FRC Review of corporate governance reporting

November 2023

The FRC has published its ‘Review of Corporate Governance Reporting’ (the “Report”), which is based on a review of a sample of 100 companies drawn from the whole premium listed market.

The FRC Report notes a general improvement in governance reporting, especially relating to workforce and other stakeholder engagement and remuneration. However, the Report also draws attention to improvement needed in areas such as monitoring and review of the risk management and internal control systems, avoiding boilerplate language in the application of the Code and focussing on reporting the outcomes of governance processes and policies. Both preparers and reviewers of annual reports, particularly members of the audit committee, should consider the FRC’s findings ahead of their next reporting period.

The Executive Summary makes the following point:

“Corporate governance disclosures are an opportunity to build trust and understanding, and demonstrate why the UK is an attractive investment market, rather than being a compliance exercise.”

The review highlights the continuing need for high quality governance which is linked to effective decision-making by boards and management, for greater clarity as to how a company is applying the Code’s principles, and for clearer explanations where there are departures from Code provisions so that shareholders and stakeholders have greater confidence in the quality of governance.

Across the Report, the FRC sets out a number of key messages to draw attention to areas recommended for further improvement, including:

  • reporting on board considerations and decisions, the company’s activities and the associated outcomes will reduce boilerplate disclosure and provide more concise and meaningful disclosures to users;
  • where there are departures from the Code, in addition to the timeline of anticipated compliance, reporting on how alternative arrangements provide benefits to shareholders and other stakeholders;
  • reporting on intermediary outcomes or milestones from stakeholder engagement, which allows users to know the company is working on feedback received and explaining why companies consider stakeholder engagement mechanisms to be effective;
  • demonstrating how diversity objectives and initiatives link to company strategy and how these initiatives have contributed to improving their diversity targets;
  • discussing the specific internal and external safeguards used to protect the external auditor’s independence;
  • highlighting how and why principal risks have changed from the previous year, together with any explanation of changes to the mitigation strategy; and
  • explaining how the company’s purpose and values are linked to executive remuneration arrangements.

Monitoring and reviewing the effectiveness of the risk management and internal control systems

The FRC notes there has been ‘little year on year improvement’ in the quality of reporting of the assessment of risk management and internal control systems and highlights the monitoring and review activities as an area for particular focus. Only 20 companies provided insightful information on how the monitoring and review activities were conducted or what areas were covered. With the increased focus on the UK’s approach to internal controls, the FRC notes that most companies need to do more work to demonstrate robust systems, governance, and oversight.

Provision 29 of the Code states that ‘The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.’

The Report sets out the FRC’s observations regarding what makes good reporting in this area:

  • A clear statement describing the review undertaken: Avoid using general, boilerplate language such as “the board (or a relevant committee) reviews the effectiveness of risk management and internal control systems.” Instead, provide a definitive and clear statement of who performed the review and the scope of the review undertaken during the year.
  • Process for the review: Good reporting on the process for the review includes details of how the board or its delegated committee have undertaken the review, who was consulted, what reports or evidence were received, and what areas were covered by the review.
  • Reporting the outcomes of the review: Where the board has determined the risk management and internal control systems to be effective, this should be clearly stated in the annual report together with how the board reached this conclusion. In addition, where material weaknesses or inefficiencies have been identified, the company should explain the nature of the weakness or inefficiency and include the actions the board has taken or will take to remediate these.

The FRC highlights that good reporting in this area will provide shareholders, markets, and other stakeholders with confidence in the systems companies have in place to identify, assess, and manage risk effectively and sustain their resilience.

Cyber and information technology

The Report also includes observations from cyber and information technology reporting. While the Code does not require reporting in these areas, the FRC commends companies which outlined the risks, opportunities, and importance of cyber security to their business. The FRC notes that boards should be comfortable with understanding the cyber risks in their business and how they are managed.

In addition, the FRC looked at the extent to which artificial intelligence (AI) was reported in the sample. Just under half of companies mentioned AI in their reports; however, none of these companies disclosed the board’s involvement in their approach or oversight of AI. Once again, the FRC has encouraged boards to have a clear view on how AI is being used and developed in a responsible manner and ensure the necessary governance processes are implemented. This may warrant further training and education of boards.

To read the full FRC Review of corporate governance reporting click here.

Our library of governance publications is available to help you at www.deloitte.co.uk/governancelibrary.