The FRC has published its ‘Review of Corporate Governance Reporting’ (the “Report”), which is based on a review of a sample of 100 companies drawn from the whole premium listed market.
The FRC Report notes a general improvement in governance reporting, especially relating to workforce and other stakeholder engagement and remuneration. However, the Report also draws attention to improvement needed in areas such as monitoring and review of the risk management and internal control systems, avoiding boilerplate language in the application of the Code and focussing on reporting the outcomes of governance processes and policies. Both preparers and reviewers of annual reports, particularly members of the audit committee, should consider the FRC’s findings ahead of their next reporting period.
The Executive Summary makes the following point:
“Corporate governance disclosures are an opportunity to build trust and understanding, and demonstrate why the UK is an attractive investment market, rather than being a compliance exercise.”
The review highlights the continuing need for high quality governance which is linked to effective decision-making by boards and management, for greater clarity as to how a company is applying the Code’s principles, and for clearer explanations where there are departures from Code provisions so that shareholders and stakeholders have greater confidence in the quality of governance.
Across the Report, the FRC sets out a number of key messages to draw attention to areas recommended for further improvement, including:
Monitoring and reviewing the effectiveness of the risk management and internal control systems
The FRC notes there has been ‘little year on year improvement’ in the quality of reporting of the assessment of risk management and internal controls systems and highlights the monitoring and review activities as an area for particular focus. Only 20 companies provided insightful information on how the monitoring and review activities were conducted or what areas were covered. With the increased focus on the UK’s approach to internal controls, the FRC notes that most companies need to do more work to demonstrate robust systems, governance, and oversight.
Provision 29 of the Code states that ‘The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.’
The Report sets out the FRC’s observations regarding what makes good reporting in this area:
The FRC highlights that good reporting in this area will provide shareholders, markets, and other stakeholders with confidence in the systems companies have in place to identify, assess, and manage risk effectively and sustain their resilience.
Cyber and information technology
The Report also includes observations from cyber and information technology reporting. While the Code does not require reporting in these areas, the FRC commends companies which outlined the risks, opportunities, and importance of cyber security to their business. The FRC notes that boards should be comfortable with understanding the cyber risks in their business and how they are managed.
In addition, the FRC looked at the extent to which artificial intelligence (AI) was reported in the sample. Just under half of companies mentioned AI in their reports; however, none of these companies disclosed the board’s involvement in their approach or oversight of AI. Once again, the FRC has encouraged boards to have a clear view on how AI is being used and developed in a responsible manner and ensure the necessary governance processes are implemented. This may warrant further training and education of boards.