With updates to the UK Corporate Governance Code in effect from 1 January 2025 now is the time to ensure plans are in place to address the new requirements.
What are the key requirements to the revised Section 4 of the Code?
The key revision to Section 4 of the Code is included within provision 29, whereby:
- The board will describe how it has monitored and reviewed the effectiveness of the company's risk management and internal control framework;
- Make a declaration over the effectiveness of all material controls as of the balance sheet date; and
- Describe any material controls which have not operated effectively, and the actions taken or proposed to improve them.
While the concept of material controls in the Code is not a new one, the requirement for the board to disclose the effectiveness of controls is. With this requirement, the FRC are looking to increase trust and resiliency in the UK markets and improve the transparency of financial information to stakeholders of listed companies.
The revisions to the Code do not act as a set of rules, which differentiates from the Sarbanes-Oxley Act of 2002 (SOX) for US listed companies. Instead, the Code offers companies the opportunity to comply or explain their reporting against the Code’s provisions. The intent in doing so is to help companies streamline and focus on the reporting principles of the Code, and disclose to stakeholders important information in a manner which makes most sense for the company.
What are the next steps to enabling compliance?
The level of effort to comply with the revisions to Section 4 will vary across companies depending on the maturity of their current risk and control documentation. For example: a company with well-maintained risk registers and control matrices, which are constantly re-assessed to ensure alignment with how processes operate within the business, may have significantly less effort to uplift their documentation compared to a company navigating growth or expanding into new territories without documenting new or expanding risks.
While there is not a prescriptive ruleset outlining how to drive compliance moving forward, there are several proactive steps companies can start thinking about today to prepare for the new requirements:
- Define the concept of ‘material control’ across risks within the company. This will need to consider quantitative and qualitative elements of risks, which are not limited solely to financial reporting risks.
- Review current repository of risk and control documentation including, but not limited to, risk registers, process and control flowcharts or narratives, or risk and control matrices.
- Evaluate documentation for gaps against your defined concept of materiality.
- Implement or remediate controls to address material risks.
- Determine how you plan to obtain assurance over control effectiveness and what level of assurance the board will require to be confident in signing the declaration. Understanding where deviating in reporting against the provision may be more appropriate for your company is also key when making this assessment.
- Document and communicate results of the evaluation of the effectiveness of controls to the board on at least an annual basis.
How can CFGI support you?
Our team has extensive experience assisting companies through process and controls transformation programmes, including documenting the current state of controls, assessing control gaps, implementing and remediating controls, and testing the design and operating effectiveness of controls.
CFGI operates in a flexible and hands-on way to help your company build a framework which complies with the revised Code requirements. When you work with CFGI as an experienced compliance partner, you gain access to a wealth of risk management experience across companies of various sizes and industries, bringing valuable insights when building or expanding your risk and controls framework.
Free from auditor independence requirements, CFGI can advise, support, and act as an extension of your finance and compliance team.
If you would like to talk through how these updates affect your business or the challenges you are facing contact us at: www.cfgi.com/contact-us or get in touch directly with our Cambridge lead Paul Cooper at: pcooper@cfgi.com
