Ethics & Compliance and the Corporate Governance Code
Ethics & Compliance and the Corporate Governance Code
On 22 January 2024, the Financial Reporting Council (FRC) announced the long-awaited update to the UK Corporate Governance Code (the Code). This was followed a week later by the publication of the Corporate Governance Code Guidance (the Guidance) which supports companies to apply the Code Principles by providing advice, further detail and examples.
In this article, we explore the key updates to the Code and what they mean for Ethics & Compliance (E&C) teams.
Ethics & Compliance and the Corporate Governance Code
The first version of the Code, published in 1992, focussed on the governance systems by which companies were directed and controlled and has continued to evolve to take account of the increasing demands on the UK’s corporate governance framework.
While the Code only applies to those companies with a premium listing on the London Stock Exchange, many more companies have chosen to follow the Code as a standard for best practice giving their boards assurance that the appropriate systems, policies and practices are in place.
Controls frameworks are common in the financial controls arena, particularly following the introduction of US SOX. However, few companies outside of financial services have typically progressed to the point where they have effective mapping and frameworks in place in relation to compliance controls. E&C teams should now be paying much closer attention to this latest Code update.
Changes to the Corporate Governance Code?
Some of the key changes focus on internal controls and culture and therefore have direct relevance to E&C.
- Principle O has been amended and now requires the board to not only establish, but also maintain the effectiveness of, the risk management and internal control framework (including compliance controls).
- A new Provision 29 requires the board to monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.
- The 2018 Code already required that boards monitor, review and report on financial, operational and compliance controls, however the 2024 Code adds the requirement for the board to make a declaration of effectiveness in relation to material controls including financial, operational, reporting and compliance controls.
- The board should include descriptions within the annual report of how they have monitored and reviewed the effectiveness of the control framework as well as highlighting any material controls which have not operated effectively and include the action taken, or proposed, to improve them and address previously reported issues.
- Also relevant to E&C teams are amended provisions relating to corporate culture. Within the context of ensuring that the company’s purpose, values, strategy and culture are aligned an amended Provision 2 now requires that boards should not only assess and monitor culture but also how the desired culture has been embedded and report on activities and actions taken within the annual report.
The changes under Provision 29 are significant and the additional requirements around declarations of effectiveness, monitoring and reviewing control frameworks and providing commentary on inefficient controls will likely mean that the board and their 2nd line functional teams across finance, risk, controls and compliance will need to start planning sooner rather than later. Although the 2024 Code updates will not apply until financial years beginning on or after 1 January 2025 (for Provision 29 this is for financial years beginning on or after 1 January 2026) businesses are already starting to consider the key questions.
The updates to the Code will require more detailed focus on compliance controls as part of a wider controls framework and with the additional requirements around organisational culture these changes should be seen as an opportunity for E&C teams to tailor, enhance and further embed existing E&C programmes.
Next Steps for Ethics and Compliance teams
For E&C teams, early planning in relation to the following considerations is recommended as part of the process to build an effective compliance controls framework:
Compliance Controls:
- Is there an internal control framework and does this address compliance controls?
- Are the risk registers sufficiently mature as a starting point for both risks and internal controls?
- How mature is the approach to internal controls and enterprise risk within the organisation – is a shift in culture and behaviours now required?
- What is the best way to develop a compliance control framework to the level of maturity such that it aligns and can be integrated with other controls across the organisation?
- Who is responsible for maintaining the internal controls framework and what is the role for E&C?
- What does material mean in relation to compliance controls – revisit the compliance aspects of principal risks to support this process?
- How to deliver the right level of assurance so that the board can reach a conclusion on the effectiveness of material controls and to support an internal controls declaration?
- How are control failures and proposed remediation activities to be reported to the board?
- How can technology be leveraged to help embed and sustain the controls framework?
Culture: (See our separate article on “Successfully Embedding Corporate Culture under the new Corporate Governance Code”)
- Have you defined the culture and shared values you need to deliver your strategy and purpose?
- Do you know how to embed your desired culture effectively?
- Is your culture enabling your commercial success?
- Do you measure if the culture and values are being embedded effectively?
BDO Controls Methodology – A journey to Code Compliance
Below is a sample roadmap to compliance. Each organisation will be different and will need to consider current maturity as well as the nature, size and applicable risks for the organisation.
| Scoping & Risk Assessment | Q2-Q4 2024 |
Assess current maturity of risk management and controls. Ensure key scoping questions are addressed. Ensure organisational wide risk assessments are conducted for each compliance risk area. Define scope of material controls and assess risk culture. |
| Risk & Control Design | Q2 24 - Q2 25 |
Identify clear and comprehensive control requirements, material controls, guidance and supporting technology. Leverage work conducted in relation to financial controls. |
| Implementation & Remediation | Q1 25 - Ongoing |
Perform a control gap analysis exercise, assessment of control design and remediation of control gaps. Assess operational effectiveness. |
| Assurance, Reporting & MI | Q2 25 - Ongoing |
Ongoing risk aligned controls assurance, escalation and remediation of control issues, reporting to the Board and preparation for the controls declaration. |
Our experts across Ethics & Compliance, Internal Controls, Risk and Corporate Governance are available to assist. For more information, please contact Paul Hockley.