Enhanced controls: The revised UK Corporate Governance Code.

In January 2024, the UK Corporate Governance Code underwent some pivotal updates to reflect the evolving governance landscape. These changes signal a shift towards more robust governance practices for the premium LSE-listed companies who operate under the code – particularly in controls oversight and effectiveness. What do they mean for risk professionals and board members?

This blog covers:

  • Who is covered by the code?
  • What are the key changes to the code?
  • Diving deeper into controls
  • A path to readiness

Who is covered by the code?

The code applies to all companies with a premium listing on the London Stock Exchange, who must comply with the UK Listing Rules.

The updated version of the code applies to accounting periods starting 1 January 2025, except for Provision 29 on controls effectiveness – an acknowledgement that this will be the most significant shift for many and will require planning and investment. This provision applies to accounting periods starting 1 January 2026.

The code is principles-based and adopts a ‘comply or explain’ approach. Boards are permitted to implement a reasonable alternative to the principles or clauses of the code if it can be adequately explained in annual reporting.

What are the key changes to the code?

You can find a full summary of the changes here, but in short:

  • Principle on measuring performance changed to focus on board decisions and their outcomes on the company’s strategy and objectives
  • Requirement added to not only measure culture, but also how a desired culture has been embedded
  • Principle on board appointments adjusted to be more inclusive
  • Audit committees required to meet the May 2023 Minimum Standard: Audit Committees and the External Audit
  • Director remuneration provisions updated to cover malus and clawback, including a requirement to describe these provisions in the annual report, and to report any actual application of these provisions
  • New provisions to monitor the internal control framework and review its effectiveness

Diving deeper into controls

The biggest shift, reflected in a delayed application date for this provision alone, is Provision 29 on the controls framework and effectiveness. Here is the provision in full, with our emphasis added on the more critical changes.

“The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The board should provide in the annual report:

  • A description of how the board has monitored and reviewed the effectiveness of the framework;
  • a declaration of effectiveness of the material controls as at the balance sheet date; and
  • a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.”

While controls over reporting have been added to the list, it should be reiterated that it isn’t just financial controls related to the balance sheet, but operational controls (aligned with operational risks) and compliance controls that need to be considered in the review.

In the 2018 version of the code, the requirement was to report on the control effectiveness review. This now needs to be expanded to include the ‘how’: not just how the controls have been assessed by management, but how the board have received that information, provided reasonable challenge to management where required, and why they are comfortable that the internal control framework is operating as intended.

The required declaration – and description of ineffective material controls – will need to be supported by data and evidence on controls. If sufficient control frameworks, systems and processes do not exist, it will be difficult for the board to discharge its responsibilities under this provision.

A path to readiness

The best way for businesses covered by the code to meet their responsibilities will be within a robust internal control framework, linked to a risk management framework and compliance framework. Here are some key areas to review and assess:

  • Review control frameworks – Review control frameworks to ensure they cover how controls are identified and documented, how they link to risk and controls frameworks, and how material or key controls are differentiated from other controls.
  • Review controls assurance processes – There should be a clear process that can be consistently applied for controls assurance. This includes definitions for design and operating effectiveness, how frequency of individual control assurance is determined, the types of tests that will be conducted, and evidence that must be retained.
  • Assess existing control governance – The control framework should include clear governance, with clear roles and responsibilities for control ownership, operation, and independent assessment of their effectiveness. This should also extend to reporting and escalation requirements when deficiencies are identified.
  • Assess systems and reporting – Assess the systems in place to capture information about controls. This data collection should enable aggregation and insights to be provided to management and the board on the status of the controls assurance program. It should prompt identification of issues that require action, or issues with the assurance program itself.

While the requirement is for the board to review the effectiveness of controls at least annually, controls assurance as performed by management or specialist teams should be an ongoing process. A well-executed assurance plan not only enables efficient declarations when preparing the annual report – it provides assurance that can enable additional risk-taking in pursuit of objectives. Controls should be seen as enablers of sustainable reward – not a hindrance.

Conclusions and next steps

As we've explored in this blog, risk controls are essential but are often not managed as effectively as they could be. This can lead to frameworks that are inefficient, costly, and ultimately, insufficient in addressing the risks they are meant to mitigate.

When making assessments of your UK Governance Code compliance, you may identify some gaps or areas of improvement in your risk management and controls management frameworks. Protecht can help address these with complete risk and controls management solutions to run across your whole business, including risk control training in Protecht Academy, automated controls monitoring in Protecht ERM, as well as custom risk consulting solutions.

[Figure: Example Protecht ERM controls management dashboard]

A great starting point for building your understanding of controls is Protecht’s Controls Management eBook. This free resource digs into the essential elements of controls, exploring how they modify risk, the different types of controls, and the key measures that should be recorded in a risk and control register. We also cover the critical aspects of control monitoring, assurance, and reporting on the control environment. This comprehensive resource is designed to provide you with the knowledge and tools necessary to develop a robust and effective controls framework.

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.