Ashurst Governance & Compliance Update - Issue 48

Corporate Governance  

1.  UK Corporate Governance Code 2024 and accompanying guidance published

The Financial Reporting Council recently released the UK Corporate Governance Code 2024.  Our overview of the principal changes in the 2024 Code can be found here.

The FRC has also published guidance to support those who use the 2024 Code. 

The guidance incorporates the FRC's current Guidance on Board Effectiveness, Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and Guidance on Audit Committees. The guidance is not mandatory, nor does it form part of the 2024 Code. It is also not prescriptive. The primary purpose of the guidance is to 'stimulate boards’ thinking on how they can carry out their role in governing the company effectively'. To that end, the guidance contains suggestions of good practice to support directors and their advisors in applying the 2024 Code.

According to the FRC, the guidance should not be used as a tick-box list of actions to be followed in every situation.  Rather, reporting against the 2024 Code should always be proportionate and appropriate to the relevant company. Individual boards should decide on the governance arrangements most appropriate to their company’s circumstances by applying the Principles of the 2024 Code and complying, or when appropriate, explaining why they are not complying with the Code's Provisions.

The guidance comprises five sections that reflect the structure of the 2024 Code: 

• Board leadership and company purpose.
• Division of responsibilities.
• Composition, succession and evaluation.
• Audit, risk and internal control.
• Remuneration.

Headline changes made to the current guidance referred to above include:

• More granular guidance in relation to issues pertaining to the embedding of culture across an organisation.
• Guidance on 'outcome-based reporting' with related 'Questions for Boards' to ask themselves and considerations related to the cycle of stakeholder engagement.
• Guidance on relations with suppliers, including dialogue-driven engagement methods which may be deployed and disclosures which might be made in the context of Modern Slavery Act statements.
• Good practice guidance to support the effective management of board committees. This includes both risk and sustainability committees as well as more granular guidance on the roles of each of a board's three main committees.
• Further detail on director induction and board and committee training.
• Thoughts on how companies can continually support D&I initiatives and how nomination committees can report on progress.
• Considerably more detailed guidance on the establishment of a risk management and internal control framework, risk governance generally and deciding on risk appetite, the management, mitigation and monitoring of risk and material controls, and the declaration of the effectiveness of the framework. A section has also been included on cyber risk management.

Relatedly, the Chartered Governance Institute UK & Ireland has published a guidance note on Terms of Reference for the Sustainability or ESG committee, which includes a model set of terms of reference.

The CGI guidance sets out how to ensure sustainability or ESG committees adopt good practice in accordance with the other committee recommendations in the UK Corporate Governance Code. 

2.  Draft Cyber Governance Code of Practice: call for views 

The government has launched a call for views on a draft of The Cyber Governance Code of Practice. The Cyber Code has been designed by industry leaders in collaboration with the National Cyber Security Centre and is intended to formalise the government's expectations of directors for governing cyber risks, as they would with any other material or principal business risk. The Cyber Code is intended to apply to organisations of all sizes and to operate on a purely voluntary basis. 

Feedback is due by midnight on Tuesday 19 March 2024. 

Background

The introduction of the Cyber Code forms part of the £2.6bn National Cyber Strategy 2022, published on 15 December 2022, which seeks to protect and promote the UK's digital economy and drive up cyber resilience standards.

The Companies Act 2006 presently requires all large companies to provide an annual "description of the principal risks and uncertainties facing the company". However, this does not require disclosure of information regarding how these risks and uncertainties are being addressed and mitigated nor their likelihood and potential impact and companies’ underpinning governance processes for risk management and developing business resilience. 

The FRC recently published an updated UK Corporate Governance Code 2024 (see Item 1 above). One of the Provisions proposes that boards make a declaration that their company's risk management and internal controls systems have been effective throughout the reporting period. Another Provision requires companies to carry out robust assessments of the company's emerging and principal risks. The government has indicated it will work to ensure consistency between both codes.

While there is no one-size-fits-all approach to governing business risks such as cyber risk, the Cyber Code is intended to bring together the critical governance areas that directors need to take ownership of, in a form that is simple to engage with. Its primary emphasis revolves around ensuring that businesses have plans in place to mitigate the likelihood of a cyberattack and to respond and recover from any such attack. It is essential for those plans to undergo regular testing and there should be a formalised incident reporting system in operation as well. The Cyber Code also urges business leaders to do more to equip their employees with appropriate cyber security skills and awareness.

Proposed approach 

The call for views is focused around three issues:

1. The design of the Cyber Code

The Cyber Code is presented in the form of five overarching principles with relevant actions underneath each principle. The principles are: 

• Risk Management: This principle emphasises the importance of strong risk management practices, encouraging organisations to recognise, prioritise, and consistently evaluate critical digital processes, information, and services crucial for business continuity and success. It focuses on the integration of cybersecurity risks into a comprehensive enterprise risk management framework;
• Cyber Strategy: This principle recognises the significance of monitoring and adjusting the cyber resilience strategy in accordance with recognised cyber risks, business strategy and legal obligations. Sufficient resources should be designated to enhance cybersecurity capabilities that can address effectively emerging threats while maintaining flexibility and adaptability;
• People: The focus of this principle is on nurturing a culture of cyber resilience. Transparent cybersecurity policies that synchronise the organisation's values with the cyber resilience strategy is considered critical. Individuals should be encouraged to assume accountability for cyber literacy and secure data handling practices, facilitated by a robust cyber training and awareness programme;
• Incident Planning and Response: This principle encourages organisations to possess clearly outlined strategies for addressing and recovering from incidents that impact crucial processes, technology and services. Regular testing and evaluations following incidents should be conducted to improve future response and recovery plans; and
• Assurance and Oversight: The Cyber Code supports the establishment of a governance structure that complements the organisation's current governance framework. This involves outlining the roles and duties of directors in overseeing cyber resilience, engaging in ongoing discussions with senior executives and establishing formal reporting that aligns with business goals.

2. How the government can drive uptake of use and compliance with the Cyber Code

The government suggests introducing the Cyber Code on a voluntary basis with the intention that it will complement existing regulatory requirements. Although the Cyber Code alone is unlikely to be capable of instigating the necessary enhancements in cyber risk management at the board level, the government is investigating the potential use of the Code to assist regulatory compliance with regulations such as the UK General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) regulations. Nonetheless, given that cyber risk has become a significant threat to any business with an online presence, regardless of whether it is currently regulated, the government considers that all organisations should embrace the Cyber Code. For that reason, the positioning and promotion of the Cyber Code, the potential roles of other entities in implementing and adopting the Cyber Code, and any obstacles to its implementation are all open for discussion.

3. The merits and demand for an assurance process against the Cyber Code

To encourage adoption, the government is examining the advantages and risks of incorporating a self-assessment or independently evaluated assurance process aligned with the Cyber Code. The call for views aims to gather insights on the possible interest in such a mechanism, identify those who may benefit from an independently verified "badge," and explore the associated risks.

EU Sustainability Reporting

3.  EFRAG consults on EU sustainability reporting standards for SMEs

EFRAG (formerly the European Financial Reporting Advisory Group) has launched a consultation on exposure drafts of EU sustainability reporting standards (ESRS) for listed and non-listed small and medium-sized enterprises (SMEs). 

The ESRS have been developed to support sustainability disclosures required under the EU Corporate Sustainability Reporting Directive 2022 (CSRD). For information on the development of the first twelve ESRS, see First European Sustainability Reporting Standards (ESRS) .

The Exposure Draft ESRS for listed SMEs (ED LSME), will be issued as a delegated act and effective on 1 January 2026 (unless the relevant SME exercises the option in Article 19a(7) to opt out for a further two years). It will set reporting requirements for SMEs that are public-interest entities or 'PIEs' (i.e. entities with transferable securities admitted on an EU regulated market, small and non-complex institutions, and captive insurers and reinsurers). The ED LSME aims to set reporting requirements that are proportionate and relevant to the scale and complexity of the activities and to the capacities and characteristics of listed SMEs. ED LSME includes sections on general requirements, general disclosures, policies, actions and targets as well as metrics.

The Exposure Draft ESRS for non-listed SMEs (ED VSME) is a voluntary sustainability reporting standard. The aim of the ED VSME is to help micro, small and medium-sized enterprises by standardising ESG data requests and streamlining processes for them to respond to requests for sustainability information that they receive from the businesses for which they are suppliers. ED VSME is also intended to help SMEs access sustainable finance.

EFRAG is seeking views, amongst other things, on simplification of the reporting requirements for SMEs that these exposure drafts seek to achieve.  The consultation will be open for comment until 21 May 2024. 

Economic Crime and Corporate Transparency 

4.  Companies House announces date for introduction of first ECCTA 2023-related measures 

Companies House has announced that it is aiming to introduce on 4 March 2024 the first set of measures brought in by the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023). This depends on the requisite secondary legislation having been implemented, with Companies House making clear that 4 March 2024 is the earliest possible implementation date.

The measures scheduled to be introduced on 4 March 2024 include:

• greater powers for the registrar to check, query or reject information submitted to Companies House and to request supporting evidence;
• measures to clean up the register, using data matching to identify and remove inaccurate information;
• greater control over company names;
• new rules for registered office addresses and a new obligation for all companies to register an 'appropriate' email address;
• changes to the requirements for registering new companies to include a new statement by subscribers that the company is being formed for a lawful purpose. Companies will be required to confirm in the annual confirmation statement that their future activities will be lawful;
• the ability to annotate the register when information appears confusing or misleading; and
• the registrar's new powers to share information with other government departments and law enforcement agencies.

Regulations relating to the ability of the registrar to annotate and remove information from the Companies House Register and the Register of Overseas Entities have also been laid before Parliament. They will come into force at a future date to be determined by reference to the implementation of other sections of ECCTA 2023.  We will let you know when that happens.

Narrative Financial Reporting

5.  FRC reviews private company reporting

The FRC has published a thematic review of the reporting by the UK's largest private companies. 

Overall, the FRC found the quality of corporate reporting to be 'mixed', particularly in terms of how clearly companies explained material matters that were complex or judgemental.

Key findings that companies and their auditors should take into account for future annual reports are:

• The best strategic report disclosures focused on the matters that are key for an understanding of the company. These were explained in a clear, concise and understandable way that was consistent with the disclosures in the financial statements. Good quality reporting does not necessarily require greater volume.
• Better examples of judgement and estimates disclosures included detail of the specific judgement involved and clearly explained the rationale for the conclusion. The significance of estimation uncertainty was much more apparent when sensitivities were quantified.
• Accounting policies for complex transactions and balances were often untailored, providing boilerplate wording. Entity-specific policies are particularly critical for revenue, where the better examples explained the nature of each significant revenue stream, the timing of recognition and how the value of revenue was determined.

Whilst not withing the scope of the review, the report also makes observations on climate-related disclosures. 

The report concludes with the FRC's reporting expectations of the UK's largest private companies:

• Provide a strategic report that contains a balanced analysis focused on the elements of development, performance and position that are key for an understanding of the company.
• Explain how the company or subgroup fits into a wider group structure to allow a user to understand fully the context in which it operates.
• Tailor accounting policies for transactions and balances that are complex or judgemental and keep policies under review to ensure that they remain complete, relevant and accurate.
• Disclose revenue policies explaining the nature of each significant revenue stream, when it is recognised and how its value is determined.
• Provide specific details of judgements taken and clearly explain the rationale for the conclusion reached.
• Clearly distinguish which estimates have a significant risk of material adjustment to the carrying amount of assets and liabilities in the next financial year. Provide additional quantitative detail where it is necessary for an understanding of the significance of the estimate.
• Disclose clearly the nature of the obligation giving rise to a provision and the associated uncertainty in timing or amount for significant provisions.
• Explain the nature of each significant financial instrument risk within the company. Where necessary for an understanding of the exposure, this should include quantification and provide information on the sensitivity to potential future changes.
• Conduct a critical review of the annual report and accounts prior to finalisation. This includes considering whether the report as a whole is clear, concise and understandable, as well as checking for internal consistency and more detailed presentation and disclosure matters.

6. PERG publishes 2023 annual report and latest good practice reporting guide

The Private Equity Reporting Group has published its sixteenth Annual Report and latest Good Practice Reporting Guidelines. The Annual Report reviewed 81 portfolio companies (2022: 73) that fall within the scope of the Guidelines and the 71 firms (2022: 64) that back them (private equity firms and those operating in a private-equity like manner).

By way of reminder, PERG was established to monitor conformity with the Walker Guidelines, which are now known as The Guidelines for Disclosure and Transparency in Private Equity, and to make periodic recommendations to the BVCA regarding any necessary changes to those Guidelines. 

Key findings

The uncertain and volatile macroeconomic environment, legacy Covid-19 pandemic issues and the high rate of inflation have had an adverse impact on many businesses both globally and in the UK. PERG found the impact on UK companies being brought out in some of the narrative reporting it reviewed, with increased disclosure on financial position, business strategy and employees.

96 per cent of the sample of 25 portfolio companies selected for detailed review (2022: 25) complied with the disclosure requirements in the annual report either by including the additional disclosures expected by the Guidelines in their annual report or by addressing omissions via the use of an addendum following review (2022: 100 per cent).

A significant number of companies also produced 'excellent' individual disclosures. 60 per cent of the sample reviewed prepared disclosures to at least a 'good' standard, which matches the figure from 2022. One company prepared disclosures to an 'excellent' standard, while one company was found non-compliant.

The annual report highlights a deterioration in 2023 in the standard of disclosure on non-financial key performance indicators. It also reveals continued non-compliance with disclosures that are specific to the Guidelines, such as social and community issues and gender diversity information.

Only 60 per cent of the portfolio companies reviewed included a statement of compliance with the Guidelines in their annual report, which is nevertheless an improvement on last year (2022: 52 per cent).

81 per cent of portfolio companies published an annual report in a timely manner on their website (2022: 78 per cent); 83 per cent published a mid-year update in a timely manner on their website (2022: 86 per cent).

The latest version of the Good Practice Reporting Guide, published by PERG and PwC, highlights examples of good practice to help portfolio companies improve the transparency and disclosure of their financial and narrative reporting.

Review of the Guidelines

In 2022, PERG and the BVCA launched a review of the Guidelines. PERG expects to publish a report on this review at the end of 2024, with the revised Guidelines coming into effect in 2025.

Equity Capital Markets

7.  The Public Offers and Admissions to Trading Regulations 2024 

The Public Offers and Admissions to Trading Regulations 2024 have been made, alongside the publication of an Explanatory Memorandum. The Regulations create a new regulatory framework for the offering of securities to the public and the admission of securities to trading in the UK, replacing the EU-derived UK Prospectus Regulation. Building on Lord Hill's recommendations in the UK Listing Review, they seek to implement a more streamlined and agile regime which is tailored to the needs of UK markets. The Regulations are substantively the same as the draft form laid before Parliament in November 2023 (see our ECM update here). 

Revised regulatory framework

In overview, the revised regulatory framework set out in the Regulations:

• creates a general prohibition on public offers of securities against which there are a series of exemptions. The principal exemptions are envisaged to be offers where the securities are admitted to trading on a UK regulated market or a primary multilateral trading facility (MTF) - such as AIM - or offers that are conditional on admission and offers made via a regulated platform (see below);
• establishes a new regime for securities admitted to trading on a UK regulated market or MTF. Admissions to a regulated market or MTF are categorised as 'designated activities' - the designated activities regime having been introduced by the Financial Services and Markets Act 2023 to enable more proportionate regulation. It is in the context of admissions to trading on a regulated market where the FCA is given enhanced rule-making responsibilities, including in relation to specifying when a prospectus is required and prospectus content requirements; and
• creates a new regulated activity to cover the operation of a 'public offer platform' - such as a crowdfunding platform. In a bid to increase capital raising opportunities for unlisted companies, whilst recognising the need to protect investors in this area, the Regulations provide that offers must be made via public offer platforms where they exceed £5 million, unless another exemption applies under the new regime. The public offer platforms will be authorised and supervised by the FCA and will be subject to FCA rules.

Next steps

The Regulations came into effect on a limited basis on 30 January 2024 - for example, for the purposes of enabling the FCA to make or approve rules and to give guidance. They will come into full effect once the FCA has consulted on changes to its rules, given its enhanced rule-making powers under the revised regime. The FCA is expected to move to a formal consultation process in the summer, following its series of 'engagement papers' and focus groups which were launched last year. 

For additional information on the public offers and admissions to trading regime, please see our ECM update here.

EU foreign direct investment 

8.  EU foreign direct investment screening 

The European Commission has adopted a legislative proposal for a new regulation on the screening of foreign investments into the EU and repealing the current FDI Screening Regulation ((EU) 2019/452).

The proposed regulation establishes an EU framework for the screening, by Member States, of foreign investments in their jurisdiction, on the grounds of security or public order.

The regulation also provides for a co-operation mechanism allowing Member States and the EU Commission to exchange information and suggest measures if a foreign investment is likely to affect negatively security or public order in more than one Member State, or through a project or programme of EU interest.

The information to be provided as part of any screening includes: the name of the investor, the global ultimate owner of the investor and the EU target, the ownership structure of the investor and, where applicable, of the corporate group of which the investor is a part and a comprehensive description of the investment, its value and its source. It also includes detailed information on the EU target, its activities and alternative providers, the ownership structure of the EU target and, where applicable, of the corporate group of which it is a part as well as information about the other legal entities in the same corporate group located in other Member States.

The regulation sets out rules for Member States and the EU Commission for determining a foreign investment’s likely impact on security or public order and for Member States’ screening decisions. 

Member States will be required to report to the Commission annually, on a confidential basis, on their activities under their screening mechanism. 

In turn, the EU Commission must publish a publicly available annual report on the implementation of the regulation to the European Parliament and to the Council.

The regulation will enter into force on the twentieth day following its publication in the EU's Official Journal. However, to allow sufficient time for Member States and entities to prepare for implementation, there will be a transitional period of 15 months before the provisions of the regulation apply.

The proposal will be next forwarded to the European Parliament and the Council for consideration under the ordinary legislative procedure.

ESG: climate-related developments

9.  Transition Plan Taskforce mandate extended 

The mandate for the Transition Plan Taskforce (TPT), which was set up following COP26 in Glasgow to deliver a 'gold standard' framework for Transition Plans (TPs), has been extended by HM Treasury until at least 31 July 2024.

The TPT has nearly completed the tasks in its existing terms of reference including publishing a Disclosure Framework and Implementation Guidance. The TPT consulted in autumn 2023 on a suite of sectoral guidance, which it is anticipated will be published in Q1 2024 (see Transition Plan Taskforce issues Disclosure Framework and consults on sector guidance and AGC Update, Issue 44). 

The seven sectors covered by this guidance are asset owners, asset managers, banks, electric utilities & power generators, food & beverage, metals & mining and oil & gas. The TPT will also publish notes on adaptation, nature, just transition, emerging markets & developing economies and SMEs, and a 'Forward Pathway' on TPs.

The TPT will also support the Transition Finance Market Review launched in January 2024.  This will consider what the UK financial and professional services ecosystem needs to do to become a leading hub for, and provider of, transition financial services.

10.  IIGCC Guidance on developing net zero voting policies and practices

The Institutional Investors Group on Climate Change, which has over 400 members representing $65 trillion in assets, has published guidance to support asset owners and asset managers develop net zero voting policies and practices. 

The guidance is aligned with the Net Zero Investment Framework, which recommend investors adopt a voting policy consistent with assets in their portfolio achieving net zero emissions by 2050 or sooner. Investors that have made net zero commitments through the Net Zero Asset Managers (NZAM) and Paris Aligned Asset Owner (PAAO) initiatives will also be able to use the IIGCC guidance to develop stewardship strategies and voting policies that are consistent with their net zero objectives.

The guidance outlines three core principles underpinning the concept of net zero voting, namely that such voting should: (i) align with the investor’s own net zero objectives and targets; (ii) communicate net zero expectations to investee companies, clients and other stakeholders; and (iii) support net zero stewardship, engagement and investment approaches. 

Authors: Will Chalk, Rob Hanley, Vanessa Marrison, Becky Clissmann, Marianna Kennedy and Kseniia Samokhina