Newsflash - FRC Review of corporate governance reporting

November 2022

The FRC has today published its ‘Review of Corporate Governance Reporting’ which is based on a review of a sample of 100 companies drawn from the whole premium listed market. The comprehensive report presents the findings from the review and sets out the FRC’s expectations for the future application of the Code and reporting. It should be studied carefully by all those involved in the preparation of the annual report. In addition, reviewers, particularly members of the audit committee, should ensure that their companies are well prepared in advance of their year ends to address the recommendations and to consider matters for ongoing improvement.

The report highlights areas of high-quality reporting, but also draws attention to improvement needed in areas such as disclosures on workforce and wider stakeholder engagement, diversity, and oversight of the effectiveness of the risk management and internal control systems. In particular, the FRC has looked closely for disclosure of actions and outcomes resulting from governance policies, procedures and activities, noting that better disclosures include specific examples and case studies.

The Executive Summary makes the following point:

“Only through high-quality reporting, including outcomes and impacts, will readers be able to assess the effectiveness of governance activity.”

As last year, the FRC notes a general improvement in reporting. The review highlights the continuing need for high-quality governance, which is linked to effective decision-making by Boards and management. It also highlights the need for greater clarity as to how a company is applying the Code’s principles, and for clearer explanations where there are departures from the Code provisions, so that shareholders and stakeholders have greater confidence in the quality of governance.

To improve disclosures, the FRC reporting expectations include the following:

  • Moving away from declaratory statements and providing specific disclosures.
  • Providing clear and meaningful explanations when departing from the Code.
  • Demonstrating how the company’s culture is aligned to its purpose, values and strategy.
  • Reporting on engagement with shareholders and stakeholders, and how their views have been considered.
  • Making clear linkages in the report to policies or disclosures that relate to stakeholder matters.
  • Reporting on diversity, including at a senior leadership level beyond the recommended external targets including objectives and targets.
  • Explaining how the board or a committee has reviewed the effectiveness of the risk management and internal control systems (see further detail below).
  • Reporting on how the executive remuneration arrangements align with the company’s purpose, values and strategy.

In addition, the FRC draws attention to ensuring clarity in the disclosures of:

  • not only the outcomes from culture assessment and monitoring activities, but also the impact of any remedy initiatives to assess their effectiveness in the following reporting year;
  • the extent to which shareholder engagement activity enabled shareholders to ask questions and present their views and concerns;
  • how workforce views obtained from engagement activities are connected to actions carried out by the board;
  • management of modern slavery risk including how the company has evaluated the impact of modern slavery on the business and who is responsible for driving strategy on modern slavery;
  • the methodology used to calculate energy and carbon data, as well as a discussion of work that is underway to disclose in future, or to enhance current disclosure, and clarity about which of the Scope 3 categories will be included;
  • how diversity objectives and initiatives link to company strategy; and
  • procedures to identify and manage emerging risks; and following an assessment, an explanation of the emerging risks identified and actions to mitigate them.

Review of the risk management and internal control systems – enhancing the quality of reporting

As last year, the report makes clear that improvements are required in this area and that companies are expected to explain how they have monitored their risk management and internal control systems throughout the year and any changes made to ensure their continuous efficacy.

“Good reporting should include details on how the board monitors these systems on a regular basis, in addition to a formal annual review. The annual report should describe any actions that companies have taken during the year to improve or strengthen the risk management and internal controls systems, even when the annual review of these has found no weaknesses or inefficiencies.”

As a reminder, Code Provision 29 states the following: “The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.” This is supplemented by paragraph 58 in the existing Guidance which states that: “The board should summarise the process it has applied in reviewing the effectiveness of the system of risk management and internal control. The board should explain what actions have been or are being taken to remedy any significant failings or weaknesses.”

The FRC’s report sets out the following examples of actions undertaken by the board or a committee to review the risk management and internal control systems:

  • Considering the reports from senior management on their own assessment of control and risk management
  • Receiving assurance from management on compliance with relevant policies
  • Receiving internal assurance of the effectiveness of the internal control function
  • Reviewing reports from the management risk committee
  • Reviewing reports from the internal audit function
  • Reviewing reports from the external auditor
  • Appraising the company’s response to cyber-risks and data protection
  • Reviewing instances of whistleblowing and other incidents
  • Carrying out an independent external review

In relation to reporting on the outcome of the review, the FRC makes clear that disclosure should demonstrate the current state of the risk management and internal control systems confirming the effectiveness of these systems or, where weaknesses or inefficiencies have been found, describing these in the report. Of the 100 companies reviewed by the FRC, the following disclosures were observed:

  • 63 stated that their systems were either effective/adequate or no weaknesses/inefficiencies were identified
  • 10 stated that weaknesses had been identified
  • 20 provided no comment on the outcome of the review
  • 7 did not make clear that they had reviewed their systems

The report states that companies should disclose what evidence led them to their conclusion about the effectiveness by reporting on the actions they have taken to monitor and review those systems during the year. The FRC notes that reporting on this area is something that they have been asked to consult on in 2023 as part of the Government’s response to the ‘Restoring trust in corporate governance and audit’ White Paper and that it is encouraging to see so many companies reporting on the effectiveness of their systems.

To read the full FRC Review of corporate governance reporting click here.

Our library of governance publications is available to help you at www.deloitte.co.uk/governancelibrary.