In January the Financial Reporting Council (FRC) unveiled the latest 2024 UK Corporate Governance Code (the Code), which places requirements on the board to consider the effective management of risks, including those related to or managed by third parties. Here we explain exactly what these changes are, what they mean for you and what you should do next.

Contents

arrow right iconThe transition to enhanced governance standards

arrow right iconWhat relevant changes have been made to the Code?

arrow right iconWhat do the latest Code changes mean for you?

arrow right iconHow should you respond to the Code reforms?

The transition to enhanced governance standards

The Code update asks companies to report on the effectiveness of their material controls and is now sharpening the focus on how material third party risks are managed. 

This shift is reshaping compliance oversight in boardrooms, emphasising the need for transparency and accountability and moving beyond financial controls and into material reporting, operational and compliance controls.

As we approach the effective date of January 1, 2025, and subsequent board declarations for periods starting after January 1, 2026, it's evident that global governance reforms are gaining momentum. Organisations must assess the impact of these changes on their operations and level of controls, adapt accordingly, and assess that they’re operating effectively by the end of the year. 

Annual reports are expected to comprehensively detail third party risk management strategies, aligning with the FRC's commitment to transparency. Proactive engagement, tailored strategies, and diligent implementation are vital for organisational operational readiness and compliance.

Complying with the regulations requires careful assessment and strategic planning to ensure resilience and compliance.

What relevant changes have been made to the Code?

The key change is the inclusion of the newest provision, Provision 29. The focus of its inclusion is primarily on evaluating material controls, emphasising the need for organisations to prioritise key aspects of their governance processes. The board must include:

  • An explanation of how it monitored and reviewed the framework's effectiveness, including the extent of controls managed by third parties and their impact.
  • A declaration regarding the effectiveness of material controls as of the balance sheet date.
  • Details of any material controls that didn't operate effectively as of the balance sheet date, along with proposed or implemented actions to improve them and any actions taken to address previously reported issues.

Download: Corporate Governance Review 2023

Find out how strong governance practices can help your organisation.

Pragmatic guidance on how to get the most out of your reporting while preparing for the upcoming revisions to the Financial Reporting Council (FRC)’s Code. 

Please complete the form to download your copy of the 2023 Corporate Governance Review

nc_pixel

Thank you for submitting this form. Our team will be in touch with you shortly.

What do the latest Code changes mean for you?

It's crucial to understand the implications of these changes for how you manage third party risk. Key aspects to consider include:

Heightened transparency in the internal control process

Our latest Corporate Governance Review revealed that while 94% of FTSE 350 companies identify operational risks, including third party and supplier risks, as a principal risk, only 10% assure aspects of their third-party controls, for example, in relation to their supply chains. This indicates a need for increased scrutiny and action by boards and management. 

Visibility of your third party risks and controls

Boards and management often lack sufficient visibility into the risks managed by third parties and existing levels of assurances provided by them.

The benefits of allowing third parties to deliver services that support your organisation do not come risk free. There are many examples of ongoing cyber exposure in the media, including a report from the UK government, which found that 32% of businesses recalled experiencing breaches or attacks in the last 12 months. Whether you are in direct control or have outsourced services, you need to demonstrate that you have understood and documented the controls and that you maintain an understanding of their potential impact on you if they fail.

Outsourcing processes and controls doesn’t outsource the risks being managed so it’s important to understand the quality (design and operation) of those being managed by others on behalf of your organisation. Often, third party questionnaires are relied upon to provide detail on controls, but these do not provide sufficient assurance to support a declaration under the enhanced code requirements.

An inventory of all third parties must be maintained

Many businesses lack a comprehensive inventory of their current third party suppliers, which is essential for understanding who key third parties are and whether they carry material risks to internal controls and regulatory compliance. Before engaging any key third party service provider, due diligence should be conducted to ensure that they have adequate controls in place to support recent code reforms.

Recent Code reforms underscore the importance of overseeing controls maintained by key suppliers. Like practices observed in the US SOX world, it is critical to ensure that key service providers understand their role in maintaining internal controls and supporting them on an ongoing basis. This needs to be reflected in communications between the company and key third parties

How should you respond to the Code reforms?

Conduct an assessment of your third parties' material risks and controls

Here are three key steps you can take to help you manage third parties’ material risks and help to ensure you’re ready for the effective date of January 2025:

  • Perform a risk assessment to identify and evaluate critical activities managed by third party suppliers. You need to understand the boundary and ownership between retained and outsourced activities to ensure that all stakeholders understand their roles and responsibilities and discharge their duties.
  • Establish clear processes and controls for overseeing third party material risks and ensure that these are integrated into their overall compliance programme. If a third party supplier uses another service organisation to support in their critical processes, it is important to evaluate end-to end risk and bring them into the scope as applicable.
  • Consider service auditor reporting to provide independent assurance and identify any gaps or deficiencies in the control framework. Doing this will provide a rigorous and objective challenge while also allowing for timely remediation where necessary.

To discuss these updates and how you can prepare your business, contact our experts. They can help you navigate the regulatory landscape's intricacies and ensure you remain compliant.