UK Corporate Governance Code
The updated UK Corporate Governance Code took effect for financial years starting January 1, 2025. Key changes include more rigorous internal control assessments, expanded board declarations on fraud risk and material controls, and new guidance on risk management. Premium-listed companies need to update their annual reports accordingly.
Reviewed for accuracy by Kodi C.
Accounting periods beginning on or after 1 January 2025 fall under the Financial Reporting Council’s (FRC) revised UK Corporate Governance Code. Premium-listed companies must show how boards govern internal controls, sustainability risks, and assurance frameworks while preparing for the new internal controls declaration in 2026. Investors, proxy advisors, and regulators are demanding richer narrative reporting: directors must explain how they evidence effective risk management, oversee audit and assurance policies, integrate environmental and social factors, and respect universal opt-out preferences when stakeholder data fuels governance analytics. Boards that prepare now will avoid last-minute scrambles when 2025 annual reports go to print.
Timeline and regulatory intent
The 2024 Code applies on a comply-or-explain basis to accounting periods starting 1 January 2025. Provision 29—requiring an annual declaration that material internal controls were effective—becomes mandatory one year later, but the FRC expects boards to use 2025 as a dry run.
The regulator’s Corporate Reporting Review team has already signaled that it will monitor progress through 2025 annual report filings, especially for companies in energy, financial services, retail, and technology where prior reviews uncovered control deficiencies. The FRC’s November 2024 guidance emphasized that boilerplate explanations will trigger further inquiry, and that the regulator will coordinate with the Financial Conduct Authority (FCA) to escalate serious failures.
Boards should therefore set up a multi-year roadmap. Phase one (Q1–Q2 2025) focuses on assessing the control environment, refreshing audit committee charters, and validating stakeholder engagement processes. Phase two (Q3–Q4 2025) concentrates on evidence capture, assurance planning, and drafting narratives that integrate financial and non-financial risk. Boards must also align with forthcoming legislation on audit and corporate governance reform, which may codify elements of the Code into statute. Keeping Parliament, investors, and auditors apprised of progress will reduce surprises.
Board governance priorities
- Internal controls declaration readiness. Directors must understand the population of “material controls” across financial reporting, operational resilience, regulatory compliance, and sustainability. Management should map controls to strategic risks, assign ownership, and implement quarterly effectiveness testing. Boards need dashboards that show remediation status, targeted completion dates, and linkage to key performance indicators (KPIs).
- Audit and assurance policy (AAP) setup. Provision 26 requires companies to publish a three-year rolling AAP. Boards should decide which non-financial metrics—greenhouse gas emissions, cybersecurity resilience, workforce data—will receive external assurance and on what cadence. Engagement letters, independence assessments, and assurance outcomes must be archived to support investor scrutiny and to prepare for potential mandatory assurance of sustainability information.
- Culture and workforce engagement. Provision 5 still expects boards to engage the workforce through director-designated channels, advisory panels, or workforce directors. Governance reports must explain how these mechanisms informed decisions on pay, hybrid work, and sustainability transitions. Documenting opt-out rates for employee data analytics (for example, monitoring tools used to assess productivity or travel emissions) shows respect for privacy rights and builds trust.
Universal opt-out and stakeholder data stewardship
Corporate governance narratives now rely on data from investors, employees, customers, and suppliers. Boards must respect universal opt-out mechanisms across jurisdictions—spanning the UK Data Protection Act, EU GDPR, California Consumer Privacy Act (CCPA), and emerging U.S. state privacy laws. Key actions include:
- Register and reconcile opt-out signals. Maintain a central consent ledger that captures Global Privacy Control headers, email unsubscribe requests, investor preference center selections, and workforce data withdrawal notices. Link the ledger to board dashboards so directors can see the percentage of stakeholder datasets that are eligible for analytics underpinning culture, sustainability, and governance metrics.
- Update governance analytics models. When opted-out data is removed, risk and remuneration committees must document how they rebalanced scorecards, engagement sentiment analyses, or pay ratios. This ensures decisions remain evidence-based without relying on data individuals have declined to share.
- Third-party assurance of opt-out controls. Include universal opt-out processes within internal audit plans and, where material, within the AAP. Auditors should test whether investor relations platforms honor web browser signals, whether whistleblowing systems respect anonymity preferences, and whether HR analytics exclude employees who opted out.
Evidence collection and documentation
The FRC expects companies to substantiate statements with strong evidence. Boards should create an evidence management framework covering:
- Control testing documentation. For each material control, retain test scripts, sampling rationale, results, and remediation actions. Where management overrides occurred, note the approvals, compensating controls, and how incidents were reported to the board.
- Assurance logs. Compile a register of internal audit engagements, external assurance assignments, and management self-assessments. Include scopes, key findings, and actions. Linking this log to board committee agendas ensures follow-up is tracked to completion.
- Stakeholder engagement evidence. Archive minutes from workforce forums, investor roadshows, and stakeholder roundtables. Record the opt-out options offered during each session and the outcomes. Document how feedback influenced decisions on climate strategy, remuneration, diversity, and supply chain ethics.
Reporting improvements
Annual reports for FY2025 must move beyond compliance checklists. The FRC urges companies to integrate narrative reporting across sections, avoiding duplication between the strategic report, governance report, and sustainability report. Boards should ensure the internal controls declaration references the same risk factors discussed in viability statements and resilience statements. Climate-related reporting should cross-reference scenario analysis, emissions trajectories, and capital allocation decisions, while clarifying how universal opt-out obligations shape data availability.
Companies should also explain the governance of digital systems supporting reporting. Describe how enterprise resource planning (ERP), risk management, and sustainability platforms interface; outline the cybersecurity controls safeguarding sensitive data; and disclose how disaster recovery plans protect evidence repositories. Investors now expect transparency on how boards oversee emerging technology risks, including AI used for forecasting or assurance analytics.
Audit committee deep dive
Audit committees play a central role in the 2024 Code. Chairs should schedule deep dives on:
- Internal controls architecture. Review management’s mapping of key controls, including IT general controls, segregation of duties, and manual management review controls. Ensure the mapping covers subsidiaries and joint ventures. The committee should challenge whether data feeding sustainability metrics is subject to the same rigor as financial data.
- Universal opt-out compliance. Audit committees must test whether data subject rights requests and opt-out signals are honored within finance and risk systems. For example, if suppliers opt out of marketing communications, confirm that procurement analytics remove their data when modeling payment terms or sustainability performance.
- External auditor oversight. Document how the committee assessed auditor independence, challenged key audit matters, and evaluated auditor resilience. The FRC expects candid commentary on how auditors responded to complex issues such as climate-related impairment testing.
Remuneration and culture alignment
Provision 37 emphasizes that remuneration outcomes must align with company purpose and values. Boards should describe how climate, customer trust, and culture metrics—potentially impacted by universal opt-out rates—feed into executive pay. If a significant portion of employees opt out of data-driven monitoring tools, remuneration committees should consider alternative indicators (for example, survey participation, verified operational KPIs) and explain those adjustments. Documenting this process will satisfy investor stewardship codes and avoid accusations of cherry-picking data.
Investor and regulator engagement
Investors are sharpening their stewardship expectations. The UK Stewardship Code and global asset managers expect transparent reporting on internal controls, assurance roadmaps, and stakeholder governance. Boards should maintain an engagement register capturing meetings with top shareholders, questions raised, and commitments made. Ensure that follow-up letters reference universal opt-out safeguards when discussing data-driven governance insights.
Regulators may request information at short notice. Prepare briefing packs summarizing control testing outcomes, assurance coverage, and opt-out compliance metrics. Include contact details for responsible executives, escalation protocols, and document retention policies. Having these packs ready reduces response time if the FRC or FCA opens a thematic review.
Action plan for 2025
- Conduct a board-level workshop on the 2024 Code, focusing on Provision 29, AAP obligations, and universal opt-out governance. Capture agreed actions and link them to board committee workplans.
- Implement an evidence vault with role-based access control that stores control testing artifacts, assurance reports, stakeholder engagement minutes, and opt-out logs. Integrate the vault with enterprise content management tools to support discovery and retention.
- Commission an independent readiness assessment in Q3 2025 to validate progress. The assessment should test control effectiveness, review the quality of narrative reporting drafts, and verify that universal opt-out obligations are embedded across finance, HR, sustainability, and investor relations processes.
By embedding governance discipline, universal opt-out compliance, and audit-ready evidence into 2025 reporting cycles, UK premium-listed companies can deliver credible annual reports that satisfy regulators and investors. Boards that treat the 2024 Code as a strategic framework—not a compliance hurdle—will strengthen trust, support access to capital, and build resilience ahead of the 2026 internal controls declaration.