FRC: Revised UK Corporate Governance Code 2024 published
On 22 January 2024, the Financial Reporting Council (FRC) published an updated UK Corporate Governance Code (2024 Code). This follows publication of a consultation paper (Consultation) in May 2023 which proposed revisions to the 2018 UK Corporate Governance Code (2018 Code), and a subsequent Policy Statement published by the FRC in November 2023 which gave an indication of the revisions to be made in the 2024 Code.
Background
The Consultation followed the UK Government's June 2022 response to the White Paper, Restoring Trust in Audit and Corporate Governance, which identified areas of the 2018 Code that could be strengthened, particularly around directors' responsibilities for internal control, risk, audit and corporate reporting. Further details of the Consultation are in our briefing Changes proposed to UK Corporate Governance Code - Potential implications for listed issuers.
However, when the Government’s previously announced plan for primary legislation to modernise the regulation of audit, corporate reporting and governance was not included in the King’s Speech 2023, the FRC’s Policy Statement noted that, following engagement with stakeholders in relation to the Consultation, the FRC had decided to take forward only a small number of the original 18 proposals in the Consultation and to stop development of the remainder.
Section 1 – Board leadership and Code purpose: Key changes
- Principle A: To ensure the company can meet its objectives and measure performance against them, this revised Principle makes it clear that boards will need to have not just the necessary resources to do this, but also the necessary policies and practices.
- Principle C: This new Principle sets out the expectation that governance reporting should focus on board decisions and their outcomes to demonstrate the impact of the company’s governance practices. The updated Introduction to the 2024 Code notes that this should help companies streamline and focus reporting on the 2024 Code and mean that unduly long explanations of policy can be avoided. The Principle also states that where the board reports on departures from the provisions of the 2024 Code, it should provide a clear explanation.
- Provision 2: A revision to this makes it clear that while boards must continue to assess and monitor culture, they must also assess and monitor how the desired culture has been embedded.
Section 3 – Composition, succession and evaluation: Key changes
- Principle J: This Principle has been revised to require appointments and succession plans to promote diversity, inclusion and equal opportunity. References to specific diversity characteristics are no longer included given diversity policies can be wide ranging.
- Principle L: This makes clear that as part of the annual board evaluation, the board’s performance should be considered alongside its composition, diversity and the effectiveness of its members in working together to achieve objectives.
- Provisions 21, 22 and 23: In each of these Provisions, reference is now made to a “board performance review” rather than to a “board evaluation”, reflecting the addition in Principle L above.
Section 4 – Audit, risk and internal control: Key changes
- Principle O: This has been amended to require the board to establish and maintain an effective risk management framework, as well as an internal control framework.
- Provisions 25 and 26: These Provisions, which set out the main roles and responsibilities of the Audit Committee, as well as the matters it should report on, have been amended to reflect the requirements set out in the FRC’s Minimum Standard: Audit Committees and the External Audit, published in May 2023 and to avoid duplication with that Minimum Standard.
- Provision 29: This heavily amended Provision (which will not apply until financial years beginning on or after 1 January 2026) relates to the role of the board in its monitoring and effectiveness review of the company's risk management and internal control framework. That monitoring and review should in future cover reporting controls, as well as financial, operational and compliance controls which are currently specified as part of the monitoring and review of all material controls. In addition, there is a new requirement for the board to provide the following in the annual report:
  - A description of how the board has monitored and reviewed the effectiveness of the framework.
  - A declaration of the effectiveness of the material controls at the balance sheet date.
  - A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.
Section 5 – Remuneration: Key changes
- Provision 37: This Provision has been expanded to specify that directors’ contracts and/or other agreements or documents relating to directors’ remuneration should include malus and clawback provisions.
- Provision 38: This is a new Provision requiring the annual remuneration report to include a description of its malus and clawback provisions. This description should include the following:
  - The circumstances in which malus and clawback provisions could be used.
  - A description of the period for malus and clawback and why that period is best suited to the organisation.
  - Whether the malus and clawback provisions were used in the last reporting period and, if so, a clear explanation should be provided in the annual report.
Effective date of 2024 Code changes
All changes apart from those relating to Provision 29 concerning the risk management and internal controls framework will come into effect for accounting periods beginning on or after 1 January 2025. This means that premium listed companies (whether UK or overseas incorporated) with a financial year end of 31 December will need to start reporting against the 2024 Code in their annual report and accounts for the year ending 31 December 2025.
In light of the new arrangements companies will have to put in place to be able to report against revised Provision 29, the effective date for reporting against that Provision is accounting periods beginning on or after 1 January 2026. Until then, Provision 29 of the 2018 Code will continue to apply.
Next steps
The FRC is proposing to publish digitally accessible guidance to accompany the 2024 Code on 29 January 2024. While not forming part of the Code, that guidance is aimed at helping boards consider how they might comply with the 2024 Code.
(FRC, UK Corporate Governance Code January 2024, 22.01.2024)
(FRC, FRC revises UK Corporate Governance Code, 22.01.2024)
Companies House: Get ready for changes to UK company law
On 22 January 2024, Companies House published a further blog post about changes resulting from the Economic Crime and Corporate Transparency Act 2023 (ECCTA) that are likely to come into effect in early March 2024. This follows a previous Companies House blog post on the changes published on 3 January 2024.
Companies House is aiming to introduce the first set of changes on 4 March 2024 though the precise date depends on parliamentary timetables as secondary legislation is needed to introduce the changes.
The blog post focuses on the following changes:
New rules for registered office addresses
From 4 March 2024, companies must have an ‘appropriate address’ as their registered office. This is one where:
- any documents sent to the registered office should be expected to come to the attention of a person acting on behalf of the company; and
- any documents sent to that address can be recorded by an acknowledgement of delivery.
Companies will not be able to use a PO Box as their registered office address from 4 March 2024, though they can continue to use a third-party agent’s address if they meet the conditions for an appropriate address. Companies using a PO Box as their registered office address will need to change it by 4 March 2024.
Companies that do not have an appropriate registered office address could be struck off the register. When Companies House identify an inappropriate registered office address, they will change it to a default address held at Companies House. The company must then provide an appropriate address, with evidence of a link to that address, within 28 days. If Companies House do not receive this evidence, they will start the process to strike the company off the register.
Registered email address to be provided
From 4 March 2024, all companies will have to provide a registered email address to Companies House but that email address will not be published on the public register.
From that date, new companies will need to provide a registered email address on incorporation. Existing companies will need to provide a registered email address when they file their next confirmation statement with a statement date from 5 March 2024.
Companies will have a duty to maintain an appropriate registered email address, in the same way as their registered office address. Any company that does not do this will be committing an offence.
Statement of lawful purpose
On a new company incorporation from 4 March 2024, the subscribers will need to confirm that they are forming the company for a lawful purpose.
Companies will also need to confirm the company’s intended future activities are lawful on the annual confirmation statement from 4 March 2024.
(Companies House, Get ready for changes to UK company law, 22.01.2024)
DSIT: Draft Cyber Governance Code of Practice – Call for views
On 23 January 2024, the Department for Science, Innovation and Technology (DSIT) published a draft Cyber Governance Code of Practice (Cyber Code) to help directors and others in organisations of all sizes shore up their organisation’s defences from cyber threats. Views on the Cyber Code are being sought.
Aimed at executive and non-executive directors and other senior leaders, the measures in the Cyber Code seek to establish cyber security issues as a key focus for businesses, putting them on an equal footing with other threats such as financial and legal issues.
A key focus of the Cyber Code, which has been designed in partnership with industry directors, cyber and governance experts and the National Cyber Security Centre (NCSC), is making sure organisations have detailed plans in place to respond to and recover from any potential cyber incidents. This plan should be regularly tested so it is as robust as possible, with a formal system for reporting incidents also in place.
Organisations are also encouraged to equip employees with adequate skills and awareness of cyber issues so they can work confidently alongside new technologies.
Views, to be submitted by 19 March 2024, are sought on three particular issues as follows:
Design of the Cyber Code
The draft Cyber Code (set out in Annex A) is presented in the form of five overarching principles with relevant actions underneath each principle. The actions are not framed in technical language and they go beyond being outcomes focused to provide a clearer expectation of directors. The aim of this is to make it easier for directors in organisations of all sizes to understand which actions they should be taking, and why, so that they can better govern cyber risk. However, the Government seeks views on whether the actions that directors should be taking to govern cyber risk are presented and explained in a way that is straightforward to understand and implement.
The Government notes that further guidance on implementation of the principles and actions in the Cyber Code is provided within the NCSC’s Cyber Security Toolkit for Boards and the two will work together to form a coherent set of guidance for boards, directors and their senior advisers. However, views are sought as to whether further guidance would help industry implement the Cyber Code effectively.
Driving uptake of use and compliance with the Cyber Code
The Cyber Code would be launched as a voluntary tool but it would support and align with a number of existing regulatory obligations. The Government plans to work closely with regulators and competent authorities, as well as broader sectoral regulators, to embed the Cyber Code in the existing regulatory landscape as and where it relates to cyber security and broader resilience.
However, views are sought on where the Cyber Code may be best placed and promoted to ensure it reaches directors and forms a core aspect of their knowledge base on risk management in a digital age, as well as on the role other bodies could play in the implementation and uptake of the Cyber Code. Views on potential barriers to implementation that should be considered are also called for.
Merits of and demands for an assurance process against the Cyber Code
To drive uptake, the Government is also seeking views on the benefits and risks of implementing either a self or independently assessed assurance process against the Cyber Code. Views are sought on potential demand for an assurance mechanism to support the implementation of the Cyber Code, who might find value in an independently assured ‘badge’ and for what market communication and transparency purposes it would be used. Equally, views are sought on associated risks of assuring cyber governance.
(DSIT, Draft Cyber Governance Code of Practice – Call for views, 23.01.2024)