The corporate reporting landscape in the UK continues to develop rapidly as demand grows for relevant and transparent information that meets the requirements of today’s users of annual reports. Stakeholders seek to understand how companies are pivoting to meet the challenging social, economic and political changes of the day, and how they plan to remain resilient in the face of uncertainty. Stakeholders expect businesses to play a crucial role in driving sustainable economic and social development by responding to existential challenges, including climate change, regulatory scrutiny and developments in technology, including artificial intelligence. Annual reports are a critical component in this ongoing dialogue between business and wider society. Our Corporate Reporting Insights focus on timely, short and topical observations designed to help you navigate new disclosure requirements, emerging practices and growing expectations for greater transparency and accountability.Explore our reports to discover these trends in corporate reporting.
Explore our 2025 insights
Sign up here to hear about future updates
Climate-Related ReportingHow ready are UK companies for climate-related reporting under UK Sustainability Reporting Standards (UK SRS)?
Climate change and other sustainability matters can create material financial risks and opportunities for companies, now and into the future. Transparency on how companies are addressing these broader drivers of value and risk remains an area of focus for investors, regulators, policy-makers and other stakeholders.In the UK, the government has committed to adopting the International Sustainability Standards Board's (ISSB) standards as UK Sustainability Reporting Standards (UK SRS) and in June 2025 issued consultations on drafts of these standards and on transition plan requirements. The government proposals include small amendments to the ISSB standards to facilitate their use in the UK and a ‘climate-first’ approach for the adoption of these standards.The draft climate standard, UK SRS 2 Climate-related Disclosures, incorporates the Task Force on Climate-related Financial Disclosures (TCFD) Recommendations and Recommended Disclosures. UK listed companies already make disclosures consistent with TCFD as required by the UK Listing Rules. However, there are some differences between the TCFD recommendations and the disclosure requirements in the draft UK SRS S2.Our survey of annual reports looks at the first 30 annual reports issued by FTSE 100 reporters in 2025 and considers how ready these companies are for climate-related reporting under the draft UK SRS. In doing so, we draw out key areas of difference between the TCFD recommendations and the disclosure requirements in draft UK SRS S2 to assist companies looking to streamline and enhance current disclosures and identify the differences between their current reporting practices and the requirements of the anticipated UK SRS.Read the full report
Key takeaways
63% of companies referred to UK SRS or ISSB and 7% of companies specifically stated that ISSB standards had been taken into consideration when preparing current year disclosures
All companies identified the board, and/or board level committee, as having responsibility for climate and/or sustainability matters
All companies disclosed that some form of scenario analysis had been performed with the number of scenarios used ranging from two to nine
47% of companies included disclosures that were identifiable as plans to transition to a low-carbon economy, an additional 43% provided some, but more limited information that indicated how targets would be met but lacking sufficient granularity and specificity to represent a plan
77% of companies included some information on the potential impact of climate-related issues on their financial performance and position with nearly three-quarters of those companies providing qualitative information only
All companies had at least one climate-related target which always included a Scope 1 and 2 GHG emissions reduction target; 80% of companies also included some Scope 3 GHG emission reduction targets
97% of companies disclosed metrics for one or more of the 15 categories of Scope 3 emissions. 77% of companies commented on the challenges of obtaining Scope 3 data
90% of companies obtained external assurance over selected sustainability reporting metrics
Review the Industry-based Guidance on Implementing IFRS S2. As per draft UK SRS S2, this is identified as a source of guidance that companies may refer to and consider to help identify climate-related risks and opportunities and to help identify industry-based metrics, relevant to a company’s business model and activities2
Assess the draft UK SRS S2 requirements related to climate resilience and use this to further develop the company’s approach to climate scenario analysis
Collaborate with suppliers to enhance the quality and completeness of Scope 3 data, including the timeliness of in-year data availability for reporting in the Annual Report
Continue to develop credible transition plans, for example, creating a net zero roadmap and establishing a detailed climate action plan
1These steps would also assist UK entities in considering their approach to reporting under updated Provision 29 of the UK Corporate Governance Code which will be effective for periods commencing on or after 1 January 2026 and will require boards to provide a declaration on the effectiveness of their material controls.2This is an area where draft UK SRS differs from ISSB standards. For more information, read our Need to Know publication.
Controls & Assurance Laying the foundations for the new declaration on the effectiveness of internal controls
The 2024 UK Corporate Governance Code (‘the 2024 Code’) aims to strengthen board accountability for the effectiveness of the risk management and internal control framework. Provision 29 includes a new requirement for a board declaration on the effectiveness of material controls together with a clear explanation of how the board has undertaken its monitoring and review responsibilities. This goes beyond the current Provision 29 of the 2018 UK Corporate Governance Code, which sets the expectation for the board to monitor and review the effectiveness of financial, operational and compliance controls. In their latest corporate governance review the UK FRC highlighted the need for directors to focus on explaining their actual practices, as opposed to policies and procedures in order to demonstrate that a company is well governed, sustainable and able to deliver investment, growth and competitiveness. The updated Provision 29 will apply for reporting periods beginning on or after 1 January 2026. Building on our 2024 survey, we have looked at how 50 FTSE 350 December 2024 reporters explained their approach to controls and assurance. We have considered how reporting practices are evolving in readiness for the new declaration. We also highlight better practice examples of reporting.Read the full report
Key takeaways
88% of companies included some description of how risk appetite is used as part of the risk management framework (consistent with 2024), 50% of those also described what different risk appetite categories the company used or the factors affecting the level of risk appetite
48% (2024: 44%) of companies explained clearly how each of the three lines of defence (operational management, internal monitoring and internal audit) operated within their organisation with a further 20% (2024: 24%) explaining some aspects and 32% (unchanged from 2024) making no reference at all
30% of companies stated clearly whether non-financial reporting controls had been covered by the board’s monitoring and review activities (unchanged from 2024)
82% of companies referenced planned activities in preparation for the new declaration on the effectiveness of material controls (up from 64% in 2024)
48% of companies clearly stated that monitoring and reviewing activities over risk management and internal controls are currently focused on the organisation’s material or significant controls
32% (2024: 50%) of companies provided a positive conclusion on the effectiveness of their risk management and internal control systems; 22% (2024: 16%) included the attestation required by the Sarbanes-Oxley Act on controls over financial reporting; 20% (2024: 20%) provided a negative conclusion; 22% (2024: 14%) provided no conclusion; and 4% (2024: 2%) just referred to the systems being in accordance with the FRC Guidance
Over two thirds of the SOX reporters in our sample provided the required SOX attestation on financial reporting controls and also a broader confirmation on the effectiveness of the internal control framework, including operational, compliance and financial controls
20% of companies either had introduced or were developing a policy on audit and assurance to assist the board with planning for assurance to support the new declaration (up from 14% in 2024)
Actions to take
Review the processes related to risk appetite, risk culture and define ‘materiality’ in respect of controls to be covered by the declaration
Consider whether existing monitoring and review activities cover all aspects of the risk management and internal control framework, not just in relation to financial reporting
Ensure all responsibilities to support the declaration on the effectiveness of material controls (including communication with the rest of the board on the approach) are clearly defined and incorporated appropriately in the board committees’ terms of reference
Conduct an assurance mapping process across the different sources of assurance available to the organisation (both internal and external) to determine whether the appropriate level of assurance will be available for the purposes of the upcoming declaration and consider whether developing a policy on audit and assurance would be beneficial for internal and external stakeholders
Corporate Reporting Insights 2024Diversity & Inclusion:Are companies achieving the targets in the new Listing Rule?
The background to our surveyThe FCA oversees the Listing Rules and introduced a new requirement1 for premium and standard listed companies to provide disclosures on board and leadership diversity for periods commencing on or after 1 April 2022, reflecting the drive for transparency around social issues.Our survey looks at how the first 30 FTSE 350 December 2023 reporters met the new Listing Rule requirements for the first year of mandatory disclosure. We also explore whether the annual reports reflect the transparency society and regulators are looking for around board diversity, executive management diversity and how diversity and inclusion are integrated within the business — for instance whether they are included in disclosures on purpose, culture, values, strategy, succession planning, reward, and board performance review.Last year we conducted a survey to explore whether December 2022 year end reporters were complying early with the new Listing Rule requirements and how their disclosures reflected diversity and inclusion; where we provide a comparator figure this is from those findings.1 Listing Rules LR 9.8.6R(9-11) for premium listed companies and LR 14.3.33R for standard listed companies with a listing of equity shares.Provide a statement setting out whether the company has met the following targets on board diversity as at a chosen reference date within its accounting period:
At least 40% of the individuals on its board of directors are women
At least one of the senior positions on the board of directors is held by a woman – the chair, the chief executive, the senior independent director, or the chief financial officer
At least one individual on the board of directors is from a minority ethnic background
In cases where the company has not met all these targets, state the targets it has not met and the reasons for not meeting those targets.Set out the reference date used for the statement and if it is not the same as the year end date, an explanation as to why.Disclose numerical data: a table in a set format for each of the ethnic background and the gender identity or sex of the individuals on the board and in executive management.Provide an explanation of the approach to collecting the data used for the purposes of making all the disclosures above; that should be consistent for all elements of the reporting and across all individuals. The explanation should include the method of collection and / or source of the data, and where data collection is done on the basis of self-reporting by the individuals concerned, it should include a description of the questions asked.The new Listing Rule statement90% of companies in our sample – all but three – presented the required statement explaining whether they had met the three targets set out in the Listing Rules. Over 80% of companies that provided a statement used the year end, 31 December, as their reference date – this is likely to make it simpler for these companies to achieve consistent disclosure year-on-year.Just over half of companies had met all three Listing Rule targets for their 2023 reports. Of those that hadn't met all the targets, around two-thirds described specific actions they were planning to take to meet targets in the coming year or future years. A handful of companies disclosed more challenging board diversity targets they had set themselves, having met the Listing Rule targets.The Listing Rule requires a set format for two separate tables – reporting on sex or gender identity and on ethnic diversity. This is intended to make it more straightforward for investors to compare data across different reports. All but one company had produced these tables, with almost all using the correct format.
However, in line with the findings in our 2022 Diversity and Inclusion survey, for those who disclosed the required data, it wasn’t always obvious which of sex or gender identity they had chosen to report on. Half of companies still did not make this clear, with many using the table heading “Reporting on gender identity or sex”. A handful stated they were reporting on “gender identity and sex”. Of those that did seem to be clear on the distinction, 80% reported on gender identity rather than sex, with some of those voluntarily including additional categories such as non-binary in their tables.Almost three out of four companies (73%) explained the approach they had taken to collecting the data used for the purposes of making diversity disclosures at board and executive level – a Listing Rule requirement. However, although all of those companies indicated that self-reporting had been used to gather the data, only six companies clearly described the questions they had posed to the board and executive management.Of the three companies that did not present a statement on whether they had met the Listing Rule targets, two of those explained that their future plans included seeking greater diversity on the board and only one also omitted the numerical tables.In terms of location in the annual report, over half of companies included their statement in the Nomination Committee report, with a third placing it elsewhere in the corporate governance statement. A handful of companies included disclosure in the strategic report or (in the case of the numerical tables) in the directors’ report. Have companies met the Listing Rule targets?Board diversity and inclusion: succession planningDiversity and inclusion are inextricably linked to the quality and thoughtfulness of succession planning throughout the organisation, including at executive and board levels. We have examined what companies say about how they assess their succession planning needs, how they instruct search and recruitment agencies and how accessible they make their appointment process.The UK Corporate Governance Code requires companies to describe the work of the nomination committee and the process used in relation to appointments, the approach to succession planning, and how both support developing a diverse pipeline.77% of boards – generally nomination committees – discuss the importance for their business of achieving a diverse board when talking about planning for skills and experience at board level. Nomination committees discuss the benefits of board diversity in the broadest sense for improved decision-making, breadth of strategic vision, and understanding global, local or customer context. Some also mention that it is helpful to reflect the make-up of the broader workforce. A handful mention the impact of investor pressure for the board to become more diverse, including through AGM votes.This disclosure does not appear to be driven by any specific regulatory requirement, instead by the "soft pressure" of the FTSE Women Leaders and Parker reviews, which are mentioned by a large majority of companies. In practice it often sits alongside disclosures mandated by the DTR, the UK Corporate Governance Code and now by the Listing Rules.In line with our findings last year, comparatively few companies set out how they make the board appointment process accessible to a wider pool of talent. In some cases the accessibility of recruitment has been drawn out for the workforce but this is not reiterated in the nomination committee's report in respect of board and executive team searches. This can be a key driver of improved access to diverse candidates, particularly where candidates are neurodivergent or have caring responsibilities.Do succession planning disclosures reflect diversity and inclusion initiatives?Board diversity and inclusion: board performance reviewsOur findings suggest that there are fewer outcomes and fewer actions being set over time with respect to diversity and inclusion at board level. Based on the companies we reviewed, rather than a failing in governance, this seems to reflect ongoing success in embedding diversity and inclusion as a key feature of the board, thus leading to fewer actionable findings in board performance reviews.Many of the actions set out relating to diversity and inclusion for the coming year relate to boards extending their focus to executive management or the business as a whole, rather than the board itself.This year we noted an increasing cohort recognising the skills and experience of individual board members on diversity and inclusion matters, highlighting recent relevant external roles or expertise in board biographies.Do board performance review disclosures reflect diversity and inclusion initiatives?Reporting on how diversity and inclusion is embedded into the businessThe FRC has highlighted the need to draw out in the annual report why diversity and inclusion are important to the strategy of the business. Although this continues to be a challenge for companies to articulate, we were encouraged to find that 87% explained persuasively why workforce diversity and inclusion was important to the business – although most companies could be more effective at explaining the link between diversity and inclusion and corporate strategy.The overwhelming majority of companies discussed workforce diversity and inclusion in their workforce engagement disclosures this year – 87%, up from 73% in 2022. A handful of companies had newly introduced KPIs regarding diversity and inclusion, with new measures relating to executive management, adding to the more usual KPI regarding the proportion of women in the workforce. Fewer companies felt the need to discuss diversity and inclusion in connection with their values or purpose statement.Almost 90% of companies also discussed diversity and inclusion in the context of training and skills. For the most part this related to training dedicated to bringing on women, Indigenous people, or individuals from an ethnic minority background as future leaders in the business. Some also included the use of their diverse workforce to improve the skill set in the business more widely – for instance through reverse mentoring, or training on how to speak with local customers – with some informative and interesting case studies.The approach used to improve diversity and inclusion varied between companies, but the majority focused on both building from the ground up and external recruitment at more senior levels, with almost all including statements about developing diversity and inclusion throughout the business via culture change and bringing on the existing workforce.Where do companies incorporate disclosure on diversity and inclusion this year?To concludeAlmost all companies are reporting in line with the Listing Rule requirements and have updated their board diversity targets accordingly – with some setting more stretching targets to reflect their commitment to diversity at board and senior leadership levels.For some, diversity and inclusion both at board and workforce level is now "business as usual", leading to less overall disclosure as fewer changes are introduced year on year. Others are finding that regulatory and investor pressure to fully embed diversity and inclusion are leaving them running to catch up.Boards should continue to challenge themselves to monitor company culture and take action where warranted to embed diversity and inclusion more thoroughly. They should evaluate whether diversity and inclusion in the broadest sense are appropriately embedded into their companies’ culture, values, strategy, succession planning, reward, and board performance reviews – and into their annual report.
Assess whether the annual report explains in a clear and consistent way why diversity and inclusion at workforce, executive management, and board level is important to the business
Where the business has set diversity targets for workforce, executive management and the board, disclose and explain those targets and provide annual updates regarding progress and actions
Evaluate the board's existing approach for building diversity and inclusion into succession planning and board performance reviews and consider how to report transparently in this area
Ensure that all elements of the FCA Listing Rule are included and clearly identifiable:
a statement setting out that each of the targets in the Rule have been achieved or a plan to achieve them
both mandated tables on sex or gender identity and ethnicity
an explanation of how data has been gathered for the board and executive management
Corporate Reporting Insights 2025Climate-related ReportingHow ready are UK companies for climate-related reporting under UK SRS?
The background to our surveyClimate change and other sustainability matters can create material financial risks and opportunities for companies, now and into the future. Transparency on how companies are addressing these broader drivers of value and risk remains an area of focus for investors, regulators, policy-makers and other stakeholders.In the UK, the government has committed to adopting the International Sustainability Standards Board's (ISSB) standards as UK Sustainability Reporting Standards (UK SRS) and published a Roadmap to adoption. In June 2025, the government issued consultations on drafts of UK SRS and on transition plan requirements. The government proposals include small amendments to the ISSB standards to facilitate their use in the UK and a ‘climate-first’ approach for the adoption of these standards.The UK government will consider separately how to integrate UK SRS into the UK legislative framework, and the scope of entity that it intends to apply the standards in due course. The Financial Conduct Authority (FCA) is also expected to consult on proposals to update the UK Listing Rules to refer to UK SRS and to finalise its policy position on this matter once the standards are available for use. So, how ready are UK companies for climate-related reporting under the draft UK SRS? UK listed companies are already required by the UK Listing Rules to make climate-related financial disclosures consistent with the Task Force on Climate-related Financial Disclosures (TCFD) Recommendations and Recommended Disclosures. The draft UK SRS are based on the ISSB Standards which incorporate the 4 pillars (governance, strategy, risk management, metrics and targets) and recommended disclosures of TCFD. As a result, TCFD reporting is expected to serve as a useful and solid platform from which UK companies can ‘step up’ into reporting under UK SRS.However, while the draft UK SRS standards incorporate the TCFD recommendations and guidance, there are some differences in the disclosure requirements. In addition, the current UK Listing Rule requires a “comply or explain” approach, whereas draft UK SRS as reporting standards require an entity to make an explicit statement of compliance, in the same way as is required under IFRS financial reporting standards.Our survey of annual reports1 looks at the first 30 annual reports issued by FTSE 100 reporters in 2025 and considers how ready these companies are for climate-related reporting under the draft UK SRS. In doing so, we draw out key differences between the TCFD recommendations and the requirements of the draft climate standard, UK SRS S2 Climate-related Disclosures2. We also consider other themes relevant to the UK sustainability reporting environment and highlight considerations for companies looking to streamline and enhance current disclosures, and identify the differences between their current reporting practices and the requirements of the anticipated UK SRS.
1For the purposes of this survey, we considered disclosures included within the Annual Report and any other relevant document that was clearly referenced from the Annual Report, for example a separate TCFD report, sustainability report or standalone transition plan.2Under a ‘climate-first approach’, companies in scope will also be required to apply draft UK SRS S1 General requirements for Disclosure of Sustainability-related Financial Information in so far as it relates to disclosure of information on climate-related risks and opportunities. The application of certain requirements in draft UK SRS S1 will represent a change compared to TCFD but is not considered in this survey. The International Sustainability Standards Board (ISSB) sits alongside the International Accounting Standards Board (IASB) which is responsible for issuing IFRS Accounting Standards. The ISSB’s aim is to issue high quality disclosure standards to meet the sustainability needs of investors. Its goal is for its standards to be used to form a global baseline of sustainability information.The ISSB has issued two standards to date: IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures:
IFRS S1 sets out overall requirements for an entity to disclose information about its sustainability-related risks and opportunities that is useful to primary users of general purpose financial reports in making decisions relating to providing resources to the entity.
IFRS S2 sets out the requirements for identifying, measuring and disclosing information about climate-related risks and opportunities that is useful to primary users of general purpose financial reports in making decisions relating to providing resources to the entity.
As part of its 2024–2026 work plan, the ISSB is researching risks and opportunities associated with sustainability topics beyond climate for entities to meet the information needs of investors. These research projects will help the ISSB decide whether it should pursue standard-setting for disclosure requirements on some or all of these topics, including human capital, biodiversity, ecosystems and ecosystem services.Reporting against the TCFD guidance and comparisons to draft UK SRS S2General disclosuresAll but two companies stated that their disclosures are consistent with the TCFD recommendations. The two companies that stated their disclosures were not consistent clearly identified the areas of non-compliance, which for both included aspects of scenario analysis and disclosures related to financial planning.Some companies which stated that their disclosures were consistent with TCFD recommendations referred to further enhancements being made to some aspects of the TCFD reporting. The most commonly referenced areas of improvement related to enhancing data and reporting processes for Scope 3 Greenhouse Gas (GHG) emissions, further consideration of the potential impact of climate-related issues on financial performance and financial position and further analysis of the organisation’s strategy and resilience with respect to climate scenarios.63% of companies referred to UK SRS or ISSB in their disclosures. While many of these disclosures were in the context of monitoring ongoing regulatory reporting requirements, 7% specifically stated that ISSB standards had been taken into consideration when preparing current year disclosures.Governance disclosuresGovernance disclosures provide a foundation for stakeholders to understand how a company manages its sustainability-related risks and opportunities. A clear governance structure can signal a strong commitment to sustainability and enhance investors’ confidence. It was therefore encouraging to see that all companies identified the board and/or board level committee(s), as having responsibility for climate and sustainability matters. However, it wasn’t always clear from the disclosures how these responsibilities are split between relevant committee(s) and the board.While the draft UK SRS S2 governance disclosure requirements are broadly consistent with the TCFD recommendations, draft UK SRS S2 requires more detailed information, for example, how responsibilities for climate-related risks and opportunities are reflected in terms of reference, mandates, role descriptions and other related policies applicable to the responsible body or individual. Therefore, companies may wish to consider enhancing their disclosures in respect of governance of climate-related risks and opportunities to bring in the required specificity in readiness for UK SRS.Companies may also wish to consider how the requirements of the UK Corporate Governance Code 2024 interact with the draft UK SRS S2 requirements.Strategy disclosuresThere are some areas of difference between the TCFD recommendations and draft UK SRS S2 with respect to strategy-related disclosures.Industry-based disclosure topicsBoth the TCFD recommendations and draft UK SRS S2 require a company to disclose its climate-related risks and opportunities over the short, medium and long term. All companies disclosed climate-related risks and 97% of companies disclosed at least one climate-related opportunity.Several companies in our survey referred to considering industry guidance, including SASB and GRI standards, in identifying climate related risks and opportunities. Under draft UK SRS S2, companies may ‘refer to and consider the applicability of industry-based disclosure topics’ defined in the Industry-based Guidance on Implementing IFRS S2 when identifying climate-related risks and opportunities. The guidance, which is derived from SASB Standards, sets out possible ways to apply some of the disclosure requirements in draft UK SRS S2 but does not create additional requirements. The draft UK SRS S2 reflects a proposed amendment to the IFRS S2 requirements so that companies ‘may’ consider this guidance, whereas under IFRS S2 companies ‘shall’ consider this guidance.Plans to achieve climate-related targetsCompared to the TCFD recommendations, the requirements in draft UK SRS S2 related to an entity’s plans to transition to a low-carbon economy are more specific and granular and include disclosure of how the entity plans to achieve the greenhouse gas emissions targets it has set for itself and also those required by regulation or legislation.14 (a) Specifically, the entity shall disclose information about:(iv) any climate-related transition plan the entity has, including information about key assumptions used in developing its transition plan, and dependencies on which the entity’s transition plan relies; and(v) how the entity plans to achieve any climate-related targets, including any greenhouse gas emissions targets, described in accordance with paragraphs 33–36.Climate-related transition plan (draft UK SRS S2 definition)A transition plan is ‘an aspect of an entity’s overall business strategy that lays out the entity’s targets, actions or resources for its transition toward a low-carbon economy, including actions such as reducing its greenhouse gas emissions.47% of companies included disclosures that were identifiable as plans to transition to a low-carbon economy, i.e. disclosures on targets and actions to support their transition toward a low-carbon economy. An additional 43% of companies provided some, but more limited, information, for example in the form of a high-level roadmap or disclosures that indicated how targets would be met but lacking sufficient granularity and specificity to represent a plan.These findings are broadly consistent with the findings of our 2024 Corporate Reporting Insights Survey on Climate Transition Plan Disclosures, indicating no overall improvement in the number of companies disclosing information on transition plans. However, there was a noticeable improvement in the signposting of these disclosures with companies making better use of clear sub-headings/sections within the Annual Report and clearer cross-referencing to other reports. Fewer companies cross-referred to a separate standalone transition plan report published outside of the annual report than in the previous year.In the UK, the focus on high quality transition plan disclosures is likely to remain given that transition plans are an integral part of the UK government’s Roadmap for its strategy to green the financial system. The government issued a consultation on the implementation of transition plan requirements in June 2025. The Financial Conduct Authority (FCA) has stated its intention to consult in 2025 on requirements for companies regarding transition plans and related disclosures.The UK government established the Transition Plan Taskforce (TPT) in 2022 as part of the delivery of the UK government’s Roadmap for its strategy to green the financial system.The TPT was given a two-year mandate to develop the ‘gold standard’ for private sector climate transition plans and in 2023 published its final Disclosure Framework and Implementation Guidance, setting out good practice for robust and credible transition plans as part of an entity’s annual reporting.The TPT Disclosure Framework has been developed to ‘be consistent with, and build on’ IFRS S2 Climate-related Disclosures (IFRS S2), issued by the International Sustainability Standards Board (ISSB).The TPT Disclosure Framework is currently a voluntary framework. However, companies required under the UK Listing Rules to make a statement of consistency with the TCFD recommendations are required to ‘describe their plans for transitioning to a low-carbon economy’ and in its December 2022 Primary Market Bulletin, the FCA encouraged companies to go further and consider the proposed TPT outputs when making transition plan disclosures. The FCA has stated that it plans to consult on introducing guidance aligned with the TPT Framework in 2025, at the same time as consulting on proposals for mandatory sustainability disclosure requirements based on UK SRSs.In 2024, the IFRS Foundation announced that it assumed responsibility for the TPT Disclosure Framework and related guidance, which it now hosts on its Sustainability Knowledge Hub.In June 2025, the IFRS Foundation published a guidance document, using the TPT disclosure-specific materials, to support users and preparers of transition plans disclosed under IFRS S2. In the longer term, the ISSB will consider the need to enhance the application guidance within IFRS S2.In June 2025, the UK government issued a consultation on how to implement its manifesto commitment to mandate UK-regulated financial institutions and large companies to develop and implement credible transition plans that align with the 1.5°C goal of the Paris Agreement. As part of this consultation, the government is seeking views on options to take forward transition plan requirements in order to provide the market with credible and decision-useful information.Financial effects of climate-related risks and opportunities77% of companies included some information on the potential impact of climate-related issues on their financial performance and position with nearly three-quarters of those companies providing qualitative information only. The quality of these disclosures varied. Some companies used scoring for anticipated effects of identified climate-related risks and opportunities (e.g. low / medium / high) but often with limited information on “how” these conclusions were reached. Some companies specifically described the impacts over the short-, medium- and long-term. Where this was the case, the most understandable disclosures included colour-coded diagrams and charts to show different anticipated financial effects across different time horizons.While it was encouraging to see these disclosures, the requirements in draft UK SRS S2 are more specific and granular than the TCFD recommendations. Draft UK SRS S2 sets out the circumstances in which quantitative and qualitative information is required and requires companies to use all reasonable and supportable information that is available at the reporting date without undue cost or effort to prepare these disclosures.15 An entity should disclose information that enables users of general purpose financial reports to understand:
(a) the effects of climate-related risks and opportunities on the entity’s financial position, financial performance and cash flows for the reporting period (current financial effects); and
(b) the anticipated effects of climate-related risks and opportunities on its financial position, financial performance and cash flows over the short, medium and long term, taking into consideration how climate-related risks and opportunities are incorporated into the entity’s financial planning (anticipated financial effects).
16 Specifically, an entity shall disclose quantitative and qualitative information about:
(a) how climate-related risks and opportunities have affected its financial position, financial performance and cash flows for the reporting period;
(b) the climate-related risks and opportunities identified in paragraph 16(a) for which there is a significant risk of a material adjustment within the next annual reporting period to the carrying amounts of assets and liabilities reported in the related financial statements;
(c) how the entity expects its financial position to change over the short, medium and long term, given its strategy to manage climate-related risks and opportunities, taking into consideration:
i. its investment and disposal plans (for example, plans for capital expenditure, major acquisitions and divestments, joint ventures, business transformation, innovation, new business areas, and asset retirements), including plans the entity is not contractually committed to; and
ii. its planned sources of funding to implement its strategy; and
(d) how the entity expects its financial performance and cash flows to change over the short, medium and long term, given its strategy to manage climate-related risks and opportunities (for example, increased revenue from products and services aligned with a lower-carbon economy; costs arising from physical damage to assets from climate events; and expenses associated with climate adaptation or mitigation).
Climate resilience/scenario analysisBoth the TCFD recommendations and draft UK SRS S2 require companies to describe the resilience of the company’s strategy, taking into consideration different climate-related scenarios. It was encouraging to see that all companies had undertaken some form of scenario analysis and that 90% of companies clearly referred to the use of scenario analysis in describing the resilience of the company’s strategy. The number of scenarios used ranged from 2 to 9 with an overall average of 4.In all these cases, at least one of the scenarios was a 1.5 or 2°C scenario, consistent with the TCFD recommendation to use a 2°C or lower scenario, in line with the Paris Agreement. While draft UK SRS S2 does not specify which climate-related scenarios to use, it does require a company to use an approach that is commensurate with its circumstances and to state whether any of the scenarios are aligned with the latest international agreement.The Paris Agreement is a legally binding international treaty on climate change. It was adopted by 195 Parties at the UN Climate Change Conference (COP21) in Paris, France, on 12 December 2015. It entered into force on 4 November 2016.The Paris Agreement’s central aim is to strengthen the global response to the threat of climate change by keeping a global temperature rise this century well below 2°C above pre-industrial levels and to pursue efforts to limit the temperature increase even further to 1.5°C. However, in recent years, world leaders have stressed the need to limit global warming to 1.5°C by the end of this century.In moving from TCFD to draft UK SRS S2, companies would be required to provide additional information on significant areas of uncertainty the company has considered in its assessment of resilience, the company’s capacity to adjust and adapt its strategy and business model over time and how and when the company has carried out its climate-related scenario analysis.50% of companies identified some uncertainties the company considered in its scenario analysis assessment and/or assessment of climate resilience. Disclosures ranged from high level statements about uncertainty (e.g. a general acknowledgement that quantifying the impacts of climate change is an emerging practice with associated inherent uncertainty) to more granular company-specific disclosures, for example referring to limited history of the interactions between climate risks and the economy, macroeconomic assumptions (such as demand in climate-sensitive sectors or GDP), government policies, technology evolution and the future trajectory of carbon prices.67% of companies provided some details on how the company had carried out its climate-related scenario analysis, for example, by either referring to the sources of those scenarios or clarifying whether the climate-related scenarios used for the analysis were associated with climate-related transition risks or climate-related physical risks. Some companies not only stated which scenarios they used to assess climate resilience but also explained why their chosen climate-related scenarios were considered relevant, for example referring to the likelihood of some pathways as a reason for being included or excluded from further group analysis.70% of companies disclosed when the scenario analysis was carried out. Some companies also provided information about timings of future scenario analysis, including some that stated an intention to carry out scenario analysis at the same time as revising the entity’s overall strategy.22. An entity shall disclose information that enables users of general purpose financial reports to understand the resilience of the entity’s strategy and business model to climate-related changes, developments and uncertainties, taking into consideration the entity’s identified climate-related risks and opportunities. The entity shall use climate-related scenario analysis to assess its climate resilience using an approach that is commensurate with the entity’s circumstances (see paragraphs B1–B18). In providing quantitative information, the entity may disclose a single amount or a range. Specifically, the entity shall disclose:
(a) the entity’s assessment of its climate resilience as at the reporting date, which shall enable users of general purpose financial reports to understand:
(i) the implications, if any, of the entity’s assessment for its strategy and business model, including how the entity would need to respond to the effects identified in the climate-related scenario analysis;
(ii) the significant areas of uncertainty considered in the entity’s assessment of its climate resilience;
(iii) the entity’s capacity to adjust or adapt its strategy and business model to climate change over the short, medium and long term, including:
(1) the availability of, and flexibility in, the entity’s existing financial resources to respond to the effects identified in the climate-related scenario analysis, including to address climate-related risks and to take advantage of climate-related opportunities;
(2) the entity’s ability to redeploy, repurpose, upgrade or decommission existing assets; and
(3) the effect of the entity’s current and planned investments in climate-related mitigation, adaptation and opportunities for climate resilience; and
(b) how and when the climate-related scenario analysis was carried out, including:
(i) information about the inputs the entity used, including:
(1) which climate-related scenarios the entity used for the analysis and the sources of those scenarios;
(2) whether the analysis included a diverse range of climate-related scenarios;
(3) whether the climate-related scenarios used for the analysis are associated with climate-related transition risks or climate-related physical risks;
(4) whether the entity used, among its scenarios, a climate-related scenario aligned with the latest international agreement on climate change;
(5) why the entity decided that its chosen climate-related scenarios are relevant to assessing its resilience to climate-related changes, developments or uncertainties;
(6) the time horizons the entity used in the analysis; and
(7) what scope of operations the entity used in the analysis (for example, the operating locations and business units used in the analysis);
(ii) the key assumptions the entity made in the analysis, including assumptions about:
(1) climate-related policies in the jurisdictions in which the entity operates;
(2) macroeconomic trends;
(3) national- or regional-level variables (for example, local weather patterns, demographics, land use, infrastructure and availability of natural resources);
(4) energy usage and mix; and
(5) developments in technology; and
(iii) the reporting period in which the climate-related scenario analysis was carried out (see paragraph B18).
23. In preparing disclosures to meet the requirements in paragraphs 13–22, an entity shall refer to and consider the applicability of cross-industry metric categories, as described in paragraph 29, and may refer to and consider industry-based metrics associated with disclosure topics defined in the Industry-based Guidance on Implementing IFRS S2 as described in paragraph 32.Risk managementThe risk management disclosure requirements in draft UK SRS S2 are broadly consistent with the TCFD recommendations. 93% of companies clearly disclosed information about their processes for identifying, assessing and monitoring risks. 68% of these companies referred to opportunities, as well as risks – reporting on opportunities is an additional disclosure requirement under draft UK SRS S2.83% of companies also provided some insights into how the processes for identifying, assessing, prioritising and monitoring risks and opportunities informed and were integrated into the company’s overall risk management process.Metrics & targetsTargetsAll companies disclosed one or more climate-related target. All companies had at least one target related to reducing their Greenhouse Gas (GHG) emissions.Draft UK SRS S2 requires additional disclosures about the validity of any climate-related targets a company has in place. Survey findings on current disclosures in this area are set out in the table below.
Draft UK SRS S2 disclosure requirement
Survey findings
Whether Scope 1, Scope 2 or Scope 3 greenhouse gas emissions are covered by the target
All companies explicitly stated that their targets covered Scope 1 and 2 GHG emissions and 80% also included Scope 3 emissions.
Whether the target and target methodology has been validated by a third party
47% of companies disclosed that their targets had been verified by a third party. In all cases, the third party referenced was the Science Based Target Initiative (SBTi).
How the latest international agreement on climate change, including jurisdictional commitments that arise from that agreement, has informed the target
77% of companies made reference to international agreements either explicitly by specific reference to the Paris Agreement or implicitly by disclosing that their targets had been verified by SBTi when explaining how targets had been set.
Any revisions to the target and an explanation for those revisions
Where revisions to targets were made, most companies explained that the revisions were the result of the availability of new or more relevant information to assist in target setting.
Other companies stated that they had successfully achieved their short-term targets and/or had set new or improved long-term targets to match their progress.
The entity’s processes for reviewing the target
20% of companies stated that targets had been reviewed but with little information being provided on how this review was performed.
Meeting some of these disclosure requirements will be relatively straightforward, for example, confirming if a target has been revised or validated by a third party. Other disclosure requirements may require more work and early consideration. For example, the ability to disclose the process for reviewing targets will depend on the maturity of a company’s approach to its transition plan and whether a process has been established and embedded into the organisation’s governance structure and internal control systems.Use of Carbon offsets to meet targetsDraft UK SRS S2 requires disclosures on the planned use of carbon offsets to achieve greenhouse gas emissions targets (referred to as ‘carbon credits’ within the standard).57% of companies clearly disclosed that they used or intended to use carbon offsets in the future, with all but one stating that they intended to use the offsets to meet climate-related targets. Of these companies, just under a quarter quantified the use of offsets in meeting those targets, with this information typically expressed as a percentage of the target. Of those companies that did not quantify the use of offsets, most made a general statement that any residual emissions would be offset.Companies should be mindful of an additional requirement under draft UK SRS S2 to disclose ‘whether the target is a gross emissions target or net emissions target’. Where a net emissions target is disclosed, a separate gross emissions target will also need to be disclosed.36. For each greenhouse gas emissions target disclosed in accordance with paragraphs 33–35, an entity shall disclose:(e) the entity’s planned use of carbon credits to offset greenhouse gas emissions to achieve any net greenhouse gas emissions target. In explaining its planned use of carbon credits the entity shall disclose information including, and with reference to paragraphs B70–B71:
(i) the extent to which, and how, achieving any net greenhouse gas emissions target relies on the use of carbon credits;
(ii) which third-party scheme(s) will verify or certify the carbon credits;
(iii) the type of carbon credit, including whether the underlying offset will be nature-based or based on technological carbon removals, and whether the underlying offset is achieved through carbon reduction or removal; and
(iv) any other factors necessary for users of general purpose financial reports to understand the credibility and integrity of the carbon credits the entity plans to use (for example, assumptions regarding the permanence of the carbon offset).
MetricsBoth the TCFD recommendations and draft UK SRS S2 require companies to disclose cross-industry climate-related metrics, including but not limited to GHG emissions.GHG emissionsAll companies disclosed Scope 1 and 2 emissions, in line with the TCFD recommendation to make these disclosures regardless of any materiality assessment. Under draft UK SRS S2, disclosure of Scope 1 and 2 emissions would only be required if considered material and therefore the number of companies reporting these disclosures may change over time. Draft UK SRS S2 requires Scope 1 and 2 emissions to be disaggregated between the consolidated group and other investees, including associates, joint ventures and unconsolidated subsidiaries.While TCFD recommendations ask for disclosure of Scope 3 emissions ‘if appropriate’, under draft UK SRS S2 disclosure of scope 3 emissions will be mandatory3 where these emissions are material. In our survey 97% of companies disclosed one or more of the 15 categories of Scope 3 emissions.Purchased Goods and Services (Category 1) and Business and travel (Category 6) were the most reported Scope 3 emission metrics, disclosed by 60% and 77% of companies, respectively.Overall, more companies reported upstream emissions (Categories 1 to 8) than downstream emissions (Categories 9 to 15). The heatmap to the right provides more insight into the split between different industries.80% of the financial services companies in our survey disclosed financed emissions (Category 15). IFRS 2 will require companies with activities in asset management, commercial banking or insurance to disclose additional and specific information about this metric.Of the 97% of companies that disclosed Scope 3 emissions, the majority of companies referred to limitations associated with Scope 3 emissions reporting or the need for continuous improvement. Many of these companies made general references to a lack of data availability and often explained that this was the reason for not reporting certain categories of Scope 3 emissions. Other companies commented on the uncertainties with regard to the accuracy of data provided and/or the need to engage with suppliers to improve their understanding of Scope 3 emissions. A few companies specifically stated that Scope 3 data from previous reporting periods was used for current year reporting due to an inability to collect and collate current year data in time for reporting.Given the draft UK SRS S2 requirement to disclose material Scope 3 emissions, companies may wish to collaborate with suppliers to enhance the quality and completeness of Scope 3 data in preparation for reporting under UK SRS, prioritising those categories that are more likely to be material to their business and specific circumstances. 3Under IFRS S2, entities are permitted to use a transitional relief and are not required to disclose its Scope 3 greenhouse gas emissions in the first year of reporting.Heatmap of reported Scope 3 GHG emission by industriesOther cross-industry metricsExcluding the cross-industry metrics on greenhouse gas emissions, the most reported metric was the percentage of executive remuneration linked to climate-related considerations, which 80% of companies disclosed.Under draft UK SRS S2, in addition to disclosing the remuneration metric, companies will be required to disclose ‘whether and how climate-related considerations are factored into executive remuneration’. While many companies disclosed this information, the quality of these disclosures varied and it was not always clear exactly how climate had been considered. A similar disclosure will also apply to internal carbon pricing metrics; companies will be required to disclose ‘whether and how’ a carbon price is applied in decision-making.Metrics related to the percentage and amount of assets or business activities vulnerable to climate-related transition and physical risks, and aligned to climate-related opportunities, were three of least reported metrics. While the TCFD All Sector Guidance acknowledges some of the challenges with reporting these metrics, stating that some companies ‘will need time before such metrics are disclosed’, companies should note that IFRS S2 is more prescriptive. With specific reference to these three metrics, IFRS S2 requires a company to use ‘all reasonable and supportable information that is available to the entity at the reporting date without undue cost or effort’.Climate-related metrics disclosed by companiesCompanies seeking to improve current TCFD reporting may wish to prioritise enhancing the systems and processes needed to capture data for the cross-industry metrics. As part of this exercise, it may be efficient to refer to and consider the industry-based metrics associated with disclosure topics described in the Industry-based Guidance on Implementing IFRS S2 to help identify metrics that may provide decision-useful information to users.29 An entity shall disclose information relevant to cross-industry metric categories of:
a) the amount and percentage of assets or business activities vulnerable to climate-related physical risks;
b) the amount and percentage of assets or business activities aligned with climate-related opportunities;
c) the amount of capital expenditure, financing or investment deployed towards climate-related risks and opportunities;
d) in relation to internal carbon prices:
i. an explanation of whether and how the entity is applying a carbon price in decision-making (e.g. investment decisions, transfer pricing and scenario analysis); and
ii. the price for each metric tonne of GHG emissions the entity uses to assess the costs of its GHG emissions; and
e) in relation to remuneration:
i. a description of whether and how climate-related considerations are factored into executive remuneration; and
ii. the percentage of executive management remuneration recognised in the current period that is linked to climate-related considerations.
Assurance 93% of companies obtained external assurance over selected sustainability metrics. Only those companies in scope of the EU’s Corporate Sustainability Reporting Directive (CSRD) obtained limited assurance over the entire sustainability report.Of those companies that obtained external assurance, all obtained assurance on GHG emission metrics and 73% also included other broader sustainability metrics, such as health & safety, diversity and inclusion, community investment and quality of management metrics.75% of companies that obtained external assurance stated that a limited level of assurance had been obtained. The other 25% of companies obtained a mix of limited and reasonable levels of assurance and in most cases, reasonable assurance had been obtained for Scope 1 and 2 GHG emissions. One company reported on having obtained reasonable assurance over all its Scope 1, 2 and 3 GHG emissions with the exception of one Scope 3 category.61% of companies in our survey stated that their external auditors had provided external assurance on sustainability metrics. The FRC’s recent Assurance of Sustainability Reporting Market Study found that ‘the proportion of FTSE 100 companies using their auditors to provide sustainability assurance grew from 25% in 2019 to 37% in 2023’. In combination, this data highlights a growing trend towards using external auditors for sustainability assurance.External assurance is a critical area of stakeholder focus with an increasing number of companies obtaining voluntary assurance to drive confidence and trust in sustainability reporting. While some jurisdictions, such as the EU, have introduced mandatory assurance on sustainability reporting, it is currently unclear if a similar approach will be taken in the UK. 44In June 2025, the UK Government launched a consultation on developing a voluntary oversight regime for assurance of sustainability-related financial disclosures.
To concludeTCFD reporting as currently required under the FCA’s Listing Rules serves as a useful platform from which UK companies can ‘step up’ into reporting under UK SRS. To get ready for these changes, boards may wish to consider undertaking a gap analysis between the requirements in the draft UK SRS S1 and UK SRS S2 and their current reporting practices. Such an exercise will help identify areas of difference and highlight opportunities to enhance current disclosures and prepare for anticipated reporting requirements. This, coupled with strengthening governance structures, data processes and controls, will help enable a smoother transition to UK SRS.
Review the Industry-based Guidance on Implementing IFRS S2. As per draft UK SRS S2, this is identified as a source of guidance that companies may refer to and consider to help identify climate-related risks and opportunities and to help identify industry-based metrics, relevant to a company’s business model and activities.
Assess the draft UK SRS S2 requirements related to climate resilience and use this to further develop the company’s approach to climate scenario analysis
Collaborate with suppliers to enhance the quality and completeness of Scope 3 data, including the timeliness of in-year data availability for reporting in the Annual Report
Continue to develop credible transition plans, for example, creating a net zero roadmap and establishing a detailed climate action plan
*These steps would also assist UK entities in considering their approach to reporting under updated Provision 29 of the UK Corporate Governance Code which will be effective for periods commencing on or after 1 January 2026 and will require boards to provide a declaration on the effectiveness of their material controls.
Corporate Reporting Insights 2025Controls & AssuranceLaying the foundations for the new declaration on the effectiveness of internal controls
The background to our surveyThe 2024 Corporate Governance Code became effective from 1 January 2025, except for Provision 29 – the board’s declaration on the effectiveness of material controls – which will apply to reporting periods beginning on or after 1 January 2026. Until then, existing Provision 29 of the 2018 UK Corporate Governance Code continues to apply. As a reminder, the updated Provision 29 will require the board to provide the following disclosures in the annual report:
a description of how the board has monitored and reviewed the effectiveness of the risk management and internal control framework;
a declaration of effectiveness of material controls as at the balance sheet date; and
a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.
As companies are getting ready to report under this new Code requirement, we looked at how 50 FTSE 350 December 2024 reporters have approached preparation for the new declaration and considered various aspects related to the new Provision 29.How risk appetite is used in risk managementA board of directors is required to identify the principal risks which could impact delivery of their company purpose, strategy and business model. Establishment of an effective control framework requires there to be clarity of the board’s view of the amount of risk it is willing to take in achieving the purpose, strategy and business model. This is known as the risk appetite and should drive the level of control put in place to keep risk within the agreed risk appetite. The board should ensure that the risk appetite is also communicated at the appropriate levels throughout the company in a timely manner, including any changes to it. We looked at current reporting practices for describing risk appetite and its role in the risk management and internal control framework.88% (2024: 88%) of companies included some description of how risk appetite is used as part of the risk management framework but there was significant variation in the depth and quality of the information provided. For example, some companies only briefly mentioned the board’s responsibility for setting risk appetite without explaining how risk appetite is used in the risk management framework. This year we also looked at how these companies described the different risk appetite categories used or the factors affecting the level of risk appetite. 50% of those companies that included some description of how risk appetite is used also provided clear additional disclosure on risk appetite categories and/or factors. Some factors included: (i) financial objectives, (ii) strategic objectives set by the board and (iii) ethics, reputation & values. Better reporters demonstrated the risk management and internal control framework in a diagram, clearly explaining how risk and control cycles operate. Some companies disclosed the risk appetite for each principal risk, explaining the factors which impacted the level allocated. Some of those categories included: averse, limited, moderate and high; averse, curious, open, seeking; critically low, low, medium and high.Example disclosures which include the elements described above: Lloyds Banking Group PLC (page 141 2024 ARA), Aviva PLC (page 75 2024 ARA), RHI Magnesita (pages 48–49 2024 ARA), Intercontinental Hotels Group PLC (page 44 2024 ARA), Serco (pages 62–63 2024 ARA), Croda International Plc (page 30 2024 ARA), Shaftesbury Capital PLC (page 60 2024 ARA)Describing the control frameworkAs described above, a board should explain in the annual report how it has monitored and reviewed the effectiveness of the material controls. The monitoring and review activities may be supported by internal and/or external assurance. Effective use of internal controls and assurance delineate risk management roles across an organisation, improving clarity, accountability and effectiveness. A commonly used control framework, often referred to as the “three lines of defence”, includes the following elements:
first line – operational management, which handles day-to-day ownership and management of risks and controls.
second line – internal monitoring and oversight functions, including risk management and compliance.
third line – internal audit, which provides independent assurance and evaluation of risk management processes.
When describing their control framework, 48% (2024: 44%) of companies explained clearly how the three lines of defence operated within their organisation with a further 20% (2024: 24%) of companies providing explanation for some lines of defence. Better practice examples presented a diagram demonstrating how the three lines of defence interact and clearly explaining the responsibilities of each line. Some companies also referenced the work of external audit and/or other regulatory requirements which they referred to as a “fourth line of defence”.Example disclosures which include the elements described above: Weir Group PLC (The) (page 62 2024 ARA), Hiscox (page 42 2024 ARA), Bakkavor Group (page 67 2024 ARA), Breedon Group (page 48 2024 ARA), Mondi Group (page 61 2024 ARA)The board’s oversight roleKey to a proportionate and practical approach to the new declaration on the effectiveness of material controls is the identification of “material controls”. Importantly, the 2024 Code states that “material controls” should include “financial, operational, reporting and compliance controls”. The inclusion of a specific “reporting” control consideration is intended to cover controls over both financial and non-financial reporting. We looked at how companies explained the scope of the board’s current oversight activities.The description of the board’s monitoring and review activities did not always make clear which controls had been covered, with oversight of non-financial reporting controls being particularly unclear. These findings are broadly consistent with last year. The “IT and other” category in the graph largely related to specific reference to monitoring and review of IT controls, consistent with last year.This year, we also looked at where the responsibility for oversight over non-financial reporting lay and found that 72% of companies delegated oversight of the integrity of non-financial and financial reporting to the audit committee. When explaining how monitoring and review of non-financial reporting had been undertaken, audit committees referenced disclosures provided in accordance with various sustainability reporting requirements, e.g. the UK Listing Rule on the Task Force on Climate-related Financial Disclosures (“TCFD”); Corporate Sustainability Reporting Directive (“CSRD”). Only 4% of companies (2024: 6%) reported that they had updated the audit committee’s terms of reference to reflect an enhanced focus on the internal control framework and additional oversight responsibilities in relation to non-financial reporting, risk appetite and risk culture.As we get closer to the new declaration, we also looked at the audit committee chairs’ introductory letters to see whether they highlight or make any specific reference to oversight of risk, controls or assurance that goes beyond a reference to the audit committee’s standard responsibilities and found that 48% of companies did so. Most of those references were to the audit committee’s focus on laying the foundations for the new Provision 29 requirements from 1 January 2026.More generally, 82% (2024: 64%) of our sample referenced planned activities in preparation for the new declaration. Some companies presented case studies on the activities they have undertaken to prepare for the new declaration, including identifying the scope of material internal controls and undertaking an assurance gap analysis (see also section Assurance below).Establishing clear parameters and guidance internally on what constitutes a “material control” will be an important part of a company’s approach to the new declaration. 48% of companies in our sample clearly stated that monitoring and review activities over risk management and internal control are currently focused on material or significant controls, with a further 4% also explaining the approach to determining what constitutes a material or significant control, with some companies defining them as “those controls that have the most influence in mitigating a risk”. A number of companies also mentioned plans to strengthen material IT controls and bring them into scope for the future declaration.As a reminder, paragraph 272 of the FRC Guidance states that material controls are those that can include, but are not limited to, controls over:
risks that could threaten the company’s business model, future performance, solvency or liquidity and reputation (i.e. principal risks)
external reporting that is price sensitive or that could lead investors to make investment decisions, whether in the company or otherwise
fraud, including override of controls
information and technology risks including cybersecurity, data protection and new technologies (e.g. artificial intelligence).
Example disclosures which include the elements described above: Howden Joinery Group Plc (page 148 2024 ARA), Anglo American plc (page 190 2024 ARA)Scope of monitoring and review activitiesExplaining the outcome of the board’s oversight activityA further key step in the declaration readiness process is to agree what control effectiveness means for the organisation. The FRC Guidance (para 286) reiterates that when a control is effective that “does not mean that the risk is eliminated” but rather that the effective control should be working to keep an identified risk within the board’s risk appetite. The FRC has made it clear that it is for the board to determine its own levels of required assurance in relation to the effectiveness of the material controls.This year, we noted a shift away from companies providing positive conclusions on the effectiveness of the internal control framework and more providing confirmation that the internal control framework aligns with the FRC Guidance. For the SEC registrants in our sample, we noted that over two thirds, in addition to the required SOX attestation, provided a broader confirmation on the effectiveness of the internal control framework, including operational, compliance and financial controls.Whilst none of our sample reported that they had identified any significant failings or weaknesses, some companies have referenced immaterial control failures which have been remediated during the year. Most of those related to manual and IT controls and, in some cases, the identified deficiencies affected audit testing and resulted in more substantive procedures by the external auditor.SEC registrants breakdownSEC registrants breakdownAssurance
As part of the preparations for the, now withdrawn, requirement for an Audit & Assurance Policy, many companies had started an assurance mapping exercise to build an understanding of where different sources of assurance were obtained in relation to external reporting. To help boards prepare for the new declaration of the effectiveness of material controls, it would seem sensible to extend this mapping exercise to cover assurance over the effective operation of material controls beyond external reporting, e.g. material financial, operational, reporting and compliance controls. In this way, a full picture of assurance (from all sources – both internal and external) can be developed and assessed.
86% (2024: 84%) of companies in our population indicated or explained where assurance had been provided over certain data elements in the front half of the annual report, with almost all of those (98%) being from external assurance providers. Some companies used icons or symbols to indicate metrics which have been subject to external assurance, with a cross reference to further information on the nature of the assurance, the provider and the assurance report. Others used footnotes to provide similar information.
Having a clear policy on audit and assurance helps address a number of consideration points for reporting under Provision 29:
in publishing the policy, the directors convey to readers the extent of assurance over the information they communicate;
the policy helps provide clarity over the role of the auditor beyond that required for the financial statements; and
it facilitates dialogue between internal audit, external audit or another assurance provider.
In developing their policy, boards will consider the areas where assurance is required and who should provide it - internal audit, external audit or another assurance provider.
It was positive to see that 20% (2024: 14%) of companies in our survey had either introduced or were developing a policy on audit and assurance to assist boards with the upcoming declaration on the effectiveness of material controls. Better practice examples recognised the value of documenting an assurance plan and continued work in this area by developing a clear internal framework for audit and assurance, helping them to (re)evaluate material controls for the new declaration.
Example disclosures which include the elements described above: Rio Tinto (page 113 2024 ARA), Serco (page 64 2024 ARA)To conclude
The update to Provision 29 in the 2024 UK Corporate Governance Code focuses on the board’s monitoring and review activity and requires a board declaration on the effectiveness of material controls. Audit committees will need to undertake a formal re-assessment of the risk management and internal control framework, including revisiting risk appetite, approach to identifying and evaluating effectiveness of material controls for the declaration and ensuring that it covers all material operational, financial, reporting and compliance controls.
The FRC’s Corporate Governance Code Guidance is helpful in understanding what is expected from these processes and oversight activities. We have also updated our publication ‘Risk, controls and assurance: a framework for the new material controls declaration’ to reflect the insights we have gathered over the past year and to help boards and audit committees navigate the new requirement.
Review the processes related to risk appetite, risk culture and define ‘materiality’ in respect of controls to be covered by the declaration
Consider whether existing monitoring and review activities cover all aspects of the risk management and internal control framework, not just in relation to financial reporting
Ensure all responsibilities to support the declaration on the effectiveness of material controls (including communication with the rest of the board on the approach) are clearly defined and incorporated appropriately in the board committees’ terms of reference
Conduct an assurance mapping process across the different sources of assurance available to the organisation (both internal and external) to determine whether the appropriate level of assurance will be available for the purposes of the upcoming declaration and consider whether developing a policy on audit and assurance would be beneficial for internal and external stakeholders
Corporate Reporting Insights 2024Generative Artificial Intelligence:Developments in reporting
The background to our surveyA company’s strategic report is designed to be a summary of its purpose, strategy, business model, values, risks, opportunities and governance. The best strategic reports combine all of these elements into a clearly-structured, informative whole. Early in 2023, businesses were faced with the rapid rise of Generative AI, which can be briefly defined as AI that synthesises bodies of data to create original content that would previously have taken human skill and expertise. Since then, boards have been making decisions regarding the opportunities, risks, governance structures and policy choices associated with Generative AI. In this survey, we read the most recent annual reports published by the constituent companies of the FTSE 100 index to explore how they approached this topic and reported on risks, opportunities, policies and controls over AI and Generative AI.How do annual reports mention AI or Generative AI?91% of the FTSE 100 mentioned AI in their most recent annual report. More than half of these (57%) mentioned Generative AI.
Companies that discussed Generative AI often provided some detail on their existing and historical use of AI and the landscape they are now operating in. Examples of reporting included exploration of potential future strategies, detail regarding external and competitor trends and description of projects in pilot or developmental stages, each based on use of Generative AI. More than one company also mentioned conducting a review of their existing use of AI. Whereas in 2023 the main industries that identified business opportunities were media and technology companies, that has now expanded to include other sectors, including financial, telecommunications and consumer goods. We found the better disclosures were informative and reasonably detailed, going into the methods the companies were using to train or otherwise upskill employees, their expectation of changes to work structure for their employees, and their expectations of future developments in Generative AI and how it would impact the business model and external landscape. A handful of companies mentioned that they expected a positive impact from using AI to target emissions reductions or otherwise assist with their climate ambitions. Our reading of certain annual reports suggested some lack of clarity regarding the distinction between machine learning and Generative AI. In one case, the company had clearly determined to use “AI” in the annual report as a broad term to include all AI-related technologies and had reflected this in its internal policy documents.Involvement of the board This year, twelve companies in the FTSE 100 drew out in their disclosures that one or more directors had experience or expertise in AI, as set out either in director biographies or in the Nomination Committee report. Seven of those companies indicated that AI had been discussed by the board during the year. Indeed, a third of the boards in our survey mentioned AI or Generative AI in their corporate governance disclosures outside the context of board biographies or recruitment criteria – an increase from only four boards in 2023. Most of these mentions were in the context of the board’s activities or areas of focus for the year and only a handful of companies included any detailed disclosure around the board’s discussions. Where this was the case, it was generally in the context of strategic discussions, partnerships or deep-dives provided to the board by management experts. Some boards also mentioned board-specific training or bringing in external experts to discuss AI with the board. The majority of committee reports did not cover AI, although we saw some high-level mentions in audit committee or risk committee reports. One board had formed a separate technology committee to assess new technologies including AI. How does the annual report mention AI?Risk and control frameworkDevelopments in regulation of Generative AI, in particular those applying to large language models, are moving at pace.In the UK, in May an AI Security Code of Practice was published for consultation, and in July, the King’s Speech set out that the new Government “will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models.” In the EU, the EU AI Act was formally approved in May and came into force in August this year. The Act takes effect in stages, starting from 6 months after it comes into force and applying in its entirety after 24 months (by August 2026). The Act is designed to be proportionate to the level of risk posed by the organisation/AI use-case. The higher the risk of harm to society, the more substantial the regulatory regime that applies. The Act also applies extraterritorially - for instance, where a provider or system is based outside the EU but the system or its outputs are intended to be used within the EU. 19 companies disclosed that they had identified forthcoming AI-related regulations, such as the EU AI Act, and a handful of these mentioned at least one impact on their business. Consistent with last year’s survey results, a majority of companies that mentioned regulation operated in financial services. The diagram illustrates how AI is reflected in risk disclosures, with 53 companies mentioning AI in their risk management disclosures, compared to 11 in 2023. 39 companies in total identified AI as an emerging risk to their business.How is AI reflected in risk disclosures?In several cases disclosures on emerging and principal risks went into some detail, focusing on areas including a risk of cyber attacks increasing in both quantity and precision through criminals employing AI tools, the risks posed by “deepfakes” in identity theft and social engineering and the risks of failing to comply with new regulatory regimes around AI. Some also mentioned the risks associated with adequate governance and ethics, and the risk of bias, around new opportunities or products. One company mentioned that although the risk of cyber attacks is higher due to AI, there is also an opportunity for improved detection methods, again using AI, and a handful of other companies also cited AI in risk mitigation, including risks outside the IT sphere such as corporate culture. The diagram illustrates the various controls companies have disclosed relating specifically to AI. There has been a noticeable shift since the approach companies described last year, when most companies had added elements of AI into an existing IT control framework. This year, the majority of companies that disclosed a controls framework described a separate AI controls framework and many included some discussion of the governance structure surrounding that framework.Some companies described whether their AI policies apply to the use of the company’s own proprietary AI products, the use of and sharing of data with external AI products, or both. Several companies also mentioned setting up a committee, oversight forum or working group with the responsibility to maintain and update company and employee policies. What controls are in place over AI?To concludeThe speed of development and adoption of new technologies has never been higher and increasingly is at the forefront of strategy. Companies are experimenting with AI and developing use cases, flexing their existing business models and exploring the value that can be created.Annual reports are reflecting this thinking, drawing out the way companies are evaluating future risks and opportunities. Increasingly they also provide a good level of detail on the policies they put in place and the governance structures that ensure AI is implemented effectively and ethically – helping shareholders to evaluate this information. Boards may wish to encourage management to monitor and provide regular updates on the advances in technology and the developing regulatory requirements that Generative AI poses, and they may wish to put thought to whether the annual report adequately reflects how the company is addressing this fast-evolving topic.
We encourage boards to make it clear to users of the annual report how they considered the opportunities offered and risks posed by Generative AI and any potential impact on their business model and strategy.
Providing a description of the controls and policy frameworks applicable to Generative AI, both used by the company in determining use cases and imposed on employees in their day to day activities, along with any training provided on the technology, regulation or ethical landscape, is also helpful to aid stakeholder understanding.
Boards may want to consider the need to have appropriate technical knowledge and expertise available to them in order to enable them to exercise their governance and oversight responsibilities in a rapidly developing digital landscape.
Get in touch
Veronica PooleGlobal IFRS Leader, NSE Head of Accounting and Corporate Reporting
