
Governance Briefing — January 22, 2024

The Financial Reporting Council’s 2024 UK Corporate Governance Code, effective for financial years from 1 January 2025, elevates board accountability for internal controls, culture, remuneration discipline, and outcomes-based reporting, demanding refreshed assurance playbooks.


Executive briefing: The UK Financial Reporting Council (FRC) issued the UK Corporate Governance Code 2024 on , marking the first major refresh since 2018. The revised Code applies to premium-listed companies for financial years beginning on or after , with the flagship new internal controls declaration (Provision 29) taking effect one year later. FRC’s intent is to focus on fewer, higher-impact requirements that strengthen board accountability for risk management, corporate culture, and remuneration outcomes, while reinforcing the “comply or explain” ethos through more decision-useful disclosures.

Internal controls declaration. Provision 29 now obliges boards to state in their annual reports whether the company’s material internal controls—covering financial reporting, operational processes, and compliance obligations—were effective throughout the reporting period and up to the date of approval. Boards must explain the basis for their declaration, describe any material weaknesses identified, and outline remedial actions taken or planned. The provision mirrors expectations emerging from the UK government’s Restoring Trust in Audit and Corporate Governance agenda and aligns with the US Sarbanes-Oxley Section 404 framework. Governance teams therefore need to upgrade documentation on control design, testing methodologies, reliance on assurance providers, and escalation protocols for deficiencies.

Implementation timeline and readiness checkpoints. Although Provision 29’s declaration starts for financial years commencing on or after , audit committees and internal audit functions should use 2024–2025 to perform dry runs. Key milestones include mapping the inventory of “material” controls, determining control owners, formalising evidence retention standards, and aligning testing schedules with external auditor expectations. Organisations should decide whether to adopt a three-lines model in which the second line (risk/compliance) performs independent verification, or whether to rely on internal audit attestations. Documenting these decisions in board minutes and audit committee reports provides traceability when investors or regulators scrutinise compliance.

Board reporting on culture and outcomes. The Code retains the emphasis on corporate culture (Principle B) but raises expectations for evidence-based reporting. Boards must describe how they monitor culture indicators—such as employee engagement survey results, whistleblowing statistics, health and safety metrics, and diversity outcomes—and how insights influence strategic decisions. Provision 2 encourages boards to explain the alignment between culture, purpose, and values, including examples of interventions taken when behaviours fall short. Companies should integrate culture dashboards into regular board packs, assign executive sponsors for culture remediation, and ensure remuneration committees consider cultural outcomes when assessing incentive plans.

Remuneration accountability. Provision 37 now requires remuneration committees to report on the operation of malus and clawback arrangements during the year, detailing trigger events considered, decisions made, and any recovery outcomes. Committees must set out the minimum period for malus/clawback (at least two years) and review the arrangements annually. This level of transparency responds to investor demands following high-profile misconduct cases. Governance teams should update remuneration policies, document scenario analyses for potential clawback events, and coordinate with legal counsel on enforceability across jurisdictions. Internal audit should test whether recovery processes are operational, including evidence of board oversight and communications with impacted executives.

Audit committee responsibilities. The revised Provision 26 asks audit committees to describe how they monitor the integrity of narrative reporting, including sustainability-related disclosures, and to explain the assurance they have obtained over non-financial information. Committees must also set out how they assess external auditor independence, audit quality indicators, and the effectiveness of internal audit. Given the UK’s rapid adoption of International Sustainability Standards Board (ISSB) disclosures, audit committees need to integrate climate and sustainability reporting controls into their assurance scopes, possibly by appointing subject-matter experts or engaging specialist assurance providers.

Board evaluation and succession planning. Provision 21 reinforces that externally facilitated board evaluations should result in clear action plans with progress updates reported in subsequent annual reports. Chairs are expected to articulate what improvements were targeted, which actions have been completed, and how the board is monitoring ongoing development. Provision 23 stresses succession planning for both the board and senior management, linking pipeline development to company strategy and diversity objectives. Nomination committees should expand skills matrices, maintain emerging leader inventories, and incorporate succession risks into principal risk disclosures.

Outcome-focused disclosures. The FRC encourages companies to move beyond boilerplate “comply or explain” language by articulating outcomes and the rationale for any deviations. Boards should rehearse scenarios where an “explain” approach is appropriate—for example, when group structures complicate applying provisions uniformly—and ensure explanations cover the alternative governance arrangements, how they achieve the Code’s principles, and plans for future alignment. Investor relations teams must collaborate with governance leads to prepare narrative case studies demonstrating the effectiveness of tailored arrangements.

Integration with risk and assurance frameworks. To support the internal controls declaration and broader Code expectations, organisations should update their governance risk and compliance (GRC) architecture. Practical steps include harmonising risk taxonomies across enterprise risk management, internal audit, and compliance functions; aligning control testing frequencies with risk severity; and implementing technology platforms that capture control performance data, incidents, and remediation status in near real time. Many issuers are extending their use of assurance mapping to identify overlaps and gaps between internal audit, second-line reviews, and external assurance providers. These maps become vital evidence when boards describe the “basis” for their control effectiveness statements.

Data, technology, and reporting enablement. Finance and risk teams should evaluate whether existing systems can support the narrative detail expected in annual reports. For example, boards may require dashboards showing remediation progress for significant control deficiencies, quality metrics for key data used in sustainability reporting, and linkage between incentive outcomes and cultural indicators. Investing in integrated reporting platforms or control attestation tools can reduce manual effort and facilitate auditor walkthroughs. Companies should also confirm that document management processes comply with the FRC’s recommendation to retain evidence supporting statements for inspection.

Stakeholder engagement and communication. The Code’s principles on stakeholder relations remain intact, but FRC commentary stresses the need to demonstrate how stakeholder views influence board decisions. Investor outreach programmes should include discussions on internal control assurance plans, remuneration structures, and culture initiatives. Workforce engagement mechanisms—such as designated non-executive directors, workforce advisory panels, or employee surveys—must feed insights into board deliberations, with feedback loops documented in annual reports. Transparent communication about how the board weighs competing stakeholder interests strengthens credibility with regulators and investors.

Coordination with international requirements. Multinational groups must reconcile the UK Code with overseas regimes such as the US Securities and Exchange Commission’s disclosure controls requirements, the EU Corporate Sustainability Reporting Directive (CSRD), and Hong Kong’s CG-1 module on bank governance. Establishing a global governance steering committee can prevent fragmented control frameworks and duplicative testing. The committee should catalogue jurisdictional overlaps, align terminology, and ensure that group-level policies satisfy the highest applicable standard. For dual-listed companies, harmonising the UK internal controls declaration with any US SOX attestations will be critical to avoid conflicting statements.

Next steps for governance teams. Immediate actions include briefing the board and audit committee on the Code’s changes, commissioning a gap assessment against current governance arrangements, and developing a multi-year implementation roadmap. By mid-2024, organisations should finalise definitions of material controls, set documentation standards, and initiate capability-building programmes for finance, risk, and internal audit staff. Throughout 2025, companies ought to execute rehearsal attestations, refine reporting templates, and test incident escalation protocols. By early 2026, boards should be able to evidence the end-to-end control evaluation process, including management representations, independent assurance, and remediation of issues surfaced during rehearsals.

The 2024 Code signals a renewed regulatory focus on demonstrable governance outcomes. Boards that invest in robust control evaluation, culture measurement, transparent remuneration oversight, and cross-functional coordination will be well placed to deliver credible reports and maintain investor confidence. Treating the Code as a catalyst for integrated risk management—not merely a compliance checklist—will differentiate leading issuers as scrutiny intensifies over the next reporting cycles.
