“More governance. More reporting. Yet more for the Committee to deal with.” That may well be an accurate response to the updated UK Corporate Governance Code. But it would be the wrong way of looking at it.
As with just about any governance requirement, you’re stuck with it—so you might as well make the best of the situation. And, in fact, what can at first appear to be an imposition can often bring benefits.
Maybe I’ve put on my rose-tinted spectacles, but let’s look at the changes that audit committees and risk committees will need to deal with ahead of the introduction of the new requirements from the 2026 reporting year.
There are all sorts of steps that the committees will need to take over the next couple of years. For some regulated financial institutions, it is likely that many of the processes, controls and assurance coverage that will be needed are already in place. But even they could gain from asking themselves whether there would be some benefits from doing more work around the effectiveness approach.
Committees will be working out what they need to do. So rather than walk through those steps, let’s think through just some of the benefits they should be looking for:
Assess the effectiveness of the risk management and internal controls framework
This change requires boards to explain how they have done this, not just confirm that they have. Often boards will focus on the processes and structure: does the framework look like what we’re supposed to have?
That’s combined with some partial assessment from internal audit on how it’s working, along with some form of confirmation from management and exception reporting.
But what really matters is the impact that the framework has on the way the organisation is run. How does it affect management judgment and decision-making? How are risks and controls taken into account? How is the risk-reward balance assessed? How do those at the coal face understand the risks and the control demands and work within these?
This brings us to risk culture. It’s naturally acknowledged that the culture has to be the bedrock of sound risk management. But how many boards or executive teams take a structured approach to assessing the risk culture across the organisation? Boards are increasingly used to trying to get a picture of the organisational culture, but that’s different from looking at attitudes and behaviours around risk and control.
Being a learning organisation matters, too. Are lessons learnt and shared? Not only those experienced by the business itself, but also learnings from the experience of other organisations, or perhaps from different offices or subsidiaries of your own.
So boards should be developing effectiveness models to help capture different aspects of effectiveness, explicitly including culture and learning as just two examples. And it should be obvious that if the board and executive can get a better grip on the different influences on effectiveness, there should be business benefits to be had too.
Make a declaration on the effectiveness of material controls
This second main new requirement also calls for an explanation from the board of how weaknesses will be tackled or have been already. Defining a “material control” should, in itself, lead to a beneficial discussion.
Is this around financial materiality and impact? The extent to which it protects us from risks to reaching our strategic goals? The significance of the impact on key stakeholders? Or possibly the risk to our reputation?
There are quite a few other angles and the definition needs pinning down. That way the focus of efforts and investment around material controls is clear, and all can be on the same page and understand why they matter. It also helps determine where to direct limited assurance and compliance resources.
Describe the approach to identifying and managing emerging risks
Often this approach is a bit vague, partly because the emerging risks are themselves quite ill-defined. How can you have a risk management response in place for a risk that has yet to take shape fully? Boards often are reluctant to spend time on weakly defined, future risks, and will hold back on pushing management over the response.
But the new requirement will mean that more needs to be done to define what is meant by ‘emerging’, and to understand the processes that management have in place to develop their response in line with (and preferably ahead of) the development and growth of the risk. And then to keep track of the development of the risk and response.
The benefit comes not from certainty or precision but from the confidence of knowing that structured processes are in place for spotting risks that might otherwise slip beneath the radar or come on more strongly than expected.
At the same time, this encourages management to look ahead: often the pressures of the day-to-day or the shorter term can mean that neither management nor the board has the time or inclination to speculate. If it all becomes a bit too late, the risk develops into, at worst, an immediate threat, or at least a risk that cannot be ignored and that demands management time and investment.
Among the frustrations and demands of new requirements, there are significant benefits to be had. As is so often the case, governance works well if there is a benefit to the business. So it’s important to search for that and keep the value front of mind, even when it’s tempting to respond with “No, please, not more!” or “We’re on top of that already.”
Even if it involves a sigh and a resigned recognition that there’s not much you can do about it, look for the benefits and you may well find that they are real and will make a difference.
Richard Sheath is a director of Independent Audit Limited, the board performance and governance effectiveness specialists.