Halex Consulting's response to the FRC Code consultation

Halex Consulting's response to the Financial Reporting Council's consultation on its proposed changes to the UK Corporate Governance Code (‘Code’)

Introduction

Halex Consulting is a boutique governance consultancy providing independent board performance reviews and risk management consultancy. Halex Consulting principal, Chris Burt, is a co-founder of the Risk Coalition and is principal author of Raising the Bar, the Risk Coalition’s internationally recognised leading practice guidance for board risk committees.

We welcome the opportunity to provide our views on the FRC’s proposed Code changes.

Summary

Overall, we support the proposed Code changes subject to a small number of caveats and suggestions for changes detailed below. That said, several of the proposed changes are likely to require substantial effort by organisations to ensure continued Code compliance.

Our primary concern with the proposed Code changes is not what is included, but what is absent.

The 2018 version of the Code has one passing reference to the role of the board risk committee, and yet large financially regulated organisations are required to have one. This is why the Risk Coalition felt obliged to publish its Raising the Bar guidance in December 2019.

Increasingly we are seeing board risk committees being established outside of financial services.

Despite accumulating evidence that organisations with a board risk committee manage risk better than those without (see note), and despite the substantially increased burden being placed on audit committees by the proposed Code changes, the FRC continues to avoid suggesting that organisations periodically consider the benefits of establishing a board risk committee. (We noted with interest paragraph 49 of the consultation document which demonstrates the FRC’s apparent willingness to consider the necessity for Code companies to have a sustainability committee.)

If the FRC persists with the current draft text, then we strongly recommend that the FRC incorporate the following paragraph from Raising the Bar into the Code to ensure that all organisations have a clear lead committee on risk topics, and which would require audit committee chairs to pay sufficient attention to risk matters in the absence of a board risk committee:

“[The audit committee should] provide consolidated oversight and challenge of management’s treatment and reporting of the organisation’s principal and emerging risks, including those risks within the remit of other board committees.”

In the absence of a committee having clearly established consolidated risk oversight accountability, the first point at which there is a consolidated view of the organisation’s risks is the board. In our experience as board reviewers and risk management experts, boards rarely have the time - or sometimes inclination - to provide robust oversight of the organisation’s entire risk landscape.

[Note: In response to the question: “How would you assess the quality of risk oversight in organisations with a dedicated board risk committee versus those without?” in a recent Risk Coalition survey, 82% of independent non-executive directors surveyed thought it was better, 14% about the same and 4% thought it was worse. Sample size: 72 INEDs.]

Structure of the Code

The structure of the Code is consistent with previous versions and is appropriate. It would be helpful, however, if the FRC were to clearly reinforce in the Code preamble that principles must be applied, but that provisions are ‘comply or explain’.

While included in the 2018 version, the requirement lacked clarity and was easily missed.

Question 3 - Do you have any comments on the other changes proposed to Section 1?

Principle B states: “The board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are all aligned.”

In our experience - and that of the financial regulators - boards struggle with culture. To help boards get a better grip of this topic, it may be helpful to amend this principle to state that the board should set its culture expectations of the organisation.

Question 4 - Do you agree with the proposed change to Code Principle K (in Section 3 of the Code), which makes the issue of significant external commitments an explicit part of board performance reviews?

It is not clear what problem this proposed change is attempting to address. In principle, this is a positive change but in practice, we doubt whether it will make a material difference to the number of NED roles board members hold.

In our experience, over-boarding only presents as an issue where the board member regularly fails to attend or is unavailable for board/committee meetings, is seen to be underprepared or fails to contribute to discussions.

All of these are performance issues that can be addressed through existing governance processes.

Question 5 - Do you agree with the proposed change to Code Provision 15, which is designed to encourage greater transparency on directors’ commitments to other organisations?

We believe this is a useful change but that the words of the provision need slight amendment: “All significant external director appointments should be listed in the annual report, describing how each director has sufficient time to undertake their role effectively in light of commitments to other organisations.”

Question 9 - Do you support the proposed adoption of the CGI recommendations as set out above, and are there particular areas you would like to see covered in guidance in addition to those set out by CGI?

We are broadly comfortable with the CGI recommendations that the FRC proposes to adopt.

There is a weakness, however, in the board performance review market that these recommendations do not address. Specifically, there is an incentive for board reviewers not to be overly critical of the boards they review since future business prospects rely on receiving positive client feedback.

This undermines the value of independent board performance reviews and tends towards bland reports that ‘skim the issues’.

We would be happy to engage with the FRC on how best to address this market failure.

Question 12 - Do you agree that the remit of audit committees should be expanded to include narrative reporting, including sustainability reporting, and where appropriate ESG metrics, where such matters are not reserved for the board?

We do not agree with the suggestion that the remit of audit committees should be expanded to include narrative reporting. We believe that the board should decide to which committee it delegates this responsibility.

Question 13 - Do you agree that the proposed amendments to the Code strike the right balance in terms of strengthening risk management and internal controls systems in a proportionate way?

While we agree that the proposed amendments are likely to lead to a strengthening of risk management and internal control systems, the effort required to implement these changes will be substantial. How substantial – and whether this is proportionate - will largely depend on the additional guidance being developed.

For example:

  • The scope of the proposed changes covers all operations – strategic, operational, compliance and reporting – not just internal controls over financial reporting. This scope is significantly broader than Sarbanes-Oxley, which in itself was a major undertaking for many organisations.
  • The reference to material controls will require organisations to establish which controls are material. In turn this will require a major scoping effort covering all the organisational activity areas noted in the paragraph above.
  • The proposed changes will require the introduction of routine monitoring and testing of all material controls. Dependent on the definition of material controls, this could result in the need to routinely identify, document and test hundreds of controls across the organisation each year. It is not clear who should do this, how often or to what standard the controls should be tested.
  • Code firms are likely to incur substantial consultancy costs for readiness assistance from the large consultancy firms, as they did when Sarbanes-Oxley was introduced. Experience shows that these firms will tend towards a conservative project approach, encouraging more documentation and testing than less, with associated implications for costs.

Question 14 - Should the board’s declaration be based on continuous monitoring throughout the reporting period up to the date of the annual report, or should it be based on the date of the balance sheet?

While requiring more effort, the board’s declaration should be based on a routine monitoring approach. Sarbanes-Oxley adopts a balance sheet date approach since it focuses on internal controls over financial reporting. In that scenario, material control failures earlier in the period are not relevant provided management remediate them before the year-end to evidence the reported numbers are reliable.

Question 15 - Where controls are referenced in the Code, should ‘financial’ be changed to ‘reporting’ to capture controls on narrative as well as financial reporting, or should reporting be limited to controls over financial reporting?

It depends on the problem the change is attempting to address. If the policy concern is unreliable financial reporting, as was the driver for Sarbanes-Oxley, then the word ‘financial’ should be retained. If, as seems likely, the FRC is attempting to address a broad range of financial and non-financial reporting challenges then using the word ‘reporting’ is better.

However, by removing the reference to financial controls, there is a risk that firms may not give adequate consideration to other types of financial controls no longer referenced, such as financial performance and financial resilience related controls.

We should also highlight that in proposed provision 30, the text makes reference to operational, reporting and compliance controls whereas paragraph 70 of the consultation document (in its definition of a material weakness) references strategic, operational, reporting and compliance objectives, which is based on COSO guidance.

In our view, it would be helpful if the Code were consistent between the things an organisation is seeking to achieve (strategic, operational, reporting and compliance objectives), and the means by which their achievement is assured – strategic, operational, reporting and compliance related controls.

Moreover, we believe the FRC should consider going beyond COSO’s suggestion, which is some years old, and consider requiring definition of objectives / controls covering:

  • Strategic aims
  • Operational (effectiveness, efficiency and resilience)
  • Financial (performance, reporting and resilience)
  • Reputation, culture and conduct
  • Compliance (legal, regulatory and policy)
  • Sustainability (including continued viability)

We make this suggestion on the basis that risk management is not about managing risks per se. It is about enabling an organisation to achieve its objectives through the effective management of risks.

Therefore, in order for an organisation’s risk management arrangements to be effective, it needs to have clearly defined objectives across a range of categories covering both the things the organisation chooses to do (e.g. strategic aims), and those it is required to do as part of its licence to operate (e.g. comply with law and regulation).

Adopting this change should lead to a substantial improvement in the quality and effectiveness of Code firms’ risk management arrangements.

Question 16 - To what extent should the guidance set out examples of methodologies or frameworks for the review of the effectiveness of risk management and internal controls systems?

It would be helpful were the guidance to provide examples of leading practice methodologies and frameworks, such as that provided by the Risk Coalition, but firms should not be required to apply them. Instead, firms should be encouraged to adopt an approach appropriate to their circumstances, particularly since risk management practices are evolving rapidly and being too directive could stifle innovation.

Question 17 - Do you have any proposals regarding the definitional issues, e.g. what constitutes an effective risk management and internal controls system or a material weakness?

Halex Consulting has developed its own model of risk management effectiveness. In our view, the two key questions any review of risk management effectiveness should be able to answer are:

  • Do our risk management arrangements meet board, executive, regulatory and other stakeholder expectations?
  • Do our risk management arrangements help us meet our strategic objectives?

In addition, we suggest the FRC adopts the Risk Coalition’s definition of principal risks:

Principal risks – The most significant or key risks facing an organisation, including those that may threaten the organisation’s business model, future performance, solvency or liquidity and reputation. Principal risks may include all types of risk including, inter alia:

  • existing and emerging risks, internal and external risks, financial and non-financial risks, in-house and extended enterprise risks;
  • categories or types of risk as defined in an organisation’s risk universe; and
  • risk scenarios in which combinations of risks or risk types may crystallise.

Other textual comments and suggestions

Detailed below are a number of comments and suggestions for text changes.

Provision 1

  • The board should define, rather than assess, the basis on which the company generates and preserves value over the long-term.
  • References to climate ambitions and transition planning are very current, but will age rapidly.

Provision 2

“The board should define its culture expectations…”

Provision 3

  • “…the chair should seek regular engagement with major shareholders and other key stakeholders…”
  • “Committee chairs should engage with shareholders and other key stakeholders on significant matters related to their areas of responsibility.”

Provision 15

“All significant external director appointments should be listed in the annual report…”

Provision 29

  • “The board should carry out a robust assessment of the likely achievement of the company’s strategic objectives given the emerging and principal risks attaching. The board should confirm in the annual report that it has completed this assessment, including a description of its strategic objectives and associated principal risks, and an explanation of how these are being managed or mitigated. The board should explain in the annual report what procedures are in place to identify and manage emerging risks and describe these risks.”

We would be happy to discuss any of our suggestions with the FRC in due course.

Sincerely,

Chris Burt

Principal

Halex Consulting Limited

86-90 Paul Street / London / EC2A 4NE

M +44 (0)7905 469039 T +44 (0)20 3823 6569 E [email protected]

