article banner
Article

BEIS consultation: corporate resilience

Announcement

January 2024 update - the FRC have now published a revised Corporate Governance Code with new Internal Control reporting requirements. For the latest see FRC Code update improves internal controls reporting.

In October 2023 the government announced it has withdrawn proposed secondary legislation (including the Resilience Statement discussed below), after companies and industry bodies again raised concerns about onerous reporting requirements.

The BEIS consultation will see an increase in the accountability of directors across several areas, as part of a move by the government to increase public trust in audit and corporate governance. We look at what this means for you.

One of the most important areas covered by the BEIS consultation is reporting on corporate resilience. In his report Sir Donald Brydon noted that:

“Arguably, the information shareholders want most is reassurance about the resilience of a company”

In response, the government is proposing that directors will be required to explain, in the annual report, how they are assessing the company’s prospects and addressing challenges to the business model over the short, medium, and long term.

This is a substantial expansion of existing responsibilities relating to risk disclosures, going concern and, for public interest entities(PIEs) applying the UK corporate governance code, viability reporting.

What's the current thinking on corporate resilience?

While no final decisions have yet been taken, the government has outlined its initial thoughts on what it would like to see. The core proposal is a new ‘resilience statement’ to be included in the report.

This will have three sections with different time horizons:

1 A short-term section broadly aligned with today’s going concern statement.

2 A medium-term section with a specified five-year outlook period. This must include at least two reverse stress testing scenarios.

3 A long-term section to explain the directors’ assessment of the major long-term challenges faced by the company and its business model, and how these are being addressed.

The outlook period is not defined, so the directors will have some discretion here. But it will need to be substantially longer than the five-year, medium-term period.

The government proposes that the risks addressed will mostly be determined by the directors, but some common resilience issues may be prescribed. The prescribed issues may include:

  • cyber security
  • climate risk
  • supply chain resilience
  • future investment needs
  • the sustainability of dividend polices
  • major disruptive events.

An effective resilience statement should also be coherent with, and linked to, other relevant parts of the annual report, such as the business model and strategy reporting.

The government is also inviting views on:

1Whether the resilience statement should include reporting in accordance with the Taskforce on Climate-Related Financial Disclosures framework (TCFD).

2 Phased introduction, starting with premium-listed companies with other PIEs to follow two years later.

What does this mean for audit and assurance?

Broadly speaking, today’s statutory audit encompasses going concern disclosures, but not risk and viability reporting. These are subject only to limited review for material inconsistencies.

The government wishes to encourage additional assurance on resilience reporting, but doesn't propose to mandate it. Directors will, therefore, need to decide whether to obtain additional external assurance. They will also need to explain their decision in the company’s audit and assurance policy - another new reporting requirement.

We also anticipate a critical role for the company’s internal audit function in challenging the contents of, and inputs to, the resilience statement. Effective scrutiny and challenge will be essential in helping directors get comfortable with content of the statement

Investor and other stakeholder expectations will undoubtedly play a part in shaping market practice.

All directors of PIEs fall under the scope of the new definition.

Article

UK SOX is coming: how can you get ahead of the curve?

Uncover what you need to know to stay ahead

What do the proposals mean in practice?

All companies affected will have experience in risk assessment, risk reporting and going concern. Listed companies and others that apply the UK corporate governance code (the UK Code) also have experience in viability reporting.

Section 

Typical impact on public interest entities that apply the UK corporate governance code, including listed companies

Typical impact on other public interest entities

Short term

Minor

This largely replicates going concern reporting

Minor

This, again, largely replicates going concern reporting

Medium term

Medium

This section will incorporate the existing viability statement, but also expands it:

  • looks out five years (common practice today is three)

  • include at least two reverse stress-test scenarios

  • may need to address some prescribed issues, such as digital security and climate risk.

Major

This will be new reporting and will require additional policies processes and governance

Long term

Major

The long-term section is new reporting and will require additional input to understand and consider emerging risks and opportunities. Policies, processes and governance will need to evolve to consider a wider array of factors which become relevant as the forecasting horizon is extended.

Major

As with PIEs that apply the UK corporate governance code, the long-term section is new reporting and will require additional policies, processes and governance, which will evolve over time

Wide-ranging implications

Overall, the key point is that this is much more than a reporting exercise.

If a company’s business model – including its funding strategy, investment and dividend policies – is not resilient the new reporting will bring this into sharp focus. Directors will need to review these fundamental matters through the lens of the new reporting. Existing risk-management and scenario-planning processes will need to be benchmarked, and in many cases upgraded.

Many well-run companies in the PIE category are already considering short-, medium- and long-term threats through both the risk management process and strategic planning. Risk management processes have also been evolving to encompass emerging risks and the resilience statement will be another opportunity to strengthen this aspect.

Many companies are only at an early stage of embedding climate risk into these processes, while others have already made significant progress. From January 2021, premium-listed companies are already required to report on whether their climate disclosures are in-line with the TCFD recommendations or explain why not.

The government has also consulted separately on whether and how to require TCFD-based reporting more widely. Although the outcome isn’t yet known, it’s clear that climate-risk assessment and reporting will require special attention.

Boards will clearly need to devote more time and resources to longer-term resilience assessment, but we see this this as an opportunity as much as a challenge.

Our view on the BEIS consultation

We support new reporting, which should give stakeholders better insights into how the directors assess and respond to current and emerging risks. We think this can act as a catalyst for better governance of long-term risk management.

It’s important that the resilience statement isn't viewed as certifying a company’s long-term survival. No business can be 100% future-proof and a commitment to long-term risk management should not stifle the entrepreneurship and managed risk-taking that is essential in a vibrant and competitive economy.

The requirements should allow flexibility on whether, and to what extent, the specific risk areas to be addressed are reflected in the short-, medium- and long-term sections. Each risk could be a short-term, going concern-type issue for one company but a long-term issue for another.

Some risks, such as cyber security, might be both a short- and a long-term issue. We believe that the requirements should enable the directors to reflect the matters in whichever sections they have assessed to be most relevant to the company.

What are the next steps?

While we don’t know the exact form or timing of the new requirements, the overall direction is clear. Companies likely to be in scope should commence their readiness assessment sooner rather than later, and where not already present, integrate a risk and resilience aspect within all relevant business change programmes.

How we can help

We can help you to identify and manage your risks, realise opportunities and improve your business performance. Our team will support you to connect risk to the strategic objectives of your business, as well as your day-to-day operations, providing integrated risk management across the most important aspects of your business.

For more information on how we can support you, visit our business risk services page.