It’s striking how little we are hearing about the revised UK Corporate Governance Code, or seeing audit committees react. Maybe it’s because the changes seemed quite tame, once the politics had led to a severely pruned rework. Or maybe it’s because a lot of the changes don’t kick in until 2026. Or perhaps it comes down to companies concluding that it’s all just about reporting.
Whatever the cause, boards need to come to a clear position once 2025 gets under way. If changes are needed, leaving it longer could end in an unhelpful rush at the 2026 reporting year deadline. That might mean a lost opportunity to get business value from the changes as time pressure leads to a minimalist, compliance-driven solution. So audit and risk committees need to decide: does this require much change for us (and, if so, what?) or can we rely on what we already do and just tweak the reporting?
It’s not straightforward. There is always the option to comply in form but not substance, simply looking to report that bit more—but that entails some risk. Making public statements in the annual report may not feel quite as demanding as reporting to a regulator but, if something goes wrong, it would be unsurprising if some start delving into the detail of directors’ statements in the annual report.
Minimal compliance is also rather a blinkered approach. Code-driven changes in reporting are often a good opportunity to stand back and check that you are doing things as well as you think. Reporting and compliance requirements can often drive better behaviours that bring benefits to the business, and not just to the auditors and lawyers.
Areas of focus
Let’s just recap briefly on the main changes, setting out what stands to be gained by not missing these opportunities.
First up, the change requires boards to explain how they have assessed the effectiveness of the risk management and internal control framework, not just to confirm that they have. Vague or boilerplate explanations could end up looking unconvincing. Too often we see committees that equate effectiveness with having recognisable ERM structures and processes, without also considering whether the risk management framework is having the intended impact. Sometimes they overlook things such as the risk culture, learning from risks that have crystallised, or the need to frame how things are working in the context of strategic development.
Next is the new requirement for the board to make a declaration on the effectiveness of material controls, along with an explanation of how weaknesses will be tackled (or have been already). Making a declaration is different from merely reporting on how the control framework works. The risks for the board and management are different—especially when you’re explaining how a previously identified weakness has been successfully addressed.
There is a raft of questions around how much documentation is needed and what processes need to be established: making a declaration on the effectiveness at balance sheet date will have to depend on effectiveness assessment during the course of the year. Most audit and risk committees will already be doing a lot around this, but structuring it to support certification may mean augmenting it to a level we don’t always see except, to a degree, in SOX compliance cases.
What’s needed will depend partly on what you define as “material”: there is no specific guidance and each board will have to decide.
There is also the approach to identifying and managing emerging risks, which will have to be described. Often, this is quite vague. What counts as “emerging” is unclear: how far out do you go before it’s unrealistic or nonsensical to try to assess the scale of the risk, never mind formulate a response?
We often see boards having interesting discussions around emerging risks at the strategic level, typically on their away day, but rarely does that go on to the next step of pinning down the response. Maybe it just needs to be a high-level description of how you scan horizons and begin developing the mitigation. But, with emerging risks being so varied in nature and immediacy, a general catch-all description might come over as bland and evasive.
The key to getting this right will be adopting the appropriate mindset. If you merely approach it from a compliance and reporting viewpoint, then the outcome will be process-driven reporting that convinces neither stakeholders nor the board itself.
Consider how this new requirement can actually help the business and the value should become evident. Won’t most businesses benefit from a rigorous approach to checking that risk management is having the expected impact? That material controls are, in fact, in good shape? And that emerging risks are being anticipated, and prepared for?
It can be hard to embrace new regulatory demands, especially when they appear to be just adding more and more to the annual report. Draw out the business benefits, however, and it should at least become positive rather than painful.
Richard Sheath is a director of board evaluation consultancy Independent Audit Limited