Six steps to prepare for risk management and internal control changes

Our engagement with companies indicates that they are at different stages of preparation and maturity. Addressing the new requirements will progress at different speeds depending on the availability of resources and organisational complexity. The reputation of UK directors is at stake if they have to report failures in material controls in the public domain. To be ready for the first year of compliance with Provision 29, companies with a December year-end should complete the following six steps over the next 12 months:

1. Establish a cross-functional team

When the exact outcomes of revisiting the Code were uncertain, many companies focused their efforts on strengthening and streamlining internal controls over financial reporting. The declaration introduced by the Code, however, covers all material controls. This requires a cross-functional management steering committee, where representatives of the second and third lines have an important role to play.

2. Agree on the definition of material controls

As there is no prescribed definition of a material control, many organisations find it challenging to agree on what these are and how many there should be. Boards should consider controls that:

• Address the risk of material errors in both financial and non-financial reporting

• Mitigate principal risks that could affect the long-term sustainability of the business 

There is no set benchmark for the number of material controls. This will depend on several factors, many of which are company-specific. We expect that directors will prefer to assess the operational effectiveness of a smaller number of more pervasive controls, such as entity-level controls or management-level oversight committees, performed at higher levels in the organisation.

3. Determine disclosures and principal risks needing material controls 

Referencing the internally developed definition, agree on which disclosures and principal risks require material controls. Companies that have an assurance policy are finding it helpful in identifying those non-financial disclosures that stakeholders, and especially investors, rely on for decision-making. The board can look to viability statement scenarios to challenge the appropriateness of selected principal risks.

4. Conduct a walkthrough for one principal risk

Success depends on management bringing the board along on the journey. Presenting a finalised list of material controls may backfire if directors do not have confidence in the approach taken in developing it. Explaining the proposed approach to directors by choosing one principal risk as an example to walk through the process can safeguard against such unintended consequences.

5. Establish an initial list of material controls and assign ownership and oversight

Once the board is satisfied with how material controls are identified or implemented, an initial list can be established. It is then important to provide clarity not only on who the control's owner will be but also on whether the board or one of its committees will be responsible for overseeing the control. 

Defining the effectiveness of material controls may be complicated and less binary than for transaction-level controls. Proper documentation of the controls will be essential. Companies could look to the COSO framework (PDF), developed by the Committee of Sponsoring Organizations of the Treadway Commission, to help determine the documentation required to support the board’s assessment.

6. Agree on the target level of confidence and determine the confidence gap 

Finally, the board will need to determine what evidence it will require to form its view on the effectiveness of material controls. The Code does not introduce an explicit requirement for internal assurance. Consequently, we refer to levels of ‘confidence’ rather than ‘assurance’ to reflect this flexibility. When determining target levels of confidence with respect to principal risks, boards should consider, amongst others, their risk appetite and impact on resilience. For disclosures, considerations may include the potential for error and reputational consequences. 

If existing activities across the three lines and any external assurance do not provide the evidence needed to achieve the target level of confidence required by directors, management must propose plans to address the confidence gap. These should be in place for 2026. 

Part 2: Enhancing narrative reporting

Reporting under Provision 29 of the 2024 Code on how the board monitored and reviewed the effectiveness of the risk management and internal control framework will also need to change. In addition, the Financial Reporting Council (FRC) has set companies a new challenge: Governance reporting should focus on board decisions and their outcomes in the context of the company’s strategy and objectives. 

Helping companies address these reporting changes is among the top themes of our Reframing the governance narrative (PDF) publication.

We have advocated for action-focused and outcome-oriented reporting — in fact, the title of our 2020 publication on FTSE 350 narrative reporting trends was From intent to action (PDF). This, however, remains an area that requires improvement, for example:

• Only 18% of companies disclose board activities in a manner that is clearly linked to decisions or outcomes.
• Only 24% of companies provide insights into the outcomes of culture monitoring, and a mere 9% confirm that their actual culture aligns with the desired one.

Companies need to get better at following up on commitments made in previous years and disclosing the outcomes of stakeholder engagement. Furthermore, a more detailed and comprehensive process narrative of how the board monitors and reviews the risk management and internal control framework will be required. This is important as it is ‘the basis’ on which the directors make their declaration on the effectiveness of material controls — the outcome. 

Currently:

• Just over a third of companies refer to assurance processes as part of discussing mitigating actions for a subset of their principal risks.
• Only around 30% of companies identify a risk owner, and just 12% explain which governance body has oversight of that particular risk.
• Only around a third of companies provide a risk appetite rating or a specific risk appetite statement for each principal risk.
• Although more than three-quarters of companies disclose a year-on-year change in overall risk profile, less than a third of these disclose how mitigating actions evolved as a result.

Our 2023 publication on narrative reporting trends, Striking the right balance (PDF), remains relevant to other areas of front-half reporting.