Six steps to prepare for risk management and internal control changes

Companies listed within the Commercial Companies category are already preparing for the 2024 UK Corporate Governance Code (the Code).

In brief

  • From 1 January 2025, companies will have to apply the principles of the revised 2024 Code and comply with, or explain against, its provisions.
  • The revisions require changes to both underlying governance process and to annual reporting, with a new emphasis on an outcomes-oriented narrative.
  • Companies are already taking steps to prepare for changes to risk management and internal control requirements, effective from 1 January 2026.

The next two years will bring significant changes as commercial listed companies prepare for the 2024 UK Corporate Governance Code (the Code). Addressing the changes (PDF) will require enhancements to both underlying governance processes and narrative reporting.

Part 1: Enhancing underlying processes

Good corporate governance underpins the UK's attractiveness as a place to do business. The new requirement in Provision 29 of the Code for an explicit declaration by directors on the effectiveness of material controls is a positive and proportionate enhancement of the board of directors' responsibilities.

However, there is little guidance on how directors can approach these changes in practice. Our publication, Addressing the new risk management and internal control requirements, including Provision 29 (PDF), discusses how companies are tackling the challenges of identifying material controls, defining their effectiveness, agreeing on the levels of confidence required by the board and revisiting the board's role in monitoring and reviewing the risk management and internal control framework. 

When executed well, these enhancements to risk management and internal control will drive operational improvements, lead to better decision-making, safeguard resilience and enhance stakeholder value. In turn, this will improve trust in companies and help build a better working world.

Our engagement with companies indicates that they are at different stages of preparation and maturity. Addressing the new requirements will progress at different speeds depending on the availability of resources and organisational complexity. The reputation of UK directors is at stake if they have to report failures in material controls in the public domain. To be ready for the first year of compliance with Provision 29, companies with a December year-end should complete the following six steps over the next 12 months:

1. Establish a cross-functional team

When the exact outcomes of revisiting the Code were uncertain, many companies focused their efforts on strengthening and streamlining internal controls over financial reporting. The declaration introduced by the Code, however, covers all material controls. This requires a cross-functional management steering committee, where representatives of the second and third lines have an important role to play.

2. Agree on the definition of material controls

As there is no prescribed definition of a material control, many organisations find it challenging to agree on what these are and how many there should be. Boards should consider controls that:

  • Address the risk of material errors in both financial and non-financial reporting

  • Mitigate principal risks that could affect the long-term sustainability of the business 

There is no set benchmark for the number of material controls. This will depend on several factors, many of which are company-specific. We expect that directors will prefer to assess the operational effectiveness of a smaller number of more pervasive controls, such as entity-level controls or management-level oversight committees, performed at higher levels in the organisation.

3. Determine disclosures and principal risks needing material controls 

Referencing the internally developed definition, agree on which disclosures and principal risks require material controls. Companies that have an assurance policy are finding it helpful in identifying those non-financial disclosures that stakeholders, and especially investors, rely on for decision-making. The board can look to viability statement scenarios to challenge the appropriateness of selected principal risks.

4. Conduct a walkthrough for one principal risk

Success depends on management bringing the board along on the journey. Presenting a finalised list of material controls may backfire if directors do not have confidence in the approach taken in developing it. Explaining the proposed approach to directors by choosing one principal risk as an example to walk through the process can safeguard against such unintended consequences.

5. Establish an initial list of material controls and assign ownership and oversight

Once the board is satisfied with how material controls are identified or implemented, an initial list can be established. It is then important to provide clarity not only on who the control's owner will be but also on whether the board or one of its committees will be responsible for overseeing the control. 

Defining the effectiveness of material controls may be complicated and less binary than for transaction-level controls. Proper documentation of the controls will be essential. Companies could look to the COSO framework (PDF), developed by the Committee of Sponsoring Organizations of the Treadway Commission, to help determine the documentation required to support the board’s assessment.

6. Agree on the target level of confidence and determine the confidence gap 

Finally, the board will need to determine what evidence it will require to form its view on the effectiveness of material controls. The Code does not introduce an explicit requirement for internal assurance. Consequently, we refer to levels of ‘confidence’ rather than ‘assurance’ to reflect this flexibility. When determining target levels of confidence with respect to principal risks, boards should consider, amongst others, their risk appetite and impact on resilience. For disclosures, considerations may include the potential for error and reputational consequences. 

If existing activities across the three lines and any external assurance do not provide the evidence needed to achieve the target level of confidence required by directors, management must propose plans to address the confidence gap. These should be in place for 2026. 

Agreeing the level of confidence required by the board

Part 2: Enhancing narrative reporting

Reporting under Provision 29 of the 2024 Code on how the board monitored and reviewed the effectiveness of the risk management and internal control framework will also need to change. In addition, the Financial Reporting Council (FRC) has set companies a new challenge: Governance reporting should focus on board decisions and their outcomes in the context of the company’s strategy and objectives. 

Helping companies address these reporting changes is among the top themes of our Reframing the governance narrative (PDF) publication.

We have advocated for action-focused and outcome-oriented reporting — in fact, the title of our 2020 publication on FTSE 350 narrative reporting trends was From intent to action (PDF). This, however, remains an area that requires improvement, for example:

  • Only 18% of companies disclose board activities in a manner that is clearly linked to decisions or outcomes.
  • Only 24% of companies provide insights into the outcomes of culture monitoring, and a mere 9% confirm that their actual culture aligns with the desired one.

Companies need to get better at following up on commitments made in previous years and disclosing the outcomes of stakeholder engagement. Furthermore, a more detailed and comprehensive process narrative of how the board monitors and reviews the risk management and internal control framework will be required. This is important as it is ‘the basis’ on which the directors make their declaration on the effectiveness of material controls — the outcome. 

Currently:

  • Just over a third of companies refer to assurance processes as part of discussing mitigating actions for a subset of their principal risks.
  • Only around 30% of companies identify a risk owner, and just 12% explain which governance body has oversight of that particular risk.
  • Only around a third of companies provide a risk appetite rating or a specific risk appetite statement for each principal risk.
  • Although more than three-quarters of companies disclose a year-on-year change in overall risk profile, less than a third of these disclose how mitigating actions evolved as a result.

Our 2023 publication on narrative reporting trends, Striking the right balance (PDF), remains relevant to other areas of front-half reporting.
Summary

Companies should not underestimate the effort required to comply with the revisions to the 2024 Code. Many firms have already started analysing what changes will be necessary to their risk management and internal control framework. For some, defining and identifying material controls is proving to be a challenge. In addition, the annual report narrative requires a whole-scale rethink to meet the challenge of outcomes-based reporting. Boards wanting to tell a cohesive and compelling story about governance over risk management and internal control should not wait, but take action in the next reporting cycle to enhance and restructure the existing narrative.