How are CROs preparing for changes to the UK Corporate Governance Code?

5 min read
Sep 6, 2023

In response to the Financial Reporting Council's (FRC) position paper on how it will support amendments to the UK Corporate Governance Code, risk leaders at affected companies are considering what the changes will mean for their organisation, as well as actions they will need to take in order to comply with the new code.

While the Corporate Governance Code operates on a 'comply or explain basis', several London Stock Exchange-listed organisations in our network have raised preparation for the changes as their key risk priority right now.

Virtual meeting: Preparing for changes to the UK Corporate Governance Code
September 13th 2023, 9am BST
Request to participate

We are helping our members to prepare for these changes by gathering insights and facilitating collaboration opportunities. During virtual-one-to-ones, small workshops and collaborative group discussions, members have shared the key actions their organisations are taking ahead of the code changes:

1. Frame risk management as a key part of resilience

Members agree that:

“The overarching aim of the new resilience statement is to reshape how people talk about risk: instead of resilience being a component of risk, managing risks can be seen as a contributor to overall organisational resilience.”
risk leader

FTSE-listed organisation

While many organisations are already structured to focus on resilience as an outcome of good risk management, other companies have affirmed that they too are taking steps to reframe how they think about risk.

2. Prepare scenarios for Resilience Statement

As companies anticipate further guidance from the FRC about what the resilience statement should include, members have highlighted how they are already meeting with financial modelling teams, who are responsible for modelling viability statement scenarios.

Virtual meeting: Preparing for the resilience statement
September 20th 2023, 9am BST
Request to participate

In order to ensure the business is ready, some steps currently being taken by members include the preparation of reverse stress tests: at least one of these will need to be outlined in the new resilience statement.

3. More focus on assurance mapping

We have been helping many of our members to address their longstanding priority of aligned assurance (as well as accountability for assurance), holding collaborative discussions between risk leaders and pooling insights from assurance experts across the network.

Based on our conversations with these risk leaders, the new audit and assurance policy can be considered a sensible change overall and is unlikely to represent a massive departure from what many companies are already doing.

Preparing for the AAP - what stage is your organisation at compared to your peers?

One of the proposed changes to the code is that public interest entities (PIES) should publish a triennial AAP and annual implementation report on the AAP within the annual report. This will set out the company's approach to assuring the quality of information it reports to shareholders.

Preparing for the AAP pulsecheck-1

To understand the different stages organisations are at, in terms of preparing for the AAP, we are conducting a pulse check with members and risk leaders in our wider network; if you would like to participate in this pulse check and, in return, gain insights from other businesses, request to participate here.

However, one step these companies are prioritising - in order to prepare for the code changes - is placing a greater focus on ESG and, more specifically, providing assurance for carbon disclosures; ultimately, the business needs to be able to prove it is delivering what it claims to be delivering with regard to its sustainability targets.

4. Hold early adopter discussions

As changes to the Corporate Governance Code move closer, an important point of debate for many organisations is whether to get ahead of the new developments and become an early adopter for some (or all) of the different statements that will soon be required under the code.

While some risk leaders are "still deciding" whether to be early adopters, or hold off for another year, others have expressed that they have no appetite at this moment to move any sooner than they need to; on the contrary, they would rather wait and see what changes will need to be made before  they implement anything.

This topic, and much more, will be discussed at a series of meetings for CROs and risk leaders in September; while there may be a limited amount of information available currently to support early adoption, these collaborative discussions will provide a forum for participants to find out how their peers are preparing for update to the code and ensuring they can act appropriately when the new requirements are confirmed. Register your interest here.

5. Collaborate on the internal controls statement

The most common concern raised so far, by listed companies in the network, is the new internal controls statement and its potential impact on how businesses view risk management as a practice.

According to several risk leaders, a major issue is the FRC's positioning of the internal controls statement, which has been described as too vague and open to a wide range of interpretations, while questions have also been raised around its practicality. 

The expected scope of this statement is also unclear, and most members involved in our collaborative meetings on the code changes have flagged that a controls statement may make their approach to risk management too downside-focused and control-oriented. Instead of helping the business to make good decisions, pursue opportunities, and achieve growth, this could cause risk management to become a box-ticking exercise.

While this situation does present a potential problem for risk leaders, especially those who are looking to adopt a more agile approach to risk management, our members are already collaborating on solutions, and sharing practical insights on the measures they've already taken to prepare for the internal controls statement specifically. 

How are risk leaders tackling the internal controls statement?
CROs and heads of risk at UK-listed organisations will be sharing their approaches to the internal controls statement at our virtual member meeting on 13th September 2023 at 9am BST.
Request to participate

What are the key changes to the UK's Corporate Governance Code?

Four major updates that are giving risk leaders pause for thought, in terms of how (and what) they need to prepare for corporate reporting are:

  • Audit and assurance policy - This statement describes how company directors are taking action to seek assurance (both internally and externally) about the information they provide to shareholders
  • Resilience statement - Reports on matters that could represent a material risk to the business over both the short and medium term
  • Fraud risk statement - This will require directors to report the steps they have taken to prevent and detect fraud
  • Internal controls statement - A declaration about the effectiveness of a company's internal controls over a 12-month reporting period and basis for that assessment

Ultimately, the overarching purpose of these changes is to encourage companies to provide a board-level declaration about whether they can reasonably conclude that risk management and controls are effective over a reporting period of 12 months.

How is Risk Leadership Network supporting members with changes to the UK Corporate Governance Code?

As more information regarding the implementation of the code becomes available, we'll be facilitating group discussions and one-to-ones between members, as well as conducting bespoke benchmarks and pulsechecks for members where required.

Although we usually facilitate collaborations exclusively for our members, on certain subjects, our membership benefits from shared insight from a wider pool of participants. So if you're a risk leader at a company with a premium listing on the London Stock Exchange we'd be delighted for you to be involved:


Virtual meeting: Preparing for UK Corporate Governance Code

September 13th 2023, 9am BST
Request to participate
Virtual meeting: Preparing for UK Corporate Governance Code

Virtual meeting: Preparing for the Resilience Statement (UK Corporate Governance Reform)

September 20th 2023, 9am BST
Request to participate
Virtual meeting: Preparing for the Resilience Statement (UK Corporate Governance Reform)

Pulsecheck: Preparing for the AAP

What stage is your organiation at compared to your peers? 
Request to participate by 20th September to receive the pulsecheck report.

Pulsecheck: Preparing for the AAP

Get new posts by email