'd say the FRC guidance was helpful on this too. It said the board should provide a summary of how it has monitored and reviewed the effectiveness of the framework during the reporting period.

Richard: Lisa, if I could just jump in there. So I think that while we're not expected to be looking at a US SOX type approach here, it would be foolish not to take some of the ways of working around SOX because it is essentially a point-in-time assessment. So perhaps considering an interim testing phase and then a follow-up wave that can look at roll forward to validate that any remediations have been dealt with. That's naturally a logical approach to take to executing testing. And I would say that in addition, on the scoping approach, it would make sense to set this out formally and also to formalise how the severity of deficiencies should be treated or assessed. And I've seen many pass these artefacts through board and audit committee approval.

Katie: So thank you both. OK, so I'm going to take another question now; this one I'll go to Jayne with. How much detail should be included in the declaration, and then the basis for the declaration as well?

Jayne: It's a good question, because I think if you can determine up front what you're going to say in your declaration and that sort of basis for declaration part, that will help with some of the key decision points you need to make along the way. The FRC suggested in their guidance that you may want to include a description of the information that boards received, the types of assurance they have in place and then whether a formal framework is being used. I would actually add on to that, and Richard mentioned it there, the way you've scoped this, your approach to it and how you determined what is a truly risk-based approach, focusing on risks. And then the controls and how you've narrowed that down to the really most important material controls and also perhaps a description of what you thought about when considering what's material and all the different areas. I do think that the clear, detailed, transparent reporting will not only be informative, but it will also be really hard to challenge.

Katie: Thank you, Jayne. So for the next question, I think I'm going to turn to Lisa. Now we've got some clarity over the timing of this and when it's going to be applicable from, what advice would you give, Lisa, if people were thinking "what should my next six months look like"? Can you give some ideas for that please?

Lisa: Yes, sure. So I would say first of all, it partly depends how far you've come already, but don't lose momentum. So I think a lot of programmes are already in progress. So I think that's really important. And I also think it's helpful to get a refined road map that's ratified by the board and potentially challenged by others as well. So maybe by performing an initial maturity analysis, if you haven't done so already, just so that you can be clear on what you've got to do and when you need to do it. I think that knowing now what needs to be done will really help you to plan without having a cliff edge in 2026. I think it's also worth maybe thinking about if you want to do a dry run. So having a view as to how well positioned you would be to make a declaration in 2024 or 2025, and that can help to bring the assessment to life for you and then help to get the buy-in from others in your organisation.

Also good to set the expectations of the Audit Committee, of the Board, and Risk Committees as well as needed. Assessing whether your risk and control framework is well defined and understood, in line with what Richard had been mentioning earlier, and then getting on with your non-financial control design and articulation. I think that's really important if you do feel in your organisation it's at a different stage from your financial control. Also thinking about whether you might want to treat this as a change programme, so having internal audit involved and providing assurance on the progress could be helpful. And then one last thing I do think it's worth mentioning at this point is that I don't think this is simply a compliance exercise. So to me, the spirit of the code is about having a strong controls culture and de-risking your business. So it really is all worthwhile activity as well.

Katie: Thanks Lisa. Thanks for highlighting those. I think they're all really important and a good checklist for people to think about. Right, Richard, lastly for a bit of a final quick fire question. What would be your top tip for those who need to deliver on this?

Richard: Well, if I could say two things, Katie. Firstly, don't ignore the use of technology to help enable you to work with the flow of risk to control, and control to assurance. Unlike where we were maybe 20 years ago when, in my experience, something like US SOX came out, there are some very agile and cost-effective cloud-based technology solutions out there now, and I'm seeing many who are doing readiness activities at the minute putting this at the front of their programmes rather than as an afterthought. And this is mainly because I think the key benefit is that it can provide workflow capability and allows organisations to embed the ownership into the business.

So if you're doing, for example, self-certification as part of this, which I think is going to be a pretty common theme, that can be pretty powerful. The second thing I would say is to always consider the importance of the capability and capacity within your lines of defence model. I look at lots of organisations in any given year and one thing I see is there's often an inadequate compliance and/or internal audit function. But what lies at the heart of this in many ways is the need for control design capability, which requires a distinct skill set. So I see a lot of building internal control capability. So ask yourselves if the organisation is fit for purpose as you embark on the journey.

Katie: Excellent. Thank you, Richard. And thank you to the panel for answering those quick fire questions. Just a reminder, please do post any questions that you have in the Q&A functionality. We have a few coming through and we've got a few minutes now where we're going to spend some time answering those ones, to the best of our ability, that have come in so far. OK. So the first question I might turn to you, Lisa, for this one. So this is a question on material controls, which we know is coming up a lot. And the question asks "should we consider whether controls are material individually or in aggregate?" For example, if you have identified multiple issues in one area, such as the accuracy assertion in payables. If this in aggregate equates to a material issue, would you report it as a material weakness? Lisa, are you happy to kick us off with that one?

Lisa: Yes, sure. Thank you. And I saw another question come through as well, asking about whether material control deficiencies would have some sort of grading system similar to SOX, which is where the language of material weakness would come from. And I think the FRC have been quite clear in the final version of the code, there is no language like the SOX language in here, right? So we don't have the language of 'material weakness' anymore. I think in terms of what's a material control, I do still think that the language that is in the guidance, that talks about which controls are material, is based on how that deficiency could impact the interest of the company and the shareholders. I think there is quite a similarity to the SOX language. I also think it's a useful tool to be able to use. We're not going to get that definition from the FRC. They've been very clear that they don't want this to be prescriptive, but I do think the reality is that using the terminology, for example, the 'key controls' that will be almost equivalent potentially to the material controls, and then having a grading. The important point here will be to lay out actually in your declaration what you have used, and how you've determined that based on what works for your organisation, and that will then help you to consider the severity.

Katie: Thanks Lisa. That's really helpful.

Richard: Katie can I just jump in there?

Katie: Yeah, of course.

Richard: I think there's another process-oriented piece to this, right, which is materiality is at both an individual and an aggregate level, as Lisa referred to. But a formal approach to this sort of aggregated deficiency analysis, the phrase often used is a 'statement of aggregated deficiency'. This is quite easy in the more financial transactional space like the question probed at. I think the harder bit is in the operational controls definition where there's a lot more qualitative criteria that are going to have to be used.

Katie: Yeah. Thank you, Richard. Jayne, I'm going to turn to you. I'm actually going to ask you two questions, one of which I think you may have already covered, which has just popped through. Can you just clarify the dates again for us on this? So is it for the accounting period starting first of Jan 2025 or 2026? And I assume we're referring to the Section 4 information that we just talked through.

Jayne: Yes. So the whole code, the revised code, is for reporting periods beginning on or after January 1st 2025, except for provision 29, which is the declaration, which is 1st of January 2026. So it would be reporting periods on or after 1st of January 2026 where you have to first make this. So for the majority of companies, it's going to be in their December 31st, 2026 annual report that they make this declaration for the first time. But I will highlight again, the declaration itself is new, but there are still current ongoing requirements that all of this is relevant for under the code that you have to make today.

Katie: Yeah. Thank you, Jayne. That's good to clarify. And the next question for you is actually on the PIE definition. So the expanded PIE definition has been talked about for a little while now. Can you just remind us whether that planned amendment has been scrapped or retained?

Jayne: So the PIE definition expansion, which was to expand the public interest entity definition and regulation to large private companies, is part of some legislation which has been postponed and it's very unlikely to come into place until after the next general election, subsequent to that, at some point, so that is on hold. There's another question there, I think, on the audit and assurance policy. Similarly, legislation to bring that in is also being withdrawn at this stage. I would emphasise though, that the population that this corporate governance code is applicable to is premium listed entities. So those two thresholds and requirements around Audit and Assurance Policy / PIE definitions aren't necessarily going to impact you as you have to apply the code. If you're a premium listed company or a company that voluntarily adopts the code, then this is all applicable to you.

Katie: Brilliant. Thank you, Jayne. I'm really conscious of time and so I think we're going to wrap up now, but we will try and cover all of the questions that we can that have come through and we'll come back to you where we can on those. But thank you again for attending today's webcast and thank you very much to our panel. We hope you found this a useful and practical update. The webcast has been recorded and we will make it available shortly. We're running a similar session on Friday at 11 o'clock for any colleagues that may have missed out. There's some registration still available for that too. We will also look through the questions we've not been able to cover. As I mentioned, on screen you will see a QR code linking to the Restoring Trust series that we've mentioned a few times throughout the webcast. Do please scan that and that should take you directly to the website. There's lots to be considering here. Please do stay in touch with me, the panel or your regular PwC contact as your thinking develops or if we can support you on anything we have discussed today. Thank you again for joining.