This article was first published in the January 2016 UK edition of Accounting and Business magazine.

UK-listed companies may not be thrilled about the idea, but they now have a new compliance regime to contend with.

‘After a long and difficult gestation, the 2014 UK corporate governance code is now upon us,’ wrote Mark O’Sullivan, director of corporate reporting at PwC, in a blog back in March 2015. ‘There’s been a lot of resistance along the way but the denial phase is over. Companies are being challenged to look again at the ways they assess and report on their plans and prospects, and the risks associated with them.’

During the consultation, The 100 Group – a quietly influential organisation comprising the FDs from the FTSE 100 companies and a few large privately owned companies – told the Financial Reporting Council (FRC): ‘We have concerns regarding the proposed changes to the code’. BP even told the FRC that the new code would increase the chances of the company being sued.

Nevertheless, the new code is now here. Finalised in September 2014, it came into effect for companies whose balance sheet dates fall on or after 30 September 2015. The first trickle of annual reports subject to the new code are appearing on investors’ desks, while the torrent of December year-end reports will start arriving any day now.

But what’s the big deal with the new corporate governance code? It hinges on two significant amendments to the previous code and two additional statements that companies must provide (setting aside some relatively straightforward changes relating to bonus clawbacks and the election of directors).

Identifying weaknesses

For years, boards have had to report that they have undertaken a review of the effectiveness of their internal controls. Now, the new code says they also have to report on that review. ‘They now have to talk about what they did and what the outcomes were,’ says O’Sullivan. ‘And they need to identify – if they exist – any significant failings or weaknesses. So one key area of focus is what constitutes a significant failing and weakness.’

The other important amendment is that the code clarifies the requirement that companies not only review their internal controls but monitor them on an ongoing basis. ‘It’s suggesting more of a year-round process rather than a once-a-year,’ says O’Sullivan. ‘So how do we monitor and how frequently should we do so? And what hurdle do we set as to whether something is a significant failing or weakness or not?’

One of the more contentious aspects of the new code has been the introduction of a ‘viability statement’. Up until now, companies have had to report whether the going concern concept applies, with the general assumption that this means the company will be around for something more than the next 12 months. The new viability statement requires companies to look ‘significantly’ further ahead than that. In fact, they have to specify a time period over which the company looks to be viable.

Derwent London, a FTSE 250 property company, was an early adopter of the code, with its 2014 annual report. It issued a viability statement covering a five-year period. Some other early adopters, such as FTSE 250 asset management group ICG, have opted for three years.

However, what matters, says O’Sullivan, isn’t the period chosen, but ‘the context by which you explain that period – and that may trip some companies up’.

Matthew Lester, CFO of Royal Mail Group and chairman of The 100 Group’s investor relations and markets committee, isn’t concerned that different companies will have different periods for their viability statements – it reflects their particular business reality. ‘For well-informed investors it does not represent a problem at all,’ he says. ‘The issue could be that [less diligent] people could go and say that company X only puts its viability for three years and is therefore a much riskier company than a company that puts out 10 years.’

Risk ranking

The code now also requires companies to report on their principal risks and what they are doing to mitigate them. Previously, the wording was for ‘significant risks’.

The FRC said in its final draft of the code that the change was to match the wording of the strategic report requirements of the Companies Act 2006.

But David Jackson, company secretary of BP, told the FRC that the change ‘will expose us to increased legal and regulatory risk’. The word ‘principal’, he said, ‘will imply that these risks are the most important or have been selected from key risks. Asking companies to effectively “rank” their key risks could expose them to litigation in the circumstances that an event impacting the company later takes place that has not been identified as a principal risk.’

Jackson added that, in calling for companies to explain how risks are being mitigated, the code contradicts the requirements of the Securities and Exchange Commission (SEC), which is responsible for the corporate governance code in the US. The FRC said: ‘This is not an argument against improving reporting standards in the UK.’

Lester, who wrote The 100 Group’s response to the FRC consultation, is broadly supportive of the FRC’s stance. He rails against the kitchen-sink approach in which almost every conceivable risk is dumped into the annual report, generating ‘40 pages of meaningless guff. I therefore encourage the FRC to continue working away at this one.’

But Lester did initially have concerns about the code. While he thought it was ‘encouraging better disclosure of risks and a meaningful assessment of their impact’, he was concerned that the viability statement would deteriorate into a succession of uninformative boilerplates and was therefore unnecessary.

He says: ‘Those companies that take stewardship very seriously are already giving a lot of consideration to the risks and disclosing the risks, and incorporating risk management in how they describe how the company is managed and the risks it faces.’ He says the extra compliance burden is marginal but adds: ‘We heard from investors that they were fearful that not all companies were taking it as seriously as we, The 100 Group, were.’

O’Sullivan agrees there is a risk of boilerplate statements, but says that’s not really the point. He thinks the real benefit of the code lies in ‘raising the bar and raising the degree of challenge that the board places on management around risk management and internal controls. That internal challenge may not manifest itself in external disclosure but may improve the quality of risk management.’

Lester agrees that changing behaviour must have been the FRC’s intention. ‘But I fear that what is actually going to happen is that there is going to be a lot more disclosure and no change in behaviour,’ he says.

He says, however – more than once – that The 100 Group are supporters of the code. ‘We welcome the fact that the code is kept refreshed and people consider it in the light of recent learnings. And I think that the way this has turned out is that 90% or 95% of what we would have wanted to see in the code is there.’

Which is just as well – because it’s here, now, and we’re about to see its effects.

Andrew Sawers, journalist