How are CROs preparing for changes to the UK Corporate Governance Code?

Sep 6, 2023

In response to the Financial Reporting Council's (FRC) position paper on how it will support amendments to the UK Corporate Governance Code, risk leaders at affected companies are considering what the changes will mean for their organisation, as well as actions they will need to take in order to comply with the new code.


This blog was published before the UK government's announcement on 16 October 2023 regarding the withdrawal of its draft new reporting regulations following a consultation period. The ideas and approaches shared within this blog are based on insights practising CROs and risk leaders shared with each other prior to that date.

The government's announcement, which you can read in full here, states: "Draft regulations published in July would have added certain additional corporate and company reporting requirements to large UK listed and private companies, including an annual resilience statement, distributable profits figure, material fraud statement and triennial audit and assurance policy statement...the Business Secretary has now decided to withdraw these regulations, and will be setting out options to reform the wider framework shortly to reduce the burden of red tape on businesses."

Having spoken with our members impacted by the code - largely FTSE-listed businesses - it seems most are waiting for further guidance from the FRC before pursuing any of the proposed (and now withdrawn) requirements. The main exception to this concerns the proposed requirement around an internal controls statement - a declaration around the effectiveness of a company's internal controls over a 12-month reporting period and basis for this assessment. Most organisations we spoke to are continuing their work around this statement.

Throughout corporate governance code member meetings across the network, CROs have often spoken about "no-regret" moves they are implementing to enhance risk management and elevate the function across their business, regardless of whether the proposed changes become requirements. You can read about your peers' approaches in this and other related blogs.

We will keep you updated on further developments in due course.


What are the key changes to the UK's Corporate Governance Code?

Four major updates are giving risk leaders pause for thought about how (and what) they need to prepare for corporate reporting:

  1. Audit and assurance policy - This statement describes how company directors are taking action to seek assurance (both internally and externally) about the information they provide to shareholders.
  2. Resilience statement - Reports on matters that could represent a material risk to the business over both the short and medium term.
  3. Fraud risk statement - This will require directors to report the steps they have taken to prevent and detect fraud.
  4. Internal controls statement - A declaration about the effectiveness of a company's internal controls over a 12-month reporting period and basis for that assessment.

Ultimately, the overarching purpose of these changes is to encourage companies to provide a board-level declaration about whether they can reasonably conclude that risk management and controls are effective over a reporting period of 12 months.

When do organisations need to be ready by?

The changes to the code, if implemented, are expected to apply to financial years beginning on or after 1st January 2025.

The UK Corporate Governance Code operates on a 'comply or explain' basis.

What preparations are organisations making already?

We are helping our members to prepare for these changes by gathering insights and facilitating collaboration opportunities. During virtual one-to-ones, small workshops and collaborative group discussions, members have shared the key actions their organisations are taking ahead of the code changes (as of September 2023):

1. Focus on "no regret" moves you can implement now

Due to the lack of clarity provided around reform timeframes, most risk teams are focusing on "no regret" moves that they can implement now.


2. Frame risk management as a key part of resilience

Members agree that:

“The overarching aim of the new resilience statement is to reshape how people talk about risk: instead of resilience being a component of risk, managing risks can be seen as a contributor to overall organisational resilience.”
Risk leader, FTSE-listed organisation

While many organisations are already structured to focus on resilience as an outcome of good risk management, other companies have affirmed that they too are taking steps to reframe how they think about risk.

3. Prepare scenarios for the Resilience Statement

As companies anticipate further guidance from the FRC about what the resilience statement should include, members have highlighted how they are already meeting with financial modelling teams, who are responsible for modelling viability statement scenarios.

In order to ensure the business is ready, some steps currently being taken by members include the preparation of reverse stress tests: at least one of these will need to be outlined in the new resilience statement.


4. More focus on assurance mapping

We have been helping many of our members to address their longstanding priority of aligned assurance (as well as accountability for assurance), holding collaborative discussions between risk leaders and pooling insights from assurance experts across the network.

Based on our conversations with these risk leaders, the new audit and assurance policy can be considered a sensible change overall and is unlikely to represent a massive departure from what many companies are already doing.

Preparing for the Audit and Assurance Policy (AAP) - what stage is your organisation at compared to your peers?

One of the proposed changes to the code is that listed companies and PIE organisations should publish a triennial AAP and annual implementation report on the AAP within the annual report. This will set out the company's approach to assuring the quality of information it reports to shareholders.


To understand the different stages organisations are at, in terms of preparing for the AAP, we are conducting a pulsecheck with members and risk leaders in our wider network. See the highlights here.

However, one step these companies are prioritising - in order to prepare for the code changes - is placing a greater focus on ESG and, more specifically, providing assurance for carbon disclosures; ultimately, the business needs to be able to prove it is delivering what it claims to be delivering with regard to its sustainability targets.

5. Hold early adopter discussions

As changes to the Corporate Governance Code move closer, an important point of debate for many organisations is whether to get ahead of the new developments and become an early adopter for some (or all) of the different statements that will soon be required under the code.

While some risk leaders are "still deciding" whether to be early adopters, or hold off for another year, others have expressed that they have no appetite at this moment to move any sooner than they need to; on the contrary, they would rather wait and see what changes will need to be made before they implement anything.

Regardless of early adoption, when talking to their businesses, the majority of risk leaders share a clear sentiment: they want stakeholders to understand the genuine value the proposed changes can bring to the business and how they support it to make better business decisions, rather than seeing the changes from simply a regulatory angle.

6. Collaborate on the internal controls statement

The most common concern raised so far, by listed companies in the network, is the new internal controls statement and its potential impact on how businesses view risk management as a practice.

According to several risk leaders, a major issue is the FRC's positioning of the internal controls statement, which has been described as too vague and open to a wide range of interpretations, while questions have also been raised around its practicality. 

The expected scope of this statement is also unclear, and most members involved in our collaborative meetings on the code changes have flagged that a controls statement may make their approach to risk management too downside-focused and control-oriented. Instead of helping the business to make good decisions, pursue opportunities, and achieve growth, this could cause risk management to become a box-ticking exercise.

While this situation does present a potential problem for risk leaders, especially those who are looking to adopt a more agile approach to risk management, our members are already collaborating on solutions, and sharing practical insights on the measures they've already taken to prepare for the internal controls statement specifically. 

7. Collaborate with your peers

Affected members at Risk Leadership Network have already benefited from peer insights and collaborations that we've facilitated:

  1. Member meeting: Preparing for changes to the UK Corporate Governance Code, 13th and 20th September 2023
    This virtual workshop style meeting was so popular with our UK members that we repeated the session. See insights from the meeting here.

  2. Pulsecheck: Preparing for the AAP (published September 2023)
    We surveyed CROs and heads of risk at FTSE and large PIE organisations in the UK to see what stage they're at in their developments. View the highlights here.

  3. Member meeting: Preparing for the Resilience Statement: UK Corporate Governance, 20th September 2023

  4. Member meeting: Developing an AAP, 28th September 2023
    Members discussed how they are approaching/planning to approach the development of an AAP. 

We will continue to discuss the challenges involved in preparing for the code reforms with our members and will facilitate peer-to-peer knowledge sharing in response to their priorities. 

You'll probably end up spending a lot of your valuable time working out what impact the code reform will have on your organisation, potentially struggling to decide what the best course of action is and feeling in the dark about what your peers are doing. And you might even have to shell out budget on a consultant to clarify.

Or, the other option: collaborate with other risk leaders in our network through workshop-style meetings, 1-to-1 discussions and bespoke benchmarks and pulsechecks. Hear what other organisations are doing, their successes and lessons learned, directly from their heads of risk and CROs.

Request to be involved as we continue to support our members through targeted collaborations on UK Corporate Governance Code reform.
