Review of Corporate Governance Reporting 2023
- Executive Summary
- Introduction
- Main Findings
- 1. Board Leadership and Company Purpose
- 4. Audit, Risk and Internal Controls
- Audit
- Risk Management
- Principal Risks
- Changes to principal risks
- Emerging risks
- Monitoring and reviewing the effectiveness of the risk management and internal control systems
- Reporting on the review
- b) Reporting the outcome(s) of the review
- c) Consolidating and improving reporting in this area
- 5. Remuneration
- 6. Cyber and Information Technology
Executive Summary
The Financial Reporting Council's (FRC) latest review of corporate governance reporting showcases examples of high-quality and insightful reporting by many companies. The Corporate Governance Code (Code) is a flexible one, where companies can (and many do) depart from the Provisions of the Code provided that they clearly explain how they have maintained effective governance. We are encouraged that in line with previous years, companies are more transparent in reporting departures from the Code. This is a positive development, although explanations sometimes lack clarity, and few companies report to a consistently high standard across their annual reporting.
Disappointingly, we continue to find too many examples of unconvincing boilerplate reporting which fails to meet stakeholder expectations. Simply stating the timeline for achieving compliance with a provision is not enough; companies also need to say why their alternative arrangements delivered benefits to the company and its shareholders.
Over the last few months there has been discussion about the assessment of risk and the quality of internal controls, including debate about how and whether the UK regulatory framework should be improved. This review finds that there has been little year-on-year improvement in the quality of reporting in this area; some companies report very well but the majority do not, and fail to demonstrate that sufficiently robust systems, governance and oversight are operating effectively.
The focus on workforce engagement is commendable – the best reporters show the beneficial impacts arising when companies broaden their engagement to include culture, purpose and values. Stakeholder engagement reporting also continues to improve, and the FRC would like to see companies build on this by reflecting on the feedback received and its impact on board decisions. Engagement is important, but only where it leads to high-quality outcomes.
We urge all companies to pursue a goal of strong, clear and informative reporting of governance outcomes, and the actions that this drives. Genuine insights, rather than repetition of generic language, are essential for the application of the Code's principles and the spirit of 'comply or explain'. Corporate governance disclosures are an opportunity to build trust and understanding, and demonstrate why the UK is an attractive investment market, rather than being a compliance exercise.
Good governance goes beyond box-ticking to embed the right behaviours and culture. Companies should focus on actual practices rather than policies and procedures to demonstrate that a company is well-governed and sustainable, and able to deliver investment, growth and competitiveness.
The Financial Reporting Council Limited 2023 The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 8th floor, 125 London Wall, London EC2Y 5AS
Introduction
As in the previous three years, this review considers the reporting of 100 premium listed companies that are required under the Listing Rules to follow the Code. The sample of companies reviewed changes year on year and is a mixture of FTSE 100, FTSE 250 and Small Caps.
The Listing Rules require companies to make a statement of how they have applied the Code's Principles; this should be supported by high quality reporting on the more detailed Provisions.
All reporting against the Code should be in the context of the circumstances of the company. Therefore, we would expect governance reporting to be different and demonstrate good governance in the spirit of the Code. There is no template or "one size fits all" approach. The Code allows boards and committees to consider their approach in the context of their particular circumstances and report accordingly.
Unlike the Principles, the Provisions operate on a 'comply or explain' basis. We have for the last few years commented that, as a regulator, we are supportive of departures from the Code where there is a clear rationale for doing so. This year's review once again found well over 50% of companies departing from one or more Provisions of the Code, demonstrating that many companies recognise that the Code is not 'comply or else'.
There is a high bar for standards of corporate governance in the UK. Repetitive and boilerplate reporting does not mean better quality governance. The aim of this review is to give an overview of the reporting that we have assessed, highlight good practice and trends over time, and explain where practices and reporting fall short and need improvement.
By showcasing high quality reporting, we look to raise standards to support appropriate transparency and build trust from shareholders and stakeholders.
We hope that companies, their advisors, and stakeholders will consider the review and act upon it accordingly.
Main Findings
Code Compliance
Application of the Principles
This aspect of our review was concerned with how companies reported on their application of the Code's Principles within their compliance statement. Last year, we found that many companies concentrated their reporting on compliance with the Code's Provisions at the expense of describing their application of the Principles. We observed that most companies disclosed that they had applied the Principles and provided signposting to information elsewhere within their report that shed further light on this. The best reporters provided a statement illustrating the application of the Principles in each section of the Code, along with signposting to further relevant information where appropriate.
Last year, we noted that we were able to find some examples of good quality reporting against the application of Principle O (Risk Management Procedures). This is again the case this year (see, for example, Trustpilot Group Plc Annual Report 2022, pages 65-78 and 125-127). The example cited provides a detailed description of the company's procedures to manage risk, oversee the internal control framework, and of its principal risks. There were examples of good reporting on other Principles as well. Some companies have provided, in their compliance statement, high-level commentary on the application of the Principles under the broad headings of each section of the Code, and then complemented this with signposts to those parts of the annual report which relate to the application of a particular Principle or set of Principles. This approach has the advantage of not adding unnecessarily to the length of the annual report by discussing each Principle separately and in detail, instead providing a helpful overview with cross-references where appropriate. We encourage companies to use this approach, including, for example, links to parts of their website where this contains relevant information.
Good reporting on the application of Code Principles also provides detail on specific board actions and considerations in the year. There was some evidence of companies starting to report along these lines although there is room for improvement. In positive examples, we saw one company linking the Principles in the Code section on Division of Responsibilities clearly to actions taken by the board to review the time required for the Director role. Another company made links between the application of Principle Q on remuneration and their review of the company's remuneration policy, including setting out clearly the engagement which had been undertaken to support this review. Such examples are encouraging, and we would like more companies to take this type of specific, outcomes-focused approach to reporting on how they have applied the Code Principles.
In summary, whilst there have been improvements in how companies report on their application of the Code Principles, we would encourage companies to move away from a formulaic Principle by Principle approach which adds to the length of the annual report and contains little company-specific information, and instead to report clearly and concisely on how application of the Principles has made a difference to actions taken by their board.
Key Message: Reporting on board decisions and their outcomes
Reporting on board decisions and their outcomes should reduce boilerplate disclosures and provide the reader with more concise and insightful narrative.
Compliance with the Provisions
In previous years, we have noted that sometimes compliance statements can be ambiguously worded. This can leave the reader unsure as to whether the company has fully complied with the Code, or where relevant, which Provisions they have not complied with. This issue does not seem to be as evident this year, with a majority of companies either clearly stating full compliance or setting out what Provision(s) they depart from. However, some companies are still not offering clear reporting on compliance, with vague statements still being employed, such as 'the company has complied with all the Provisions of the Code except as specifically identified in this report'. As we have previously stated, this is unhelpful for the reader as it is not always clear to see which Provisions the company has not complied with. A company's compliance statement should clearly set out which Provisions they haven't complied with.
Additionally, in some instances, companies claim full compliance but do not disclose areas of the Code that they depart from (see the discussion on Provisions 38 and 39 below).
This year sixty-three companies disclosed departure from at least one Code Provision within their statement.
Total number of companies disclosing a departure from at least one Code Provision
- 2020: 42
- 2021: 64
- 2022: 73
- 2023: 63
Companies sorted by number of Code departures
- 1: 33
- 2: 16
- 3: 9
- 4: 4
- 5+: 1
When companies do depart from a provision, they must still demonstrate through clear explanations that they are applying the Principles. Thirty-seven companies claimed full compliance this year. While this is an increase on last year, it is a significant decrease from 2020.
The increase in the number of companies departing from the Code over time demonstrates the benefits of a code-based approach to governance, in that it allows companies to choose bespoke governance arrangements that suit their particular circumstances provided they are still applying the overarching Principle.
Key Message: Comply or Explain
In some cases, strict adherence with the Code's detailed provisions may not be the right approach for a company. The 'comply or explain' nature of the Code allows companies to adjust their approach to governance to their particular circumstances and business model. Companies must, of course, clearly explain these departures and ensure that they continue to apply the Code's Principles. In the same way, investors, and proxy advisors should not favour strict compliance with the Provisions of the Code but focus on individual company circumstances and the explanations companies provide for their non-compliance.
The graphs demonstrate that from 2020 to 2022 there was generally a year-on-year increase in companies disclosing departure from Provisions. This year we have seen a slight change, with overall reporting of departures dropping slightly. There was an increase in the number of departures from Provision 38 (Pension Alignment). Of the 36 companies that acknowledged their non-compliance with this Provision, 31 stated either that they complied by the end of 2022, or that they will be in full compliance in 2023.
A common reason for non-compliance for the other five companies was that they were honouring existing contractual arrangements with their executive directors, agreed prior to the 2018 Code coming into effect. This is an understandable reason for delayed compliance, but clarity should be provided on when/if directors' contractual pension entitlements will be brought into line with the Code.
Provisions with the highest rate of non-compliance this year, compared to the previous years (number of companies not complying):

| Provision | 2020 | 2021 | 2022 | 2023 |
|---|---|---|---|---|
| Provision 38 (Pension alignment) | 11 | 27 | 30 | 36 |
| Provision 19 (Chair tenure) | 9 | 16 | 15 | 12 |
| Provision 41 (Work of the remuneration committee) | 4 | 7 | 11 | 11 |
| Provision 24 (Audit committee composition) | 3 | 10 | 10 | 11 |
| Provision 9 (Chair independence/chair and CEO separation) | 16 | 18 | 12 | 9 |
| Provision 32 (Remuneration committee composition) | 3 | 11 | 9 | 5 |
| Provision 36 (Share awards) | 6 | 11 | 8 | 4 |
| Provision 11 (ED/Independent NED) | 4 | 4 | 7 | 5 |
In addition to the companies that have disclosed their departure from Provision 38, 11 companies did not disclose non-compliance with this Provision. Seven of these companies explained that the pension contributions of one of their executive directors are aligned to the workforce rate. All 11 state that executive director pension contributions will be fully aligned in 2023 or 2024 (with only one company setting 2024 as the date for full alignment).
Key Message: Flexibility
The Code offers companies the flexibility to depart from its Provisions. Companies should fully disclose not only what Provisions they do not comply with, but also why they deviate from them, as well as if/when they intend to bring their governance practices into line with the Code. Without this transparency the comply or explain framework is of little benefit to companies or their stakeholders.
Explanations for Code departures
In previous years, we have clearly set out our expectation that companies provide clear and meaningful explanations for any departures from the Code. There is still room for improvement.
Many of the trends observed last year remain. There were instances of unexplained departures, with the focus of reporting being solely on the company's timeline for compliance, as well as instances of boilerplate reporting lacking the detail required to effectively convince the reader that the departure from the Code benefits the company.
Overall, there was a slight improvement in explaining Code departures, with more explanations being understandable and persuasive. Companies could further improve their explanations by explicitly recognising the potential risks arising from the Code departure and a description of actions taken to mitigate these.
Example: providing a meaningful explanation for non-compliance
Why it's useful:
The example shows why the company has not complied with Provision 19 of the Code. The explanation:
- Sets the context and background
- Gives a convincing rationale for the approach taken - signposting to where this is provided in detail in the previous year's report.
- Shows an appreciation for the fact that risks could stem from the Code departure and describes mitigating actions – mainly assessment of the Chair as part of internal and external Board reviews
- Sets out when the company intends to comply
- Is overall an understandable and persuasive explanation.
Chair Succession
Tenure
Irial Finan joined the Board in February 2012 and was appointed Chair in May 2019. He was independent at the time of appointment, as recommended by the Code. He was appointed as Chair designate in October 2018 and became Chair at the conclusion of the AGM in May 2019. In 2021, as Irial had then exceeded nine years on the Board, a comprehensive review of the Chair's tenure including a shareholder consultation was conducted, which was led by Gonzalo Restrepo who was the Senior Independent Director at the time. In line with Provision 19 of the Code, a clear and detailed explanation was provided in the 2021 Annual Report (pages 84 and 85) outlining the conclusions of this review, the rationale for a proposed extension to the Chair tenure, and a recommendation to shareholders that the tenure of Irial be extended by a period of up to three years (or up to the 2025 AGM). In their decision to define a time period for the extension, the Board noted its belief that this would provide clarity and certainty for all stakeholders of the Group. This recommendation was strongly supported by the Company's shareholders with over 93% of votes cast in favour of Irial's re-election at the AGM in
During the previous two years, internal evaluations conducted by the Senior Independent Director had included an evaluation of the Chair. These evaluations concluded that his performance was exceptional and that the Board were very satisfied with his support, leadership and independence as Chair. In addition to these internal evaluations, an externally facilitated evaluation of the Board including the Chair was conducted by Ffion Hague of Independent Board Evaluation during 2022. The feedback was highly positive with recognition of the interpersonal dynamics Irial has established in what is considered a diverse and engaged Board. The external review also noted Irial's strong people, investor and customer focus as well as his notable understanding of our business.
As a result, following consideration of the Code, the comprehensive review completed during 2021 and the externally facilitated evaluation conducted in 2022, the Board has concluded that it remains in the best interests of the Group and of all stakeholders that the tenure of Irial continue in line with the prior year recommendation.
Succession Process
As noted in the 2021 Annual Report, the Board is committed to ensuring that an orderly succession and transition of the Chair is conducted. As a result, progressing the process remains a priority for the Senior Independent Director who is leading the succession process. During 2022, Kaisa Hietala succeeded Gonzalo Restrepo as Senior Independent Director, and is now responsible for the succession process going forward. A comprehensive handover was conducted following her appointment as Senior Independent Director. In addition, due consideration has been given to the next steps required. During 2023, a detailed specification of the role will be prepared, and an independent external recruitment firm will be selected to work with Kaisa to commence the search process for Irial's replacement as Chair of the Board.
The Board will keep shareholders informed on the matter of the Chair's succession in the Annual Report next year and through direct engagement as appropriate.
Recommendation
In conclusion, the Board has carefully considered the Chair's tenure and believes that it is in the best interests of the Company and its stakeholders that Irial remain as Chair for a period of up to two years (or up to the 2025 AGM). The Board is therefore recommending to shareholders the re-election of Irial at the forthcoming AGM in April 2023.
Source: Smurfit Kappa Group Annual Report, 2022, p.111
1. Board Leadership and Company Purpose
Culture, Purpose and Values
Corporate culture
Reporting on corporate culture continues to evolve. While still standing out as a separate theme in reports, 40% of companies included culture among other environmental, social and governance (ESG)/sustainability disclosures, often classifying it as a Social (the S of ESG) issue. However, culture-related reporting was not limited solely to those sections.
Principle B
The board should establish the company's purpose, values and strategy, and satisfy itself that these and its culture are aligned. All directors must act with integrity, lead by example and promote the desired culture.
As the FRC's 2021 Creating Positive Culture: Opportunities and Challenges (2021 Culture Report) found, the CEO plays an essential role in driving and embedding culture throughout the company, but Non-Executive Directors (NEDs) are becoming increasingly involved. Hence, this year we have looked specifically at whether companies are reporting on NEDs' involvement. We have found that while culture is often referred to by Chairs in their letters, suggesting the topic is very much at the top of the agenda of many boards, only around a half of companies reported with insight on this matter. This includes specific references to NEDs' culture-related activities beyond assessment and monitoring (Provision 2 of the Code), reporting their explicit involvement in the active creation and promotion of culture across the organisation and focusing on outcomes.
From our sample, we also found that approximately 10% of organisations had set up a dedicated board-level committee or taskforce with an explicit culture remit and one company renamed their remuneration committee 'Remuneration and People Committee' giving this area increased prominence.
Better reporters included case studies and reduced the length of reporting by the use of hyperlinks or QR Codes. Unfortunately, only a minority of companies discussed progress they had made on their culture agenda, setting out actions and activities following from board decisions from the previous year.
Key Message: Culture Reporting
Good reporting focuses on setting out both the practice and policy along with objectives and progress towards milestones. This includes reporting on what activities helped to achieve the outcome. Too often culture-related disclosures in the governance report repeat what can be found in the strategic report or wording from the Code.
Example
"A healthy corporate culture is one in which SSE has a purpose, values and strategy that are respected by its stakeholders, and an operating environment that is inclusive, diverse, supportive and engaging; that encourages employees to make a positive difference for stakeholders; in which values guide responsible decisions and actions; and in which attitudes and behaviours are consistent with high standards of conduct and doing the right thing."
Source: SSE Annual Report, 2022, p.137
Purpose and values
Despite a slight dip in the number of companies clearly stating their corporate purpose, the rate of disclosure remains very high. The rate of good supporting information is much lower, only around half of organisations, but it has significantly increased from last year. However, the other half of companies still have a tick-box approach to reporting in this area, with the purpose statement often limited to what resembles a marketing slogan and with no explanatory note.
The better disclosures were clear on each element of the purpose, explaining for example, why the company exists, what it does, the market in which it operates, what it is seeking to achieve, and how it will achieve it. The quality of disclosures does not appear to be correlated with company size and as demonstrated in the following example, a simply defined purpose can be very informative.
Example
"Our purpose: To provide motor insurance, available to the widest possible range of drivers, based upon a fair, risk-based pricing model that is consistent across all customers. Generate excess capital and return this to shareholders or reinvest in the business in order to increase future returns."
Source: Sabre Insurance Annual Report, 2022, p.3
Example
Our purpose in action: we're continuing to protect and grow by living our values
- Innovating to protect our people
- Security of our commercial operations across the globe
- Safety in every aspect of our business
Source: Chemring Annual Report, 2022 p.6-7
Example
Our purpose-led strategy: delivering long term sustainable value
The diagram illustrates Bunzl's purpose to deliver essential business solutions and create long term sustainable value for stakeholders. It details how this is achieved through core values (Humility, Responsiveness, Reliability, Transparency) by providing essential business solutions (A one-stop-shop, We source, We consolidate, We deliver) and creating long-term sustainable value (compounding improvements, responsible supply chains, investing in a diverse workforce, taking action on climate change, sustainable and responsible solutions). It also highlights what is ensured (Customer service model, Simplification and efficiency, Local agility and knowledge, Value-add services and expertise) for the benefit of all stakeholders (Shareholders, Suppliers, Communities, Employees, Customers).
Source: Bunzl Annual Report, 2022, p.30-31
Just under 20% of companies referred to values without setting them out within the annual report. The best reporters went beyond simply listing them and explained what those values mean in practice, how they translate into behaviours and how they have been embedded.
We have also observed some good quality reporting where either purpose or values were restated – to remain relevant and aligned with evolving strategy and business. For more discussion of this topic and practical examples see the FRC's 2022 In Focus: Purpose and ESG brief.
Disclosure of the alignment between company purpose, values, strategy and culture (Principle B of the Code) continues to be one of the weakest areas. This year around 40% of companies explicitly discussed the alignment and around a half of those provided meaningful explanations – the same ratio as last year. Better reporters clearly stated their corporate purpose, values and strategy and discussed their alignment with corporate culture within the front part of the annual report, often using visual representation. One company explained the prominence given to those elements by calling them 'the foundation of their business'. Some organisations went a step further by referring to that alignment throughout the report, mostly in the context of sustainability strategy and culture assessment, but also succession planning, talent management, diversity, equity and inclusion, risk management and remuneration.
Example
Howdens: Our purpose-driven approach
The diagram illustrates Howden's purpose-driven approach, showing how "Our purpose: to help our trade customers to deliver exceptional results for their customers" drives "Our strategy", "Business model", and shapes "Our culture & values", "Sustainability", and "Governance". These elements are influenced by "Markets" and "Risks" and lead to "Long-term value for stakeholders". Key components include entrepreneurial depots, manufacturing and product, pricing, and support, ensuring the business positively impacts people, and efficient distribution networks.
Source: Howden Joinery Annual Report, 2022, p.8-9
Evaluation
Companies increasingly report on the involvement of board committees in culture evaluation – from assessment and monitoring, through embedding, to assurance – demonstrating a more joined-up approach. However, the level of involvement varies and not every committee has a clearly defined remit. In previous years the nomination committee was most commonly tasked with oversight of culture, but some organisations have now moved this responsibility to a board-level sustainability/ESG committee. Those differences in governance and reporting demonstrate the flexibility of the Code. Clarkson clearly outlined all elements of their culture, with oversight responsibility assigned to their board and each committee.
Assessment and monitoring
We have observed a small reduction in disclosures of culture assessment and monitoring, and in good quality explanations in those areas, with 70% and 20% of companies doing so respectively. However, similar to last year, only six companies provided insightful disclosures that addressed the process, actions and outcomes of culture reviews. Among better reporters, for example ITV, we have noted increased disclosure of insights from the reviews as well as resulting actions and outcomes in the year; however, examples of impact are still hard to find.
Culture metrics were disclosed by just over half of organisations. However, only around 20% of companies disclosed culture-linked targets and 14% disclosed year-on-year progress. Nonetheless, more companies now include culture and people related metrics as their KPIs in the strategic report.
Key Message: Culture Reporting
Some organisations refer to 'observing' their culture as opposed to 'measuring it', others do both. Whatever approach is used it is important that companies do not lose sight of culture-related risks and opportunities, and their link with strategy.
Examples of wide-ranging metrics/cultural indicators:
- NEDs engagement meetings held.
- Accident/incident rate improvement.
- Annual promotions to management positions.
- Employee equity participation.
- Balanced shortlists and talent development.
- Attitudes to internal audit, risk and regulators.
- Diversity at the management-level.
- Modern slavery statement/audit.
- Promptness of payments to suppliers.
- Legal proceedings issued by suppliers/employees.
Embedding and assurance
Disclosure of how companies approach culture embedding increased by around 20%, which means that just over half of companies discussed it. Better reporters included details of a wide range of embedding initiatives, which can be split into three broad areas:
- Communication: leadership events, case studies and inspiring stories, high profile campaigns, task force.
- Performance frameworks: development plans and specific objectives, coaching and mentoring, goals and KPIs.
- Resources: new policies and practices, online support, ethics and compliance handbook, culture hubs, advisory panel.
As demonstrated below, one company set a clear timeline for its culture transformation plan, which included several embedding milestones.
Example
Focusing on culture: measuring culture through our dashboard
The diagram illustrates SSE's culture dashboard, showing how their culture is shaped by the way they attract and retain people, work together, look after each other, see themselves, make decisions, manage performance, and lead from the top. It reflects employee sentiment across core themes and actions (Employee engagement, Inclusion, Safety, Life at SSE, My Team, Wellbeing, Our strategy, Doing the right thing) with associated metrics and movement relative to an internal 2021 trend benchmark. Key people metrics and KPIs are also shown, such as employee turnover, employees working flexibly, safe days, leaders engaged across mandatory eLearning courses, certification of leadership development programs, employee engagements, sick days per head, vacancies filled, and contacts on Speak Up Blueprint Plans.
Source: SSE Annual Report, 2022, p.138
Example
Transformation in action
The timeline illustrates Imperial Brands' culture transformation plan:
- Jan 2021: Strategy launch sets out case for culture change
- Spring/Summer 2021: Consultation with colleagues to develop purpose and vision
- Oct 2021: New purpose, vision & behaviours unveiled at first-ever all-colleague conference
- Nov 2021: Immersive Connections sessions start
- Feb 2022: First top 500 leadership event showcases new behaviours in action
- Spring 2022: Global office and factory rebranding
- Sep 2022: Connected Leadership coaching launched
Source: Imperial Brands Annual Report, 2022, p.23
Other observations
Although still very rare, some companies talk about the impact of their culture-related strategy on their performance.
Example
"The positive impact of our learning culture is evident both internally and externally. Internally, it has contributed to improved retention, increased promotion rates and more accurate succession planning."
Source: AstraZeneca Annual Report, 2022, p.46
Among the emerging approaches are:
- Recognising the importance of culture strategy when reviewing succession planning for senior management and other recruitment
- Embedding sustainability policies and practices into company culture and desired behaviours
- Reflecting organisational culture and values in the board's and group's diversity, equity and inclusion policy
- Giving more prominence to ethics and recognising the importance of psychological safety.
Example
"In FY23, we launched a campaign to reinforce how line managers have a critical responsibility to be a role model for ethics and integrity at Vodafone and create a culture where we take decisions that foster trust and admiration."
Source: Vodafone Annual Report, 2022, p.23
Companies also increasingly report on their culture/values/behaviours champions and on the importance of training middle managers in empowering the workforce and in delivering on culture change and embedding. Our 2021 Culture Report discusses both of these themes in greater detail.
Shareholder Engagement
Principle D
In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure effective engagement with, and encourage participation from, these parties.
All companies we reviewed have reported on engaging with shareholders during the reporting year, with 97 companies reporting on engagement that occurred outside of the AGM. As with last year's review, we found that reporting is mostly generic, with limited disclosure of details and feedback received or examples of outcomes, including how the engagement has affected decision-making or strategy.
Last year we emphasised the importance of 'effective engagement'. For engagement with shareholders to be effective, it should be a two-stage process: the company receives the views of its shareholders on matters of importance, and then acts upon the feedback received where it considers this appropriate.
As with the Stewardship Code, we encourage companies to report on activities and outcomes of their engagement. Better reporters commented on engagement throughout the reporting year, particularly outside of the AGM.
All companies reviewed set out their engagement plans. Companies predominantly stated that their engagement was through disclosure. This includes producing annual reports, holding investor relations conferences and giving presentations on specific topics that are material to the company and/or its shareholders.
Example
"We hold an Annual Capital Markets Day for our coverage analysts and major holders, to provide more granular detail on our progress with strategy, performance, and future plans. In 2022 this focused on the Intelligence & Events businesses, their capabilities, business models and addressable markets."
Source: Ascential Annual Report, 2022, p.70
Such events are useful and offer a platform for the company to set out information to shareholders.
Better reporting demonstrated how the information was received by shareholders and in some cases discussed the issues raised. As noted in previous reviews, companies should be reporting:
- The frequency of engagement.
- The topic of engagement.
- The different methods used to engage with shareholders.
- Feedback received from shareholders.
- Outcome of engagement and if the engagement has led to different decision-making processes.
This can be seen in the following example, in which Croda International described the range of topics discussed with its investor base as well as the frequency of its engagement. It is also evident that the company is aware of its investors' interest in its recent acquisitions, which shows how it remains actively engaged throughout the year.
<blockquote markdown="1">
**Example**
"In March, we held an investor seminar on Consumer Care, to outline market opportunities and sector strategy in addition to explaining how investment in biotechnology will contribute to future growth. The equivalent seminar for Health Care took place at the London Stock Exchange in October. Given investor interest in our recent acquisitions, the Managing Director of Avanti attended the Pharma event, and we hosted a shareholder visit to Iberchem ... Croda was represented by our Chair, Senior Independent Director and Remuneration Committee Chair. A wide range of topics were discussed including sustainability, Board composition, executive succession, performance metrics and culture. We intend to extend this representation to include our Audit Committee Chair at the 2023 event. We consulted on our proposed remuneration policy during 2022, holding video calls with one third of our investor base."
**Source:** Croda International Annual Report, 2022, p.83
</blockquote>
This company goes a step further by noting the feedback it received from shareholders and how this feedback made it adjust its policy to respond to specific points raised by shareholders.
Better reporting also included companies reporting on their shareholders' key priorities throughout the year. This shows that companies have an awareness of the interests of their significant investors and can engage regarding issues that are material to their investors.
For example, one company in the retail sector listed some of its key shareholder priorities and its engagement based on these key issues:
* How the cost-of-living crisis has changed consumer spending habits, including propensity to eat at home versus in restaurants, and reducing the impact of inflation through reducing the number of grocery items purchased.
* The grocery market's response to macro-economic inflationary pressures on raw material prices and operating costs.
* Progress towards our cost savings targets and whether opportunities are unique to the business.
* How the business will address capital allocation once our leverage targets are achieved.
### Provision 3
As described in Provision 3, 'the chair should seek regular engagement with major shareholders in order to understand their views on governance and performance against the strategy. Committee chairs should seek engagement with shareholders on significant matters related to their areas of responsibility'. Where appropriate, board members should be actively engaging with shareholders throughout the reporting year, particularly if there has been a significant vote against a resolution.
We are aware that in some cases investors have a specific policy that may not wholly align with a company's approach. This can lead to an investor repeatedly voting against a resolution – in some cases contributing to a vote against of 20% or more. In such cases engagement with the investor is unlikely to achieve a change in approach, so we suggest that companies note this in their annual reports.
### Committee Chairs Engagement
<div class="table-container" markdown="1">
| | Last Year (2022) | This Year (2023) |
|:--------------------------|:-----------------:|:------------------:|
| Chair | 52 | 52 |
| Remuneration Committee Chair | 43 | 63 |
| Senior Independent Director | 11 | 13 |
| Nomination Committee Chair | 2 | 4 |
| Audit Committee Chair | 0 | 5 |
</div>
Overall, there has been a slight increase in the level of engagement with shareholders by committee chairs this year. In particular, reporting on engagement with remuneration committee chairs has increased significantly in comparison to last year. However, reporting on the nature of engagement is still limited. Most examples noted that the committee chair met shareholders to discuss a particular issue, but only a minority offered additional detail, for example whether this had an impact on the remuneration policy.
We were pleased to see a small rise in the number of audit committee chairs engaging with their shareholders. The **Restoring Trust in Audit and Corporate Governance Government Response** provided evidence that 70% of investors wanted greater participation from the Audit Committee Chair. It is not clear whether engagement with audit committee chairs has not been sought by investors or whether companies have not reported on it. Of the five companies, two provided information about what the engagement involved.
<blockquote markdown="1">
**Example**
"The audit tender process was led by the Audit Committee Chair, supported by a steering committee made up of Audit Committee members and senior management. As well as consulting the FRC... we asked our main institutional shareholders for input and held discussions with companies that had gone through an audit tender themselves."
**Source:** London Stock Exchange Annual Report, 2022, p.109
</blockquote>
<blockquote markdown="1">
**Example**
"The Audit Committee Chair issued a letter to the Company's largest shareholders representing circa 85% of the register outlining the Group's intentions in relation to the external audit tender. Feedback received from shareholders was considered and incorporated into the process as appropriate."
**Source:** TP ICAP Group Annual Report, 2022, p.95
</blockquote>
It is difficult to discern from the annual reports whether the lack of reported engagement from committee chairs is because chairs have not sought engagement or if the investors themselves have not responded to offers of engagement.
We have also seen a growing trend in the use of perception studies, which involve third parties engaging with investors on behalf of a company. The studies gather views on issues concerning their investments, as well as general opinions of the board. For example, one company noted the use of a perception study to provide its board with the opportunity to assess its investor base and behaviour in more detail.
Eight companies reported on using third parties to conduct perception studies to engage with shareholders on several topics on their behalf. This is encouraging as it shows an attempt from companies to engage with their shareholder base to ensure that their views are also considered. However, this does not absolve board members of their responsibility to engage with larger shareholders as emphasised by Principle D, if matters cannot be resolved.
We are aware that many investors' first point of contact is below board level and that issues often do not require elevation to the board. However, it is important that investors have a route to the board if necessary, and committee chairs should routinely offer this option.
## Stakeholder and Workforce Engagement
### Stakeholder Engagement
Reporting on stakeholder engagement was generally of high quality this year and we continue to see year-on-year improvements in this area. We were pleased to see that the majority of companies in our sample promoted an active dialogue with stakeholders. This contributes to effective two-way engagement. However, reporting in this area is often formulaic and missing specific examples that help companies to demonstrate how they have considered the interests of stakeholders as set out in section 172 of the Companies Act 2006.
We are pleased to see that some companies have provided high-quality explanations of how their stakeholder engagement processes have influenced board decision making and how this has impacted stakeholders. In line with the feedback cycle, which we have included in previous annual reviews, effective reporting on engagement includes:
* **Inputs** – Who is responsible for engaging and why are they engaging?
* **Outputs** – What issues were raised during the engagement?
* **Actions** – What actions have the board taken as a result?
* **Impacts** – What impact have these actions had on stakeholders and the company?
The majority of companies had a comprehensive explanation of their inputs and explained their engagement methods well. The most common engagement methods used with customers were:
* Customer satisfaction surveys.
* Partnering with customers on product development.
* Board members reviewing customer complaints.
* Customer research.
* Trade shows.
We continue to see the use of net promoter scores (NPS) as a way of measuring customer satisfaction. Companies that reported well on the use of an NPS score disclosed what their target was, whether they met their target and if they didn't, what measures they would take to ensure that their target is met in the future. It was good to see that 9% of companies used their NPS score as a KPI for the board.
Performance reviews and meetings continue to be the most commonly used methods of engaging with suppliers. One company developed a stakeholder engagement forum that brought together all of their stakeholders to share their views in order to make improvements across the group of companies. The aim of the forum was to understand priorities, project pipelines and to develop trust and confidence in the Group.
A handful of companies highlighted how their stakeholder engagement initiatives link to their strategy. Some companies identified strategic pillars that were linked to each stakeholder group.
<blockquote markdown="1">
**Example**
"Engagement with key customers during the year influenced the Board's discussions and decisions regarding the annual budgeting and long-term strategic planning processes for the Group."
**Source:** AG Barr Annual Report, 2022, p.78
</blockquote>
This year we were pleased to see that nearly 70% of companies highlighted examples of issues that each stakeholder group had raised during the year.
Common themes and insights that were raised by suppliers included:
* Health and safety.
* Product development.
* ESG targets.
ESG matters were of high importance to many stakeholder groups in our sample. Feedback from customers highlighted that recyclability of products, decarbonisation and climate change were among the issues most important to them. Cost-of-living pressures and the impacts of COVID-19 were also high on the agenda.
Some companies listed 'what matters' to each stakeholder group without explaining whether these were issues raised by stakeholders, or issues that the company perceived to be important to stakeholders. Being more specific and including an explanation as to why these issues are important to stakeholders would add more value to the report.
We have previously commented on the lack of meaningful explanations of outcomes from stakeholder engagement. This year, we are starting to notice a slight improvement in the quality of outcome-based reporting. We have seen some examples of companies directly addressing issues that stakeholders have raised, as shown in the extracts below:
<blockquote markdown="1">
**Example**
"One area highlighted by customers for improvement was on how 'pain points' were addressed. An example of this was a short period where digital bank account balances were not showing correctly due to an issue with the technical architecture. The Bank's response to this issue, and other pain point matters, is outlined opposite. Following feedback from customers on pain points at various points in the service process, the Company has developed a customer pain management system to address pain points early on, to allow these to be addressed more rapidly and efficiently."
**Source:** TBC Bank Annual Report, 2022, p.146
</blockquote>
To complete the feedback cycle, a few companies explained the impact these actions had on the relevant stakeholder group.
Although we have seen some improvement in outcome-based reporting, the majority of disclosures in this area appear to be general or boilerplate statements that aren't linked to stakeholder views and offer limited value to the reader.
We have seen case studies being used as an effective way of demonstrating how companies have considered the interests of their stakeholders. Case studies can be used as a deep dive into a specific board decision or to look more specifically at an event or action that has affected stakeholders.
<blockquote markdown="1">
**Example**
**Case study**
**Impact of the Russia-Ukraine conflict on procurement**
Most components which go into an engine are bought from our suppliers. Power Systems has established a worldwide supply chain with 130 main suppliers (direct material) with a spend of approximately €1.4bn during 2022 (equalling 80% of the total direct material spend). This spend is managed by an international team of procurement and supply chain experts, located globally.
* **Strong risk management system**
* Due to rising tensions prior to the conflict starting in 2022, Power Systems' risk management indicated a high risk from Ukraine suppliers and built up second sources for Ukraine-based suppliers
* After qualification of the parts, procurement could guarantee the supply of parts through several independent sources, enabling Power Systems to run the assembly without any interruption during the conflict
* **Supplier events**
* Power Systems hosted two supplier expos during 2022, built around critical importance across the supply chain, possible gas and power shortages, the drive for zero defects and CO₂ reduction. Special focus was given to military rising demands and to securing the supply chain
* At the beginning of 2022, Power Systems held an event to recognise their best suppliers
* **Board engagement**
* During March, the Board discussed the direct and indirect impact on the supply chain taking into account the situation in Russia and cost inflation pressure on margins
* During May, the Board discussed scenario planning around targeted sanctions and the proposed impact on non-sanctioned Power Systems customers
* In September, the Board received an update on the strong order position with customers making advance deposit payments to secure orders
* **Collaboration**
* To protect the supply chain from unforeseen difficulties, Power Systems require the supply chain to reduce gas dependencies and therefore require regular progress reports to get an overview of existing risk
* A total of 146 European suppliers were contacted regarding potential energy and gas shortages. These included the top 60 suppliers as well as the energy-intensive suppliers. To minimise the risk, further evaluations were made regarding dual sourcing
* Regular management meetings were held with key suppliers to secure the supply chain, strategic partnerships and capacity to cover order increase in Power Systems during 2023
* **Improvement project**
* The purpose was to stabilise the supply chain processes. It was a cross-Group effort, including logistics, quality and procurement to make the business more resilient and to focus all suppliers on supply chain resilience
* State-of-the-art software solutions were implemented to allow Power Systems to detect supply chain risks at an early stage. Solutions included real time information for buyers and management, together with an established risk monitoring process
**Source:** Rolls-Royce Annual Report, 2022, p.53
</blockquote>
We encourage companies to report on their progress in addressing issues raised by stakeholders. In some instances, it is likely that the desired outcome will not be achieved immediately; in these cases, companies could disclose their intentions and outline how the outcomes will be achieved.
<blockquote markdown="1">
**Key Message: Outcomes**
Reporting on intermediary outcomes or milestones is a good way of demonstrating to the reader that the company is working towards a particular outcome.
</blockquote>
### Communities
Some companies gave examples of charitable initiatives which contribute to the communities in which they operate. Many companies reported that these build trust in their relationships with these communities.
Some companies reported well on how they have considered the impact of their operations on the environment, but unfortunately too few extended this to the impact on the communities in which they operate. Companies that addressed this provided declaratory statements.
<blockquote markdown="1">
**Key Message: Communities**
Reporting meaningfully on these community considerations demonstrates that companies are aware of any potential negative impacts and are actively working to mitigate the negative effect on the communities.
</blockquote>
### Prompt Payment
When we first assessed reporting in this area in 2020, we considered reporting on prompt payment in the context of how companies engage with their suppliers.
The Code does not ask companies to report on the payment terms of their suppliers, but companies should engage with their stakeholders, and suppliers are included within this group. Payment practices can be an indicator of the relationship a company has with its suppliers. This year we looked for any reference to supplier payment policies in our sample and whether or not companies are signatories to the Prompt Payment Code (PPC).
One third of the companies in our sample reference payment terms. This is similar to our 2021 assessment as 40 companies previously referenced payment terms for their suppliers. Twelve companies noted that they are signatories to the PPC, with two companies noting that they align themselves with the prompt payment government guidelines. Sixteen companies explicitly noted that they have a prompt payment policy and four companies detailed how prompt payment had been prioritised at board level.
<div class="chart-description" markdown="1">
**Prompt Payment**
A pie chart illustrating prompt payment practices:
* 70% Clearly described their payment policies.
* 16% Described either their standard payment term timelines or early payment facilities for suppliers.
* 14% Do not describe their payment policies in their annual reports.
</div>
For example, Vanquis Banking Group plc noted it was a signatory of the PPC and that its board oversees the promptness of payments to suppliers.
### Workforce Engagement
In line with reporting on stakeholder engagement, reporting on engagement with the workforce is generally of high quality and offers meaningful information. A significant majority of companies explained how the views of the workforce were escalated to the board for consideration and we continue to see forward-looking methods of workforce engagement which operate with the objective of achieving outcomes for the workforce. This year we were also pleased to see that a number of companies listed workforce engagement as a KPI.
This year we have seen some good explanations of why a particular NED is suitable for the role as the designated NED for workforce engagement. Companies have considered the following:
* Their background.
* Previous roles.
* Their level of exposure to a range of stakeholders.
* Their skills and perspectives.
#### Mechanisms
A designated NED responsible for workforce engagement continues to be the most frequently used engagement mechanism, with 58% of companies this year choosing to adopt this method.
The use of Q&As with a designated NED can be an effective way of explaining to the reader how the views of the workforce are escalated to the board and to highlight the key issues that were raised by employees. This gives the designated NED the opportunity to set out their highlights from the year and to demonstrate the value that their role brings to the company.
Many companies continue to use formal workforce advisory panels as an effective way of engaging with the workforce. One company had a dedicated board-level Workforce Engagement Committee that meets with employees face-to-face to hear their views and escalate issues to the board. The Committee aimed to assist the board in fulfilling its oversight of workforce engagement and works with management to fulfil the four priorities of its Global People Strategy. While this approach may not be suitable for all companies, it demonstrates how engagement mechanisms can be tailored to meet each company's strategic goals.
Unfortunately, some companies that used a variation of a workforce advisory panel to engage with their employees had a weak explanation of how views of the workforce are considered by the board. Companies that had workforce advisory panels with a clear conduit between them and the board appear to work more effectively.
As with previous years, there is no increase in companies appointing a workforce director. The handful of companies that reported on this approach last year demonstrated that it is an effective way of engaging with employees and discussing their issues at the board.
Of the companies that proceeded with one of the engagement mechanisms specified in Provision 5 of the Code, fewer than 15% explained how their chosen mechanism is kept under review to ensure that it remains effective. It is important that companies use engagement mechanisms that are tailored to their organisation and add value to their own workforce in working towards executing their strategy.
<blockquote markdown="1">
**Key Message: Engagement Mechanisms**
Very few companies explained why they consider their engagement mechanisms to be effective. Provision 5 of the Code states that companies should keep their mechanisms under review so that they remain effective.
</blockquote>
<blockquote markdown="1">
**Example**
"Having a Designated Non-Executive Colleague Champion directly engaging with colleagues promotes a culture of openness, inclusivity and transparency; that's the feedback we have received from colleagues."
**Source:** Vanquis Banking Group Plc Annual Report, 2022, p.86
</blockquote>
Some boards monitored the effectiveness of their engagement mechanisms with the assistance of their nomination committees.
<blockquote markdown="1">
**Example**
'The (Nomination) Committee continues to monitor progress of the Workforce Engagement Programme including output actions and will have oversight of the implementation process of the Group's redefined Triple A values driven by the employee culture and values survey feedback.'
</blockquote>
To enhance reporting, the company could explain how the nomination committee monitors progress of the programme and give examples of outputs. Companies that reported well in this area explained why their chosen engagement mechanism was suitable for the size and nature of their organisation, as highlighted in the following example:
<blockquote markdown="1">
**Example**
'The Board reviewed its mechanism for workforce engagement and established the Committee in June 2021. The Code requires boards to keep engagement mechanisms under review so that they continue to remain effective. The views and concerns of our workforce are important to be taken into consideration during Board deliberations. The Board considered the workforce engagement mechanisms in place and believed that a Board-level Committee with responsibility for workforce engagement is appropriate given the size and scale of the Group, the differing cultures within each division, and the sub-cultures that exist within our brands. Travel restrictions imposed during COVID-19 meant the Board were unable to meet with colleagues during 2021. The Board believe it is important to meet with the workforce to hear directly from them on their views and concerns.'
**Source:** Flutter Entertainment Annual Report, 2022, p.138
</blockquote>
We continue to see the use of alternative arrangements and some effective ways of engaging with the workforce. Many of the explanations of why the mechanisms are considered to be effective are vague. Explanations should clearly state that they have proceeded with an alternative arrangement and evidence that they have assessed the engagement mechanism to ensure that it is continually effective.
#### Outcomes
We have seen some good examples of actions implemented as a direct result of feedback from the workforce. These examples are most useful when there is a clear link between a specific issue raised by the workforce during their engagement and an action that the board has implemented with the intention of addressing this issue.
Companies that explained the actions and outcomes of engaging with the workforce discussed issues in relation to matters such as the following:
* IT upgrades.
* Improving communication.
* Employee benefits and wellbeing.
* Learning and development.
Many companies reported on the impact of the cost-of-living crisis and the actions that they implemented as a result with an aim to support their workforces. Unfortunately, most of these examples were boilerplate statements.
Better reporters in this area explained that the workforce had specifically raised concerns about the impacts of the cost-of-living crisis and so the board had decided to address this. Companies that listed multiple issues and actions tended to report more meaningfully.
<blockquote markdown="1">
**Example**
'Promoting Juneteenth – the Beazley RACE network received feedback from our US workforce on the importance of recognising Juneteenth as an official holiday. As a result, the executive leadership team gave its support to granting Juneteenth as a holiday for all of our US workforce from 2023.'
**Source:** Beazley Annual Report, 2022, p.51
</blockquote>
Some companies disclosed actions implemented following a clear stakeholder engagement feedback cycle. Company specific examples that are linked to either points of interest to their workforce or to delivering company strategy add more value to the report.
<blockquote markdown="1">
**Example**
| Topic | When | Matter raised | Action taken | Impact/Outcome |
|:--|:--|:--|:--|:--|
| Uniform upgrades | January 2022 | Suitability of design and availability of our PPE and uniforms for site-based employees | Following engagement and feedback from several working groups a full review of work wear and PPE was completed and a new supplier was sourced and agreed | A new range of uniforms, which meets the needs of employees, will be rolled out during 2023 |
| Informal engagement sessions | January 2022 | Additional lines of communication between the Board and employees would be beneficial to ensure regular two-way flows of information | The Employee Champion held three additional informal engagement sessions with junior to mid-level employees outside the NEF | The additional sessions led to more immediate and less formal connections with good quality conversations |
| InHouse improvements | January 2022 | The Company's intranet, InHouse, was difficult to navigate as the search function was not user-friendly | Additional training was made available to enable content owners to keep the information up to date and the search function was changed to deliver results by date rather than relevance | User experience has improved following the training and enhanced search functionality. Ongoing improvements are being considered to further improve InHouse |
| Expenses | July 2022 | Difficulty in accessing and using the online system to claim back out of pocket expenses | Additional training was made available to ensure the system is accessible | The additional training was rolled out in September 2022 which has improved the accessibility of the system. In addition, the external online system provider has reduced their response time to queries to further support employees |
**Source:** Taylor Wimpey Annual Report, p.105
</blockquote>
## Environment and Task Force on Climate-related Financial Disclosures
### Climate reporting
Although the Code does not specifically ask for reporting on environmental issues, it does consider the governance of risk, engagement with stakeholders and section 172 reporting. Therefore, we have considered environment and Task Force on Climate-related Financial Disclosures (TCFD) reporting for a third year. TCFD reporting became mandatory for premium listed companies from 1 January 2021. We were pleased to see that throughout the year, the companies within our sample had taken steps to improve their reporting and strengthen their governance of climate-related issues. We expect this improvement to continue.
### Stakeholder
Almost a quarter of companies in our sample identified the environment as a key component of their section 172 statement. These were often service sector companies, for example: travel and leisure, industrials, media and software service providers. It was good to see some companies set out how they engage with stakeholders and include the outcomes of that engagement.
### Statement of consistency with the TCFD framework
Listed companies are required to include a statement in their annual report stating whether they have made disclosures consistent with the TCFD framework on a 'comply or explain' basis. Of the 100 companies in our sample, 57 companies stated that they had provided disclosures fully consistent with all the TCFD recommendations and recommended disclosures.
Last year we found that 18 companies stated they were partially consistent with the TCFD Recommendations and Recommended Disclosures. This year 43 companies stated they were partially consistent, where some disclosures were not provided or provided only in part. While the number of companies explicitly stating that they were partially compliant with the TCFD recommendations has increased since last year, it was encouraging to see explanations given for the gaps. Listing Rule 9.8.6R requires companies to state the timeframe within which they expect to be able to make any recommended disclosures that were not provided. The following is an example of such an explanation.
<blockquote markdown="1">
**Example**
'...the disclosures are consistent with the TCFD recommendations other than:...
* Impact of climate-related risks and opportunities on the business, strategy and financial planning: We do not disclose the impact of overheating and water stress. This is because additional modelling is required for the impact to be quantified. Additional modelling will be undertaken during 2023 and reported in our next disclosure. Other than the impact of the Future Homes Standard, we do not take account of other climate-related risks and opportunities in our financial planning for the reasons explained below. Additional modelling and more confidence in the potential financial impacts is required before this can be completed.
* Risk management: Currently management of our climate-related risks are not integrated into our existing risk management framework. In the coming year such risks will be integrated into the framework.
**Source:** Vistry Group Annual Report, 2022 p.49
</blockquote>
We would like to remind companies that a good statement clearly explains a company's level of consistency with the TCFD recommendations and recommended disclosures, states any areas where they are not yet compliant, and avoids vague statements. Many companies provided a table including a key to show the areas in which they are compliant or partially compliant with the TCFD recommendations.
<blockquote markdown="1">
**Example**
**TCFD at a glance**
<div class="table-container" markdown="1">
| Pillar | Recommended Disclosures | Actions | Location in Annual Report | FY22 | FY23 | FY24 |
|:-----------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------|:----------------------------------------------------------------|:--------------------------|:----:|:----:|:----:|
| **GOVERNANCE** Disclose the organisation's governance around climate-related risks and opportunities. | a) Describe the Board's oversight of climate-related risks and opportunities. | Ensure governance structure is maintained. | page 75 | A | A | M |
| | b) Describe management's role in assessing and managing climate-related risks and opportunities. | Executive targets to be aligned with carbon reduction targets. | page 119 | A | A | C |
| **STRATEGY** Disclose the actual and potential impacts of climate-related risks and opportunities on the organisation's businesses, strategy, and financial planning where such information is material. | a) Describe the climate-related risks and opportunities the organisation has identified over the short, medium, and long term. | Annual review and further incorporation into business strategy. | page 32 | | C | |
| | b) Describe the impact of climate related risks and opportunities on the organisation's businesses, strategy, and financial planning. | Quantify the impacts on our financial planning. | pages 33 and 34 | A | A | C |
| | c) Describe the resilience of the organisation's strategy, taking into consideration different climate-related scenarios, including a 2°C or lower | Develop robust scenario analyses to test the resilience of the business. | page 32 | — | | C |
</div>
**Source:** De La Rue Plc Annual Report, 2022, p.30
</blockquote>
### Governance of climate-related issues
As mentioned last year, better reporting in this area included clear and specific disclosure of the governance structures and processes by which the board considers climate-related issues. It was good to see almost all companies outline the board and management's oversight of climate-related risks and opportunities. Companies that did this particularly well described engagement with other departments across the organisation and described how effective communication between board, executive and business levels is achieved including processes and frequency by which the board and/or committees are informed about climate-related issues. Some companies also included a diagram showing responsibilities for climate-related information across the organisation.
This year 46 companies had board-level committees such as sustainability, ESG and corporate social responsibility committees, which are responsible for assessing and considering environmental issues. Almost a quarter of these were created in the past year, all of which belonged to an even mix of FTSE 100, FTSE 250 and Small Cap companies. A good example we found of this was a Sustainable Development Committee (SDC) made up of three non-executive directors, the CEO and the Senior Independent Director. Other regular attendees of the SDC included:
* Chief Financial Officer (CFO).
* Chair and non-executives who are not members of the committee.
* Group Technical and Sustainability Director.
* Group Head of Sustainable Development.
* Group Head of Safety & Health.
Other approaches include a management or executive level environment committee, or a climate-specific group below board and executive level. For example, one company had an ESG Sub-committee, TCFD Working Group and a Carbon Steering Committee. Only nine companies this year had none of these structures in place.
<div class="diagram-description" markdown="1">
**Example**
This diagram illustrates the governance structure for climate-related issues across different organisational levels:
**Board Level**
* **Board of Directors**
* Sets SSE's purpose, vision and strategy.
* Oversees SSE's material sustainability matters including climate change.
* **Nomination Committee**
* Responsible for Board appointments to support SSE's strategy.
* **Audit Committee**
* Oversees SSE's climate-related financial disclosures in SSE's Annual Report.
* **Safety, Sustainability, Health and Environment Advisory Committee**
* Oversees SSE's climate adaptation and resilience plans.
* **Remuneration Committee**
* Responsible for Remuneration Policy that includes climate factors.
* **Group Risk Committee**
* Reviews the processes, controls and content of climate-related financial disclosures.
**Executive Level**
* **Group Executive Committee**
* Implements SSE's strategy which includes climate change policies and practice.
**Business Level**
* **TCFD Steering Group**
* Advises on the development of comprehensive, fair, balanced and understandable climate-related financial disclosures.
* **TCFD Working Group**
* Responsible for the production of SSE's climate-related opportunity and risk disclosures with appropriate stakeholder input.
**Source:** SSE Annual Report, 2022, p.37
</div>
### Metrics and targets
As set out in our Corporate Reporting Review (CRR) **Thematic review of climate-related metrics and targets**, climate-related metrics and targets, including 'net zero' plans, are seen as increasingly important by investors and other stakeholders, who expect comparable, clear information explaining company targets, the metrics to track climate risks and the plan for transitioning to a lower-carbon economy.
#### Metrics
For many companies that reported partial compliance with the TCFD recommendations, the reason full compliance had not been achieved was the integrity and availability of Scope 3 GHG emissions data. Nonetheless, it was good to see over 90% of companies report at least some of the 15 Scope 3 emissions categories. Although this was around a 25% increase from last year, the reporting was often limited to only one or two categories, such as business travel and/or employee commuting. It was, however, good to see more companies assessing which Scope 3 categories are relevant or not relevant to them.
For many companies their Scope 3 emissions will be much more significant than their Scope 1 and 2 emissions. We would like to see disclosure of the methodology used to calculate data. Companies should offer information on the work that will support future reporting, and provide clarity on which of the Scope 3 categories they will include.
#### Targets
Most companies in our sample disclosed targets in relation to climate-related issues. While most companies had set net zero or other climate-related targets, the metrics used to track progress were sometimes unclear and explanations of performance were not always provided.
<blockquote markdown="1">
**Example**
**SCOPE 3 TOTAL ANNUAL GHG EMISSIONS**
<div class="table-container" markdown="1">
| Scope 3 category - continuing operations only | Evaluation status | 2022 tCO₂e | 2021 tCO₂e\* |
|:----------------------------------------------|:------------------------------------|:-------------|:-------------|
| 1. Purchased goods & services | Relevant, calculated | 659,775 | 580,050 |
| 2. Capital goods | Relevant, calculated | 9,149 | 11,686 |
| 3. Fuel & energy related activities | Relevant, calculated | 41,601 | 43,472 |
| 4. Upstream transportation & distribution | Relevant, calculated | 141,282 | 110,679 |
| 5. Waste generated in operations | Relevant, calculated | 17,457 | 17,408 |
| 6. Business travel | Relevant, calculated | 14,029 | 1,976 |
| 7. Employee commuting | Relevant, calculated | 8,631 | 6,258 |
| 8. Upstream leased assets | Not relevant, explanation provided | 0 | 0 |
| 9. Downstream transportation & distribution | Relevant, calculated | 78 | 21,477 |
| 10. Processing of sold products | Not relevant, explanation provided | 0 | 0 |
| 11. Use of sold products | Relevant, calculated | 37,530,503 | 36,087,680 |
| 12. End of life treatment of sold products | Relevant, calculated | 1,061 | 915 |
| 13. Downstream leased assets | Relevant, calculated | 7,530 | 0 |
| 14. Franchises | Not relevant, explanation provided | 0 | 0 |
| 15. Investments | Relevant, calculated | 6,248 | 0 |
| **Total** | | **38,437,344** | **36,881,601** |
</div>
**Source:** Weir Group Annual Report, 2022, p.55
</blockquote>
As they continue to develop their business strategies to meet the challenges of climate change and the climate transition, companies need to set out their targets and progress against them. For example:
* **Commitments** – providing clarity on what the commitment includes and importantly what is not included.
* **Impacts** – explaining how the targets may impact the company's strategy and business model, including information on transition plans, risks and opportunities, any assumptions made and uncertainties.
* **Performance** – how progress will be measured in the short, medium and long-term and how data quality and accountability will be ensured and by whom.
#### Board expertise
Similar to last year, we found that only around one quarter of companies disclosed senior management expertise or knowledge in the report. Although some companies did highlight that board members had expertise, there was little to no description of what the expertise or knowledge was.
<blockquote markdown="1">
**Example**
'Having actively worked in climate research and pioneering women in STEM careers, sustainability and corporate ethics are key areas of interest. As Chair of the Safety, Ethics & Sustainability Committee, draws on her experience as a member of two other listed companies' sustainability committees which is invaluable to the Group as it develops its sustainability strategy.'
**Source:** Rolls-Royce Annual Report, 2022, p.63
</blockquote>
While it is not a requirement to have a board member with climate and sustainability expertise, good reporting explains how the board and its committees obtain decision-useful information on sustainability.
#### Assurance
Different forms of assurance are being sought by companies. This year 65% of our sample obtained some form of external assurance over at least some aspect of their TCFD data disclosure, which is an increase on last year. Of the external assurance sought, less than 25% was from audit firms while others used specialist environmental consultancies.
#### Climate change and risk
Similarly to last year's review, we looked at how companies are considering climate-related risks, and found that in this year's sample:
* 60 companies identified climate change as a principal risk.
* 17 companies identified climate change as an emerging risk.
<div class="table-container" markdown="1">
| | Principal risk 2021 | Principal risk 2022 | Emerging risk 2021 | Emerging risk 2022 |
|:----------------------|:--------------------:|:--------------------:|:-------------------:|:-------------------:|
| Number of companies | 41 | 60 | 30 | 17 |
</div>
While the data in the table shows that significantly more companies in 2022 had climate change as a principal risk compared to 2021, only one company in our sample reported elevating climate change from an emerging to principal risk during the reporting period.
## 2 and 3. Division of Responsibilities/Composition, Succession and Evaluation {: #section-2-and-3-division-of-responsibilities-composition-succession-and-evaluation }
### Diversity
#### Diversity policy
Provision 23 of the Corporate Governance Code states that companies should disclose 'the policy on diversity and inclusion, its objectives and linkage to company strategy, how it has been implemented and progress on achieving the objectives; and the gender balance of those in the senior management and their direct reports'.
It is positive to see that the number of diversity policies included in annual reports has risen, with 99 companies disclosing that they have a company-wide diversity policy.
The approach to diversity and inclusion policies differed between companies in our sample. Below are examples of different ways in which companies reported on their respective diversity and inclusion policies:
* Providing specific targets and objectives.
* A link to the diversity policy on their company website.
* Providing information on gender and ethnicity pay gaps.
* Providing a link to workforce or senior leadership initiatives.
* Generic statements on the importance of diversity and inclusion.
In line with Provision 23, better reporting included progress made on achieving objectives and targets, and improvements year on year. For example, one company reported the increase in women in management roles and senior leadership roles from 2021 to 2022.
#### Link to company strategy
Despite improvements in this disclosure, we continue to find weaknesses in reporting against this provision, particularly regarding the link between diversity and inclusion policy and company strategy. The overall links to company strategy are hard to find, however, we did see references to diversity strategies.
For example, one company noted that it will continue to deliver on its inclusion and diversity strategy by appointing a new executive committee sponsor for inclusion and diversity strategy. This new Chief Culture and People Officer elevates the strategic focus (of their company) on having a diverse culture.
#### Gender and ethnicity targets
As a part of our analysis, we examined how diversity targets were reported in annual reports. Most companies were aligned with the FTSE Women Leaders Review and Parker Review targets, and progress has been made in accordance with both.
The Hampton Alexander Review set a target of 33% of board positions held by women for FTSE 350 companies, not including Small Caps. From our sample of 100, 83 FTSE 350 companies met this target.
The FTSE Women Leaders Review (which updated the Hampton Alexander Review) has set updated targets which are 40% women representation on the board by end of 2025, and it is encouraging to see companies already achieving this target. 40 FTSE 350 companies within our sample of 84 FTSE 350 companies have already met this 40% target. It is also encouraging to see that 35 noted that they aim to meet these by 2025. However, few provided information on how they proposed to achieve this or had any milestones for doing so.
The 2024 Parker Review encourages FTSE 250 companies to have at least one ethnic minority director on the board. It has been encouraging to see that out of the 45 FTSE 250 companies in our sample, 33 have met the Parker Review 2024 targets. In 2023, the Parker Review set new targets for FTSE 350 Companies to reach by
- Companies will need to set their own target for the percentage of senior management who self-identify as being an ethnic minority. It will be interesting to see how companies report on their progress against these targets in future reports.
In 2022, the Financial Conduct Authority published their diversity proposals. The targets operate on a comply or explain basis and aim to improve the representation of women and ethnic minorities at board and executive level. One of the measures encourages certain listed companies to have at least one of the senior board positions (Chair, CEO, Senior Independent Director (SID) or CFO) to be a woman. The following table sets out our findings for our sample of 100 companies.
**Women in senior leadership roles**
<div class="table-container" markdown="1">
| Senior Independent Director (SID) | Chair | CEO | CFO |
|:---------------------------------:|:-----:|:---:|:---:|
| 31 | 13 | 8 | 21 |
</div>
#### Sector-specific diversity trends
Although reporting on gender and ethnicity diversity statistics is increasingly prominent, only a small number of companies reported on diversity targets other than gender and ethnicity targets by considering social mobility, disability and LGBTQ+ people in senior management.
Our analysis found that telecommunication and entertainment companies have the most expansive list of diversity targets and objectives for senior management and boards.
We also investigated if companies were reporting beyond gender and ethnicity targets. One telecommunication organisation provided a metric disclosing disability in senior leadership. We also found one company that had a specific neurodiversity plan aimed at improving neurodiversity at senior management level. It is positive to see some companies move beyond gender and ethnicity and address diversity from different angles.
#### Initiatives
The best reporting on initiatives described specific programmes aimed at improving diversity at board and senior management level.
For example, Flutter Entertainment noted that it has an initiative targeted at women in senior management:
<blockquote markdown="1">
**Example**
'We have an initiative titled the Rising Leaders and the first cohort of 15 women were selected to participate in the six-month programme. The aim of the programme is to increase the pipeline of female leaders and to enhance talent development and retention...'
**Source:** Flutter Entertainment Annual Report, 2022, p.65
</blockquote>
ITV noted its initiative to improve disability and neurodiversity in senior management:
<blockquote markdown="1">
**Example**
'ITV completed the second year of ITV's Step Up 60 initiatives, creating a further 61 opportunities (123 over two years) for People of Colour and/Deaf, disabled and neurodiverse people to step up to more senior roles in production. Additionally, 30 Deaf, disabled and neurodiverse people received virtual training across departments working on Ralph and Katie, which is co-produced by ITV Studios.'
**Source:** ITV Annual Report, 2022, p.54
</blockquote>
Most companies also reported on several other initiatives and targets they have in place to improve their talent pipeline in the workforce as whole.
For example, some financial organisations disclosed their involvement in initiatives such as Women in Finance to improve their diversity at workforce level.
Many companies do not specifically refer to initiatives of their subsidiaries. Therefore, it was positive to see that one parent company set out targets for one of its subsidiaries.
The following example is from RELX Group, the parent company of Elsevier:
<blockquote markdown="1">
**Example**
'In 2022, Elsevier launched its Enabled Mentoring Programme with the aim of matching seven pairs of employees who have a disability, including those who are new to the organisation or those who have been recently diagnosed with a disability and foster confidence at work.'
**Source:** RELX Group Annual Report, 2022, p.50
</blockquote>
Some companies only refer to their employee networks, with one company specifically referring to its LGBTQ+ network and Black History Month event. However, this included no explanations into how these resource groups have helped to promote diversity. We encourage companies to provide a sufficient explanation of how these employee networks have contributed to improving their diversity targets.
Overall, companies have improved in disclosing certain aspects of diversity reporting within their annual reports. It has been positive to see the objectives, targets and progress companies have made to develop diverse boards and senior management. More can be done by companies to ensure that there is a link between company and diversity strategy. We continue to ask companies to define their business strategy clearly and link this to their diversity objectives.
### Board Evaluation
This year only three companies within our sample had neither an internal nor external evaluation, two companies deferred their external evaluation to the following year due to changes to the board and one company gave no explanation for this. Of the 97 companies that did conduct an evaluation, almost a third (30) of these were externally evaluated.
#### Reporting approaches
In our 2021 review, we reminded companies that the Guidance on Board Effectiveness states that questionnaire-based external evaluations are unlikely to give a high-quality assessment of board effectiveness. Since then, there has been some improvement in the reporting of companies' evaluation processes.
This year our analysis showed that of the 30 companies that conducted an external board evaluation, more than two-thirds used questionnaires and/or one-to-one interviews. Similarly, of the companies that had an internal board evaluation, almost two-thirds used questionnaires and/or one-to-one interviews. Most companies highlighted that a report was prepared as a result of the external evaluation and, in the majority of cases, was discussed with the chair and discussed by the board and each of the committees. In some instances, the SID met the directors and the company secretary to review the chair's performance.
While it was good to see an improvement in reporting approaches, many companies continued to use only questionnaires to conduct their evaluation and some companies gave no detail on how the evaluation took place.
As with the findings from our 2021 Review of Corporate Governance Reporting, reporting on actions and outcomes arising out of the board evaluation was mixed. Many companies continued to use boilerplate statements such as 'the board and each of its committees are operating effectively.' Some companies did, however, accompany these statements with areas of board strengths, which provided some additional insight. It was also encouraging to see many companies include recommendations to improve effectiveness and areas of focus for the following year.
Some companies did set out the outcomes from the review and the agreed actions for the coming year.
<blockquote markdown="1">
**Example**
**2022/23 evaluation – Board**
<div class="table-container" markdown="1">
| Outcome | Key themes and areas for focus | Action |
|:--------------------------|:-------------------------------|:-------|
| Strategic oversight | KPIs | To include a dashboard of key financial metrics in Board papers for each meeting – also covering markets in which we operate. |
| | Digital and data developments | The Board will strengthen the IT function, cybersecurity and disaster recovery plans. |
| | Risk | Strengthening of financial internal controls. |
| Stakeholder oversight | Partners, customers and suppliers | Our directors will engage with stakeholders in more ways during the year. Our Board seeks more direct engagement with our key partners, customers and suppliers. The management team and company secretary have been tasked with identifying meaningful opportunities to engage and manage relationships with our suppliers. |
| | Workforce engagement | The Board will identify and create more opportunities to engage directly with our wider workforce across geographies and for monitoring employee sentiment and culture. |
| Governance and compliance | Board composition | We'll review the size and composition of the Board, with a view to including more telecom/fintech experience and African resident members with specific finance skills. |
| | Board agenda | The evaluation identified topics to be added to the rolling forward agenda, the need for sharper focus on areas where management require Board input and suggestions for various improvements to the content and presentation of papers. More focus on talent, succession and career planning. |
| Sustainability strategy | Ensuring that our sustainability agenda is central to the Board's discussions and decisions, and the company's business practices and processes | The Board has requested one meeting a year be allotted specifically to discussion of the sustainability strategy – which will be followed up with regular updates at each meeting. |
</div>
**Source:** Airtel Africa Annual Report, 2022, p.116
</blockquote>
<blockquote markdown="1">
**Example**
'Whilst the report did not identify any significant areas of weakness in the effectiveness of the Board and its Committees, it provided recommendations to the Board as opportunities to enhance its current operations. The Board has considered these recommendations and in response has proposed to take the following actions:
- Consider ways in which the Board's review of strategy should evolve over the coming years as the Group approaches the next stage of its diversification.
- Review the whistleblowing processes and channels to the Board and re-launch an awareness campaign of whistleblowing procedures to all groups of the workforce.
- Identify ways in which the Board could more regularly, and informally, engage with various groups of stakeholders, including shareholders and the wider workforce.
- Develop a mentoring programme for potential future leaders in the Group and Board members.'
**Source:** STV Group Plc Annual Report 2022, p.65
</blockquote>
This year, 65 companies referred to a previous evaluation, with many companies setting out the actions and outcomes against the prior year's recommendations in a table. An example can be seen in the following:
<blockquote markdown="1">
**Example**
<div class="table-container" markdown="1">
| Themes identified end of 2021 | Progress in 2022 |
|:------------------------------|:-----------------|
| **Board composition and diversity** | |
| Opportunity for enhancing skills on the Board. | The Nomination Committee considered Committee membership requirements at its April 2022 meeting and reviewed Non-executive Director skills and updated the Board's list of desirable skills in October 2022. Further actions around succession planning have been set for 2023. |
| A request for another member of the Audit Committee. | ...joined our Board in May 2022 and joined both the Audit and Risk Committees. |
</div>
</blockquote>
#### Committee evaluation
Companies are reminded that there should be a formal and rigorous annual evaluation of the board, its committees, the Chair and individual directors. We recognise that the findings of the evaluation and recommendations for actions are sensitive and confidential and cannot be disclosed in the annual report. Nevertheless, companies should describe aspects of the board's performance where they have concluded there is a need for improvement.
There continues to be less insight into the outcomes of committee evaluations. However, we did see one good example of the committee evaluations outlined in the relevant committee reports. The following is an example from the nomination committee report:
<blockquote markdown="1">
**Example**
**Evaluation confirmed**
- A robust process supports the review of Board composition and capabilities and has resulted in effective succession planning across non-executive roles.
- Work on senior leadership pipelines with Group HR strengthened and enabled deeper discussion surrounding talent and capability.
- A clear rhythm of work had been established to review the impact of inclusion and diversity strategy at all levels, creating a platform to drive progress.
**Actions for 2023/24**
- Board composition. Focus should be maintained on the collective and individual skills of the Board, in the context of tenure and SSE's long-term growth, with support for transitions in membership.
- Executive succession and talent pipeline. Positive challenge should continue surrounding the depth and breadth of succession plans for senior leadership, alongside work on internal and external talent pools.
- Inclusion and diversity. The amplification of the inclusion and diversity agenda should be supported; assessing progress and identifying where targeted action is needed to deliver change.
</blockquote>
Unfortunately, many companies in our sample did not mention the extent to which composition and overall diversity were considered by the review. While these companies often set out the composition of the board and their diversity policy in other areas of the report, we would like to remind companies that, in line with Principle L, composition and diversity should be considered at the annual evaluation of the board. Enhanced reporting could include focus areas for the review and link these to the evaluation outcomes and recommendations.
## 4. Audit, Risk and Internal Controls
### Audit
Provision 26 asks the audit committee for 'an explanation of how it has assessed the independence and effectiveness of the external audit process and the approach taken to the appointment or reappointment of the external auditor, information on the length of tenure of the current audit firm, when a tender was last conducted and advance notice of any retendering plans'.
#### Independence
Every company provided at least some information relating to the independence of the external auditor, compared with ten companies that did not address it last year. As we found last year, two companies indicated that their audit committee's assessment of independence was solely based on assurances provided by the external auditor themselves.
Better reporting included detailed discussions of the safeguards used to protect the external auditor. These included:
- Restrictions on the employment of certain employees of the external auditor.
- Rotation of the lead audit partner.
- Independent professional standards review of the work carried out by the external auditor.
<blockquote markdown="1">
**Example**
'The Committee received an overview from EY of the policies and procedures in place to safeguard auditor objectivity and independence. These included annual confirmation by all EY professionals of compliance with independence policies and procedures, and wider processes and systems to monitor potential threats to auditor independence throughout the year. EY gave the annual confirmation of its independence to the Committee, confirming in particular that no partners or staff held any financial interests in the Beazley Group and that its ethics and independence policies are consistent with the requirements of the FRC's ethical standard.
Having taken into account the following factors, the Committee concluded that EY was independent from the Group throughout the year and to the date of their audit report:
- Non-audit services provided by EY complied with the Group's non-audit policy and the requirements of the FRC's ethical standard.
- EY had complied with the FRC's requirements around rotation of the audit partner and senior members of the audit team.
- The Group has not employed members of the EY audit team or any EY partners during the year.
- EY has confirmed compliance of its staff and partners with EY's internal policies and processes around independence, in particular that no partners or staff held financial interests in the Group.'
**Source:** Beazley Annual Report, 2022, p.96
</blockquote>
There is still room for improvement in reporting. Many companies focused on their non-audit services policy. We expect companies to discuss this, given that there is a risk to an auditor's independence where they are permitted to provide significant non-audit services that are not clearly audit-related. However, the operation of the policy was often discussed in the abstract, without an explanation of why the auditor was permitted to provide certain non-audit services in the year (if any), and why the auditor was considered independent despite providing those services. Also, information on the non-audit services policy was often provided at the expense of an explanation of independence – including how it was assessed and safeguarded.
Overall, boilerplate reporting was still common. Companies should strive to be more specific when reporting on independence.
Effectiveness
Only two companies did not report on effectiveness of the external auditor process. This has reduced from nine last year and 12 in
In addition, only four companies merely confirmed that their external audit process was considered effective.
Most companies provided at least some information on how their audit committee assessed effectiveness. However, many companies focused on the broad process followed in this assessment by providing a list of issues considered or actions taken. They did not include detail on the outcomes of these considerations/actions, how these issues were factored into the committee's conclusions, or what those conclusions were. This might include a list of general points without elaboration:
- The efficiency with which the audit team was able to understand the company and its systems and processes.
- The experience and expertise of the audit team.
- The scope and eventual fulfilment of the detailed audit plan.
- The robustness and perceptiveness of the audit team in its handling of key accounting and audit judgements.
- The nature and quality of the content of the external auditor's report.
Better reporters provided a higher level of specificity, not only in relation to their processes, but also conclusions/findings. Last year's review highlighted that better reporters discussed at least some of the following issues:
- Levels of professional scepticism and challenge displayed by the external auditor.
- The number of meetings the external auditor had with the Audit Committee.
- Feedback from committee members and internal stakeholders on the external auditor.
- The levels of technical skills and experience of the external auditor.
- Response or engagement with FRC Audit Quality Review (AQR) reports.
We found 11 companies that provided good discussions. Better quality reporting is set out in the example below.
Example
'The Committee held private sessions with the external auditor three times during the year. The Committee schedules the private sessions on an alternating basis to ensure the Committee meets with both the internal and external auditor in the absence of executive directors or senior management. This facilitates the ability of the external auditor to raise any issues of concern. In addition to this, the Chair of the Committee meets with the external audit partner quarterly and additional meetings or private sessions are available upon request.
The annual assessment of the external auditor requires the feedback of the Committee and Group and Divisional Heads of Finance. The scores and feedback are shared with the external auditor and an action plan to address remediation needs is developed. The main remediation need identified in relation to the 2021 audit was the need to allow sufficient time for testing and management response ahead of deadlines, though the overall conclusion was that Deloitte LLP remained effective. The FRC conducted an inspection of the 2021 financial statements for Vanquis Bank Limited, the results of which were published in December
The report concluded that 'limited improvements' were required and all findings were addressed by Deloitte during its 2022 audit.
Throughout the year, the external auditor challenged management and demonstrated professional scepticism. One notable example related to the IT controls in the vehicle finance business during the interim period before the systems upgrade; Deloitte debated with management regarding the appropriateness of interim risk acceptances'.
Source: Vanquis Banking Group Plc Annual Report, 2022, p.106
Tender and tenure of the external auditor
Previously, we have highlighted room for improvement in the reporting on the date that the external audit was last tendered and the length of tenure. This year, many companies only reported on one of these issues, and five failed to report on either. We found that 33 companies did not provide any information to indicate the date of the last tender. Additionally, 22 companies did not explicitly state when the last tender was carried out, but provided other information from which this might be implied (usually, the planned date for the next tender). Eight companies failed to disclose the length of tenure. Overall, 20 companies provided comprehensive reporting on both tenure and tender, that is, reporting that covers each of the following:
- When the external audit contract was last tendered.
- When the current auditor was appointed.
- When the external audit contract will likely next be tendered.
Reporting on tender processes
Where a company stated that it had conducted a tender process during the financial year, we reviewed the reporting on that process. We were pleased to see that reporting was generally of a good standard, with most companies attempting to provide readers with detail on the process followed. There were a number of examples of very good reporting, such as this example from Informa Plc. Not only is the timetable for the process and the appointment of the auditor set out, it also gives details of the number of challenger firms approached.
Risk Management
Principle O
The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.
Similar to previous years, we were pleased to find that many companies provide good quality reporting on their procedures to manage risk, with an increased number of companies providing good and specific disclosures.
Reporting on procedures to manage risk should demonstrate how the company identifies, assesses and mitigates its internal and external principal risks. As we have said in our previous reviews, good reporting describes the company's governance structure, which should include the individuals and units within the company and their risk-related duties and responsibilities.
Reporting on Risk Governance and Risk Processes
| Reporting quality | Risk governance | Risk processes |
|---|---|---|
| No information | 4% | 3% |
| Brief or vague explanation | 9% | 13% |
| Generic information | 29% | 22% |
| Good level of information but could be more specific | 23% | 31% |
| Specific and insightful explanation | 35% | 31% |
Good reporting should also include an explanation of the processes in place. For example, it should describe how different groups with risk-related responsibilities interact, discuss and share information, and how the company maintains and reviews documentation. When describing these processes, good reporting includes information about frequencies, for example the frequency of interactions and meetings between each group, of risk assessments and of risk register updates.
Reporting on actions, not just procedures
Nearly half of the companies provided specific and high-quality explanations of their governance structures, while more than half did so for the processes in place. In addition, the best reporters also provided information on how the governance structure and processes were put into action during the year, for example:
- How did individuals discharge their duties and responsibilities and how were processes performed during the year?
- How many times during the year did the board meet to discuss principal risks?
- How was the risk register evaluated or were new risks added to the register?
Repetition
The majority of companies explained their risk management procedures in the strategic report with some information also provided in the corporate governance report, whether in the general section about governance arrangements, the report of the audit committee or the report of the risk committee. We found some companies, including some that provided good reporting in this area, that repeated information within these sections of the annual report.
Repetition increases the length of the annual report and makes it more difficult for readers of the annual report to understand a company's approach to risk management.
Principal Risks
Provision 28 states that the board should carry out a robust assessment of the company's principal risks, describe these risks in the annual report and explain how they are being managed or mitigated. The Code states that principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company's business model, future performance, solvency or liquidity and reputation.
It is for the board to agree the risk appetite and decide which risks are considered 'principal' by considering the potential impact and probability of the related events or circumstances, and the timeline over which they may occur.
All companies in our sample described their principal risks and the actions taken to manage or mitigate them. The disclosures in this area were generally of a good standard.
Key Message: Reporting
Better reporting in this area was specific, concise and avoided repetition.
Number of principal risks disclosed
| Number of principal risks | Share of companies |
|---|---|
| 5 to 9 | 18% |
| 10 to 12 | 51% |
| 13 to 15 | 24% |
| More than 15 | 7% |
When reporting on principal risks, companies should provide a balanced overview of the most significant risks for the company, considering the impact if these risks materialised and the probability of them occurring. Many companies provided high-quality reporting on their principal risks and actions to manage or mitigate them.
However, almost a third of our sample disclosed over 13 principal risks. Such a high number of risks makes it difficult for the users of the annual report to assess which are the most important to the company and how these could threaten its business model, future performance, solvency or liquidity and reputation.
The impact on the company if the risk materialises should be central to reporting. To provide reporting that investors and other stakeholders will find useful and insightful, the focus should be on the most significant risks to the company.
Changes to principal risks
Good reporting on principal risks should not be static but show how risks have changed during the year. Better reporters provided information on:
- Changes to the principal risks from the previous reporting year.
- Why these have changed.
- How the planned managing or mitigation actions have changed accordingly.
- How new risks were introduced and how previous risks were removed from the register.
This gives confidence to shareholders and other stakeholders that the board is regularly monitoring risks, updating the risk register and adjusting the controls to manage or mitigate these risks accordingly.
Emerging risks
In our previous reviews we have emphasised the importance of good reporting on emerging risks. As demonstrated by the events of the past few years, companies should have procedures in place to identify and monitor emerging risks before they escalate to principal risks.
Provision 28 asks companies to confirm that they have carried out a robust assessment of emerging risks and to explain the procedures in place to identify these risks. Reporting in this area remains vague: 21 companies did not confirm in their reports that they had carried out an assessment of their emerging risks, and 22 companies did not explain their procedures to manage these risks.
Only 17 companies provided insightful or specific information about their procedures to manage emerging risks. Good reporting demonstrates that the board is regularly conducting horizon scanning for new risks and that the company has effective procedures to identify and monitor these risks.
Example: A summary of changes to principal risks during the year
In 2022/23, the economic situation remained as uncertain as the previous year, with the continued crisis in Ukraine and shocks to the market from UK Government announcements. Although we performed strongly and managed risks well in 2021/22, this year we amended our principal and emerging risks to account for changes in the market, in society and with our vendors.
As we describe in the following table, this includes:
- The additional financial risk of an increased aged debt profile, with customers slower to pay and the possibility of bad debts
- Amending the Security of supply risk to be called the Vendor concentration risk. By taking the emphasis off hardware, which is a small part of our business, we have highlighted a risk where we are over-reliant on a single vendor
- Merging the two separate risks called Commoditisation and Disintermediation into a single risk called Competition, because the risk and mitigating actions overlapped
- Merging the Keeping pace with digital change risk with the Technology failure risk into a single risk called Business continuity failure, because these risks are core to our business activities
- Evolving the Attract and retain staff risk by adding the element 'while keeping our culture'.
Source: Bytes Technology Annual Report, 2022, p.60
Last year we said that if any emerging risks are identified following an assessment, good reporting would include an explanation of these risks in the annual report. We were pleased to see this year an improvement in the reporting of emerging risks.
| Disclosure of emerging risks | Companies |
|---|---|
| Disclosed at least one emerging risk identified during the year | 48 |
| Said that, following an assessment, no emerging risks had been identified | 3 |

| Explanation of emerging risks | Companies |
|---|---|
| Gave at least some level of explanation of their emerging risks | 38 |
| Provided specific and insightful information | 15 |
| Disclosed management or mitigation actions | 9 |
Example of reporting an emerging risk
| Emerging Risk | Owner |
|---|---|
| Technology disruptors | Chief Marketing Officer and Chief Digital Information Officer |
Risk description
The risk that the Company does not manage its response to evolving technologies effectively. This may include losing competitive advantage as rivals deploy advanced manufacturing technologies, artificial intelligence and robotics to strengthen product development, marketing, production, distribution and support functions. In addition, the rapid emergence of alternative materials might affect demand for our products.
Mitigation
We continue to monitor and review developments in the external market through our networks. This includes innovation and futures sessions with existing suppliers. We are also involved in a range of external technical focus groups to support the identification of future technology trends.
Source: Essentra Annual Report, 2022, p.58
Monitoring and reviewing the effectiveness of the risk management and internal control systems
The Guidance on Risk Management, Internal Control and Related Financial and Business Reporting explains: 'The existence of risk management and internal control systems does not, on its own, signal the effective management of risk. Effective and ongoing monitoring and review are essential components of sound systems of risk management and internal control.' Provision 29 of the Code states that 'The board should monitor the company's risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.'
Annual Review – Scope
In our previous reports, we have emphasised the importance of reviewing the effectiveness of the risk management and internal control systems at least annually. The board should define the processes to be adopted for its ongoing monitoring and review, including specifying the requirements, scope and frequency of reporting.
When reviewing effectiveness, the board should consider the systems as a whole. According to the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting: 'A company's systems of risk management and internal control will include: risk assessment; management or mitigation of risks, including the use of control processes; information and communication systems; and processes for monitoring and reviewing their continuing effectiveness.' The review of the effectiveness should evaluate all these components and ensure they are performing effectively.
Regular monitoring of the risk management and internal control systems is important to ensure they remain fit for purpose and are managing risk appropriately. As such, an important part of the review should include the evaluation of the company's processes for regular monitoring of these systems.
Every company is different, therefore the nature of the review of effectiveness will vary. The board should determine the scope of the review and decide on the processes to be adopted. It should determine what reports, documentation and evidence it requires to achieve a conclusion about the effectiveness of the company's systems.
When carrying out the review the board should at least consider:
- The company's willingness to take on risk (its 'risk appetite'), the desired culture within the company and whether this culture has been embedded.
- The operation of the risk management and internal control systems, covering the design, implementation, monitoring and review and identification of risks.
- The determination of those risks which are principal to the company.
- The integration of risk management and internal controls with considerations of strategy and business model, and with business planning processes.
- The changes in the nature, likelihood and impact of principal risks, and the company's ability to respond to changes in its business and the external environment.
- The extent, frequency and quality of the communication of the results of management's monitoring to the board, which enables it to build up a cumulative assessment of the state of control in the company and the effectiveness with which risk is being managed or mitigated.
- Issues dealt with in reports reviewed by the board during the year, in particular the incidence of significant control failings or weaknesses that have been identified at any time during the period and the extent to which they have, or could have, resulted in unforeseen impact.
- The effectiveness of the company's public reporting processes.
The board should also review the effectiveness of the company's material controls, including financial, operational and compliance controls. When monitoring and reviewing the effectiveness of these controls the board should determine which controls are material for the company. As a baseline, these should at least include controls in place to manage or mitigate the company's principal risks. It should also include the controls over matters that could have a material impact on the interests of the company, investors and other stakeholders.
Board responsibility for monitoring and review
The board is ultimately responsible for the effectiveness of these systems. As per Provision 26, the board can delegate the monitoring and review to the Audit Committee, or a board-level risk committee, if it has one. The committee responsible should then report on this review and its findings to the board.
Two companies reported that the review had been undertaken by management, which then reported to the board, whereas three other companies reported that the review was carried out by the internal audit function, which then reported its results to the board.
The board should not rely wholly on management or internal audit to perform the responsibilities prescribed for it in Provision 29 of the Code. It should consider the reporting, documentation and evidence from other parts of the company, such as management, other supporting functions and lines, internal assurance functions (e.g. internal audit) and the external auditor; but the board should not delegate its responsibility to anyone other than its board committees (e.g. audit, risk or other committee).
The internal audit function can help the board by providing information about its findings. However, its responsibilities relating to the effectiveness of the risk management and internal control systems should be limited to providing independent advice and assurance. When reviewing the effectiveness of the internal audit function, the board should evaluate the ability and the resources of this function to provide independent assurance and advice on the design and operation of the risk management and internal control systems, including the company's material controls.
Reporting on the review
Provision 29 asks the board to report on its review of the effectiveness of the risk management and internal control systems. A total of 84 companies in our sample specifically stated that they had reviewed the effectiveness of their systems. For the other 16 companies, either no review was reported or it was unclear from their reporting whether a review had been carried out during the reporting period; this is an increase from last year, when only 7 companies did not.
To avoid confusion and ambiguity, companies should avoid using general language such as:
Example
"The board (or a relevant committee) reviews the effectiveness of risk management and internal control systems."
General statements like these, without any explanation of how the review has been carried out, do not provide a reader with certainty that the board has discharged this responsibility. Disclosures such as the one below make it easy and clear for the reader to understand that the board has carried out a review (the annual report should also explain how the board has done so).
Example
The Board confirms that it has conducted its annual review of the effectiveness of Shell's system of risk management and internal control in respect of 2022, and that this review covered all material controls, including financial, operational and compliance controls.
Source: Shell Plc Annual Report, 2022, p.217
a) Process for the review
Although Provision 29 does not specifically state what companies should report in their annual report about the review, the "Guidance on Risk Management, Internal Control and Related Financial and Business Reporting" is more specific and states that: 'The Board should summarise the process it has applied in reviewing the effectiveness of the system of risk management and internal control. The board should explain what actions have been or are being taken to remedy any significant failings or weaknesses.'
Last year we said that reporting in this area needed considerable improvement. Unfortunately, we have not seen an improvement this year, as demonstrated by the table below:
Reporting on the review of the effectiveness of the risk management and internal control systems carried out by the board
| 2022 | 2023 |
|---|---|
| 20 companies provided insightful information on how their review was carried out and/or what areas it covered. | 20 companies provided insightful information on how their review was carried out and/or what areas it covered. |
| 45 companies gave some basic or generic detail of what areas were covered, or a simple statement of who carried out the review (e.g. the audit committee). | 39 companies gave some basic or generic detail of what areas were covered, or a simple statement of who carried out the review (e.g. the audit committee). |
| 38 companies said a review was carried out but provided no detail about the review. | 27 companies said a review was carried out but provided no detail about the review. |
| 7 companies did not report a review, or it was unclear from their reporting whether a review had been carried out. | 14 companies did not report a review, or it was unclear from their reporting whether a review had been carried out. |
While some companies offer good levels of information about the process carried out for the review, many appear to report minimally or not provide any detail in this important area. We found twenty companies that provided insightful information on how their review was carried out and/or what areas it covered. On the other hand, we found 27 other companies which confirmed that the board carried out a review during the reporting year but did not provide any detail on the process undertaken for the review.
Of those companies that provided some information, 26 only gave a simple explanation consisting of one or two sentences, for example stating who had carried out the review or which functions were consulted for these purposes:
Examples
'The audit committee, supported by the Risk Committee and the internal audit reviewed the effectiveness of the risk management and internal control systems.'
'We conducted a formal review of the effectiveness of the company's risk management and internal control systems, considering reports from management, external audit and the Risk and Internal Audit functions.'
Simply stating who carried out the review, as in these examples, does not give any information about the extent of the review or what aspects of the risk management and internal control systems are covered by it. It does not demonstrate the scope of the work carried out by the board or how the board has discharged its responsibilities. Such an example may suggest, but does not show, that the board had the information necessary to be confident that these systems have been effective.
Good reporting on the process should include details of how the board, or the relevant committee(s) on its behalf, has undertaken the review, who was consulted, what reports or evidence were received and what areas were covered by the review. In the following example, Weir Group demonstrates how the board carried out the review, receiving updates and reporting from various units or functions within the company, and the areas that this covered.
Example
their published thematic review report as an example of better practice. We can also confirm that some improvements have been made to existing disclosures in this report in response to minor recommendations from the FRC.
In November 2022, the Group received a letter from the FRC highlighting their intention to use some of the disclosures in the Group's 2021 Annual Report as examples of better disclosure within their 'What makes a Good Annual Report and Accounts' publication. The FRC is committed to improving the quality of corporate reporting and their publication is intended to set out the FRC's view on the attributes of a good annual report and accounts in order to drive continuous improvement in the quality of reporting. The FRC's role is not to verify the information. We are pleased to report that the FRC did include an extract from the Group's 2021 Annual Report and Financial Statements in their published report as an example of better practice in relation to the requirements of IAS 37 'Provisions, contingent liabilities and contingent assets'.
(ii) Internal control and risk management
While overall responsibility for the Group's risk management and internal control frameworks rests with the Board, the Audit Committee has a delegated responsibility to keep under review the effectiveness of the systems supporting risk management. Further details on accountability for Risk Management are provided in the Corporate Governance Report on page 93.
Our work in this area was supported by reporting from the Group Head of Internal Audit on the results of the programme of internal audits completed; the overall assessment of the internal control environment, with reference to the results of their work and the results from the self-assessed Compliance Scorecards; and in addition, reporting, either verbal or written, from Senior Management covering any investigations into known or suspected fraudulent activities. We continue to note the work undertaken for the Board on a review of the sources of assurance, which are mapped against the principal risks (see (iii) Internal audit below). In addition, the Committee take comfort from the audit work performed and conclusions reached by PwC over the controls environment of the Group's critical IT systems.
COMPLIANCE SCORECARD
The Compliance Scorecard is a control mechanism whereby each operating company undertakes self-assessments, every six months, of their compliance with Group policies and procedures, including key internal controls across a range of categories including finance, anti-bribery and corruption, tax, treasury, trade and customs, HR, cybersecurity, IT and legal. As far as the elements relating to finance are concerned, these cover (but are not limited to) management accounts and financial reporting, balance sheet controls, employee costs and other financial policies. During 2022, the scorecard process was extended to cover scope 1&2 emissions reporting. Each operating company is expected to prepare and execute action plans to address any weaknesses identified as part of the self-assessment process. Operating companies are required to retain evidence of their testing in support of their self-assessment responses. Internal audit has responsibility for confirming the self-assessment during planned audits. Any significant variances are reported to local, Divisional and Group management. Any companies reporting low levels of compliance are required to prepare improvement plans to demonstrate how they will improve over a reasonable period of time. The overall compliance scores (as a percentage) are tracked over time and reported to the Audit Committee twice a year, with the Committee paying particular attention to the variances between self-assessed and Internal Audit assessed scores as well as trends and the performance of newly acquired companies.
The Committee also receives regular reporting on the Group's Ethics and Compliance related activities from the Chief Compliance Officer, as well as the Group Head of Internal Audit. This includes reviewing compliance with the Group's Ethics Hotline programme, which provides a mechanism for employees with concerns about the conduct of the Group or its employees to report their concerns. The Committee ensures that appropriate arrangements are in place to receive and act proportionately upon a complaint about malpractice. The Committee takes a particular interest in any reports of possible improprieties in financial reporting.
During 2022, the Committee were updated on the work performed in the year by the Compliance team. With many core programme elements in place, this included focus on driving continuous improvement through training in areas such as the Group's Code of Conduct, anti-trust and anti-bribery regulations, as well as a continued focus on Human Rights legislative requirements. In addition, the Committee were updated on the unprecedented array of sanctions in place in response to the conflict in Ukraine and the Compliance team's role in managing sanctions risk.
The Committee also received presentations from each Divisional Finance Director. These presentations included a review of the Divisional risk dashboards, significant findings from the internal audit visits and the Compliance Scorecard process over the last 12 months, as well as an overview of their Divisional finance leadership teams. In addition, the Committee were updated on progress of strategic initiatives, such as the transition of core accounting processes to global shared services in the Minerals Division and the integration of Motion Metrics in the ESCO Division.
Focus is given to the strength and depth of the finance team's capability; the quality and efficiency of responses to findings of internal audit visits, including whether learning has been shared more widely across the Group to mitigate the risk of recurrence and to share good practice; the quality of the discussion around Divisional risk dashboards; and, progress against strategic initiatives.
The Committee also received annual updates from the Group Head of Tax and the Group Treasurer, covering Tax and Treasury Strategy and Risk respectively.
Finally, in response to recommendations from the external Board and Committee evaluation process performed at the end of 2021, the Committee also agreed to introduce an annual update, or more frequently if considered necessary, from the Group Head of Risk and Insurance and the Group Chief Information Security Officer. The first of these updates took place in the October Committee meeting.
The risk update provided the Committee with an overview of the holistic risk management process, designed to complement the existing risk reporting, which is managed via a separate Risk Committee with reporting direct to the Board. This also allows the Committee to consider the adequacy of the overall risk management process.
The update from the Group Chief Information Security Officer focussed on the Group's Crisis Management Plan and lessons learned from recent crisis incidents, such as Covid-19, the cybersecurity incident and the Ukraine conflict. The Committee were advised a crisis management working group had been established to assess and update the current Crisis Management Plan.
Source: Weir Group Annual Report, 2022, p.120
In the following example, Weir Group demonstrates how the board carried out the review, receiving updates and reporting from various units or functions within the company and the areas that this covered.
Example Governance
AUDIT COMMITTEE REPORT CONTINUED
their published thematic review report as an example of better practice. We can also confirm that some improvements have been made to existing disclosures in this report in response to minor recommendations from the FRC.
In November 2022, the Group received a letter from the FRC highlighting their intention to use some of the disclosures in the Group's 2021 Annual Report as examples of better disclosure within their 'What makes a Good Annual Report and Accounts' publication. The FRC is committed to improving the quality of corporate reporting and their publication is intended to set out the FRC's view on the attributes of a good annual report and accounts in order to drive continuous improvement in the quality of reporting. The FRC's role is not to verify the information. We are pleased to report that the FRC did include an extract from the Group's 2021 Annual Report and Financial Statements in their published report as an example of better practice in relation to the requirements of IAS 37 'Provisions, contingent liabilities and contingent assets'.
(ii) Internal control and risk management
While overall responsibility for the Group's risk management and internal control frameworks rests with the Board, the Audit Committee has a delegated responsibility to keep under review the effectiveness of the systems supporting risk management. Further details on accountability for Risk Management are provided in the Corporate Governance Report on page 93.
Our work in this area was supported by reporting from the Group Head of Internal Audit on the results of the programme of internal audits completed; the overall assessment of the internal control environment, with reference to the results of their work and the results from the self-assessed Compliance Scorecards; and in addition, reporting, either verbal or written, from Senior Management covering any investigations into known or suspected fraudulent activities. We continue to note the work undertaken for the Board on a review of the sources of assurance, which are mapped against the principal risks (see (iii) Internal audit below). In addition, the Committee take comfort from the audit work performed and conclusions reached by PwC over the controls environment of the Group's critical IT systems.
COMPLIANCE SCORECARD
The Compliance Scorecard is a control mechanism whereby each operating company undertakes self-assessments, every six months, of their compliance with Group policies and procedures, including key internal controls across a range of categories including finance, anti-bribery and corruption, tax, treasury, trade and customs, HR, cybersecurity, IT and legal. As far as the elements relating to finance are concerned, these cover (but are not limited to) management accounts and financial reporting, balance sheet controls, employee costs and other financial policies. During 2022, the scorecard process was extended to cover scope 1&2 emissions reporting. Each operating company is expected to prepare and execute action plans to address any weaknesses identified as part of the self-assessment process. Operating companies are required to retain evidence of their testing in support of their self-assessment responses. Internal audit has responsibility for confirming the self-assessment during planned audits. Any significant variances are reported to local, Divisional and Group management. Any companies reporting low levels of compliance are required to prepare improvement plans to demonstrate how they will improve over a reasonable period of time. The overall compliance scores (as a percentage) are tracked over time and reported to the Audit Committee twice a year, with the Committee paying particular attention to the variances between self-assessed and Internal Audit assessed scores as well as trends and the performance of newly acquired companies.
The Committee also receives regular reporting on the Group's Ethics and Compliance related activities from the Chief Compliance Officer, as well as the Group Head of Internal Audit. This includes reviewing compliance with the Group's Ethics Hotline programme, which provides a mechanism for employees with concerns about the conduct of the Group or its employees to report their concerns. The Committee ensures that appropriate arrangements are in place to receive and act proportionately upon a complaint about malpractice. The Committee takes a particular interest in any reports of possible improprieties in financial reporting.
During 2022, the Committee were updated on the work performed in the year by the Compliance team. With many core programme elements in place, this included focus on driving continuous improvement through training in areas such as the Group's Code of Conduct, anti-trust and anti-bribery regulations, as well as a continued focus on Human Rights legislative requirements. In addition, the Committee were updated on the unprecedented array of sanctions in place in response to the conflict in Ukraine and the Compliance team's role in managing sanctions risk.
The Committee also received presentations from each Divisional Finance Director. These presentations included a review of the Divisional risk dashboards, significant findings from the internal audit visits and the Compliance Scorecard process over the last 12 months, as well as an overview of their Divisional finance leadership teams. In addition, the Committee were updated on progress of strategic initiatives, such as the transition of core accounting processes to global shared services in the Minerals Division and the integration of Motion Metrics in the ESCO Division.
Focus is given to the strength and depth of the finance team's capability; the quality and efficiency of responses to findings of internal audit visits, including whether learning has been shared more widely across the Group to mitigate the risk of recurrence and to share good practice; the quality of the discussion around Divisional risk dashboards; and, progress against strategic initiatives.
The Committee also received annual updates from the Group Head of Tax and the Group Treasurer, covering Tax and Treasury Strategy and Risk respectively.
Finally, in response to recommendations from the external Board and Committee evaluation process performed at the end of 2021, the Committee also agreed to introduce an annual update, or more frequently if considered necessary, from the Group Head of Risk and Insurance and the Group Chief Information Security Officer. The first of these updates took place in the October Committee meeting.
The risk update provided the Committee with an overview of the holistic risk management process, designed to complement the existing risk reporting, which is managed via a separate Risk Committee with reporting direct to the Board. This also allows the Committee to consider the adequacy of the overall risk management process.
Source: Weir Group Annual Report, 2022, p.120
Key Message: Reporting
When explaining the processes for reviewing the effectiveness of the systems, companies do not need to provide extensive reporting but should be specific and concise about the board's actions, as in the example taken from the Weir Group's annual report.
b) Reporting the outcome(s) of the review
In last year's annual review, we said that good reporting should demonstrate the results of the review of the effectiveness of the systems. If the board determines that the risk management and internal control systems have been effective, it should report this in the annual report.
Reporting on the results of the review
- 32 companies – stated that their systems are effective
- 22 companies – stated that no weaknesses were identified
- 8 companies – only stated that their financial reporting controls are effective
- 7 companies – identified weaknesses
- 31 companies – no reporting on the outcome
Example
The Committee has completed its review of the effectiveness of the Group's system of internal control, including risk management, during the year and up to the date of this Annual Report. The review covered all material controls including financial, operating and compliance controls. The Committee confirms that the system of internal control operated effectively for the 2023 financial year.
Source: Vodafone Annual Report, 2022, p.81
Good reporting should also provide an explanation of any material weaknesses identified and any actions that the board has undertaken to address these.
Example
Reporting on weaknesses identified and actions taken by the board to address these.
Assessment of control environment
In the Audit and Risk Committee report in 2021, control findings were highlighted in relation to the review of journal entries and the formality of controls over certain revenue contracts. The Committee was satisfied with the plan to address these controls findings primarily through the implementation of new IT systems.
During the year, the IT system implementation led to operational disruption which had an associated impact on the control environment, including the timely recording of certain supplier invoices and certain customer statements not being produced. The external auditor also identified necessary adjustments during its work in preparation for the half-year results, including those related to the potential new revenue stream highlighted above where the specialist external investigation identified further control findings.
The new IT systems cannot address the control improvement requirements in the near term for the wider Group which has necessitated management to establish alternate remediation plans as part of an internal control reset.
Company response to control findings
As a result of the matters noted above, a targeted internal control project was instigated utilising specialist external resource, reporting directly to the interim CFO, to review all aspects of the internal control framework.
The findings of this review focus on key overarching themes of the project:
- Design and implementation of enhanced controls including process and control mapping.
- This has included a specific focus on improved documentary evidence of journal entries, procure to pay processes and enhancing revenue recognition models.
- Structure and organisation of the Finance function including process and compliance training.
- Clear documentation and verification of processes and controls.
The Audit and Risk Committee is being updated regularly with respect to progress related to remediation activities as well as reviewing ongoing control improvements identified.
The Committee has assessed that the Group still relies on controls that require enhanced documentation and formalisation, and in specific areas, redesign. The control improvement plan is ongoing, and the Committee is engaged in ensuring that management have the appropriate resource and an appropriate remediation timeline.
Management, based on the controls review detailed above, have provided the Committee with assurance that where controls were not designed, implemented or operating effectively there were appropriate mitigating actions in place to conclude that the Financial Statements do not contain material errors. It is recognised that improvements in the control environment are required in 2023 and the Audit and Risk Committee will continue to support management and review the remediation activities.
Source: RM Annual Report, 2022, p.114-115
Some companies stated that their systems were effective while indicating that some weaknesses had been identified during the year, though these were not considered to have a significant impact on the company.
Example
Example of weaknesses identified with no significant impact on the company's objectives.
Overall, no control failings or weaknesses were identified that would have a significant impact on the Group; however, recommendations were raised where necessary at specific sites to strengthen existing processes and controls, and follow-up audit visits were carried out to ensure that agreed corrective actions were being progressed by management.
In view of the work of Internal Audit, external audit, Group Finance and Site management teams, it was considered unlikely that a weakness at an individual site would have a significant impact on the Group.
Source: Cranswick Annual Report, 2022, p.102
Key Message
The Guidance on Risk Management, Internal Control and Related Financial and Business Reporting states that: 'The board should form its own view on effectiveness, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties.'
c) Consolidating and improving reporting in this area
Similar to previous years, our review has found many companies which provide statements rather than meaningful reporting. For example:
- Stating that 'the board has reviewed the effectiveness of the company's risk management and internal controls systems' but not explaining how.
- Stating the outcome, e.g., 'the systems have been effective', but not explaining how the review process is carried out and how the board reached this conclusion.
- Stating that 'weaknesses were identified', but not explaining what these were and what actions have been or will be taken to address them.
- Stating that 'actions have been taken to remedy any weaknesses or inefficiencies', but not explaining what these weaknesses were.
Companies should not just give statements without providing evidence to demonstrate how the board has discharged its responsibilities effectively. We have set out, in previous Reviews of Corporate Governance Reporting, what constitutes good reporting for the purpose of Provision 29, advising companies to consolidate their reporting by:
1. Giving a full description of the process for reviewing the effectiveness of risk management and internal control systems.
2. Explaining the outcome of the review: Are these systems operating effectively? If not, what weaknesses or inefficiencies were identified?
3. If any weaknesses or inefficiencies were identified, explaining what actions the Board has taken, or will take, to remedy these.
Key Message
Effective risk management and internal control systems are essential for the company in the pursuit of its objectives and in sustaining its resilience. Monitoring and reviewing these systems is key to maintaining their effectiveness. Good reporting of the work carried out by the board provides shareholders, the markets and other stakeholders with confidence that the company has systems which are capable of identifying, assessing and managing risk effectively.
5. Remuneration
As part of last year's review we identified key questions that remuneration committees should take into account when reviewing their current remuneration arrangements. We continue to encourage companies to report clearly on remuneration, including how they deliver company strategy, long-term success, and alignment with workforce remuneration.
We are pleased to see that the quality of remuneration reporting has significantly improved since the implementation of the 2018 Code, and we continue to see positive practices in various areas of the remuneration reporting. However, further improvements to Code disclosures in some areas are needed from some reporters.
Discretion
Principle R
Directors should exercise independent judgement and discretion when authorising remuneration outcomes, taking account of company and individual performance, and wider circumstances.
We were particularly interested in whether the remuneration committee had considered the impact of any prospective 'windfall gains' in respect of vesting results, including any references to any adjustments or lack thereof, and the rationale for not making any adjustments. Many awards granted under long-term incentive plans in 2020, during the COVID-19 pandemic, were made following significant share price falls, meaning a greater number of shares were granted in comparison to previous years.
Overall, while there were multiple references to windfall gains within our sample, few companies highlighted the use of a discretionary downward adjustment to reduce the vesting outcomes. In those cases where adjustments were not made, almost all companies were able to provide a rationale as to why they did not make any adjustments. It should be noted that not all companies in our sample were adversely impacted by the COVID-19 pandemic, and some had implemented formulaic procedures/mechanisms to reduce the possibility of windfall gains for participants.
Thirty-three companies referred to windfall gains within their remuneration report. Two of the 33 companies used their discretionary powers to adjust their long-term incentive plan (LTIP) award in relation to windfall gains.
An example of this is Aviva, which included three clear reasons for doing so.
Example
Consistent with our commitments in the 2020 DRR, the Committee carefully reviewed whether this vesting outcome was appropriate, being mindful of the guidance from proxy agencies and investors around the issue of 'windfall gains'. In doing so, the Committee recognised three key factors:
- Firstly, there was a fall in the share price in the period prior to grant. The extent to which this fall was driven by COVID-19 is ultimately a subjective judgement, but the overall magnitude was not wholly out of line with that seen in the wider market or sectoral peers.
- Secondly, Aviva's performance over the last three years, and particularly in the period since Amanda Blanc's appointment in July 2020, has been outstanding. From a total shareholder return perspective, we outperformed our sector median by c.14 percentage points and the broader FTSE 100 by c.13 percentage points. The strategy which Amanda announced with our Half Year 2020 results has delivered strong financial performance – we have seen robust growth across targeted areas, while continued progress on our cost base has driven greater efficiencies throughout the business. We also sold businesses in continental Europe (France, Poland and Italy) and Asia (Singapore and Vietnam). This strong performance allowed us to return £4.75 billion to shareholders, and we have announced a new share buyback scheme beginning in March 2023.
- Thirdly, in determining the LTIP award made to Amanda on joining Aviva, the Committee at that time decided on an extremely conservative approach, resulting in an award of 147% of salary. This represented 49% of a full award despite Amanda being in role for 83% of the performance period.
Taking all of the above into consideration, the Committee concluded that a downwards adjustment of 10% was appropriate. This reflects the Committee view that there had been an impact from COVID-19 on the share price at the time of grant, but also recognises both the outstanding performance delivered over the last three years and the significant reduction which had already been applied to Amanda's award.
Source: Aviva plc Annual Report, 2023, p.247
Such explanations take into account the spirit of Principle R, recognising company and individual performance as well as externalities, which in this case relate to a sudden impact on the organisation's share price.
Around 16 companies reported using their discretionary powers for reasons other than windfall gains. The rationale for the use of discretion varied, but in most cases it resulted in downward rather than upward adjustments.
Alongside describing the use of discretion, some companies also clarified their committee's approach to it. Croda International Plc, for example, set out the discretionary framework it applies when assessing bonus and performance share plan outcomes.
Example
- What is the formulaic result following consideration of the existing underpins?
- What is the single figure outcome? Committee to consider year-on-year change and whether this mirrors the trend in performance.
- How does the outcome compare with wider shareholder experience? Committee to consider Total Shareholder Return in both relative and absolute terms over a number of different periods.
- How does the outcome compare with overall Company performance? Consider performance against other KPIs, for example ROIC and EVA, as well as Sales, Profit growth, Sustainability, and Culture and conduct (Culture, Conduct, Health and safety, Systems and control).
- Are there any external headwinds or tailwinds which need to be considered?
- Are there any other events that should be factored in? Other events could be reputational/risk related or a change of accounting standards.
- As an additional reference point, are the bonus and PSP outcomes consistent?
- Input from others? Draw on input from other Committees as well as other management teams including HR, Legal, Internal Audit and Risk.
- Consider shareholder response to results.
- Compare with historical use of discretion.
- Does the outcome appear reasonable/fair, or should an adjustment be considered?
Source: Croda International Plc Annual Report, 2022, p.124
This approach to discretion demonstrates decision-making based on clear criteria and aims to remove subjective and inconsistent outcomes. It also shows stakeholders the issues considered and reassures them that the remuneration committee has considered both company and individual performance and much wider circumstances.
In addition to setting out how discretion is used within the remuneration committee report, companies should also take into account the last element of Provision 41 and state clearly to what extent discretion has been applied to remuneration outcomes, along with the rationale.
Strategy
Principle P
Remuneration policies and practices should be designed to support strategy and promote long-term sustainable success. Executive remuneration should be aligned to company purpose and values, and be clearly linked to the successful delivery of the company's long-term strategy.
Provision 41: '...remuneration reports should include an explanation of the strategic rationale for executive directors' policies, structures and any performance metrics...'
Companies should offer a clear strategic rationale for their performance-based incentive plans as part of the first aspect of this provision. This year, we looked at how well performance metrics were communicated and how they supported a company's strategy. While all companies included some reference to their metrics, not all included information on how it related to their strategy.
When examining references to performance metrics, we found that 68 companies stated that their measures were aligned to the company strategy. The majority of disclosures simply stated that the measures reflected the long-term priorities of the group; others used icons as a form of explanation. The better reporters, who were in the minority, explained how each of their chosen financial and non-financial metrics linked to strategy.
Some companies inserted icons to demonstrate there was a strategic link, but this approach did not always provide readers with an explanation of how the performance metrics benefit the organisation in supporting the company strategy and key priorities. Better reporters used narrative to explain the significance of the chosen metrics and their connection to company strategy, along with the use of icons. See AstraZeneca's disclosure on one of its performance metrics with a key identifying its link to the KPIs in the strategic report, evidencing a direct link between its strategy and chosen metrics.
Example
Key: Annual bonus; PSP; KPI
Strategic pillar: Science and Innovation
Remuneration performance measures: Science indices
Our science measures incentivise the development of NMEs and the maximisation of the potential of existing medicines.
Bonus performance is assessed on pipeline progressions through Phase II and Phase III clinical trials. These reflect the outcome of nearer-term strategic investment decisions, whereas, in contrast, PSP performance is assessed on the volume of NMEs in Phase III and the registration stage, which reflects the outcome of longer-term strategic investment decisions.
Additionally, we measure regulatory submissions and approvals for bonus, and regulatory approvals for PSP to drive the conversion of scientific progress into commercial revenue over the short term (bonus) and the longer term (PSP).
Together, these science measures incentivise innovation and sustainable success along the length and breadth of the pipeline, leading to commercial growth.
Source: AstraZeneca Annual Report, 2022, p.109
Incorporating ESG metrics into the executive remuneration framework continues to be an evolving trend. The most common metrics in annual bonuses continue to be aligned with social issues and focus on matters such as employee engagement, diversity and inclusion, safety and culture related matters.
We also found that many companies reported on environmental metrics. This year we found that over 70% of our sample had ESG targets integrated into executive incentive plans, which included environmental targets often relating to reducing carbon emissions, and in some cases, reducing waste, or water and energy intensity. Companies that reported well in this area had clear linkage between climate-related targets reported in TCFD disclosures and ESG targets. Where environmental metrics were used these were generally included in long-term incentive plans.
Example
Increase diversity on and off-screen by the end of 2022
To hit the following targets for representation on the senior leadership team, managers, all employees and those on screen:
- 50% Women
- 15% People of Colour
- 12% d/Deaf, disabled or neurodiverse
- 7% LGBTQ+
In 2022 good progress was made towards our all employee and on-screen targets, exceeding or close to hitting targets for all characteristics: exceeding targets for LGBTQ+ colleagues and women, and increasing representation to 14.9% for People of Colour (from 12.1% in 2019) and 11.4% d/Deaf, disabled and neurodiverse colleagues (from 7.0% in 2019). Although we did not meet all of the stretching targets for Manager and Senior Leadership levels, the Committee noted the continuing work in this area to achieve the remaining targets.
- ITV emissions reduction targets and performance are validated and published as part of the Science Based Targets initiative (SBTI). Further information on ITV's Climate Action targets and scope can be found at itvplc.com/social purpose and in the Social Purpose section on page 47.
- albert certification is an externally audited process that recognises programmes that have embedded sustainability not only within the production process but also through considering sustainability messaging included in programmes.
- On-screen diversity is measured via Diamond, a single online system delivered through the Creative Diversity Network (CDN) and used by UK broadcasters to obtain consistent diversity data on UK-originated productions they commission (https://creativediversitynetwork.com/diamond/).
Source: ITV Plc Annual Report, 2022, p.144
One company noted that ESG performance forms part of the annual bonus and, as part of the consultation on its proposed policy, the committee proposed that ESG metrics should also be included in the LTIP, illustrating that remuneration committees are mindful of changing market practice. In any case, companies should ensure that their targets are strategically aligned, reliable and credible in order to satisfy shareholders.
Along with the recommendation that such metrics be credible and achievable, organisations should seek to describe the award's objectives and current progress towards them. An example is ITV plc's annual report, which emphasises its annual ESG target, which includes a diversity goal with an explanation of the overall objective, and progress towards the goal. Within the footnotes, ITV has also highlighted how this goal is measured.
Purpose and values
Principle P notes
...Executive remuneration should be aligned to company purpose and values, and be clearly linked to the successful delivery of the company's long-term strategy...
As mentioned last year, the narrative on how remuneration relates to the company's purpose and values should be clear and transparent, and we recommended that companies give higher quality disclosures on how this Principle is applied.
Our assessment this year, albeit with a different sample, revealed that 41 companies did not declare whether their remuneration was connected with corporate purpose. This was a substantial increase from last year. Furthermore, 35 companies did not state whether their remuneration aligned with company values.
Where there were references to purpose and values, the statements remained high-level, and references to both were frequently found as boilerplate statements inside Provision 40 statements when emphasising alignment to culture within the annual report, for example:
'The remuneration arrangements we have put in place are clearly aligned with the Company's purpose and values.'
Although such statements satisfy the Principle, they do not provide specific explanations and do not explain how the framework is designed to connect with purpose and values. Better reporters provided a more comprehensive, in-depth description of how the organisation linked its purpose and values with its remuneration. We would like to restate our main message from last year.
Key message: Remuneration Arrangements
Companies should look to provide specific explanations and directly refer to their corporate purpose and values when discussing their executive remuneration arrangements. Most of these statements fail to explain how the framework is designed to align with purpose and values, and what the benefits are.
Recover and withhold provisions (malus and clawback)
We have looked at references to recover and withhold provisions within company annual reports. Within our sample, 95 companies highlighted that they had malus and clawback provisions in place; of these 95 companies, 15 did not list the circumstances under which the provisions applied in their annual report. It was encouraging to see most companies describe the circumstances in which the provisions apply, as these often corresponded with the suggestions given in the Guidance on Board Effectiveness.
In addition to the circumstances in which the provisions apply, we looked closely at the minimum period during which clawback could be used. Outside financial institutions this varied, with most companies in our sample having an application period of two or three years. However, again not all companies provided information on the period; some instead used general language:
'...recovery and withholding provisions will apply in line with our approved policy.'
To help investors and improve transparency, an explanation of how malus and clawback might be enforced adds high-quality information to reports.
Companies should take into account the needs of investors and set out within their reports how they intend to enforce malus and clawback in the event that the mechanism is needed. One example of a clear reference to clawback is shown here:
Example
A clawback provision applies to vested awards granted under the 2014 LTIP, vested awards under the Deferred Bonus Plan and annual bonuses paid previously. This would allow the Committee in its absolute discretion to claw back from individuals some or all of the vested awards or paid bonus in certain circumstances... Clawback will normally apply for a period of three years following vesting of shares/deferred cash bonus and/or payment of bonus, unless the Committee determines otherwise.
Source: Morgan Advanced Materials Annual Report, 2022, p.102
Reporting on engagement with the workforce
Twenty-two percent of our sample provided details of their workforce engagement mechanisms in the remuneration report without explaining that they engage with their workforce on remuneration. Often, this can lead to repetition with companies outlining their workforce engagement arrangements in both their stakeholder engagement section and in their remuneration report. Copying and pasting the explanation of how the board engages with the workforce into the remuneration section adds unnecessary length to the report and little value to the reader. Companies should cross-reference relevant sections of the report to avoid repetition and improve readability.
Companies that reported insightfully in this area included examples of the specific topics that they discussed with the workforce in relation to remuneration and provided information on what issues were raised.
Example
We undertake an annual engagement survey, 'Your Voice', in order to better understand the views of a wider range of employees. The engagement survey includes a range of specific questions on the Company's pay practices and presents an opportunity for the workforce to share feedback and ask its own questions about employee or executive reward. Through the feedback from the engagement survey, supplemented with the learnings from the employee listening sessions, the voice of Morgan employees is heard at Remuneration Committee meetings. This enables the Remuneration Committee to take into account the views of employees when considering executive remuneration and the pay and employment conditions throughout the wider workforce. Laurence Mulliez, our Senior Independent Director and a member of the Remuneration Committee, attended a listening session in March 2023 with employees on the Ignite Catalyst leadership programmes specifically focused on reward and executive remuneration. It was a useful session; employees were reassured to hear about the Board's rigour around fairness for the consideration of reward for the Executive Directors in line with that of the wider workforce. In the UK, engagement is further facilitated by the Sharesave programme, which enables UK employees to become shareholders and provides them with the same voting rights as other shareholders in relation to resolutions for approval at the AGM.
Source: Morgan Advanced Materials Annual Report, 2022, p.102
Only 18% of companies disclosed how they explained to the workforce how executive remuneration aligns with wider company pay policy, as required by Provision 41 of the Code. Companies that disclosed non-compliance with this element of Provision 41 provided weak or no explanation as to why they have not complied with the Provision.
6. Cyber and Information Technology
This year we looked at reporting on Cyber and Information Technology (IT) issues for the first time as part of our review. Although the Code does not specifically ask for reporting on these areas, it was encouraging to see most companies in our sample outline the risks, opportunities and medium to long-term importance of cyber security to their business and market. With cyber security incidents on the rise globally, it is expected that the frequency and sophistication of these threats will increase in the future.
Certain industries have already seen an increase in cyber attacks, in particular healthcare and financial services. It is, therefore, likely that companies will do more to increase their cyber resilience, leading to further and potentially more in-depth reporting.
Cyber security risk
Roughly 85% of companies in our sample outlined cyber security and/or information technology as a principal risk, some of which had escalated these from emerging risks during the year. Often cyber security was classified as an operational risk. This led to a focus on the risk of a cyber attack and its effects on business operations, supply chains, business reputation and financial controls.
Similarly, those that described IT as a risk mentioned the consequences of failing to understand and react to new technologies. They also highlighted the importance of maintaining a resilient IT system to guard against potential data breaches resulting in data loss, reputational damage and/or regulatory penalties.
Cyber security was also discussed in relation to other principal risks. For example, one company outlined reputation and responsibility as a standalone principal risk and noted the risk of serious reputational harm through failure to meet obligations to key stakeholders, including the possibility of breaches of customer trust.
It is clear from our sample that cyber and technology issues, including ensuring cyber resilience, are usually addressed through the company's risk functions and procedures. Approaches vary from standalone principal and emerging risks to underpinning a number of different risks. The approach taken by companies demonstrates flexibility, recognising how these risks are managed, mitigated and updated through the internal control processes.
Cyber governance
As part of their cyber security risk management and governance, many companies in our sample aligned their cyber security-related controls with the Information Security Forum Standard of Good Practice, ISO27001 and the NIST Cybersecurity Framework. Some companies also referred to their cyber security policies and disaster recovery plans within the Strategic Report under risk management, and in some cases under the risk and/or audit committee report. Further steps taken by companies to mitigate the risk of a cyber attack included regular patch testing and internal and third-party penetration testing of the security network and systems. Some companies reported having cyber insurance. Several companies also reported having cyber security groups/committees in place, including sub-committees of the risk and/or audit committee, as seen in the following example:
Example
The Data & Technology Committee was established in 2022, and the first meeting was held in February
- During the year, the Committee set strategic technology, data and cybersecurity goals and ensured that the critical success factors of these are clear and transparent. Alongside this, the Committee has augmented awareness among the Supervisory Board members in technology, data and cybersecurity strategies, as well as assisting senior management in considering the scope of coverage from the subsidiary to the Group level.
The Committee has also steered the improvement of cybersecurity resilience across the Group's subsidiaries by unifying IT processes and frameworks with the common technology strategy and frameworks of the Group.
Activities of the Committee during the year include:
- increasing Director awareness of the data, technology and infosecurity landscape by reviewing the current position and the three-year Target Operating Model
- Approval of four major policies – Group Technology Policy, Group Information Security Policy, Group Global Data Protection Policy and the Data Governance Policy.
- recommending a three-year technology strategy for the Group and ensuring alignment with the overall business strategy supported through the IT Group Governance framework
- monitoring of risk metrics relating to software incidents, which led to the approval of a plan to mitigate the risks of service disruption
- execution of the plan led to a significant reduction of software incidents since Q2 2022
- undertook an analysis of technology investments and identified areas for improvement
- Reviewed and supported the vision of future data architecture and the decision to move analytics in the cloud environment.
- Reviewed the cybersecurity systems of the Group and the state of preparedness against potential threats
- Worked jointly with the Risk Committee where overlaps exist.
In addition, the Committee undertook a deep-dive analysis of the Business Continuity Plan and Disaster Recovery capabilities and subsequently initiated a program focused on creating additional infrastructure for the critical systems of the Bank.
Source: TBC Bank Annual Report, 2022, p.219
Many companies reported that the audit and/or risk committee held responsibility for reporting to the board on cyber security. The following example of a company's governance structure chart shows the different teams and committees responsible for the management and oversight of cyber security risk. In this example the director of the company's cyber security, technology, assurance and strategy leadership team is responsible for managing and overseeing the cyber security programme on a day-to-day basis and reports to the Chief Technology Officer (CTO).
Example
[Governance structure chart, reproduced as text]
Management structure (body and update frequency):
- Board (updated via ARC)
- Executive Committee (monthly)
- Technology leadership team (2-3 times per month)
- CTAS leadership team (weekly)
Risk governance (body and update frequency):
- Audit & Risk Committee ('ARC') (twice in FY23)
- Group Risk & Compliance Committee (as required)
- Technology Audit & Risk Committee (quarterly)
- Cyber Risk Council (includes all market & entity Heads of Cyber) (quarterly)
Source: Vodafone Annual Report, 2022, p.5
In many instances, the audit and/or risk committees' information came from the risk owners, including the Chief Information Security Officer (CISO), CTO and, in some instances, the CFO. We also found that throughout the year, cyber security was the subject of deep-dive sessions between the board, the audit and/or risk committee, and the relevant officer. These deep-dive sessions looked at areas including data privacy, operational resilience, cyber risk and data infrastructure.
Example
'The Audit Committee has recommended we increase our focus on cyber and data security through our internal and external audits and in Board-level discussion. We received our latest update in January 2023, during which our Group CISO set out the overall cybersecurity strategy, and our Group CTO gave a presentation on key cyber and technical security issues, including the results of a cybersecurity survey we conducted with our customers.'
Source: Bytes Technology Annual Report, 2022, p.75
Culture
Most companies mentioned that cyber security training was mandatory for all employees. It was good to see many companies also report that continuous awareness campaigns including simulated phishing attacks were carried out throughout the year. In addition, one company held an information security week to raise awareness among employees.
Example
Source: Airtel Africa Annual Report, 2022, p.40
Twelve companies in our sample mentioned that board training in 2022 included sessions on cyber security. These sessions, which were carried out throughout the year, included training on technology and enterprise risk as well as cloud strategy – risks and opportunities. One company also reported that as part of the induction programme, board members met with the CISO to discuss cyber risk and the digital safety programme.
Board expertise
Almost all companies reported having access to relevant expertise relating to either cyber security or technology, whether through a board member with specified skills or through training. As mentioned earlier, boards should be comfortable understanding the cyber risks within the organisation and how they are managed. Please see the National Cyber Security Centre's Cyber Security Toolkit for Boards for further information.
Cyber breach
Two companies in our sample from the engineering and manufacturing sector suffered a disruptive attack in 2022/23. For one company, the preventative and mitigation defences in place, including robust system and data recovery plans, meant that operations were quickly restored. The other company was able to limit the damage through rapid compartmentalisation of the network.
While another two companies reported a cyber-related incident in previous years, it was good to see that they had taken further steps to mitigate the risk of one happening again. This information was mostly reported in the Strategic Report under risk management, although one company mentioned it in the CEO's review.
Artificial Intelligence
Roughly 49% of companies mentioned artificial intelligence (AI) in their reports, a few of which outlined the accelerated progression of AI as an emerging risk. Most companies discussed AI in the context of their business operations, although limited detail was given at this stage. Some companies did, however, note the ethics of AI and the associated risks.
We did not see any discussion of how the board was notified or had oversight of the use of AI within the company, or their approach to using AI. It is important that boards have a clear view of the responsible development and use of AI within the company and the governance around it. Boards should consider the potential of AI as well as its risks, including risks to people and wider society. This requires boards to increase their knowledge of AI, whether through training or by tapping into management and external expertise.
Example
'Some emerging risks also present opportunities that we are actively addressing and responding to. For example... the accelerated progression of artificial intelligence, which has the potential to support the development of our digital services but also to disrupt aspects of the publishing industry.'
Source: Informa Annual Report, 2022, p.62

Financial Reporting Council 8th Floor 125 London Wall London EC2Y 5AS
+44 (0)20 7492 2300 www.frc.org.uk