Background:
The UK FRC has launched a consultation on revisions to the UK Corporate Governance Code for the first time in five years.
Summary:
The main proposed changes concern those parts of the code that address the need for a more robust framework of prudent, effective risk management and internal controls. The proposed changes aim to provide a stronger basis for reporting on, and evidencing the effectiveness of, the framework during a given reporting period.
New draft legislation is already being prepared which will include a requirement for companies with a high number of employees or a high level of turnover to produce a Resilience Statement (this might tie in nicely with the Operational Resilience work being led by the FCA for financial services firms vis-à-vis DORA in the EU). Notably, the UK FRC also plan to build upon previous guidance, adding to it by the end of the year. Look out for this guidance, “Risk Management Internal Control and Related Reporting”, but the advice would be to take some proactive steps now.
Assessment and Impact:
Annual Reporting
Whilst expectations set out in Corporate Governance Codes traditionally relate to “Financial Reporting”, the UK FRC plan to broaden this for the purpose of Annual Reports to include requirements for an explicit Directors Statement about the effectiveness of the company’s internal controls and a basis for that assessment. Even where Annual Reports make reference to effectiveness today, this is often only high-level, for example: “systems have been effective during the year or that no material weaknesses have been identified”.
Moving beyond the “financial” in “financial reporting” is an important step and will highlight more significant issues impacting a company’s strategy, operations, reporting or compliance activity. This will require organisations to draw on existing risk assessment capabilities, for example the Financial Crime Business Wide Risk Assessment (BWRA), which is in place to identify and assess financial crime Risk Areas, Threats and Risk Indicators and, in turn, the effectiveness of the Financial Crime control framework. UK Corporate governance guidance suggests these types of assessments should be performed at least annually, with further expectations set out in relevant regulations (e.g. UK Money Laundering Regulations) and by the FCA in their Regulatory Handbook for Financial Crime. Keeping these up to date and dynamic is imperative to keep ahead of the rapidly evolving threat landscape. Depending on these assessments, however, first requires them to have been designed effectively.
It is Acuminor’s view that the changes will improve the quality of Annual Reports, which can be used for a number of purposes: not only capital allocation decisions by investors, but also to support acquisition due diligence. The acquisition of a Canadian bank was recently prevented by the regulator due to potential weaknesses in their financial crime control framework. This is a key example whereby failing to ensure the effectiveness of financial crime controls has acted as a barrier to growth, which can have significant strategic consequences for a business, and in turn shows why the BWRA is so imperative.
How will the Guidance be enhanced?
The Financial Reporting Council will update their Guidance at the end of the year, building upon previously issued guidance; this will cover many topics, some of which include:
- Role of the risk management and internal control framework in achieving the company’s objectives and its key elements
- Skills and experience, delegation of duties and responsibilities including those of management and their day-to-day responsibilities
- The difference between continuous monitoring and a review and Board’s decisions about frequency and
- Procedures to identify and manage emerging risks.
- What constitutes an effective risk management and internal control framework, and what is considered a material weakness [1] vs a deficiency [2]
- Areas that the board should particularly consider when carrying out a review of the effectiveness, for example:
  - the design, implementation and operation of the risk management and internal control systems,
  - the risk appetite
  - management’s reporting to the board
Self-Assessment Considerations
The guidance also plans to build out further self-assessment questions in addition to those included in earlier guidance documents, ‘Internal Control - Revised Turnbull Guidance For Directors On The Combined Code’ (see Appendix 5). Suggestions include:
- “Does the company have clear objectives and have they been communicated so as to provide effective direction to employees on risk assessment and control issues?”
- “Are authority, responsibility and accountability defined clearly such that decisions are made and actions taken by the appropriate people?”
Suggested Next Steps
From a financial crime perspective, it is recommended that firms first and foremost review the quality and effectiveness of their financial crime risk assessment, not only considering how internal processes or technological solutions enable the identification of emerging threats and risks, but also kicking the tyres on how the design and effectiveness of controls are assessed.
Consider whether a manual, spreadsheet-based approach which draws inputs from lengthy inherent risk questionnaires is appropriate. Does such an approach lead to high-quality, dependable outputs? What impacts could potential errors associated with these processes have for the downstream framework you wish to implement and assure? So too, consider the quality of methodology: are the methods via which you identify residual risk following the assessment entirely subjective? How can you evolve this to combine both objective and subject matter expertise?
Alongside this, what are your risk management objectives and how do these influence your risk appetite? Have you implemented a Roles and Responsibilities Framework? Is it being followed? How do you oversee this? Who should be accountable for the BWRA?
Acuminor supports the changes proposed by the consultation, as we believe this will lead to better outcomes in the long run, not only improving corporate transparency but helping drive further focus on the importance of the BWRA as part of an organisation’s financial crime framework. If your organisation would like to talk about your existing intelligence or business risk assessment capabilities, or if you are considering a technological solution like Acuminor’s Risk Assessment Professional, don’t hesitate to contact Acuminor via sales@acuminor.com or acuminor.com. We think this could be a crucial proactive step, improving confidence in the design and operating effectiveness of your control framework and providing the basis for attestations required for annual reporting purposes.
[1] “A fault, deficiency or failure in the design or operation of the risk management and internal control framework, such that there is a reasonable possibility that the company’s ability to identify, assess, respond to or monitor risks to its strategic, operational, reporting and compliance objectives is adversely affected”
[2] “could be a shortcoming in the design, implementation or operation of any of the components of the risk management and internal control systems. It could affect any of the company’s strategic, operational, reporting or compliance objectives”