Good corporate governance for internal controls

The need for good corporate governance is evident, be it through legislation or changes to the UK Corporate Governance Code, and it has been a key area of focus for stakeholders for many years. The current rise in regulatory interest in corporate governance, across a wide spectrum of areas affecting companies, brings into focus a new reality that boards need to embrace in their corporate governance.

But what is good corporate governance? This blog focuses on the expectations of good corporate governance in relation to the control environment of an organisation. Overall, good corporate governance encompasses four areas:

  • The importance of internal controls through the UK Corporate Governance Code and the BEIS paper;
  • The expectations of stakeholders over outsourced activities;
  • Third-party risk management and incoming operational resilience regulation; and
  • The link to Environmental, Social and Governance (ESG) matters.

1. The importance of internal controls through the UK Corporate Governance Code

The Financial Reporting Council’s (FRC) 2021 guidance set out what it expects in a risk management and internal control framework. Based on the UK Corporate Governance Code principles, the board should establish procedures to manage risks, oversee the internal control framework, and determine the nature and extent of the principal risks a company is willing to take to achieve its long-term strategic objectives. Furthermore, according to Provision 29, the board is expected to monitor the company’s risk management and internal control systems and report on their effectiveness in the annual report. The monitoring and review should cover all material controls, including financial, operational, and compliance controls.

The Code raises questions about how a board can achieve annual monitoring and reporting: how aware it is of what is happening within the organisation, what the board is informed of, and how accurate the information available to the board is. These questions underline the need for organisations to have a clear and well-defined framework, with a comprehensive assessment of entity-level controls, scope, monitoring and review processes, and robust reporting protocols for accountability and action, all supported by sufficient and appropriate documentation. Indeed, most UK companies already have controls in place but have no, or insufficient, formal reporting to their boards on these controls.

According to a survey we carried out in 2021, most business leaders consider that they have work to do before they will be compliant with regulation changes, with 53% of the respondents acknowledging that they have work to do across all areas of their internal control framework.

Enhanced Focus on Financial Services Firms

The FCA’s Principles for Businesses outline the fundamental obligations that regulated firms must adhere to. Any enhanced Internal Control over Financial Reporting (ICFR) requirements should align with a broader system of internal controls requirements already stipulated by the FCA. FCA’s Principle 3 on management and control requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. This is reinforced by the FCA’s Systems and Controls sourcebook, which states a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business. By adhering to the FCA's Principles for Businesses, companies not only reduce the risk of being prosecuted, but also gain more customers by aligning themselves with desired values. These points are also highlighted by the Department for Business, Energy & Industrial Strategy (BEIS) in its 2022 consultation paper, stressing the importance of strengthening internal controls in organisations and promoting a culture of strong governance and risk management at all levels.

2. The expectations of stakeholders over outsourced activities

The current industry trend to outsource business processing activities has added complexity to corporate governance. This trend, accelerated by globalisation and technology, has also raised concerns among stakeholders, especially regulators, about the risk arising from third-party relationships. It follows that boards should manage the risks that could arise from outsourcing business activities as they would for activities performed directly by management teams. This has led to the need for additional work to be performed over third-party relationships, including:

  • Bespoke independent controls reporting;
  • Increased oversight, such as more regular contact and independent review of the third-party’s control environment; and
  • Internal audit reviews on third parties.

3. Third-party risk management implications from operational resilience

Operational resilience is set to have profound implications for third-party risk management in the run-up to compliance with the provisions of the Code by March 2025. In addition, a wealth of other key regulations with significant implications for outsourcing arrangements and third-party risk management needs to be considered. The following are examples of regulations that are bringing into focus the need for third-party risk management:

  • SS1/21 Operational Resilience - Impact tolerance for important business services: the statement sets out the expectation for operational resilience for firms’ important business services, for which they are required to set impact tolerances.
  • SS2/21 Outsourcing and third-party risk management: the statement sets out the Prudential Regulation Authority’s (PRA) expectations for third-party relationships and their risk management on business continuity, governance, operational resilience, and risk management. It covers areas such as scope, governance and record keeping, data security, access, audit and information rights, and business continuity and exit plans for third-party relationships.

As part of their vulnerability remediation process, firms are required to remediate the vulnerabilities identified through their engagement with third parties, and need to be aligned with those third-party organisations on risk management. As a result, supplier relationship management, or third-party risk management, needs to be an integral part of how organisations demonstrate their operational resilience.

4. Link to ESG matters

The link between corporate governance over internal controls and ESG is currently attracting a lot of attention. Businesses that stay ahead of the curve by incorporating ESG into their corporate governance framework will be well positioned to deal with future ESG-related risks. To get ahead, a clearly defined risk framework, linked to control assertions and overlaid by the services provided by critical outsourced service providers, is a crucial foundation for effective ESG reporting and meeting ESG requirements.

Three factors have contributed to the incorporation of ESG considerations into the risk framework of companies:

  • Transnational and national regulatory changes

EU regulations in the form of the Sustainable Finance Disclosure Regulation (SFDR) and the EU Taxonomy have been a catalyst for change, promoting greater transparency of sustainability in the investment process and a new ESG product classification regime. Governmental commitments and national and transnational frameworks, notably the Task Force on Climate-Related Financial Disclosures (TCFD) and the Sustainability Disclosure Requirements (SDR), add further disclosure requirements on investment firms. This fast-evolving global ESG regulatory landscape results in new, complex, and sometimes contradictory requirements for companies.

  • Corporate commitments

Corporate commitments have also increased the scrutiny and pressure on companies. To address ESG concerns, companies are increasingly responding to the sustainable finance agenda by making corporate-level ESG commitments. These range from Net Zero or Carbon Negative approaches to addressing diversity and inclusion, gender pay gaps, and employee working conditions. Such commitments require material changes within firms and a focus on product redesign, accurate data, reporting, and operational change.

  • Client demand

Clients, both institutional and retail, have created demand for ESG products and solutions, requiring material change to the way investment firms operate and manage money. Asset owners have also requested capabilities to support their own ESG commitments, including the provision of specialised data and reporting.

These three factors have led many firms to assess legacy products in light of the emphasis on ESG and Net Zero as well as the focus on investment transparency.

What should companies do now?

As businesses look to full compliance with the provisions of the Code, it is prudent for them to take practical steps to ensure their organisations are ready to meet the multidimensional expectations of the various stakeholders. This will require a holistic assessment of all parties that play a key role in the overall risk framework of the organisation, to ensure they are aligned with the organisation’s risk framework. Achieving full compliance with the provisions of the Code will require companies to be aware not just of the immediate risks from their own organisational processes, but also of the risks that come with outsourcing key business processes.