30 April 2025
In today’s episode Ashurst’s Will Chalk is joined by two people who were closely involved in industry consultations relating to the UK Corporate Governance Code; Ashurst risk expert Nisha Sanghani and ICAEW governance lead Peter van Veen. They consider what changes to Provision 29 will mean for regulated organisations in the UK.
The episode includes a summary of what the new requirements involve and a practical road map for compliance, covering areas of greatest urgency, likely judgment calls, and the possible impacts for assurance. The trio also debate whether the description “Sarbanes-Oxley via the back door” is an apt one for revised Provision 29.
To listen and subscribe to this podcast, search for ‘Ashurst Legal Outlook’ on Apple Podcasts, Spotify or your favourite podcast player. And to find out more about the full range of Ashurst podcasts, visit ashurst.com/podcasts.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.
Will:
Hello and welcome to the second in our series of AGC, Ashurst Governance and Compliance Podcasts, where we focus on the latest developments in the world of governance, compliance, and reporting. I'm Will Chalk, partner in Ashurst's London corporate team focusing on corporate governance. In this edition, we're going to focus on the 2024 iteration of the UK Corporate Governance Code and one aspect of it in particular, predictably the revised Provision 29, and the key practical steps which companies should be thinking about. A bit of background: post-BHS, Carillion and other corporate scandals, and after three significant consultations on the future of audit and corporate governance reform, in March 2021 the Financial Reporting Council launched a very wide-ranging consultation on changes to the code. This dovetailed with other legislative changes, which would've imposed even more significant reporting requirements on public interest entities. And despite those additional obligations, resilience statements and audit and assurance policies chief among them, being shelved at the 11th hour, with knock-on implications for the extent of changes elsewhere in the code, Provision 29, or the changes to it and its implications for risk management and internal controls, remains a key amendment.
The 2024 code, which applies to companies on regulated markets such as the main market of the stock exchange by virtue of the FCA's listing rules, formally applies to financial periods beginning on or after the 1st of January 2025. That's slightly to gloss over the transitional provisions the FCA has recently published, but it's in play now. However, given its significance, the revised Provision 29 applies a year later, so to reporting periods beginning on or after the 1st of January 2026, so we'll see the first reports based on it in early 2027. Now, I'm delighted to be joined by two people heavily involved in industry discussions and consultations related to the code in general, and Provision 29 in particular. First, my colleague, Nisha Sanghani. Nisha is a partner in our risk advisory consulting team. Nisha, hello.
Nisha:
Hi Will. Thanks so much for inviting me on today.
Will:
And I'm delighted that we're also joined today by Peter van Veen, the Director of Governance and Stewardship at the ICAEW. Peter, hello.
Peter:
Hi Will. Thanks for inviting me.
Will:
And you've been focused on this in particular like Nisha a lot. Do you want to just elaborate on some of that focus?
Peter:
Well, so at the ICAEW we've worked extensively with the FRC and certainly provided lots of feedback on the consultations, trying to balance out the intent, as you outlined, in relation to those corporate collapses and strengthening corporate governance, and at the same time balancing the load on boards and the requirements on boards and audit committees, which we are somewhat concerned are being overburdened by new requirements. We've tried to strike that balance and, well, we'll discuss a little bit today whether that balance is being struck or not, but that's really what we've been focused on with the FRC.
Will:
Do you want to kick us off just by giving us a brief reminder of what new Provision 29 expects of companies?
Peter:
Sure. It's fairly straightforward on the face of it, and that is that the board should be monitoring the company's risk management framework and internal control framework, and at least annually carry out a review of its effectiveness. And it should really be providing an attestation, or a declaration if you like, that it's happy that these things are in order and are fit for purpose. And this monitoring and review, the annual review, should cover all material controls, including financial of course, but also operational, reporting (so the annual report and so forth) and compliance controls.
And the board should outline in the annual report a description of how the board has gone about the monitoring and reviewing of the effectiveness of the framework; a declaration, so the signed declaration by the board, on the material controls as at the balance sheet date; and a description of any material controls which have not been operating effectively as at that date, the action that they've taken or proposed to improve them, and any actions taken previously in relation to those material controls. On the face of it, it doesn't sound like there is a lot to it, but in practice it's quite a big ask, I think.
Will:
Thanks, Peter. Nisha, turning to you, there's been a lot of debate about the public disclosure. Peter's already mentioned that attestation. Do you think that statement of effectiveness is a fair requirement?
Nisha:
Good question Will. I think the purpose of the attestation or the disclosure requirements that Provision 29 sets out is really to help the board's focus towards what the end objectives are. In terms of its fairness, I think it absolutely is fair. I think a lot of the debate comes about because there's a lot of confusion in terms of how boards get to the position where they could make those declarations and they could do that in quite a scientific way. When it comes to making public disclosures, especially when you are a director with statutory duties that you have to comply with, obviously you want to make sure that you've done things very diligently. And so that's what people are grappling with, how to get to the point of being able to make that statement.
And I think we'll talk about it as the conversation progresses, but some of the challenge comes about the fact that... Peter talks about the fact that the board has to be responsible for the internal control framework as well as the risk management framework. And that could be quite detailed depending on the size, complexity, and business model of an organisation. And so really the board has a piece of work to do in order to be able to bring that framework together into a level that can be discussed at a boardroom, which is quite a bit of work to do to be able to get to that point. I think the debate is really in relation to what needs to be done, what's required, and how much work needs to be done to get there as opposed to making the end statement?
Will:
Thanks, Nisha. Before we get to what that work looks like, Peter, this is a question that's been asked a lot, but I'm interested in your view time and again, we've heard people referring us to the revised Provision 29 as Sarbanes-Oxley by the back door. Do you agree with that?
Peter:
Well Will, it is a good question. It's one that we've asked ourselves and asked of the FRC at the time: is that the intention? Now, the FRC has been absolutely clear. It is not the intention... By drafting a new Provision 29, it's not the intention of the FRC to actually create a Sarbanes-Oxley through the back door. I think the last thing the FRC want, and we want for that matter, is to have a very long tick-box exercise, which effectively Sarbanes-Oxley has become on the financial control side of the equation. And let's not forget, Provision 29 has operational, compliance and reporting controls as well, so you would make that a very long list if you took the same approach as Sarbanes-Oxley. Now, some companies might decide they're quite comfortable with Sarbanes-Oxley because they already report to that, and let's just extend that approach to these additional controls and just run a bigger Sarbanes-Oxley type process. But that would be the choice by the company. That is definitely not what the FRC is looking for.
The FRC is looking for meaningful kind of oversight of material controls, and I think the emphasis has to be on material. It's not about all controls; the FRC are not expecting boards to engage at the same level with every single control in the company. They're looking for material controls. And I think that's where the challenge is going to be. One, for the boards to feel comfortable that they are on top of and understand what the material controls are. And to really, when they do sign on the dotted line to say we've reviewed it and we're happy that everything's in order, that they feel comfortable and have comfort that they are fully aware of the material controls and that they're being managed and overseen properly by the various functions in the company. I think the emphasis is quite different. It's not an imposed big checklist by the FRC, it's really... On the face of it it can be quite a simple exercise, but in practice it could be quite complex depending on the company and depending on how complex its risk and control environment is going to be.
Will:
There's work to do. Nisha, where do companies start 18 months out to the extent... Because a lot of companies have started this work already, but we're aware of others that are in the foothills frankly, of this particular exercise. Where's the priority focus to start with? How do you get companies starting particularly when facing the enemy of time and the tyranny of the urgent?
Nisha:
Well, one of the other things, Will, just to touch on what you just talked about in terms of, is this Sarbanes-Oxley through the back door? The other thing that's been widely debated is, do organisations require a framework to be able to comply with Provision 29? And it's an elephant in the room. And I'm going to stand up and I'm going to say it. I'm going to hold my head up high and say, "Yeah, you absolutely need a framework." I actually don't see how you can achieve this objective without one. And actually one of the other changes in the Code is Principle O, and if you look at Principle O, it actually talks about the fact that the board is no longer responsible for just establishing an internal control framework, but it's also responsible for overseeing and maintaining a framework, and it purposely uses the word framework. And so the next question is, okay, so a board requires a framework to be able to meet these requirements, how does it go about building on frameworks that it's already got in its organisation to be able to make these declarations required by Provision 29?
Again, there's lots of debate; people talk about top down, bottom up, what does that mean? When it comes to internal controls and risk management, many organisations will have lots and lots of controls, micro-level controls all around the organisation. And typically what firms do is they will run very detailed processes where control owners are required to map out their controls, state whether or not they're operating and designed effectively, and do all sorts of weird and wonderful things to be able to produce management information in relation to that. That's great. But the problem for the board, and as Peter just talked about, is the board has to be focused on the material controls within the organisation. And those very much need to be linked to the principal risks of the organisation. And that's where we need to start thinking about a top-down view and how we bring that top-down and bottom-up view together. And so in my view, what boards need to be doing as a first step towards being able to meet these requirements is really challenge themselves on what the true principal risks to the business are.
And I mean that in a very specific way. I think the way businesses should look at principal risks is not, what did we historically sit around the boardroom and debate about the things that we were worried about? I mean actually go through quite a scientific exercise of looking across their value chains and looking at those key risks that they think would impact their organisation's key critical success factors. And that would be risks that impact organisational revenue, cost base, and therefore profitability. They could impact the organisation's resilience. For example, a heavy operational business might be reliant on supply chain, so that might be a key risk for that business. Another example would be risks that impact the business's stakeholders. And by stakeholders, I don't just mean shareholders, I also mean customers, investors and other parties down the value chain. I think that's the first exercise that the board needs to do, re-challenge itself on what those principal risks are.
Will:
Won't they have done that in producing their annual reports every year?
Nisha:
Absolutely they would have, but I think they have to almost redo this with a bit more of a critical lens, noting that now there's a public disclosure required in relation to that. And the reason I think that's an important exercise is, remember the board is responsible for maintaining, establishing and overseeing the risk management framework. A risk management framework covers all the risks that impact the organisation, so that's your bottom-down, that's your bottom-up view. Sorry.
Will:
And just elaborate a little bit more on what you mean by framework, Nisha.
Nisha:
A good way to think about framework is actually that the FRC's guidance itself includes, for example, the COSO framework, which is very much a specific framework that is designed for organisations to almost document and articulate what their risk taxonomy looks like. A risk taxonomy is all of the risks that apply to your organisation. And then the framework helps you to establish how those risks are disseminated across your organisation and managed, what your risk appetite and your tolerance is for each of those risks as an organisation. And then who within the organisation, in terms of functional owners, is responsible for owning the controls as they relate to the mitigation, management and oversight of those risks, so that's what a framework is. But coming back to what I was just saying, I think it's really important not just to build a framework that has lots and lots of controls documented, but as a board, think about how that framework can support you in developing organisational strategy, overseeing and looking at the changing risk profile of business change, for example.
One of the key drivers of the corporate governance code reform, and you talked about it really well earlier, Will, is around some of the corporate failures that obviously we've seen over the years that have passed. And one of the key things that's come out as part of those corporate failures is actually organisations, they often think about risk, they often think about strategy, but those two things often aren't thought about hand in hand. But of course they have to be thought about hand in hand because it would be completely wrong of organisations to live in a world where they don't take any risk. Organisations can't make money, they can't build businesses if they take zero risk, so they need to take risks, but they need to do that in a way that they understand what risks they're taking and they take them within the aptitude or the appetite of the business.
And that's why this type of framework is really important, where we not just look at a bottom-up view at all the hundreds of controls within the organisation, but actually we take a top-down view as a board and we understand what's material to the organisation, where do we need to be concerned? And if we change our business strategy, perhaps we're moving from being a business that invests in asset type A to asset type B, what does that do in terms of changing our operational risk profile and what active decisions do we now need to make on the back of that? That's what I think is key in terms of this framework, and that's what the FRC mean when they talk about comply or explain. They're not being prescriptive in what organisations should do and how deep they should go when it relates to one particular risk because they cannot; every business is different, every business has a unique business model. And they will be more mature when it comes to certain risks within the organisation and less mature in other cases.
And that's how the board then needs to remain flexible in terms of where it might seek assurance, where it might seek additional oversight in relation to areas where perhaps it's less mature.
Will:
Peter, coming back to you and the declaration of effectiveness, we've heard lots of debate about the extent to which boards will want to get their risks and controls assured. Are we talking about getting them all assured or is it a partial response?
Peter:
Well, I think the short answer to, should they get assurance on all the risks is no, absolutely not. I don't think there's any intent to create a whole new assurance requirement on this area in terms of Provision 29. What is the case, and as Nisha has already alluded to, is that boards may well want to get some level of external assurance or certainly external support. And it really is down to the maturity of the organisation.
Lots of companies, the largest around are already doing most of this. They're not necessarily signing the declaration, but they've got the frameworks, they've got their risks, material risks, key risks lined up. They know what they are, they have a mature internal control framework with the material ones monitored by the board. That is not a new development for the bigger companies out there. For them, this is about, okay, well what additional work do we need to do as boards to satisfy this provision and sign that declaration?
And they might want to get an external adviser, or the external auditor even, to come in and just give them some comfort that... Do a light check on the frameworks just to make sure they're fit for purpose, that they've kept pace with the changing risk landscape and that they're not signing something that they shouldn't be signing. There'll be that, and I think the mature companies will see this as part of business as usual and just a bit of a refresh, and potentially it won't be all that onerous. I think if you're not in that space, if you are starting relatively fresh, and I suspect most of the companies falling under Provision 29 probably aren't necessarily in that space, there'll be plenty who'll say, okay, well we haven't formalised these things. We know what our risks are. We have got internal control, but we've never tied it all together for board signature and board oversight.
And I think then you might well want to get some external support, not because it's a question of trust, that you don't trust your internal audit or your internal control or the other aspects of internal controls, but rather that the board needs to satisfy themselves that these are all fit for purpose. And they might feel and decide that getting some external perspective on that will help them, A, sleep better at night, that they've signed something that is absolutely spot on for them, without necessarily having to rely on internal audit or other functions to provide that picture, because there's always some bias in that. No one's going to hold up their hand and say, well, we haven't been looking after the right controls or risks, if they haven't. I think that's a really important aspect. But I think there is a challenge also for the board on the declaration signature side, and it has to do with the board's own kind of processes in terms of how aligned the board are on these things.
Because deciding which risks and controls, well, which controls are material and which are the key risks, especially the material controls, different board members might have different views. And you have to get that alignment within the board, that you're all buying into that this is your risk universe and these are the key ones that you're going to focus more time on as a board. Because it's not just a question of signing stuff off, of course; it is the board's responsibility to manage the material risks of the business, at least from an oversight perspective. This is a good opportunity for boards to really align and get that alignment and make sure that you are focusing on the right risks and that your control framework is managing those material controls to manage those key risks, without it creating a whole new burden on boards, which unfortunately it might do.
And our concern has been that, coming back to your previous question on it being Sarbanes-Oxley through the back door, if people do take more of a Sarbanes-Oxley approach in terms of a very long checklist, invariably this is going to end up on the audit committee's to-do list of things to go through. And audit committees are already overstretched and overburdened with compliance-related activity. And the last thing they need is another big annual exercise. And let's not forget, the audit committee typically meets four times a year, so if you make this an annual exercise, that's one audit committee meeting dedicated to just this topic, probably. When are they going to have time to look at the other things they're supposed to be looking at? And I think this is the big worry: for the board, there is an information asymmetry here. Boards do not have the same information as management and as the functions in the company itself.
And so how do the boards make sure they have sufficient information? They can never have all the information; that's an unrealistic expectation. But they need enough information to sign that declaration. And I think this is really a judgement call by the board as to how much they want to bring in external assurance to give them that comfort, to help with that information asymmetry and also take some of the pressure off the audit committee or others on the board who might be tasked with managing this or coordinating this. But it's a judgement call. I think that's what it comes down to.
Will:
Sure, I agree. And Nisha, in your view, there's a positive to be taken from this additional work, right?
Nisha:
Yeah, 100%. Look, I agree with everything Peter just said in terms of that judgement call point. And I think what this exercise will do, and that's on the basis that it's not treated as a box-ticking exercise, I think it will really help boards to bring risk management into the day-to-day of strategy setting and decision making. And I think that's absolutely key, and that's what the FRC's intentions are in terms of the changes to this code and Provision 29 in particular. The way that I look at this when I... In my days when I was sitting on a board, the biggest bugbear I had, and we did, by the way, have very detailed Sarbanes-Oxley-style control reports that used to come to the board, and it was the biggest bane of the board, because we'd get all these reports with dashboards and colour coding about every single control in the organisation, but it was very difficult to see through the wood to the trees.
And so I think even in the most mature organisations, probably the work that needs to be done is that knitting piece, being able to build that enterprise strategic view and linking that back to the more detailed control view that continues to sit with management and the functions. And of course the board should get positive assurance around all risks to the business, but it's really the material and principal risks that the board wants to focus on. I have this great analogy, it's a Christmas tree analogy, and I used to use it a lot when I sat on a board. If you think about a Christmas tree, the star at the top, think about that as your principal risk to your organisation. Let's just say that was health and safety risk because I'm an operational organisation. All the bulbs on the Christmas tree are lit up, and all of those bulbs represent various controls throughout the organisation.
If one or two of those bulbs go out, obviously that's a problem. That's a problem for management. And those need to be resolved, and we need to have the mechanisms to identify that within our organisation. But are those things that I should lose sleep over in the boardroom? Not necessarily. However, if one of the bulbs is critical and it's responsible for sending the light circuit to the star, and it's going to materially impact that principal risk, I'm going to be concerned about that. And that's really what this is all about. That's exactly what this exercise is about. It's about understanding all the lights on that Christmas tree and understanding where those sit, but then allowing the board to focus on that star and those key lights that keep that star alight. And for me, that's what this exercise should be all about.
Will:
Plenty to be getting on with over the coming months, I think we can all agree. Do reach out if you'd like support in working out how these changes impact you. Nisha, Peter, thank you so much for joining us and for creating such a practical road map. And thanks to all of you for listening to our podcast. There's more to come, many episodes of which will develop the issues in our board priorities for 2025, which you can find on our website. Please do share the podcast with interested colleagues and let us know if you think we can improve them in the future. Bye for now.