UK Corporate Governance Update Spring 2024

The Financial Reporting Council (FRC) has published the 2024 UK Corporate Governance Code (2024 Code) and new guidance to the 2024 Code for boards (Guidance). The 2024 Code follows the FRC's consultation on the 2018 UK Corporate Governance Code (2018 Code)  in May 2023 and its subsequent decision in November 2023 to limit the number of changes to the Code (see our previous briefing). This followed concerns from respondents to the consultation about the increasingly onerous reporting obligations for listed companies.

Internal control changes

As expected following the FRC statement in November 2023, the key changes to the 2018 Code are focussed on internal controls. Amended Provision 29 states that the annual report should include the following:

• a description of how the board has monitored and reviewed the effectiveness of its internal control framework

• a declaration of effectiveness of the material controls at the balance sheet date (the Board Declaration)

• a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

In addition, amended Principle O provides that the board should not just establish procedures for managing risk but should establish and maintain an effective risk management and internal control framework.

Other key changes

Other key changes include the following:

• an amendment to Principle C to provide that governance reporting should focus on board  decisions and outcomes in the context of the company's strategy and objectives. There is an increased emphasis on outcomes as well as on embedding culture within the organisation in both the 2024 Code and the Guidance. For example, amended Provision 2 of the 2024 Code says that the board should not only assess and monitor culture itself but should assess and monitor how the desired culture has been embedded

• an amendment to Principle J to provide that appointments to the board and succession planning should promote diversity, inclusion and equal opportunity rather than referencing specific groups

• updating Provisions 25 and 26 to reflect the Minimum Standard: Audit Committees and External Audit

• malus and clawback - updating Provisions 25 and 26 to provide that directors' contracts which cover director remuneration should include malus and clawback and that annual reports should include a description of malus and clawback provisions

Guidance

The Guidance incorporates guidance currently set out in three documents: the Guidance on Board Effectiveness, the Guidance on Audit Committees and the Guidance on Risk Management, Internal Controls and Related Financial Business as well as adding new guidance on internal controls and a new section on good practice for the successful management of board committees which also sets out guidance for risk and sustainability committees. It is worth noting that the Chartered Governance Institute (CGI) has also recently published specimen terms of reference for an ESG or sustainability committee (see below) and highlights the increasing importance of these committees for listed companies. The guidance in relation to risk management is more detailed than previous guidance and is in line with the revised expectations on risk set out in the 2024 Code. There is also a section on cyber risk management. The Guidance is described as a "supportive tool" rather than a set of rules for companies to follow. It is not mandatory and is not part of the Code, rather it contains suggestions of good practice to support application of the Code. It is now set out in a helpful order which follows the Code Principles.

In relation to Section 1 "Board Leadership and Company Purpose", it is interesting to note an emphasis on third party stakeholders, and in particular suppliers. The Guidance states, for example, that it is important that companies should be seeking the views of their suppliers in line with Provision 5 and that payment terms are one metric that companies can consider to demonstrate how they foster relationships with their suppliers. This aligns with the ethos behind the Reporting on Payment Practices and Performance Regulations 2017 which have recently been amended (see below).

In relation to internal audit, the Guidance now suggests that given their size and complexity, FTSE 350 companies should consider having an internal audit function.

In relation to internal controls, the Guidance states that its role is not to set out the detailed procedures or framework by which a company designs its risk management and internal controls framework as attempting to define one approach to achieving good practice would be counterproductive. It does suggest that the board could use a recognised framework or standard for designing and maintaining the effectiveness of its framework (such as ISO) but does not mandate a particular framework, noting that the framework should be tailored to the individual company.

Whether a company uses a recognised framework may in part depend to what extent it uses the services of external advisers such as accountants who may prefer a particular framework, particularly if they are asked to provide assurance in relation to the Board Declaration. The Guidance states that there is no requirement or expectation in the 2024 Code that companies should obtain external advice or assurance and notes that it is the board of a company who should decide if any form of external assurance is necessary. It then goes on to say that the type of assurance may be something that boards may wish to discuss with investors which is an interesting comment as it clearly indicates that the FRC consider that investors will have views on the topic (even though obtaining external assurance in itself is not prescribed).

The Guidance does not set out detailed prescriptive guidance in relation to the Board Declaration and notes that the board should consider the size, maturity, complexity and strategic objectives of the company. In addition, it helpfully states that the board should form its own view and exercise the standard of care that would generally be applicable to directors exercising their duties. In relation to reporting on areas for improvement, the board is not expected to provide disclosures which in its professional judgement would contain confidential information.

Timing

The 2024 Code will apply to accounting periods beginning on or after 1 January 2025, other than Provision 29 (internal controls) which will apply to accounting periods beginning on or after 1 January 2026. Amended Principle O (see above) will therefore apply from 1 January 2025.

Comments

The FRC's press release and feedback statement in relation to the 2024 Code emphasises the following:

• the need for high quality governance outcomes, achieved in the most proportionate and effective manner
• the FRC's position as an enabler of growth and competitiveness
• that the FRC is not defining "material internal controls" as it is for boards to determine what their material internal controls are as they will differ for each company
• the importance of the FRC's "comply or explain" approach and its flexibility.

Taking each of these points in turn, it is clear that the FRC has taken on board feedback from respondents to the consultation that reporting requirements for listed issuers were becoming increasingly onerous. There was also a concern expressed by some respondents about overlapping requirements from different regulators and legislation. This feeds into the next point regarding growth and competitiveness where the FRC's proportionate response can be seen as a part of the desire to promote the UK as an attractive venue for listed companies to operate, a desire which has been articulated by many participants but can also be seen in the latest consultation paper from the FCA on reforms to the UK listing regime (CP23/31). The 2024 Code should be seen as part of a wider framework of reforms, bearing in mind that companies listed on the new equity shares for commercial companies category (ESCC) will be required to adhere to the UK Corporate Governance Code which for some companies who may have transferred from the former standard listing segment to the ESCC may be a big step up in corporate governance terms. Please see our briefing here for more on the proposed reforms to the UK listing regime.

The FRC's general approach to the internal controls changes has been to avoid prescriptiveness and there is an over-arching theme throughout the Guidance that boards are expected to evaluate what is appropriate for their particular company in terms of internal controls.  In reality, we would expect companies to seek external assistance in relation to the effectiveness statement given that Provision 29 is new and untested and the fact that the FRC is not issuing prescriptive guidance for companies. In relation to the Board Statement, it will be interesting to see how practice develops, given the emphasis on companies adopting their own approaches, the non-prescriptive nature of the Guidance and the statement from the FRC that some companies may wish to "explain" in certain circumstances. 

The FRC's emphasis on the importance of the "comply or explain" regime is helpful, given concerns expressed in responses to the consultation that the regime is seen in practice as being "comply or else". The FRC's "mythbuster" document published at the same time as the 2024 Code states that the FRC's 2023 Annual Review of Corporate Governance Reporting found that well over 50% of companies departed from one or more provision of the Code and notes that "comply or explain" gives companies the scope to communicate salient and pertinent information to stakeholders. This is also reiterated in the comment from the FRC's CEO Richard Moriarty who rather despairingly points out that "Frankly, a good explanation illustrates better governance more than a situation where a Board defaults to compliance with a specific Code provision that manifestly doesn't suit its circumstances but where the Board lacks the confidence to make the explanation". It is to be hoped that encouragement from the FRC (including during the upcoming review of the Stewardship Code) and statistics such as the one above should discourage the "comply or else" approach from investors and encourage better explanations where companies do not comply (see below).

In November 2023, the FRC published its annual review of corporate governance reporting which looks at reporting against the UK Corporate Governance Code. The review highlighted many examples of high quality and insightful reporting by companies. Key takeaways from the review include:

• there was a slight improvement in the reporting of departures from the Provisions of the 2018 Code. However, there is still room for improvement in providing clear and meaningful explanations on the reasons why companies deviate from the Provisions

• the FRC recognised improvements in the reporting of application of the Principles of the Code, but highlighted that a Principle by Principle explanation often added to the length of the report and contained little company specific information. Instead companies are encouraged to report on how application of the Principles has made a difference to board decisions and their outcomes which aligns with the focus on outcomes based reporting in the 2024 Code (see above)

• there has been a continued improvement in reporting on both workforce and stakeholder engagement but there is still more that can be done, particularly in respect of stakeholder engagement where the FRC encourages companies to report on their progress in addressing issues raised by stakeholders

• there has been little improvement in the reporting on the process applied by the Board in reviewing the effectiveness of the system of risk management and internal control. Whilst the explanation of the process does not need to be extensive, it should provide specific and concise information about the actions taken by the board. This includes details of how the board or relevant committee have conducted the review, who was consulted, what evidence was reviewed and what areas were covered

• companies should move away from boilerplate reporting to provide more specific examples, where relevant using an actions and outcomes based approach and avoiding repetition.

Perhaps most important on the above list is the focus on risk management and internal controls, particularly in light of the new enhanced internal controls aspects of the 2024 Code (referred to above). The FRC have been keen to emphasise that the 2018 Code requires reporting on internal controls and that the existing expectations remain. Commentary around reporting on internal controls may therefore be helpful guidance to companies looking to ensure they are meeting existing expectations and well prepared for the enhanced provisions introduced by the 2024 Code (see above).

On 31 January 2024, the FRC published a review of the reporting of 20 of the UK's largest private companies. The review looked at the annual report and accounts of 20 private UK companies operating in a variety of industries with revenues ranging from £1.5 billion up to £24 billion. The FRC concluded that the quality of reporting was mixed, particularly in terms of how clearly companies explained material matters that were complex. The FRC states that many of the issues identified could have been avoided if a sufficiently critical review of the annual report and accounts had been carried out.  Key findings include:

• Disclosures should explain the nature of the relevant company and its operations and how it fits in to the group structure to enable users to fully understand the business and a company's role and function within the group.

• Strategic reports should focus on the elements of development, performance and position that are key for understanding the company and explain them in a clear, concise and understandable way that is fair and balanced and consistent with the disclosures in the financial statements.

• Accounting policies for complex transactions often used boilerplate wording rather than being tailoring to the situation.

• The level of detail provided in respect of material provisions on the nature of the obligation and the associated uncertainty was below the level expected by the FRC.

• The disclosure of financial instrument risks was boilerplate and generic, describing the nature of risks without fully explaining why they were relevant.

We note that the sample of 20 companies is small when compared to the sample of 100 listed companies whose reports were reviewed for the FRC's Review of Corporate Governance Reporting referred to above. This is not surprising given there is an easily identifiable pool of listed companies to select from but it makes it harder to identify themes in reporting and apply these to private companies in general.

The report recognises that the nature of private companies means that there are fewer 'users' of their reports when compared to listed peers. Shareholders of private companies are more likely to be involved in the business and will therefore have greater access to information and be less reliant on the annual report. However, the FRC also state that there are other users, e.g. employees and providers of credit who may look to the annual report for information. As the reporting requirements applicable to large private companies grow, it is increasingly important that private companies ensure that the quality of the reporting is sufficient to both meet the requirements set by legislation and meet the needs of users.

The Quoted Companies Alliance (QCA) has published a new edition of its corporate governance code (QCA Code). The QCA Code is aimed at growth companies and has been adopted by the majority of AIM companies as well as some smaller premium listed companies. The new QCA Code reflects latest good practice and places greater emphasis on corporate purpose, environmental and social issues, risk management, board structure and communications. It is recommended that companies apply the new Code for accounting periods beginning on or after 1 April 2024.

On 31 January 2024, the CGI published model terms of reference for sustainability or ESG committees (Sustainability Terms of Reference). Whilst there is no requirement for companies to have a sustainability or ESG Committee under the 2018 or 2024 Codes or otherwise, the guidance note highlights that 37% of the UK's 150 largest listed companies has a board committee dedicated to ESG, sustainability or corporate social responsibility issues.

The Sustainability Terms of Reference add to the suite of model terms of reference already published by the CGI for board committees (audit, nomination and remuneration). In line with the other terms of reference, the CHI's intention is to provide a good practice guide for companies. There is no requirement to adopt the Sustainability Terms of Reference in the format published by the CGI but instead companies should modify the model terms to best suit their business and the issues that are most relevant to their needs.

The CGI's recommendation for membership of a sustainability or ESG committee is at least three independent non-executive directors. This reflects the requirements in both the 2018 and 2024 Codes for all members of the board committees (or a majority in the case of the nomination committee) to be independent non-executive directors and the recommendation in the Guidance that any members of board level committees should be independent non-executive directors. However, the notes to the Sustainability Terms of Reference recognise that there are examples of executive directors sitting on sustainability committees and this may be appropriate, depending on the remit of the committee and its terms of reference.

The Economic Crime and Corporate Transparency Act (ECCTA) received Royal Assent on 26 October 2023, with the first changes coming into force in late 2023 and the remainder due to come into force in stages during the course of 2024. The ECCTA introduces a wide range of reforms and is a key part of the Government's ongoing legislative strategy to tackle economic and financial crime. We have produced a summary of the changes to company law (as they affect companies) that form part of the ECCTA which includes the new rules around identity verification. You can listen to more detail on the changes to corporate criminal law introduced by the ECCTA in our webinar and podcast series. In due course we will also be publishing a summary to the changes to be introduced in respect of limited liability partnerships.

On 16 November 2023, Glass Lewis (GL) published its 2024 proxy voting policy guidelines for the United Kingdom. Amendments to the 2023 guidelines include the following:

• Director attendance - GL has clarified that it typically recommends voting against re-election of directors that failed to attend either at least 75 per cent of board meetings or an aggregate of 75 per cent of board and applicable committee meetings

• Interlocking directorships - this is where directors serve on each other's boards. GL has clarified that it will vote against directors who have interlocking directorships on both public and private companies and that it will also look at other types of interlocks such as those with close family members of executives or within group companies on a case by case basis

• Director accountability for climate-related issues - from 2023, GL's policy on climate changes disclosures was that the largest, most significant emitters should provide disclosures in line with the Task Force on Climate-Related Financial Disclosures (TCFD) and that the boards of these companies should have explicit and clearly defined oversight responsibilities for climate-related issues. From 2024, GL will apply this policy to FTSE100 companies operating in industries where the Sustainability Accounting Standards Board has determined that companies' greenhouse gas emissions represent a financially material risk. In relation to TCFD, the FCA's Listing Rules already require premium listed companies to disclose in accordance with TCFD

• Cyber risk oversight - the policy now states that GL expects that where a company has been materially impacted by a cyber-attack, it should provide periodic updates communicating its ongoing progress towards resolving and remediating the impact of the cyber-attack. The policy also states that GL may also vote against appropriate directors if they judge the board's oversight, response or disclosures concerning cyber security related issues to be insufficient or not provided to shareholders. We also note that companies will need to be mindful of their on-going obligation to disclose inside information if a cyber-attack occurs. 

GL has also clarified the following:

• Executive shareholding requirements - companies should generally adopt minimum executive share ownership requirements that should apply for the duration of an executive's tenure, and for a period of time post-employment

• Standard listed companies - policies generally apply to standard listed companies in the same way as they do to AIM companies, however, they are applied on a case-by-case basis given the varied market capitalisation and complexity of standard listed companies.

It is also worth noting that GL has updated its capital management guidelines to follow the Investment Association Share Capital Guidelines on allotment resolutions i.e. it will approve the resolution referencing the additional third of issued share capital where it refers to fully pre-emptive offers (rather than just rights issues).

On 10 January 2024, the government published the draft Reporting on Payment Practices and Performance (Amendment) Regulations (AmendmentRegulations) which will amend the existing legislation on payment practices (Reporting on Payment Practices and Performance Regulations 2017 and the associated Limited Liability Partnerships (Reporting on Payment Practices and Performance) Regulations 2017) (Payment Practices Regulation).

The proposed changes to the Payment Practices Regulation follow a government consultation with amendments to:

• extend beyond the current sunset date of 6 April 2024 for up to seven years with a review after five years;

• require in scope businesses to report the total value (in additional to volume) of payments due in the reporting period that have not been paid within agreed terms.

• require in scope businesses to report the percentage of payments in the reporting period that were not paid by the due date as a result of a dispute.

• make payment dates clearer when supply chain finance is used.

The government aim (as stated in the explanatory memorandum) is that the additional transparency will drive continued reductions in payment times. If approved, the Amendment Regulations will come into force on 5 April 2024.

The amendments proposed are likely to be uncontroversial. We expect that for most businesses existing processes in place to collect the required data can be easily adapted to collect additional information. As mentioned above, the ethos underlying the Payment Practices Regulation aligns with that set out in the Guidance as referred to above in relation to suppliers.