The Risk Coalition

Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code

October 13, 2023

In a recent Risk Coalition Risk Committee Chairs Forum roundtable discussion, held in conjunction with Ashurst Risk Advisory, senior risk professionals and a representative from the Financial Reporting Council gathered for an animated debate regarding the risk management and internal controls implications of the proposed changes to the Code.

The proposed changes and what they mean

A key proposed change under the UK Corporate Governance Code would require the Board to conclude on the effectiveness of, and any material weaknesses in, risk management and internal controls relating to operations, reporting and compliance. The Board will also need to explain the basis for its conclusions.

The group unanimously agreed most sensible Boards will therefore likely require a suitable cascading risk management framework to support any conclusions.

Whilst a key feature of the UK's corporate governance approach includes the 'comply or explain' principle, senior Board members felt as accountable individuals they would want to have gathered the relevant support to make any form of statement in relation to the effectiveness of internal controls.  Therefore, whilst the idea of ‘explain’ (instead of ‘comply’) allows for flexibility in approach, it was felt doing nothing, despite the proposed changes, was not an option at all.

The reality in relation to how organisations oversee and manage their risks today

The wide-ranging nature of risk management and internal controls caught by this requirement, which are not limited to financial statement controls, will be a challenge for many organisations.  

Perhaps the most fascinating revelation of the debate was the unanimous agreement by the senior risk professionals that most organisations do not have the right level of risk management framework in place to be able to confidently meet the requirements of the Code.

Whilst a roundtable participant questioned the validity of this statement (after all, Boards have to manage risk today!), the senior risk professionals in the room insisted there is much work to be done (outside of the larger financial services organisations). This includes (i) development of a more holistic risk management framework and taxonomy; (ii) appropriate measures in relation to risk appetite, risk tolerance and material risk; (iii) detailed documentation of processes and controls in relation to operational, reporting and compliance risk; (iv) better delineation of roles and responsibilities; and (v) a clearer connection between the risk framework and the work of the first line, compliance and internal audit.

We might do well to remember the intended outcomes of the proposed changes

As the discussion moved on to the 1 January 2025 deadline, a rather bold comment was made: the final Code and the deadline might need to recognise that this will be an evolution, with a tolerance for improvement in risk management practices which would likely continue over the following years.

It was explained that the proposed Code changes and the deadline were being driven by a governmental request. Other roundtable participants noted that we might do well to remember the intended outcomes of the government's requests. These are to drive better standards of boardroom accountability, improve corporate governance, enhance internal control oversight, and vastly improve risk management standards. Additionally, the changes are part of the overall effort to minimise the risk of bad market outcomes due to poor risk management practices which do not adequately pre-empt and manage the volatile nature of risks specific to an organisation.

It was felt a deadline for the sake of a deadline will not achieve anything and may in fact lead to the wrong outcomes.  After all, we are where we are for a reason, and it is clear there is much work to be done.

The guidance

As expected, the conversation could not conclude without a few questions on the FRC's much anticipated supporting guidance.

Broadly, the group acknowledged the FRC would not be able to publish a one-stop solution for every organisation, and whilst concepts such as material controls could be common at a concept level, the actual material controls would depend on the organisation, its business and its operating model.

Notwithstanding this, there was a unanimous request for the guidance to cover the key concepts of a risk management framework and what good might look like. A concern was expressed that without this some organisations may not know what to do, or may choose not to acknowledge what good looks like. Whilst it was felt organisations would each need to find a tailored and proportionate solution, there are still basic parts of every approach which should be in place to aid better market outcomes and better standards, and to avoid the competitive advantage which may come from applying inadequate standards.

Are we moving to a model of taking zero risk?

As the debate drew to a close, a very sensible question was asked in relation to UK competitiveness and whether the proposed changes to the Code were increasing the burden on UK firms.

It was suggested that the complexities behind making the UK competitive again were not down to the Code reforms, and if anything, these reforms were intended to make UK companies a safe bet.

I also chimed in to talk about my work on (and personal interest in) the UK Capital Markets Reform, where it has become clear there are a lot of complicated factors at play, for example tax, listing rules, education of young people, investment habits etc. We ended on the important note (and reminder) that this type of reform (and, of course, regulation in general) offers a level playing field and a set of guardrails for organisations to follow. These guardrails allow for better risk management decisions to be made. The key here (and perhaps the biggest change to be made) is accepting that this requires a mindset shift: these types of reforms are not there to promote a zero-risk approach to risk management at all. They are in fact in place to empower organisations with the tools to make better informed decisions about which risks, and what level of risk, to take. If done properly, UK companies can avoid firefighting when caught out by risk, and perhaps can even start to think about making commercial risk-based decisions. Now there is a revelation.

Nisha Sanghani is a Partner at Ashurst Risk Advisory (the consulting division of Ashurst), and heads up the Regulatory, Governance, Risk & Resilience Practice.  Prior to joining Ashurst, Nisha was the CEO of Rosediem Consulting.  Nisha is well known for her work advising Boards and organisations on risk and regulatory matters, including operationalising frameworks and operating models aimed at achieving better risk management whilst increasing corporate value. 

Tags: Nisha Sanghani
