Due to the uncertainty and lack of clarity around UK Corporate Governance Code reform expectations and requirements, most risk teams are focusing on "no regret" moves that they can implement now that add genuine value to their business.
UPDATE ON THE CORPORATE GOVERNANCE CODE CHANGES
The government's announcement, which you can read in full here, states: "Draft regulations published in July would have added certain additional corporate and company reporting requirements to large UK listed and private companies, including an annual resilience statement, distributable profits figure, material fraud statement and triennial audit and assurance policy statement...the Business Secretary has now decided to withdraw these regulations, and will be setting out options to reform the wider framework shortly to reduce the burden of red tape on businesses."
Having spoken with our members impacted by the code - largely FTSE-listed businesses - it seems most are waiting for further guidance from the FRC before pursuing any of the proposed (and now withdrawn) requirements. The main exception to this concerns the proposed requirement around an internal controls statement - a declaration around the effectiveness of a company's internal controls over a 12-month reporting period and basis for this assessment. Most organisations we spoke to are continuing their work around this statement.
Throughout corporate governance code member meetings across the network, CROs have often spoken about "no-regret" moves they are implementing to enhance risk management and elevate the function across their business, regardless of whether the proposed changes become requirements. You can read about your peers' approaches in this and other related blogs.
We will keep you updated on further developments in due course.
We recently held several workshop-style virtual meetings, all relatively small-group discussions, between heads of risk at large FTSE and PIE organisations.
At these meetings, held under the Chatham House Rule, these risk leaders shared the actions that they're already implementing now, that they feel will improve enterprise risk management at their business, regardless of whether the code changes eventually come into effect.
1. Build the right culture
Risk leaders agreed that it is important to get the messaging around controls and risk management right internally, so as not to contradict any entrepreneurial spirit or agility the company as a whole promotes among staff and business units.
"Educating the business on the purpose of controls is key: they should enable the right risk-taking and strategy-implementing. They are not there to restrict."
2. Review your principal risks
Most risk leaders at our virtual meetings were reviewing their principal risks and asking themselves, "Do they align with business strategy?"
One organisation is categorising their principal risks as 'strategic risks' and breaking these down further into 'supporting risks'. Ahead of the code changes, they're also reviewing the balance between threats and opportunities captured in the principal risks.
3. Align your risk appetite to where your business is currently
The whole premise of the code, members agreed, is risk management improvement. Many organisations are prioritising aligning risk appetite to where the business is currently. For some members, risk appetite has been set, is static, and is of little use in practice. They're looking to change this ahead of the code changes.
4. Second-line risk team's effectiveness reviews
Some risk leaders are changing the structure of their team to prepare for changes.
One member, for example, shared how they've split their risk team into a "2a" and "2b": the former focusing on defining and embedding minimum standards across the first line, the latter focused purely on assurance.
Others flagged that they've established working groups, headed by either the CRO or head of audit or assurance, and often comprising key stakeholders from Risk, Internal Controls, Finance, Company Secretary, People and Talent, Sustainability, among others.
5. Map your controls
It may be a good idea, taking inspiration from some of our members, to get each business unit to map their controls to the global, enterprise-level set of key controls. This reinforces the importance of a standardised controls framework for consistency of approach.
We also noted several FTSE organisations are prioritising assurance mapping activities too, placing particular emphasis on ESG and modern slavery-related risks.
6. Increase accountability from executives
At one organisation, each principal risk category is assigned to an executive committee member who becomes a sponsor for this risk and its controls. This also helps drive authority for the risk team to then enforce the risk and controls frameworks.
These are high-level insights shared at a recent series of member meetings. To discuss this challenging and ever-changing topic in more detail, as more information becomes available, request to be involved here.