Review of Corporate Governance Reporting 2024

The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.

© The Financial Reporting Council Limited 2024 The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number

  1. Registered Office: 8th Floor, 125 London Wall, London EC2Y 5AS

Executive summary

This annual review of corporate governance reporting has been published as companies prepare to implement the new 2024 UK Corporate Governance Code next year. Our focus has been on showcasing examples of good reporting and exploring areas of improvement to help with those preparations. The 2018 UK Corporate Governance Code (the Code) remains in effect for annual reports in

  1. Companies will be preparing now for the transition to the new Code, which is applicable for financial years from January 1, 2025. Reporting against the new Provision 29 on the effectiveness of risk management and internal controls will start from 2027. We hope this review will support companies and other stakeholders to navigate these upcoming changes effectively.

Flexibility remains a key feature of the new Code. While the UK Listing Rules require companies to apply the Code's principles, these are written at a high level and allow for interpretation by companies in a way that suits their particular circumstances. Companies can either comply with the provisions or explain their departures. The FRC supports departures from the Code where there is a cogent explanation given, and indeed an explanation can give additional insight into the governance of the company.

This year we found fewer companies chose to depart from the Code. This can be primarily attributed to increased compliance with the Provision related to alignment of pension contributions, where companies have, over the years, been able to move away from non-compliant contracts. When departing from the Code, we would like to remind companies that the explanation should be clear and provide sufficient detail.

This year's review paid particular attention to risk management and internal controls reporting, including a year-on-year analysis of risk disclosure practices. It was encouraging to see many companies did update their reporting over time, particularly in relation to the mitigations put in place to manage their principal risks.

Despite existing requirements under the 2018 Code, reporting on the effectiveness of internal controls remains at an early stage. There is work outstanding for many companies ahead of the commencement of the new Provision 29, particularly in relation to reporting on non-financial controls. There were 25 companies in our sample that did not report at all, or did not report clearly, on whether a review of the effectiveness of internal controls had been carried out. On the other hand, although there were no early adopters of Provision 29 within the sample, a number of companies did refer to the new Provision and outlined the work ongoing to prepare for it, which was encouraging.

In our review of shareholder and stakeholder engagement, including workforce engagement reporting, we focused on whether companies report effectively on the outcomes of their engagement, as this is also a key area of focus in the new 2024 Code. We found some examples of good practice in this area, and we encourage companies to read the section of the review where these are set out.

This year, our review included reporting by audit committees on the Audit Committees and the External Audit: Minimum Standard, which is referenced in the new Code. We found some evidence of early adoption of the Minimum Standard, which is encouraging.

We also considered how companies report on Audit Quality Reviews and found there has been an increase in the level of disclosure by audit committees of these inspection results.

While our 2024 Code consultation initially explored proposals in relation to 'over-boarding' – where directors' multiple board commitments potentially compromise their effectiveness – we ultimately decided against implementing new requirements to avoid increasing reporting burdens. Nevertheless, our review examined how companies currently address this issue in their annual reports. We were pleased to see good reporting in this area with companies generally setting out clearly the other commitments of their board members.

Overall, while reporting quality remains strong, there is still a need for more concise, outcomes-focused disclosure and enhanced reporting on risk management and internal controls. We encourage companies to read this review to inform their work. The FRC is also making available a series of podcasts, webinars and other materials to support the implementation of the 2024 Code, which can be accessed alongside this review.

Introduction

This review provides an overview of corporate governance reporting based on the annual reports of a sample of 100 randomly selected companies that follow the Code. However, given the focus this year on risk management and internal control, and as companies prepare for changes in the Code in this area, we have looked into this area in more depth and considered the annual reports of 130 companies. The sample of companies reviewed changes year-on-year and is a mixture of FTSE 100, FTSE 250 and Small Caps.

In July 2024, the Financial Conduct Authority (FCA) updated its UK Listing Rules, including the categories under which securities are listed on the Official List. As a result, there was a change in the companies required to follow the Code. Previously, the Code applied to premium-listed companies. Going forward, all those listed in the commercial companies category or the closed-ended investment funds category will need to follow the Code. All companies in the sample will continue to follow the Code after these changes.

The Code is flexible and enables reporting that is specific to each company. We do not expect a 'one-size-fits-all' approach, and in this review we have highlighted examples of good reporting that move away from boilerplate statements and provide meaningful information about governance activities and outcomes suited to their particular situation. Where we have included examples of good reporting in relation to specific areas of the Code, it is important to note that the FRC does not endorse these annual reports, as other aspects of reporting may require improvement.

The new 2024 Code, which becomes applicable from financial years starting on or after 1 January 2025, emphasises the importance of outcomes-based reporting. We were encouraged to see some strong examples of this already as part of this year's review.

A key feature of the Code's flexibility is its 'comply or explain' approach. This means companies can depart from a provision when circumstances warrant it, provided they offer a high-quality explanation of why their chosen approach constitutes good governance. This year has seen a decrease in the overall number of companies departing from the Code, which is explored in greater detail in the Code Compliance section of this review. It is encouraging that companies continue to use departures from the Code in other circumstances. However, as noted last year, there remains some room for improvement in the quality of explanations.

This review is the penultimate assessment of corporate governance reporting against the 2018 Code. We hope it proves informative for companies and other stakeholders, both in continuing to drive up the quality of corporate governance reporting in the UK and in helping companies prepare for the new 2024 Code.

Code Compliance

Compliance statement

It is important that users of an annual report are able to quickly understand how a company has applied the principles of the Code and the extent of compliance with the provisions. We found that most companies in our sample included a separate statement that confirmed they had applied the Code's principles and outlined whether they had complied with the provisions. A separate compliance statement can make it easier for the users of the annual report to understand the company's approach to following the Code and its use of the flexibilities offered.

In addition, many companies provided a table as part of their compliance statement or at the beginning of the governance report, often signposting to other pages of the report where an explanation of how they applied the principles could be found. However, in a few cases, such a table was ineffective in fulfilling its purpose. We found companies signposting to sections of the report rather than the actual page (for example, 'see our strategic report') or giving a short explanation that simply copied excerpts from the Code. We found the approach to reporting non-compliance and setting out explanations against the provisions to be inconsistent and unclear. Some companies that gave an explanation for non-compliance included it in their compliance statement. However, others directed readers to another part of the annual report without specifying exactly where the explanation was, for example, 'The explanation for non-compliance can be found in the governance section of the annual report'.

Key message

There is no single approach for how companies report their compliance with the Code in the annual report. However, good reporting helps a reader to understand how the company has applied the principles and determine whether it has complied with all the provisions of the Code. If the company has not, it also informs readers which provision the company has not complied with, and where to find the explanation for this.

Application of the principles

The Listing Rules require companies to explain how they have applied the principles of the Code in a manner that would enable shareholders to evaluate how the principles have been applied. Companies should apply each principle of the Code and report on how they have done so in the annual report.

The principles are high-level and not prescriptive, allowing companies to customise and apply them to their unique structures and circumstances. For instance, due to size, business model and geography, a UK FTSE 100 company may interpret the principles differently to an overseas-registered Small Cap company. The broad nature of the principles allows for a more nuanced and practical application.

In general, we found that while reporting on some principles is good quality, there are other areas where it could be improved.

Compliance with the Provisions

We have consistently emphasised that the provisions of the Code are not about rigid compliance. The FRC has steadfastly advocated against a one-size-fits-all approach, recognising that good governance can take various forms. Instead of demanding strict adherence, the Code is designed to provide companies with flexibility, aligning with their specific circumstances and allowing them to provide a valid explanation. This adaptability empowers companies to adopt bespoke governance arrangements.

Therefore, it is vital that shareholders, service providers and other stakeholders support the flexibility of the provisions and do not anticipate complete compliance. When making investment and stewardship decisions, they are asked to assess the explanation provided by the company to determine whether it has implemented a governance approach that serves its interests, while also demonstrating good governance. While the Code sets out a framework, there may be situations where good governance for a company requires a different approach than that outlined by the Code's provisions. In addition, sometimes non-compliance is unavoidable. It is, therefore, important to remember that the Code does not prescribe a rigid set of rules.

This year, fewer companies disclosed non-compliance with the Code's requirements. This can be primarily attributed to a growing number complying with Provision 38 (executive pensions aligned with those of the workforce). There was also a noticeable increase in compliance with Provision 19 (chair tenure), and a decline in non-compliance with other provisions, such as Provisions 9 (chair independence), 11 (board composition), 24 (audit committee composition), 32 (remuneration committee composition), and 41 (description of the work of the remuneration committee).

It appears this year that more companies have fully complied with the requirements of Provisions 24 and 32 regarding the membership of the audit and remuneration committees. Non-compliance with these provisions is generally temporary, often due to the sudden departures of directors from the board. The company is then brought to full compliance once new directors have been appointed. Non-compliance with these provisions is usually unavoidable rather than a choice. In these scenarios, an explanation would generally set out the reason for non-compliance and the time frame for returning to full compliance once a new director has been appointed.

Annual review       | 2021 | 2022 | 2023 | 2024
Number of companies | 64   | 73   | 63   | 28

Again, this year we found a small number of companies that did not disclose non-compliance with a provision in the annual report. This includes Provision 19 (chair tenure) and Provision 38 (pension alignment). The number of companies failing to disclose non-compliance is much lower than in the previous year. Nevertheless, transparent reporting is important, and disclosure of non-compliance is a requirement of the Listing Rules.

Provisions with the highest non-compliance

Grid of horizontal bar charts showing categorized data with numerical values for multiple metrics.

Explanations

In our previous annual reviews, we have defined what makes a good explanation for non-compliance. Despite this, as in other years, we observed instances where companies:

  • Did not explain non-compliance.
  • Provided an explanation for one of the provisions they did not comply with, but no explanation for non-compliance with others.
  • Acknowledged non-compliance and said that it had been rectified or would be rectified but did not explain the reasons behind it.

Explanations that were provided were often vague and lacked a clear rationale for why the company did not comply with the provision. In some instances, it was difficult to determine how the departure from the provision was in the company's interests.

We are told that companies have concerns about explaining against a provision, as this will lead to voting against resolutions at the AGM. Providing a clear and meaningful explanation is important as it influences shareholders' decisions and enables them, along with other stakeholders, to make informed choices about the company's approach to complying with the Code. We hope that dialogue with key stakeholders would mitigate votes against where good governance is upheld following an explanation.

A brief explanation can sometimes be understandable, particularly when non-compliance with a provision is unavoidable. For example, a sudden departure of a board member may lead to a short period where the number of independent non-executive directors (NEDs) is below what is expected. In these circumstances, it is important to provide information on the actions the company has taken to return to full compliance, including how effective challenge is encouraged at the board in the intervening period.

However, in other situations, more detail may be necessary. For example, some companies explained that the reason for the chair staying in their position beyond nine years (Provision 19) was their valuable experience or knowledge.

It may be difficult for investors and other stakeholders to accept non-compliance with such a simplistic explanation. You would expect a board member to have experience and knowledge, so why is the extension necessary? Without context, it is almost impossible to support such an explanation. Above all, it may be difficult to understand why the company has selected non-compliance with the Code, and it may fail to persuade the readers of the annual report that this is necessary or beneficial for the company.

In this instance, a good explanation demonstrates how the company benefits from the chair over another person, how the board has assessed any risks and any mitigation actions if needed.

We know that proxy agencies and some investors have policies that follow compliance with the Code. A good explanation will aid their understanding of why a provision is not being followed either for a short time or a longer period.

Pie chart showing proportions across four categories, represented by different shades of blue.

  • 11 companies complied with the Provision during the year
  • 3 companies said that they will comply with the Provision in a specified timeline
  • 3 companies said that they will comply with the Provision in the future but did not provide a specific timeline
  • 9 companies did not provide any indication as to whether the company plans to comply with the Code in the near future

Period of non-compliance

The Listing Rules require companies to explain 'the period within which, if any, it did not comply with some or all of those provisions'. If the company has not complied with the provision during the year, good reporting specifies the period in which the company was not compliant. If the company is planning to comply with the provision in the near future, it is valuable to give some indication as to when and under what conditions or circumstances. When non-compliance is indefinite, good reporters state this when explaining the reasons.

1. Board leadership and company purpose

Corporate culture

Disclosure of corporate culture continues to evolve. While the breadth of reporting has widened, the depth is lagging and, in some cases (for example, culture assessment and monitoring), has decreased.

Overall, it is encouraging to see more organisations recognising the value that a positive culture brings to the business. One stated that culture lies at the heart of robust and effective governance, while others expressed the view that culture drives organisational success and impact. A few companies attempted to demonstrate the positive outcome of their culture quantitatively; for example, see Weir Group below.

Source: Weir Group, p. 82

Table detailing cultural actions and their associated outcomes during 2023, linked to culture statement aspects.

More companies are also extending their culture reporting beyond workforce to other stakeholder groups, such as customers and suppliers. Those two developments could be a result of greater interest expressed by investors and regulators in corporate culture, purpose and values, and how they are demonstrated by company leadership and linked to business model and strategy, as reported by some organisations. However, it is recommended that companies avoid turning the word 'culture' into a label or marketing tool, as observed in some annual reports this year. Overuse could negatively impact its meaning and importance.

Companies are being noticeably more transparent when the need for a greater focus on culture has been identified, for example during a board performance review, and when certain actions have been taken but outcomes are not yet known, which is commendable. However, clear signposting between the strategic report, where most culture reporting is usually placed, and the governance report is still a challenge for many organisations.

This may be one of the contributing factors behind the very limited disclosure in governance reports around how boards are promoting the desired culture (Principle B). Better reporters talked about it explicitly. They said, for example, how their boards were involved in reverse mentoring, directly engaged with the workforce and kept culture, purpose, values and strategy under regular review to ensure their alignment.

Promotion of desired culture by the board, as disclosed in the governance report

Pie chart showing proportions across four categories, represented by different shades of blue.

  • 46 companies made no direct reference to culture promotion
  • 22 companies made a reference but not in a board context
  • 28 companies referenced the board but provided no narrative
  • 4 companies supplemented their disclosure with a narrative

A few companies included a statement in their governance report saying that following their external board performance review, the evaluator concluded that the board has been effective in promoting the desired culture. Unfortunately, such statements lacked any evidence for the basis of this finding. We would encourage more transparency and rigour in reporting.

Key message

Disclosure in governance reports around how boards are promoting the desired culture is generally very low. More thorough reporting in this area and better signposting in the strategic report, where most culture reporting is usually placed, are urged.

Corporate purpose and values

Year on year we have observed a slight increase in disclosure of corporate purpose, from 89 companies to

  1. However, only 33 organisations reported insightfully in this area this year, compared with 48 last year. Unlike last year, the number that explained their purpose in one sentence, often repeated in several places across the annual report, is greater than those that provided insightful explanations.

Better reporters explained each element of their corporate purpose and provided supporting narrative, at times even demonstrating direct links to the strategy and Key Performance Indicators.

Reporting of corporate values is steadily increasing from 73 companies three years ago to 76 last year and 79 this year. Meanwhile, the number of organisations referring to corporate values without disclosing what they are remains unchanged this year, after improving last year. Better practice in values disclosure is demonstrated by not only listing the values but also ensuring they are company-specific, explained and supported by a disclosure of matching behaviours.

Thoughtful reporting was demonstrated by those businesses that not only described in detail how they conducted the review of their corporate values but explained how the values were subsequently embedded (see next section). A bespoke approach to disclosure, which is encouraged by the Code, was shown by some boards that reported on their activities in the year alongside values they demonstrated.

Assessment, monitoring and embedding

Bar chart comparing two different metrics across multiple categories using different shades of blue bars.

Disclosure around the alignment of corporate culture, purpose, values and strategy (Principle B) continues to fall, from 60 organisations three years ago to 40 this year. Among those that did explicitly discuss it, only a quarter did so insightfully, compared with around half last year and a quarter three years ago. On a more positive note, the number of reports without any references to the alignment between corporate culture, purpose, values and strategy has fallen year on year, from 23 companies to just nine.

Current wording in Provision 2 leaves room for interpretation as to whether organisational culture, purpose, values and strategy should all be aligned or just individual elements. The revised 2024 Code clarifies it is the former. Some businesses already report in this manner by providing a narrative, while others chose visual tools.

Source: Rathbones Group, p.19

Visual framework outlining company purpose, strategic priorities, and value creation for stakeholders with links to further details.

Despite more organisations than ever reporting on culture assessment and monitoring, every year only a small number stand out in terms of high-quality disclosures. At the same time, 42 businesses disclosed a fair amount of detail for the last two years, which is an increase from 35 three years ago. However, compared with last year, we have observed more disclosure of policies and practices, rather than actions during the year. Better reporters evaluated the effectiveness of each monitoring method and disclosed outcomes from their actions; see the example of Henry Boot Plc, a FTSE Small Cap company, below.

Source: Henry Boot, p.92

Table describing how the Board monitored culture in 2023, including actions, methods, values, and outcomes.

approach to culture assessment and monitoring, which might stem from greater understanding of what constitutes a desired culture for their companies.

Explicit references to culture embedding – not in relation to risk management – have increased from 37 companies three years ago to 53 last year and 61 this year. However, most disclosures are limited, with 19 organisations including a simple narrative and 24 only referring to culture embedding among other things. Those that reported in this area insightfully explained the embedding process in detail, including different methods, action points, timeline and outcomes.

The 2024 Code asks boards to report, on a comply or explain basis, how they are assessing and monitoring the embedding of desired culture (revised Provision 2). We found some companies that have already acknowledged the new reporting requirement, with a few even positioning their board's direct engagement with the workforce as their monitoring mechanism. Currently, culture embedding appears to be primarily described in the context of health and safety and ethics and compliance, with a few reporting on it through the lens of corporate values and behaviours.

Key message

While reporting on culture assessment and monitoring keeps increasing, this year more companies opted for disclosure of policies and practices, rather than the board's actions during the year. We would encourage more transparency and rigour in reporting.

Metrics, targets and progress

In line with last year, over 20 companies disclosed a clear set of culture metrics and targets. In addition, we found that more companies this year also reported on progress against those targets.

Source: Tate & Lyle, p. 48

Diagram outlining cultural objectives and targets for 2023 and 2026 related to equity, diversity, and inclusion.

Most metrics used for culture reporting are related to health and safety (for example, work-related accidents or workforce engagement), Net Promoter Score and diversity and inclusion (mostly gender-related). Targets linked to customers and suppliers are rare. However, we noticed a slight increase in disclosure of metrics, some of which are then used by boards to assess and monitor organisational culture, for example the promptness of payments to suppliers. We also observed more disclosure around the use of culture dashboards, with some companies helpfully explaining the makeup of metrics.

A couple of organisations started using technological innovations, including artificial intelligence (AI), to enhance the board's strategic decisions by highlighting intersectional trends from received feedback. This is encouraging to see.

The FRC's 2021 report Creating Positive Culture – Opportunities and Challenges identified better use of data and insights as one of the key enablers of high-quality culture assessment and monitoring.

Despite the Code not requiring culture assurance, 28 businesses reported on it. When culture assurance is undertaken, it is mostly done by the internal audit function or conducted externally. Only a few companies engaged their external auditor.

When conducting culture assurance, internal auditors tend to assess standards, training and conduct around compliance and ethics, risk and internal controls, health and safety, speak-up arrangements and whistleblowing reports. Their findings often feed into the board's assessment and monitoring of culture. A small number of companies also reported on how their internal audit function assesses the extent to which behaviours reflect company purpose, ambition, values and strategy.

Source: Virgin Money, p. 96

Insights are also provided from the Culture Assessments conducted by Internal Audit which provide an independent analysis of the culture in specific business areas supplementing other culture measurement tools. Culture Assessments use a combination of surveys, leadership and broader colleague focus groups and selective in-depth interviews to measure the alignment between Virgin Money's intended culture and the culture that colleagues experience on the ground. Actionable insights and areas of good practice are identified. During the year the Culture Assessment approach was refreshed and a review was undertaken in the Business Operations area with the outcomes reported to the Audit Committee.

Shareholder engagement

Principle D

In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure effective engagement with, and encourage participation from, these parties.

We are pleased to see that all companies reported on engaging with their shareholders during the reporting year, with 97 reporting on engagement that occurred outside of the AGM. However, as in previous years, we found little improvement in the quality of reporting on shareholder engagement. Most companies offered few details on the engagement, feedback received from shareholders or examples of outcomes.

Most companies provided details of the events they hosted for their shareholders during the reporting year. For example, one said they hosted 'regular market updates, investor presentations, 1x1 and group meetings, site visits and shareholder consultations'. As we have noted before, such events offer some insight into the type of information that companies give their shareholders and illustrate their engagement plans during the reporting year.

However, good reporters went a step further and discussed how the information was received by shareholders and the issues raised. The best reporters explained the:

  • Frequency of the engagement.
  • Methods of engagement.
  • Topic engaged on, and whether this was a priority for their shareholders.
  • Feedback from investors.
  • Outcome of the engagement and whether it has made a difference in the decision-making process.

Source: Mondi Group, p. 95

Alongside this, Philip Yea (chair) held meetings with a number of Mondi's major shareholders during the year. There was no specific agenda for these meetings, but instead they were designed to offer open discussion and engagement. Topics covered included capital allocation, the disposal of Mondi's Russian assets, Mondi's approach to governance and culture, diversity and progress against Mondi's MAP2030 targets. In 2023, our Board also continued to engage with a cross-section of shareholders on developments and external expectations relating to executive pay. As a consequence, further meetings with investors were held to discuss particular features of the Directors' Remuneration Policy. Constructive feedback from investors is taken into account in determining the structure and operation of our remuneration policy.

This type of engagement in the example above shows how the company considered the views of its shareholders when developing its remuneration policy.

Reporting in more detail on activities and outcomes of the engagement with shareholders offers more insight to report readers.

Source: Costain Group, p. 67

Costain Group noted that during the reporting year, they consulted with their shareholders to discuss their remuneration policy renewal. As a result of "listening to feedback from the remuneration policy consultation, the remuneration committee made appropriate adjustments and (their) new policy received a vote in favour of 97%."

The FRC plans to consult on changes to the Stewardship Code, which will cover a number of areas including greater emphasis on the importance of high-quality reporting on investor engagements.

Provision 3

In addition to formal general meetings, the chair should seek regular engagement with major shareholders in order to understand their views on governance and performance against the strategy. Committee chairs should seek engagement with shareholders on significant matters related to their areas of responsibility. The chair should ensure that the board as a whole has a clear understanding of the views of shareholders.

As described in Provision 3, engagement with major shareholders is an important element of good governance. We recognise that most 'business as usual engagement' is undertaken by investor relations teams, but it is essential that both the chair and committee members hear for themselves the issues that are important to their key investors. Such engagement can support future resolution and offer insight following a significant vote against a resolution.

Number of engagements

| Annual review | 2023 | 2024 |
|---|---|---|
| Chair | 52 | 68 |
| Remuneration committee chair | 63 | 75 |
| Senior independent chair | 13 | 20 |
| Nomination committee chair | 4 | 7 |
| Audit committee chair | 5 | 6 |

However, much of the reporting on engagement by committee chairs did not include specific outcomes. While outcomes can take time to materialise, it is important to include these where possible. It is good to see the number of engagements with board members and committee chairs has improved compared with last year's review.

Eighty-five companies in our sample noted that their investor relations function remained the first point of contact for shareholders. We encourage committee chairs to engage directly with their significant shareholders particularly in the event of a 20% vote against. Companies are reminded that a 20% vote against can provide an opportunity to help companies better understand reasons for voting against a resolution, and the extent to which pre-applied voting policies may have had any influence.

Key message

Explaining the outcome of engagement activities with shareholders adds meaning and purpose to reporting, although it is understood that outcomes can take time to materialise.

Stakeholder and workforce engagement

Principle D

In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure effective engagement with, and encourage participation from, these parties.

Provision 5

The board should understand the views of the company’s other key stakeholders and describe in the annual report how their interests and the matters set out in section 172 of the Companies Act 2006 have been considered in board discussions and decision-making.

A significant number of companies in our sample identified governments and regulators as key stakeholders (see below).

Bar chart showing distribution of numerical values across several categories.

Reporting on stakeholder engagement is of generally high quality and we continue to see more valuable reporting year on year.

Engagement

This year, companies identified other types of stakeholders in addition to those specifically mentioned in section 172 of the Companies Act. Although not currently referenced in the Companies Act, it is important that organisations identify the stakeholders most important to their operations and explain how they engage with them.

While reporting on engagement is generally high quality, it is sometimes unclear how the board specifically (rather than management or other employees) engages with different stakeholders. However, we did see some good examples this year. One company (see below) was transparent in its explanation of how the board engages with customers.

Source: OSB Group, p. 120

The Board’s engagement with customers is indirect and Directors are kept informed of customer-related matters through regular reports, feedback and research.

We were pleased to see that one company explained how it measured the effectiveness of its engagement with each stakeholder group. Companies are encouraged to report on the effectiveness of their engagement with stakeholders to ensure they continue to be effective as their company evolves.

Source: Persimmon, p. 55

How do we measure the effectiveness of our engagement?

The following metrics are regularly reviewed by the Board when considering progress against our five key priorities:

  • HBF eight-week and nine-month customer satisfaction survey scores.
  • Trustpilot scores.
  • Speed of resolution of any customer issues.
  • Number of visitors to sites and levels of website traffic.
  • Volume of sales.
  • FibreNest's achievement of timely connections.

Outcomes

Reporting on outcomes could include how the feedback obtained during engagement was considered in board discussions and decision-making (which is also in line with the requirements of Provision 5 of the Code), as well as any actions taken by the board.

Key message

To demonstrate the effectiveness of the engagement, it is important to explain the engagement undertaken during the year and any outcomes.

Reporting on outcomes also aligns with the new Principle C in the revised 2024 Corporate Governance Code, which states that 'governance reporting should focus on board decisions and their outcomes in the context of the company's strategy and objectives.'

The 2024 Code places greater emphasis on the importance of outcome-based reporting which we hope will reduce boilerplate reporting and the length of annual reports. We have previously discussed the importance of companies reporting on outcomes of stakeholder engagement to demonstrate the impact of governance practices. We hope that introducing this principle will help companies make greater progress in this area. It is important to emphasise that we do not expect an outcome to arise or to be included in the annual report, for every engagement with stakeholders. We encourage companies to use outcomes-based reporting where it demonstrates an effective engagement mechanism that they wish users of the annual report to be aware of.

Many companies provided a section that lists issues of importance for each stakeholder group. However, without explaining the engagement undertaken and the feedback received, these issues seem to be arbitrarily chosen by the company rather than determined through meaningful dialogue between the board and stakeholders. In addition, many companies did not give further detail about the action that the board or the company will take to address them.

Source: Indivior, p.30

Suppliers and distributors

Indivior has a small supply chain which is critical to effectively conduct its day-to-day business.

Key stakeholder issues

  • Product quality requirements and terms of business.
  • Contractual terms and payment timings.
  • Product pipeline and development plans.
  • Tender process details.
  • Climate change information.

Key issues for Indivior

  • Product quality is essential for regulatory and compliance purposes and to ensure patient safety.
  • A reliable supply chain is critical to the effective and regular distribution of treatments.
  • It will be necessary to work closely with suppliers to collect Indivior's Scope 3 emissions data.

It was interesting to see that Indivior noted the key issues for stakeholders from the perspective of both the company and the stakeholder groups.

Many companies reported on the outcomes of the engagement, particularly engagement with their workforce. This covered how the feedback received was considered in board discussions or decision-making, and/or any actions that were taken as a result.

It is important to note that engagement does not always require the board to take action.

However, when action is taken, it is considered good governance practice to explain it in the annual report. Companies do not need to provide excessive detail, but they could demonstrate, in a concise way, that the board is considering the views of the workforce and addressing any areas of concern or improvement, as seen in the Spirax-Sarco example.

Source: Spirax-Sarco Engineering, p.131

Management actions arising from our colleague engagement

We share and discuss the general themes from each meeting with local and divisional management and we ask them to share with the Committee any actions that arise from the feedback. This has proved to be very effective and we set out just a few examples of action taken:

Discussion Group Feedback: A sales team requested greater autonomy to support customers with faults or replacement parts and questioned layers of approval required.
Management Action: Local managers met with Divisional Sales Managers to understand their concerns. As part of the Group Finance G3 governance project, the Delegation of Authority (DoA) was updated to empower within the context of G3 and to ensure clarity for managers on the approval process.

Discussion Group Feedback: Challenges in understanding and implementing the business strategy in day-to-day roles. We heard the message: "show me the strategy, don't tell me; I want to understand my role in these strategies."
Management Action: One of our Businesses created 'stand up' meetings in supply sites; these were shorter learning sessions on topics such as the strategy goals and implementation. 'Purpose workshops' were developed for managers to focus on personal contribution to Company strategy.

Discussion Group Feedback: Colleagues requested greater clarity on pay structure/progression and rewards.
Management Action: The Company took a series of steps, including setting up a working group, making use of an app for colleagues to communicate directly with the payroll team and introducing HR surgeries/clinics for colleagues to drop in with queries and concerns.

Discussion Group Feedback: Remote roles such as Sales and Service Engineers are working more independently than before, and there is limited downtime and no opportunity to speak whilst driving etc.
Management Action: The Group refreshed and reinvigorated its focus on National Sales Manager monthly 'check ins' with all field-based Sales Teams as well as a quarterly collaboration event among the Service teams.

Some companies included a segment in the stakeholder section of the annual report under the heading 'outcomes'. However, it was unclear whether and how the outcomes were related to the engagement undertaken during the year. Good reporters demonstrated a clear link between engagement activities with their stakeholders and the outcomes reported.

The new Code guidance suggests ways in which companies might demonstrate how stakeholder engagement impacted board decision making. Following the stakeholder engagement feedback cycle, companies are encouraged to report on the inputs, outputs and outcomes of their engagement.

Workforce

Effective engagement, for purposes of Principle D, includes two-way workforce engagement. Employees are important stakeholders. Direct meetings, where the board actively seeks people's views and responds to their feedback, benefit both parties. Board members can gain valuable understanding by actively engaging with employees and taking their feedback into account. They can get a direct overview of their experiences and interests, the company's culture and how the company's values have been embedded throughout the business.

It also presents a great opportunity for the board to develop a deeper understanding of the company's operations, business model, and strategy, including risks and opportunities, as well as environmental and social matters. For instance, conducting site visits can give the board an overview of workforce conditions, management efficiency and the impact of business on the wider community. We were pleased to find that two-way engagement, such as meetings between board members and the workforce or board site visits, is a common practice.

Eighty-five companies reported engaging in this way during the year. It was conducted either via one of the mechanisms set out under Provision 5, an alternative method or through both.

Methods of engagement

Provision 5 states that the board should select one of the Code's prescribed methods for engagement, or it could choose another way to engage with the workforce and explain why this is effective. Companies are not required to disclose their engagement method; however, most did.

Pie chart showing the methods of workforce engagement reported by companies:

  • 55 companies engaged using a designated NED
  • 8 companies engaged using a Workforce Advisory Panel
  • 9 companies engaged using both designated NED and Workforce Advisory Panel
  • 20 companies engaged using alternative method(s)
  • 8 companies did not state or it is unclear if they adopted one of the mechanisms prescribed by the Code (this does not mean that they have not complied with the Code as it is not a requirement to disclose this specific information)

As in previous years, a designated NED was the most popular method of engaging with the workforce. This can be a practical approach, with a NED having a clear and focused role as a link between the board and the workforce, and sharing employee insights with the board.

Most companies indicated in their report that the designated NED had directly engaged with the workforce during the year to gather their perspectives on various matters. However, some companies did not disclose whether their designated NED had engaged directly or conducted other activities to understand the workforce's viewpoint. If such engagement has occurred during the reporting period, companies could consider disclosing it in the annual report. This not only illustrates compliance with the Code but also aligns with good governance practice.

Seventeen companies reported having established workforce advisory panels, with eight of these also having a designated NED for workforce engagement. A panel can be a useful mechanism as it brings together various workforce perspectives, particularly when the company operates across different markets and geographies.

Most companies explained how the panel communicated the workforce's views to the board. Good reporting outlined the frequency of the panel's meetings during the year and how their views were conveyed to the board. Companies with both a workforce panel and a designated NED explained that the NED regularly attended the panel's meetings, while other companies reported attendance at the meetings by other NEDs, including the board chair and committee chairs. Two companies reported that panel members had been invited to attend board meetings.

As in previous years, we did not have a company in our sample with a director elected from its workforce. This can add value to the boardroom by incorporating the workforce's experience directly into board discussions and decision-making. It may also be easier for employees to share information and honest opinions with someone nominated directly by them. Through our engagements, we have found that some investors support workforce-nominated directors on boards.

Alternative arrangements

Provision 5 states that if the board has not chosen one or more of these methods, it should explain what alternative arrangements are in place and why it considers them effective. This ensures a company can still fully comply with Provision 5 even if it has not selected one of the methods set out by this provision.

It is important that engagement mechanisms are tailored to the company's circumstances, including its structure and strategy. Twenty companies had chosen an alternative arrangement to those set out in the Code to engage with the workforce. Fifteen of them explained that due to their geographical reach, it would be difficult to have a single designated NED to cover the engagement. Therefore, it was more practical for the company to have several or all of the board members engaged with the workforce in different locations. In addition, three other companies had established board committees responsible for workforce engagement.

Only two companies did not explain how their alternative engagement methods were effective, so did not comply with Provision 5.

Source: Spirax-Sarco Engineering, p.131

Benchmarking – Each year, the Committee undertakes an evaluation of its effectiveness and at least one benchmarking activity to ensure our activities reflect best practices and are in line with the regulatory requirements. Additionally, we use this as an opportunity to review what other opportunities for colleague engagement might be feasible and effective for our Group. This year, the Committee reviewed the colleague engagement approaches implemented by a selection of peer businesses within the FTSE 100 and considered whether some of those approaches might be beneficial for our own Committee agenda. In general, the Committee believes that it is working well and that it is adding value to the Board and this is supported by feedback from the Board, the executive and the wider organisation. Committee members are keen to interact with even more colleagues when undertaking site visits in 2024.

Provision 5 of the Code states that companies should keep their mechanisms under review so they remain effective. The above example is also a good illustration of how a company can evaluate its engagement mechanisms and describe its approach in the annual report.

Board engagement

One company reported that it had decided to carry out an employee survey as an alternative way of engagement, and another said it engaged through senior management reporting periodically to the board. Surveys may be a good opportunity to obtain more detailed and honest (if carried out anonymously) feedback from the workforce. In addition, engagement by senior management can be beneficial for both the workforce and the company.

However, to meet the requirements of Principle D and Provision 5, and as a matter of good practice, the board should carry out its own engagement with the workforce in addition to any engagement undertaken by senior management. The board can delegate this responsibility to one or more NEDs or a board-level committee, but it cannot delegate it to senior management or rely solely on surveys carried out by the management or external parties.

Reporting on workforce engagement in the Annual Report

To demonstrate how their engagement has been effective (as per Principle D), good reporters provided an overview of the engagement undertaken during the year, the themes discussed or feedback received, and the actions taken by the board to address that feedback.

Many companies provided a good overview of their activities, for example, meetings with the designated NED and site visits by different NEDs.

Source: Associated British Foods, p.84

Since my last report I have spent face-to-face time with our people in their offices, factories, stores, and out in the field. In these discussions I have been able to understand how they view our Group and their specific business and location. I have spoken with:

  • operations, commercial and management teams from Twinings Ovaltine in Andover and New Jersey;
  • employees from the Argo factory and the Chicago Head Office in ACH;
  • retail assistants, store supervisors, managers, and regional HR business partners at Primark's Chicago store and at two different Primark stores in New Jersey;
  • employees across a range of teams and departments at SPI Pharma in Grand Haven, Michigan;
  • participants of the Thrive development programme at George Weston Foods businesses in Australia;
  • employees from operations and product merchandising from Tip Top in New South Wales, Australia;
  • a wide variety of employees from our Don business in regional Victoria, Australia; and
  • the team in our Yumi's business based in Port Melbourne, Australia.

My visits also enable me to connect with our people through unions or other local collective arrangements, for example with the union representative for our Don business. I am also grateful for the input from fellow Board members who have visited our businesses including Acetum, Illovo and Primark during the year.

Only 30 companies reported on the outcomes of the engagement. Good reporters provided a summary of how feedback received impacted board discussions and decision-making and any actions taken as a result.

Communities

Section 172(1)(d) of the Companies Act 2006 stipulates that companies should have regard for the impact of the company's operations on the community and the environment.

We have previously observed that reporting on the impacts of companies' operations on local communities is boilerplate and provides very little valuable information for the users of reports. Only 63% of companies identified the community as a stakeholder, independent of the environment.

The majority of companies only shared positive community and charitable initiatives without explaining the impact of their operations. Some companies used phrases like, 'we wish to minimise the negative environmental and social impact that we may have' without explaining what those impacts may be and any action they are taking to achieve this objective.

Board discussions and decision-making

While engagement with some stakeholders, such as the workforce, may be straightforward for the board, it can be more difficult to engage directly with other stakeholder groups, for example consumers or communities. It is understandable that the board may not engage with these stakeholders to the same extent as it does with the workforce.

Nevertheless, the board, for the purposes of Provision 5, should be kept updated about these stakeholders' interests and viewpoints and consider them in their discussions and decision-making.

Section 172 of the Companies Act 2006 lists a number of stakeholders. However, the board can also engage with other stakeholders or consider them in their discussions or decision-making. For example, some companies reported engagement with their lenders, regulators or governments.

For the purposes of Provision 5, the board does not need to provide considerable detail on how these stakeholders and the matters under section 172 have been considered. Good reporting provides a concise summary demonstrating that the board considers these during meetings and when making decisions.

Many companies provide case studies or examples of decisions to show these considerations. However, it is often unclear whether these are simply decisions taken by the company as part of its strategy or actual decisions made by the board. Often, companies just use icons to point out which stakeholders had been considered but do not explain how.

In addition, under a 'Section 172' heading, some companies provided information on what the company does for groups of stakeholders, such as employee training or charity and environmental initiatives. However, they did not refer directly to the board discussions or decision-making.

Good reporting for the purposes of this provision demonstrates how the board has considered the company's stakeholders and other factors under section 172 in their discussions and decision-making.

Source: Chemring, p.87

Overview of key investments in Roke and Energetics businesses, ESG strategy implementation, and executive remuneration

Source: Currys, p.29

Case study: Sale of Kotsovolos

During the year, the Group completed a strategic review of Kotsovolos. On 10 April 2024, the Group completed the sale of Dixons South East Europe A.E.V.E., the holding company of Currys' entire Greece and Cyprus retail business, trading as Kotsovolos, to Public Power Corporation S.A. for an enterprise value of €200m (£175m).

Case study detailing the strategic review and sale of Kotsovolos, including financial and stakeholder considerations

Environment

In line with previous years, environmental matters, including climate change, continue to be a prominent subject in the annual reports. The Code does not have specific reporting requirements on environmental issues other than the requirement under Provision 5 asking companies to disclose how the board has considered Section 172 matters in its discussions and decision-making. The environment is one of the factors listed under Section 172 of the Companies Act, and most companies provided some indication of how it was considered in board discussions and decision-making.

Forty-eight companies reported having a designated board-level committee responsible for environmental matters (including climate change), many of which were created in the past two to three years.

These committees were often designed as ESG, CSR or sustainability committees and also had responsibilities for other matters such as stakeholder engagement, health and safety and company reputation.

While having such a committee is not a Code requirement, it is encouraging to see boards developing bespoke governance arrangements to oversee environmental matters.

Committee responsibilities differed between companies and included:

  • Reviewing environmental policies.
  • Monitoring environmental impact and performance, for example energy and carbon emissions, and waste management.
  • Reviewing environmental-related risks and opportunities.
  • Overseeing compliance with applicable government and industry standards.
  • Overseeing environmental-related reporting, including Taskforce on Climate-Related Financial Disclosures (TCFD) reporting.

For most companies, this designated committee was made up entirely of NEDs. Some companies reported that senior managers, such as the CEO, were part of this committee. In two companies, the committee included a mix of NEDs and senior managers (for example, the CEO, CFO, CRO and company secretary).

Companies that did not have a designated committee reported that the board as a whole had responsibility for environmental matters. Many said their audit committee had some delegated responsibilities, usually for environmental-related risks and reporting. One company reported that the audit committee was also responsible for overseeing the level of carbon emissions. We were pleased to see some companies reporting cross-work between different board committees on environmental matters, for example, the audit and sustainability, risk or remuneration committees.

In addition, 37 companies reported having a committee at the management level with responsibilities for environmental matters. Good reporters provided details on how such a committee worked with the board. However, for some companies, it was unclear how the work of the management-level committee was reported to the board or its committees.

While it is not a Code requirement, 35 companies provided a summary of the activities of the designated committee during the year. This may be helpful for users of the annual report to understand the board's role and its approach to dealing with environmental matters.

Source: Compass Group, p.91

During the year, the Committee reviewed with management the Group's sustainability strategy including the plans to reach climate net zero by

  1. The Committee reviewed the progress made during the year on reducing the Group's Scope 1 and 2 emissions. The Committee also considered the Group's key activities to reduce Scope 3 emissions which centred around food waste reduction, re-engineering menus and collaboration with suppliers. The Committee also received an update on progress on the UK&I business' commitment to reach climate net zero by 2030, and reviewed the roadmap in detail. More detail of Compass' progress on its sustainability strategy and net zero commitments can be found in the Purpose report on pages 38 to 44.

In September 2023, the Committee reviewed the Company's proposed TCFD disclosures to be included in the 2023 Annual Report and Accounts. In addition, the Committee received a training session led by the Sustainability team, external advisers and the Company's external auditor on the wider ESG landscape, including forthcoming sustainability disclosure requirements. Further information can be found on page

  1. To better understand and mitigate the Group's food waste footprint, the use of food waste tracking technology has been expanded across the Group's operations to help towards Compass' commitment to halve food waste in its operations by 2030. Aligned to this commitment, the Group introduced a non-financial food waste performance measure related to the number of sites across the Group's businesses adopting the technology for the financial year ended

  2. Achievement of the food waste performance measure is linked to 5% of the annual bonus of executive directors and senior management. The Committee is pleased to report that excellent progress has been made during the year with 7,943 sites globally now employing food waste tracking technology to record food waste.

Suppliers

The relationships companies have with their suppliers are crucial to long-term success. Ways in which companies maintain good relationships with their suppliers include working together on workforce issues such as modern slavery, agreeing approaches to environmental and climate change challenges and ensuring payment practices align with their policies and contractual obligations.

Targets linked to customers and suppliers are rare. However, we noticed a slight increase in disclosure of metrics, some of which are used by boards to assess and monitor organisational culture – for example, the promptness of payments to suppliers, as one company reported.

Source: Spirax-Sarco Engineering, p.119

The Board monitors and assesses culture using the following mechanisms: promptness of payments to suppliers, approach to regulators.

In our sample, 42% of companies referenced supplier payment terms. Eighteen companies explicitly defined their prompt payment policy, 16 companies noted that they are signatories to the Prompt Payment Code (PPC) and five said prompt payment is a priority for the board. This information gives an indication as to the importance a company gives to paying suppliers in a timely manner.

Barclays, for example, noted that it is a signatory to the PPC and its board is committed to the fair payment and treatment of its suppliers.

Source: Barclays, p.238

Prompt payment is critical to the cash flow of every business, and especially to smaller businesses within the supply chain as cash flow issues are a major contributor to business failure. We aim to pay our TPSPs within clearly defined terms, and to help ensure there is a proper process for dealing with any issues that may arise.

We measure prompt payment globally by calculating the percentage of TPSP spend paid within 45 days following invoice date.

The measurement applies against all invoices by value over a three-month rolling average period for all entities where invoices are managed centrally. At the end of 2023, we achieved 93% on-time payment to our TPSPs compared to 93% at the end of 2022, exceeding our public commitment to pay 85% of TPSPs on time (by invoice value). The need to promptly pay our diverse TPSPs became even more important during the COVID-19 pandemic. Barclays established a process to expedite the payments for diverse TPSPs at this critical time. This process remained in place during

  1. Barclays is proud to be a signatory of the Prompt Payment Code in the UK and we also work closely with the Small Business Commissioner and other organisations, including Good Business Pays, to educate the public on late payments and the impact they can have on businesses and business owners, and to raise the social conscience of larger businesses who do not pay on time.

2. Division of Responsibilities

Over-boarding

Principle H:

Non-executive directors should have sufficient time to meet their board responsibilities. They should provide constructive challenge, strategic guidance, offer specialist advice and hold management to account.

Directors must have sufficient time to carry out their roles and to fulfil their responsibilities under section 172 of the Companies Act 2006 to promote the long-term success of the company, generating value for shareholders and wider stakeholders. The Code does not specify a maximum number of board appointments that can be held by a NED, as the time commitments for each role will vary depending on their responsibilities and whether, for example, a director is part of a board committee or is the chair of a board. It is important that full-time executive directors do not take on more than one non-executive directorship in a FTSE 100 company or other significant appointment.

Nearly half of the companies in our sample stated that all directors have sufficient time to carry out their role effectively, while a further 15 only specified that their NEDs have sufficient time to fulfil their duties. The majority of other companies explained that they review the commitments of directors to ensure they have sufficient time to fulfil their duties.

No executive directors in our sample had more than one non-executive role in a FTSE 100 company, in line with provision 15 of the Code.

Encouragingly, over 90% of companies in our sample provided specific information on the external commitments of directors and over 65% listed all directors' other appointments. The majority of companies simply listed directors' external appointments in the directors' biographies section of the annual report. However, some companies provided specific information on their considerations of individual directors' time commitments and explained the actions taken to manage their time commitments.

One company explained that, as a result of concerns about the number of other listed directorships held by a director, it contacted major shareholders who voted against the re-election of the director to understand their views. The company explained that the director's attendance record was exemplary and that they participated in a number of additional opportunities throughout the year.

Key message

Companies are encouraged to be transparent in their annual report and disclose information about the time commitments of their directors.

Good reporting will include factors that the board took into consideration when reviewing the time commitments of a director.

A small number of companies in our sample said they note the views of a variety of investor bodies and institutional investors to foresee any perception of over-boarding.

Although some good reporting was identified, there is still a significant amount of boilerplate reporting. Many companies used phrases such as 'no instances of over-boarding were identified during the year' with no further discussion around the time commitment of their directors.

Several companies disclosed information about their consideration of approving a change to their external appointments.

Source: BAE Systems, p.90

In compliance with Provision 15 of the Code, the Nominations Committee considered [a director's] other commitments prior to his appointment to the Board as a non-executive director in

  1. In particular, it noted his other listed company board appointments, being his role as non-executive Chair of James Fisher & Sons and non-executive director positions at Ashtead Group and STS Global Income & Growth Trust. Prior to his appointment, it was confirmed that he would be stepping down from the STS Global Income & Growth Trust at its AGM this year. Recognising that [the director] will be stepping down from a listed company board later this year (most likely in July) and that all of his other corporate interests are non-executive in nature, the Board is satisfied that he has sufficient time to undertake his duties as a non-executive director of the Company.

Board committees

Disappointingly, companies in our sample did not disclose much information about the board committees their directors serve on in their external appointments. Fewer than 10% of companies listed whether their directors are part of a board committee in their external roles and a further 26% only disclosed this information if the director was a board committee chair. Serving on a board committee can be time consuming and can involve a wide range of responsibilities that can be intensive and call for additional involvement. Boards are advised to take this into consideration when reviewing the time commitments of their directors.

Over-boarding policy

We found that the majority of companies included some consideration of the time commitments of directors in their annual report. Most companies explained that directors' external commitments are considered on appointment and that additional appointments require prior approval of the board.

One company disclosed its over-boarding policy which stipulates how many external appointments a NED should have. However, the vast majority of companies were not as specific in their policies. Examples like the one below demonstrate some factors that are considered by companies when assessing the time commitments of their directors.

Source: Dr Martens, p.98

The Board considers the number of board positions that the Director holds at other public companies alongside the likely 'size' of their new role. It also takes into account externally published guidance and proxy voting guidelines to ensure the principles of major investors in respect of 'overboarding' are considered.

When calculating the expected time commitment, boards are advised to consider the additional commitment needed when the company is experiencing increased activity, for example during a period of distress. The role that individual directors are likely to play on committees of the board, including possibly chairing these, forms part of this consideration.

Board performance review

Fewer than 30% of companies disclosed that they considered directors' time commitments to other organisations as part of their annual board performance review. Those that did provided very little information on what they considered to determine whether each director has sufficient time to fulfil their duties.

Reviewing the external appointments of directors as part of a company's annual board performance review can be an effective way of monitoring any change to the time commitments of directors.

Companies in our sample reviewed directors' external appointments through, for example:

  • A register of directors' commitments maintained by the company secretary that is reviewed at each board meeting.
  • Their nominations committee.
  • One-to-one discussions with the chair.
  • An annual review by the board of NEDs' external appointments.

Diversity

Provision 23

The annual report should describe the work of the nomination committee, including: [...]

  • the policy on diversity and inclusion, its objectives and linkage to company strategy, how it has been implemented and progress on achieving the objectives

Similar to previous years, the approach to reporting on diversity policies varied. Some companies cited that they had diversity policies but did not provide a description of what the policy entails. Others gave generic descriptions of what their diversity policy includes without referencing any specific targets or objectives for how they aim to improve their diversity.

However, it was encouraging to see 59 companies provide clear information about what their board diversity policy covers, their targets and objectives and the progress they have made to achieve these. Convatec Group noted its diversity targets and objectives and documented the current progress. They noted that they aim to achieve higher representation of women in senior management through a leadership development programme.

Source: Convatec Group, p.108

  • As part of our ongoing diversity and inclusion strategy, our target is to achieve 40% of senior management roles to be held by women by 2025.
  • By 2023...women represented 44% of board members and 44% of their Senior Management team. This was previously 40% in 2022 for the board and 38% in 2022 for Senior Management.

It has been very encouraging to see a minority of companies provide forward-looking explanations to show how they will continue to monitor progress in the year ahead to meet their targets.

Source: Shell Plc, p.173

Women representation in the top 1,200 roles ("Senior Leadership" positions) has strengthened by 2% during 2023 to 32%, and we continue to progress towards our aim of achieving 35% women senior leadership representation by 2025.

Gender and ethnicity targets

A key component of our analysis was to investigate how gender and ethnicity targets were reported in annual reports. Many companies align their own targets with the FTSE Women Leaders Review and Parker Review targets. The FTSE Women Leaders Review target is to have 40% women representation on the board by the end of 2025 for FTSE 350 companies. Fifty-five FTSE 350 companies within our sample of 84 companies already meet this, which is an 18% increase from last year's sample. We anticipate a rise in the number of companies that will achieve these targets in the year ahead.

The 2024 Parker Review encourages FTSE 250 companies to have at least one ethnic minority director on the board. Out of 41 FTSE 250 companies, we found that 32 FTSE 250 companies have met this target.

This year we examined whether companies had stated whether they were working towards the 2027 Parker Review targets for FTSE 350 companies. The 2027 targets will require companies to set their own targets for the percentage of senior management who self-identify as being from an ethnic minority background. Twenty-two FTSE 350 companies and one Small Cap company referenced their aim to work towards these targets, demonstrating the importance of achieving greater diversity within their organisation.

We also assessed the extent to which the 2022 Financial Conduct Authority's Listing Rules (LR 9.8.6R(9) and LR 14.3.33R(1)) were reported on. The targets operate on a comply or explain basis. Like last year, one measure we explored was whether the companies in our sample had a woman appointed to at least one of the senior board positions (Chair, CEO, Senior Independent Director, or CFO). The table below shows the total number of women in the top four senior leadership roles in our sample of 100 companies.

| Chair | Senior independent director | CEO | CFO |
|---|---|---|---|
| 18 | 49 | 6 | 13 |

Initiatives and objectives beyond Parker Review and the FTSE Women Leaders Review targets

Eighty companies reported on diversity initiatives targeted at senior management, boards and the workforce. The quality of information provided for these initiatives and objectives varied. However, most of these companies reported on employee resource groups, for example the LGBTQ+ Network, that advocate for the workforce.

Good reporting on initiatives described the contribution towards improving diversity at board level and senior management.

Source: HSBC, p.77

In our 2023 Accelerating into Leadership programme, which prepares high potential, mid-level colleagues for leadership roles, 43% of participants were women. More than 5,200 women also participated in our Coaching Circles programme, which matches senior leaders with a small group of colleagues to provide advice and support on the development of leadership skills and network building.

One company described an initiative designed to address the needs of the level of leadership below the executive committee and directors.

Source: Henry Boot, p.105

The Committee has oversight of the Company's Senior Leadership Development Programme (SLDP) through which we have given development opportunities to a significant number of senior management. Our Leadership Development Programme (LDP)... is a cohort-led development opportunity to address the needs of the next level of leadership below Executive Committee and Director level.

However, companies in our sample rarely reported on the outcomes of their initiatives or disclosed their impact on improving representation on boards or among senior leadership.

We have made changes to the 2024 UK Corporate Governance Code that included the removal of a list of diversity characteristics, to encourage companies to think about diversity more widely. We have also added a new reference to diversity initiatives to help companies to think beyond formal policies when it comes to diversity and inclusion.

It was encouraging to see some companies report on targets and initiatives for diversity characteristics beyond gender and ethnicity. For example, Lloyds Banking Group noted that it has a target to double the number of disabled colleagues in senior management by 2025.

Overall, it has been positive to see the progress companies have made in reporting on objectives and targets, and on developing diverse boards and senior management teams. We hope to see organisations continue to report on their progress and set out the outcomes of their diversity initiatives.

Key message

Many companies are reporting clearly on their diversity and inclusion policies and, encouragingly, some companies also explain diversity initiatives which they have put in place.

4. Audit, Risk and Internal Controls

Audit

Provision 26:

The annual report should describe the work of the audit committee, including: [...]

  • an explanation of how it has assessed the independence and effectiveness of the external audit process and the approach taken to the appointment or reappointment of the external auditor, information on the length of tenure of the current audit firm, when a tender was last conducted and advance notice of any retendering plans.

In May 2023, the FRC published the Audit Committees and the External Audit: Minimum Standard (the Minimum Standard). The Minimum Standard was developed in response to the Competition and Markets Authority's market study on statutory audit, in particular the recommendation on audit committee scrutiny. From financial years starting on or after 1 January 2025, the Minimum Standard will form part of the Corporate Governance Code. Provision 25 sets out the main roles and responsibilities of the audit committee, which includes following the Minimum Standard. Provision 26 states that annual reports should describe the work of the audit committee including the matters set out in the Minimum Standard. Following the Minimum Standard was voluntary for financial year ending

  1. Despite this, nearly half of the companies in our sample referred to the Minimum Standard in their annual report for this period. We encourage audit committees to include updates about the Minimum Standard in future annual reports.

Source: Associated British Foods, p.99

The FRC's 'Audit Committees and the External Audit: Minimum Standard' (the 'Minimum Standard') was published in May 2023, eight months into the financial year. Between its publication and the end of the financial year on 16 September 2023, one Audit Committee meeting has taken place, at which the Minimum Standard was considered. The Audit Committee's assessment is that there is nothing of note in the Minimum Standard that differs from how the ABF Audit Committee currently operates. However, this is being reviewed further, including to the extent that there may be useful points to consider in relation to the assessment of the effectiveness of the audit process and to the audit tender process.

Seventeen companies reported that they already fully or partially follow the Minimum Standard. However, most companies in the sample are at earlier stages, which is understandable given the standard is not yet formally part of the Code. The Minimum Standard is being added to audit committees' terms of reference. Audit committees are being briefed about the Minimum Standard and overseeing gap analyses which compare current approaches with the Minimum Standard.

Independence

The independence of NEDs who sit on audit committees is pertinent to the important role they play in assessing the independence of external audit. On this basis, the independence of each member of the audit committee should be referenced in their biography, or an explanation should be provided. A small number of companies did not cover independence explicitly, and it could not be implied from the narrative. We did further work on these cases, and in some instances individuals' independence was unclear.

Audit committees often report on the independence of the external audit process by referring to the company's policy for the provision of non-audit services (NAS) by the external auditor. Fifteen companies published their NAS policy in full. Published terms of reference for audit committees often refer to the NAS policy regardless of whether it has been published.

The Corporate Governance Code and Minimum Standard set out the responsibilities of audit committees. This includes developing a policy on NAS, ensuring there is prior approval of NAS, considering the impact this may have on independence, taking into account relevant regulations and ethical guidance, and reporting to the board on any improvement or action required.

Not all companies require their audit committees to approve all NAS. Some policies for NAS set out a chain of approvals that escalates depending on the level of the fees involved. This starts with approval by Chief Finance Officers, followed by the chair of the audit committee, with approval by the whole audit committee being reserved for maximum fees. Some companies have reached a compromise on the level of approval required.

Source: Auction Technology Group, p.89

Provision of non-audit services

To preserve objectivity and independence, the external auditor is asked not to provide other services except those that are specifically approved and permitted under the Group's non-audit services policy. Non-audit services are generally not provided by the external auditor unless specific circumstances mean that it is in the best interests of the Group that these are provided by Deloitte rather than another supplier. To ensure the continuing independence of the auditor, during the year the Committee reviewed and approved a policy on non-audit services. The key principles of this policy are:

  • The Audit Committee has adopted the FRC's list of permitted services for UK incorporated EU Public Interest entities ("EU PIEs") as set out in the Revised Ethical Standard 2019 ("Ethical Standard"). These services are allowed under UK statutory legislation and comply with the European Union directive on audit and non-audit services.
  • Permitted services include those that are required by law and regulation, loan covenant reporting, other assurance services closely linked to the audit or Annual Report and reporting accountant services.
  • For any non-audit permitted services the following levels of authority apply:
    a) up to £50,000 requires the approval of the CFO
    b) in excess of £50,000 and up to £150,000 requires the approval of the CFO following consultation with the Chair of the Audit Committee
    c) in excess of £150,000 requires the approval of the Committee.

Some companies have gone beyond what is required by the FRC Ethical Standard for auditors by imposing a ratio of NAS to audit services of less than 70%.

Companies typically assess independence with reference to the restrictions that apply to auditors. For example, companies commonly refer to audit partners' tenure. However, companies are advised to bear in mind that true independence is demonstrated through auditors' challenge of management and professional scepticism.

Source: Trustpilot, p.130

In reviewing the independence of the External Auditor, the Committee took into consideration:

  • confirmation from PwC that they had adhered to their policies and procedures to safeguard independence and had followed necessary guidance and professional standards in relation to auditor independence;
  • the Committee's monitoring of PwC's processes for maintaining independence;
  • the Committee's assessment of PwC's challenge and professional scepticism;
  • the absence of any threats to PwC's independence including the absence of any relationships between PwC and the Company (other than in the ordinary course of business) which could adversely affect PwC's independence and objectivity;

Effectiveness of external audit

We found good reporting on the effectiveness of the external audit process included:

  • The number of meetings between the external auditor and audit committee.
  • Feedback from committee members and internal stakeholders on the external auditor.
  • Auditors' awareness of the commercial environment in which the company operates.

Source: London Stock Exchange, p.112

The Committee assessed the effectiveness of the external audit throughout the year in accordance with principle M of the Code. The Committee relied on its own judgement supported by the following evidence:

  • a report from management on their own evaluation of the effectiveness of the external auditor based on a questionnaire prepared in accordance with the Financial Reporting Council's (FRC's) guidance and completed by key stakeholders;
  • a review of the FRC's 2022/2023 Audit Quality Inspection and Supervision Report, specifically the report related to EY. The Audit Committee also reviewed the results of the FRC's inspection of the LSEG 2021-year end audit which highlighted limited improvements required; and
  • the separate meetings held with EY at each Committee meeting without management being present.

Based on all evidence presented, the Committee satisfied itself that the external audit has been conducted effectively, with appropriate rigour and challenge, and that EY had applied appropriate professional scepticism throughout the audit.

Tender and tenure of the external auditor

The Minimum Standard and the Code cover tendering. The Minimum Standard specifies that challenger firms (non-Big Four) must be given fair and objective consideration. Encouragingly, a number of companies that tendered for external audit during the 2024 financial year, or will tender next year, have said that they take account of the Minimum Standard when tendering. One company that tendered during the reporting period sent a formal invitation to eight audit firms with relevant sector experience.

Source: Diageo, p.112

In determining the process for the audit services tender, management took into consideration and followed the FRC's guidance on audit tendering, with the Audit Committee making robust decisions to ensure that the requirements of the FRC's minimum standard for Audit Committees were met.

The clearest way to report the tenure of the external auditor is to state the number of years they have audited numerically, with an accompanying reference to the first financial year they audited.

It is important to bear in mind that readers cannot always accurately ascertain the tenure of the audit firm from other information such as when a tender was last conducted, and/or when the auditors' appointment was agreed by shareholders at an AGM. The time that elapses between these events and the first financial year audited by new auditors varies between companies.

This lack of clarity is compounded by initial appointments of audit firms not being differentiated from either the incumbent auditor's reappointment for a second term following a tender, or shareholders' annual votes on the auditor's continuation. Consistent references to 'financial year ends' would be helpful. The use of terms such as 'fiscals' and other alternative terminology could be confusing to UK readers.

Reporting on tender processes

A flow chart is ideal.

Source: Pennon Group, p.140

[Figure: Timeline outlining key steps and dates in the audit tender process from May 2023 to February 2024.]

Internal audit

The vast majority of companies run their internal audit function in-house. Of the five companies in the sample that outsource their internal audit, two are considering bringing it in-house. One company provided an explanation for why it does not have an internal audit function.

Source: Gym Group, p.89

The Committee reviewed the requirement for an internal audit function during the year, as it does annually, and has concluded that, given the relatively straightforward nature of the Group's operations and the low levels of portable assets such as cash in hand and inventory, an internal audit function is not necessary at this time. This will be kept under review as the Group continues to grow.

Key message

Early adoption of the Audit Committees and the External Audit: Minimum Standard (the Standard) is optimum because it facilitates timely design and testing of new processes and an evolutionary approach to enhancing audit committee practices, for example around audit tenders. Companies can support their audit committees by making their responsibility for following the Standard explicit in terms of reference. This is one of the ways that companies can encourage their audit committees to focus on the content of the Standard.

Audit Quality Review inspection results

Principle M

The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.

For the 100 annual reports we reviewed, we considered the level and clarity of disclosure by audit committees of any Audit Quality Review (AQR) inspection in the year. A relevant inspection report had been issued for 17 of the reports. All of these referred to the AQR inspection.

Among the companies included in this review, there is clearly a high level of disclosure by audit committees of the results of AQR inspections. The quality of reporting has improved over recent years.

The graph below shows breakdown information for the 68 companies among the 100 reviewed whose audits were inspected by AQR within the past five years.

Pie chart illustrating the proportional distribution of a whole across three main categories.

Bar chart showing distribution of numerical values across several categories.

In a separate review, the AQR team considered the level and clarity of disclosure by audit committees of the findings of inspections completed for the 2022/23 inspection cycle. This has given us a snapshot of the quality of disclosures across all companies whose audits are in the remit of AQR inspection. The FRC publishes a list of the inspections which we have carried out.

Our review found clear information disclosed in 41 cases and 23 examples of no disclosure where we would have expected it. There were a further 28 examples where we felt the information given was not sufficiently clear, or could be misinterpreted by the users of the annual report.

There were 73 cases where no disclosure had been made. Among these, there were 50 cases where we understood the reasons for this (for example, the company did not have an audit committee).

To assist audit committees in improving the usefulness of their disclosures, we encourage them to consider disclosing the scope of our inspection as well as the results and any actions taken or being taken in response to the findings.

One example – Compass Group – clearly explained the scope of the work as well as the results:

Source: Compass Group, p.128

The Financial Reporting Council (FRC) Audit Quality Review (AQR) selected the external audit by KPMG LLP of the Group's financial statements for the year ended 30 September 2020 for review as part of its annual inspection of audit firms. The AQR covered the audit work at a Group level, including goodwill, going concern, the oversight of the US audit work by the Group team, communication with the Audit Committee and matters relating to planning, completion, ethics and quality control.

The Audit Committee reviewed and discussed the scope of the AQR, the AQR report and actions that will be taken as a result of the findings of the AQR.

The AQR highlighted good practice in respect of certain aspects of the Group audit work which was noted by the Committee. The report included one observation, requiring limited improvement which was not considered significant by the Committee. The Committee is satisfied with the response of KPMG to the finding in the audit for the year ended 30 September 2021.

The FRC's Standard on Audit Committees and the External Audit (May 2023), paragraph 24, states that information on the findings of an audit inspection, and any remedial action the auditor is taking in response, should be provided in the next annual report.

Key message

There has been an increase in the level of disclosure by audit committees of AQR inspection results. There is room for improvement in the quality and clarity of the disclosures, to demonstrate how the work of audit committees supports overall improvements to audit quality.

Risk

Principal risks

Provision 28

The board should carry out a robust assessment of the company's emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated.

The footnote to Provision 28 states that principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company's business model, future performance, solvency or liquidity and reputation.

The board has ultimate responsibility for an organisation's overall approach to risk management and internal control. It is for the board to agree the risk appetite and decide which risks are considered 'principal' by considering the potential impact and probability of the related events or circumstances, and the timeline over which they may occur. This should not inhibit boards from taking risks that are proportionate to their risk appetite and in complying with regulatory requirements to achieve their strategic objectives.

When reporting on principal risks, good reporters provide a balanced overview of the most significant risks for the company, considering the impact if these risks materialised and the probability of them occurring. Like last year, all companies in our sample described their principal risks and actions to manage or mitigate them.

Many companies provided high-quality reporting in this area.

However, also like last year, almost a third of our sample disclosed over 13 principal risks. Companies are reminded that to provide reporting that investors and other stakeholders will find useful, the focus should be on the most significant risks to the company.

Number of principal risks disclosed

  • 4 to 9: 32%
  • 10 to 12: 39%
  • 13 to 15: 21%
  • More than 15: 8%

Almost all companies in our sample indicated the impact the risk would have on the company. This was outlined mostly within the risk description, although these were often minimal. Around a quarter of companies also included the likelihood of the risk materialising through a heat map or residual rating indicator.

Changes to principal risks

Good reporting on principal risks demonstrates that risks are not static and shows how they have changed during the year, and over years.

Most companies' descriptions of principal risks remained similar to the previous year with some risk descriptions being updated where changes had occurred. Companies were more likely to update their risk mitigations.

Source: Trustpilot, p.94

People - People and culture

Risk description

Our continued success depends upon our ability to attract, recruit, retain and develop a highly skilled workforce, particularly in the fields of technology, data, product, systems development, digital marketing and sales.

In addition to this, we recognise that preserving our diverse, energetic, collaborative and entrepreneurial culture, in a competitive environment, is very important as we continue to grow the business. Failure to do so could negatively impact our ability to develop new technologies, products and services, execute our strategy and/or reputation as an employer.

Key actions and risk mitigation

  • Adrian Blair's appointment as CEO is an exciting development, bringing fresh perspectives. Recognising the potential impact of leadership changes on culture, Trustpilot has introduced a weekly 'stand-up' meeting with the CEO and a weekly download message. These initiatives aim to enhance transparency, encourage open communication, and keep the workforce informed about the Company's direction.
  • We've made meaningful impact in improving first year resignation rates through 2023, dropping from 21% in 2022, to 10.6% in 2023. We attribute this improvement to the roll-out of our new Trustpilot Way of Recruiting. We have also made huge improvements in our overall resignation rate, dropping from 23.1% to 13.9% from 2022 to 2023.
  • The launch of our new employer brand - At the Heart of Trust - has delivered a strong response which enhances our ability to attract and retain great talent. We have seen an increase in LinkedIn engagement up 93% (6 month average, post-employer brand launch) and are seeing an increase in our view-to-apply rate.

It was encouraging to see that 83% of companies indicated the residual risk profile change during the year. Most companies used a symbol to indicate whether the risk had stayed the same, increased or decreased. Better reporters in this area also included a description of how the risk had changed during the year.

Source: Weir Group, p.66

How we are mitigating the risk

Promotion of the Weir Group values and behaviours, Code of Conduct and HR policies sets the standards and expectations for all our staff, reinforcing our stated commitment to attracting and retaining the very best people.

High performer assessments are undertaken to identify and develop our very best talent.

Succession plans are in place and periodically reviewed for all of our key management.

Personal development plans are set and reviewed for the effective development of all our staff.

We continue to offer competitive compensation and benefits packages.

Key changes during 2023

To further support the development of our high performance culture and organisational capability, the Group implemented a range of new initiatives in 2023.

In the areas of inclusion, diversity and equity we undertook deeper listening and insight analysis including gender focus groups, ongoing allyship building, expansion of affinity groups, launch of a second reverse mentoring programme and continued support for under-represented groups in STEM.

In the pursuit of our agenda to build a sustainable workforce which allows employees to grow, we expanded the scope of our talent development cycle to now include 900 people in order to provide the visibility of our diverse talent pipeline through the organisation.

Over the course of the year, our people risk was assessed as remaining stable.

Key message

Good reporting on principal risks is not static but shows how risks have changed during the year, and over years.

Chief risk officer

While there is no requirement in the Code to have a chief risk officer (CRO), 21% of companies in our sample had appointed one, half of which were financial services and insurance firms. This aligns with the Prudential Regulation Authority expectation that capital requirement regulation firms should, taking account of their size, nature and complexity, consider whether their risk control arrangements could include appointing a CRO.

Of those companies that had made such an appointment, many reported that the CRO updated the board regularly on key risk management and internal control matters, including discussion of key risks and risk reduction activities. These updates were designed to strengthen governance and compliance.

Source: Lloyds Banking Group, p.93

At Group level, a consolidated risk report, risk appetite dashboard and report by the Chief Risk Officer are reviewed and regularly debated by the Group Risk Committee and the Board Risk Committee, with formal updates provided to the Board to ensure that they are satisfied with the overall risk profile, risk accountabilities and mitigating actions. The report and dashboard provide a view of the Group's overall risk profile, key risks and management actions, together with performance against risk appetite and an assessment of emerging risks which could affect the Group's performance over the life of the operating plan.

In most cases companies reported that the CRO provided reports to the audit and/or risk committee, and in some instances the remuneration committee. Some companies also reported that the CRO was invited to attend the committee meetings. For some companies the CRO was also responsible for the company's approach to managing climate-related risks. Companies are reminded that boards operate most effectively as a unitary function.

Board committees and other key senior management roles support and assist these unitary functions, including the role of the CRO. For further guidance on board committees, such as the roles of risk and audit committees, please refer to the Good Practice Guidance for the Successful Management of Board Committees.

Source: Direct Line, p.122

Chief Risk Officer's report

At each scheduled meeting, the Committee received a report from the Chief Risk Officer (“CRO”) which outlined the challenges and risks being faced across the Group's financial, operational and organisational resilience pillars. The CRO's report provided an overview and status of the top and principal risks against the Group's appetite, as well as: key activities undertaken by the Risk function to further embed risk management across the Group; outputs of regular risk monitoring activities; and details of any current and specific financial, non-financial or regulatory and compliance risk matters. Alongside the CRO's report, the Committee regularly assessed the Group's emerging risks. It challenged management on the identification of all possible significant emerging risks during the year and on the Risk function's role in ensuring that such emerging risks were being monitored and managed appropriately. The most notable emerging risks identified included those relating to geopolitical tension, disruptor emerging risk, data ethics, digital disruption, the transition to a low carbon economy, changing customer needs, cyber threats and the transition to Electric Vehicle ("EVs"). In addition, the Committee reviewed the plan of risk assurance activities to be undertaken for each quarter and the year ahead to support the Group's key strategic objectives and to ensure adherence to prevailing legal and regulatory requirements, as well as the Group's enterprise and risk management framework.

Key message

The board has ultimate responsibility for an organisation's overall approach to risk management and internal control.

Risk Management and Internal Control

Monitoring and reviewing the effectiveness of the risk management and internal control systems

Provision 29

The board should monitor the company's risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

During 2023, the FRC consulted on amending Provision 29 to strengthen reporting on risk management and internal controls. In January 2024, an updated Provision 29 was published as part of the new UK Corporate Governance Code. Under this provision, boards will in future make a declaration regarding the effectiveness of material controls at the balance sheet date and provide more information on how this effectiveness has been reviewed.

The updated Provision 29 will apply from financial years starting on or after 1 January 2026, to give companies time to prepare for implementation. In this annual review, we have looked at reporting against the current Provision 29 in more detail, using an extended sample of 130 annual reports. We have focused on good practice that already exists, and areas where improvement will be needed, especially in preparation for the new Code.

Scope of the review of effectiveness of risk management and internal control systems

As highlighted in past years and in line with the current Provision 29, it is important that there is a robust annual process for the review of the effectiveness of risk management and internal control systems. This review must encompass all material controls, including financial, operational and compliance controls. The Code and its supporting guidance do not prescribe a particular methodology for this review, as it is recognised that each company is different and that the nature of reviews of effectiveness may vary.

It is important that reviews include all material controls. In this year's review, we have focused on the type of controls covered by companies' reviews and the way in which these are described. We have found that 61 companies specifically stated that they reviewed their operational and compliance controls as part of their annual review of effectiveness.

As part of the monitoring and review process, all material controls should be examined, including financial, operational and compliance controls. Material controls are company-specific and therefore different for every company depending on their features and circumstances. In determining materiality, consideration should be given to the impact of the controls on the interests of the company, shareholders and other stakeholders. The review should make clear what the material controls are, whether the review has covered these, and to what extent. A good example of company-specific material controls can be seen on the following page.

Summary of key control framework detailing processes for investment, valuations, people and culture, balance sheet, change management, IT systems, and third-party suppliers.

Board responsibility and assurance mechanisms

Another area of focus for this year's review was the roles of the board, board committees, internal audit and external audit. It is important to emphasise that the board remains ultimately responsible for the effectiveness of risk management and internal control systems, although the Code does permit, under Provision 26, the delegation to board committees. Good practice is for any delegation to be accompanied by regular reporting back to the board as to how these responsibilities have been carried out.

The Code is neutral regarding the sources of assurance commissioned by the board or the relevant board committee in assessing the effectiveness of risk management and internal controls systems, and this will continue to be the case when the new Provision 29 takes effect. In this year's review, we found that 124 companies out of the extended sample of 130 had an internal audit function and used this when carrying out a review of the effectiveness of the internal control systems. Good reporters explain the scope of the internal audit and how this work is communicated to the board and relevant committees. Forty-seven companies reported using the 'three lines of defence' model for risk management and internal control review. Most of these used internal audit as the third line of defence.

In terms of external audit, 102 companies included the findings or input of the external audit in the review of effectiveness of risk management and internal control systems. The nature of the work undertaken by external audit was varied across the sample. Examples include:

  • Audited financial controls, which is a requirement for US-listed companies under the Sarbanes-Oxley Act 2002.
  • Results and controls observations as part of the annual external audit.
  • Specialist assurance over specific controls where the board has determined this is required.

The external auditor does have a responsibility under ISA 720 to consider whether there are material inconsistencies between the other information (which includes the directors' statements on material controls and their effectiveness) and the financial statements or the auditor's knowledge obtained in the audit. This responsibility does not change in respect of the revisions to Provision 29 that come into effect in January 2026.

Key message

It is up to boards to determine whether they review the risk management and internal control systems more frequently than once a year. The aim of the review is to identify strengths, gaps, deficiencies and areas for improvement, and it should be followed up by a plan to take forward any actions.

Reporting on the review of effectiveness of risk management and internal control systems

Provision 29 also asks boards to report on their review of the effectiveness of risk management and internal control systems. In our extended sample of 130 companies, 59 reported on their review in some detail, including what areas were covered or a simple statement of who carried out the review, and we identified 13 examples of good reporting. Good reporting explains the process of the review, including information on who carried out the review and what information was provided to the board or relevant committee. It also explains which key or material controls were looked at, and from where the information on these controls was sourced.

The diagram on the next page sets out the elements that good reporting on risk management and internal control often consists of. This is based around the who, what, how and when approach.

Who? (Who reviewed the information, committee, management etc)

Audit committee reviews, and reports to the Board on the effectiveness of the internal control environment and risk management systems. Convatec Group Plc, p.77

What? (What areas/controls were reviewed)

These formal reviews, conducted either in person or on-line, cover:

  • Health and safety;
  • Operational performance;
  • Risk reviews, including climate-related risks;
  • Employee Engagement activities; and
  • Investment decisions, including atmospheric carbon dioxide reduction activities.

The Executive Directors visit all operations regularly to perform reviews. Porvair, p.60

When? (frequency of the review)

The Executive Directors meet online weekly with the divisional senior management as a group to discuss operating performance and the near-term outlook. There is also a formal programme of quarterly reviews with each division's senior management team. Porvair, p.60

How? (How did the parties receive and review the information)

The Committee also received an annual update on cyber security and key IT projects. There were no serious cyber incidents reported in the year and the Committee noted the steps taken to improve 3i's detective and protective controls, and maintain staff training and awareness on cyber security risks. The update on IT projects covered a new AI policy and related oversight process; the continued migration of "on-premise" data and services to cloud-based solutions; the device refresh strategy; resilience and continuity planning; and the roadmap for key systems projects, including the replacement of the Treasury Management, HR and ERP systems. 3i Group PLC, p.124

Seventy-one companies in our sample of 130 either confirmed that a review had been carried out without providing further disclosures, did not mention the review, or were unclear in their reporting as to whether a review had been carried out. Phrases such as 'The committee (or board) reviews the effectiveness of the risk management and internal controls framework' or 'review and challenge management's reports on the effectiveness of the internal control and risk management systems' do not provide readers of annual reports with information on what the review involved, or on how the board monitors the effectiveness of risk management and internal controls systems.

Due to the updates to Provision 29 of the Code, reporting on the review has been an area of focus for the FRC and we have produced new guidance and other materials to support reporting against this provision. Given this, it is disappointing that fewer than half of our sample companies reported appropriately on this area.

Key message

When reporting on the review, good disclosures provided a summary of how the board had monitored and reviewed the effectiveness of the framework. This could include the type of information the board has received and reviewed; who it has consulted with; any internal or external assurance received; and if relevant, the name of the framework, standard or guideline the board has used to review the effectiveness.

Reporting on the outcome of the review of effectiveness of risk management and internal control systems

In past years' annual reviews, we have emphasised the importance of reporting the outcome or results of the review of the effectiveness of risk management and internal controls systems. This aspect of reporting will become even more critical from 1 January 2026 onwards, when the outcome of the review will be reported by companies in the form of a declaration.

Pie chart displaying data distribution across multiple categories regarding the outcome of the review of effectiveness of risk management and internal control systems. Legend: 23 companies stated that their systems are effective and that no weakness was identified; 39 companies stated that their systems are effective; 20 companies stated that no weaknesses were identified; 7 companies only stated that their financial reporting controls are effective; 16 companies identified weaknesses; 34 companies did not report on the outcome.

A good example of reporting on the outcome of a review is shown below:

Source: Coats Group, p.82

The annual review of the effectiveness of the Company's risk management and internal control systems covering all material controls was conducted, including operational and compliance controls. Following the robust assurance process, the Committee was satisfied that these systems operate effectively in all material respects with no significant weaknesses identified and others remediated appropriately.

Some companies also provided insightful reporting on areas of internal control which the review had found were not working effectively.

Source: Mobico Group, p.104

During the 2023 year end process, a number of significant weaknesses were identified in respect of our German business and how it has historically managed, communicated and accounted for its long term rail contracts. The issues related to inadequate documentation of the key assumptions underpinning the contract models and consequent lack of understanding about how changes to these assumptions could impact the performance of the business. Oversight, challenge and review performed at local, divisional and Group level did not identify these issues in a timely manner. The year end process has now established a sound basis for the management of these contracts going forward and we will look to implement additional controls in these areas. Management has assessed and the Committee concurs, that these particular issues relate to the German business only.

Where duplication of information regarding the review of the risk management and internal control systems occurs, the report can include cross-referencing or signposting information.

Viability

Viability statement

Under the Code, companies should assess their prospects and the resilience of their business model over a longer period, often referred to as the viability statement. Introduced into the Code in 2014, its primary objective is to provide shareholders with an improved understanding of the board's views on risk management and longer-term viability.

Historically, reporting under this provision has been relatively poor, often with statements providing insufficient qualitative and quantitative information regarding the inputs and assumptions used. Recognising this, the Government, under 'Restoring Trust in Audit and Corporate Governance', outlined its plans to introduce a Resilience Statement for Public Interest Entities (PIEs). This would have required these entities to set out their approach to managing risk and developing resilience over the short, medium, and long term, thereby enhancing disclosures.

Although the government has decided to withdraw these plans, we still recognise that this is an important provision and as a result, have refined the viability statements section within our updated Corporate Governance Code Guidance.

Period of assessment

Provision 31

Taking account of the company's current position and principal risks, the board should explain in the annual report how it has assessed the prospects of the company, over what period it has done so and why it considers that period to be appropriate. The board should state whether it has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions as necessary.

Some companies in our sample clearly undertook the recommended two-stage process for developing their viability statements, as outlined in our guidance. These companies highlighted how they assessed their viability, referencing the scenarios considered and linking them to principal risks. Conversely, other companies provided only basic disclosures on the rationale behind the appropriateness of the assessment period.

Assessment periods generally range from three to five years. Although it is not possible to comment on the average assessment period by industry given the limitations of our sample, there is some evidence that the viability assessment period varies by industry. For this reason, we have provided an overview of the industries featured in our sample, including industrials, financial services and travel and leisure.

Pie chart showing viability assessment periods. Legend: 3 years (78), 4 years (2), 5 years (18), 7 years (2).

Pie chart showing sampled industries. Legend: Construction (3), Medical Services (3), Real Estate (3), Retailers (6), Financial Services (15), Travel and Leisure (11), Personal Goods (7), Industrials (33), Food and Beverages (7), Electronics (9), Media (3).

Not all companies provided solid justifications for the chosen periods for their statements. However, one noted that it acknowledges the commentaries provided by the FRC on viability statements and highlighted that it did not consider it appropriate to alter its timeframe due to the operational environment:

Source: MoneySuperMarket, p.71

The Board noted the commentaries issued by the Financial Reporting Council suggesting that Viability Statements should be extended beyond a period of three years; however, due to the nature of our economic, technological and regulatory environment, the Board did not consider it appropriate to alter its current time frame due to the following reasons:

  • the expected life cycle of the Group's technology is three years, and this reflects the frequent changes in the way that consumers choose to use technology;
  • it is difficult to forecast revenue and costs beyond three years given that the Group's revenue and costs are not materially covered by long-term contracts;
  • within three years costs could be substantially restructured to compensate for a major fall in revenue.

As such, the Board proposes to keep the time frame as three years rather than extending beyond this.

The approach to explaining chosen timeframes, however, was not entirely consistent. Other reports that included explanations often failed to fully identify and consider all relevant factors in determining the chosen period.

Scenarios

Most companies in our sample had stated that they had modelled a number of scenarios which included inputs and assumptions with references to principal risks. Good reporters mapped this out within their statement illustrating what was modelled, references to assumptions and a side column linking it clearly to principal risks. One company adopted this approach. It also included five severe but plausible combinations of the individual scenario events that were tested to assess the potential combined downside impact on the liquidity and covenant headroom of its group over the three-year viability period:

Source: Croda International, p.59

Table detailing risk scenarios, key assumptions, principal risks, and their combinations, from Croda International.

The principal risks to which these scenarios relate are as follows:

  1. Revenue generation
  2. Product and technology innovation and protection
  3. Digital technology innovation
  4. Delivering sustainable solutions - Climate and Land Positive
  5. Management of business change
  6. Our people - culture, wellbeing, talent development and retention
  7. Product quality
  8. Loss of significant manufacturing site (major safety or environmental incident)
  9. Ethics and compliance
  10. Security of business information and networks

The specific detail provided within this example is helpful to interested stakeholders as it enables them to understand which risks have been considered and which risks and uncertainties pose the greatest threat to the company's business model, future performance, solvency and liquidity.

Reverse stress testing

Thirty-six companies noted the use of reverse stress testing within their statement. Often, disclosures related to reverse stress testing stated that reverse stress tests had been carried out, but little information was provided on the approach. Instead, there was a simplistic statement highlighting that the reverse stress test covered multiple concurrent risks. Details regarding the inputs and assumptions in relation to reverse stress testing were also lacking. Similarly, the disclosure of the outcomes of reverse stress testing could be improved and we encourage companies to consider enhancing their disclosures by including this information in reference to the reverse stress test scenario.

Key message

It is clear that there is significant scope for improvement in this area. By clearly outlining the rationale for the assessment period and providing longer-term information where possible, companies would offer valuable insights to investors. Additionally, including sufficient qualitative and quantitative information is crucial for enabling readers to fully understand the assessment.

Cyber and Information Technology

Although the Code does not specifically ask for reporting on cyber matters, it does consider the governance of principal and emerging risks. As technology becomes more integral to business operations many boards are viewing cyber security as a risk that requires specific attention. Therefore, we have considered reporting on these matters for a second year.

Cyber and IT risk

This year 89% of companies included cyber security as a principal risk and a further 7% included it as a risk within their operational principal risk. One company identified it as an emerging risk.

Meanwhile, 27% of companies outlined technology as a separate standalone principal risk with descriptions of the risk including failure to innovate, reliance on IT systems and new technologies disrupting the market in which the company operates.

In total, 23% of companies had both cyber security and technology as a principal risk.

Cyber governance

Many companies within our sample included good descriptions of the governance arrangements they have in place to help mitigate cyber risk. For example, one reported that the company's cyber security risks and strategy were regularly discussed by the chief information security officer, the company's information and digital technology leadership, the executive committee, the audit and risk committee and the board of directors.

Source: Haleon, p.21

Cyber-security

As detailed in our approach to risk and risk factors, there is a risk that a cybersecurity attack could compromise our ability to manufacture, distribute and sell our products and services to our customers. Our commitment to cybersecurity is reflected in our ongoing investment into this area, which includes the use of advanced technologies and engagement of third-party experts to provide additional support and guidance. We have a dedicated cybersecurity threat intelligence function focused on the threat landscape and attack vectors that are targeting healthcare providers, including ransomware threats. Cyber intelligence is integrated into our cyber-security risk management and governance processes. Haleon's Chief Information Security Officer is responsible for the cybersecurity function, and provides frequent updates including current threats, operational key risk indicators, and cyber-security maturity improvements to the Executive Team and Audit & Risk Committee, who have oversight of our information security and cyber risk strategy. Cyber-security risk updates are shared with the wider Board by the Committee.

Our Chief Information Security Officer has over 25 years of information technology and security experience. External consultants are engaged to assess our cyber-security maturity against the US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). They help guide our plans and processes to best protect Haleon from threats including a framework for data controls which covers our digital supply chain.

We have a third-party risk management process in place ensuring that inherent risk assessments are completed for third-party suppliers with additional due diligence assessments completed for higher-risk suppliers. Processes include identification and mitigation of risks, risk assessments, adherence to information and control standards, and incident notification requirements in contracts.

We constantly look to mature our cyber-security systems and controls to keep pace with the threat landscape. Our preparedness activities include testing our response procedures and processes by performing simulations and crisis management exercises, and penetration testing to develop our response to potential incidents, such as ransomware attacks. Vulnerability management, monitoring and alerting processes are in place to help protect the Company against cyber attacks. Our annual awareness campaigns promote our global cyber-security policies and procedures, handling of confidential data, social media and cyber-security practices, and remind employees of resources available to protect themselves, Haleon and consumers. Internal policies for protecting Company assets include protection of information, acceptable use of technology resources, AI and related procedures. We are focused on minimising risks through fostering secure practices and behaviours, for example, constant programmes aimed at recognising and reporting suspicious online behaviour or phishing.

During 2023, Haleon did not identify any significant cyber-security incidents.

>> See also our approach to risk, Audit & Risk Committee Report and Risk factors on pages 53, 72 and 193.

Nineteen companies in our sample this year had either a steering committee, forum or group for matters related to digital governance, data protection, cyber security and IT. Two companies also had board-level technology committees. Some companies described oversight of cyber security and IT controls within their audit and/or risk committee report.

The following example is taken from the company's audit committee report.

Source: Compass Group, p.85

Information systems and cyber-security risk

Information systems and cyber-security risk continues to pose a threat to the Group and remains a principal risk. The Committee received reports from the Group CIO on progress made on the implementation of the IT controls framework, including enhanced security operations, threat intelligence, the Group's response to the increased threat of ransomware, and the continued drive on cyber-risk awareness and training across the Group. In November 2022, the Committee reviewed IT systems back up and restoration, crisis management and phishing benchmark data, and the Group CIO briefed the Committee on the resilience of the Group's technology estate. The briefing provided the Committee with a more detailed overview which included business continuity, the IT control framework, cyber insurance, public cloud resilience and the arrangements to protect information assets of the greatest value to the Group. The Committee reflected on the arrangements in place and the steps taken to further enhance the Group's resilience capabilities, and its ability to respond to cyber-attacks and noted the priorities for

  1. At its meeting in May 2023, the Committee considered examples of IT security incidents that had occurred in the Group's businesses together with the preventative measures and subsequent actions taken to limit the impact on operations. The Committee was also briefed on the outcome of a proactive ethical hacking exercise that had been conducted in conjunction with its cyber-security providers and advisers in over half of the Group's top 10 countries in order to identify potential weaknesses. The Committee was advised that the exercise had identified some operational weaknesses which had been addressed and the solutions validated by the Group's independent external adviser to ensure that the remedial actions had been appropriately implemented. The Group's proactive efforts to limit exposure to phishing attacks were also discussed, including the roll out of additional technology, implementation of regular phishing simulations to help educate colleagues, the annual Cyber Awareness Week, and ongoing weekly advocacy messages from 'cyber champions' across the Group's businesses.

Culture

Almost 70% of companies outlined how they foster a digitally secure culture. This was mostly done through awareness training programmes for employees on topics such as phishing and the handling of information. As mentioned in the National Cyber Security Centre's Cyber Security Toolkit for Boards, a positive cyber security culture is essential because it is people who make an organisation secure, not just technology and processes.

Almost a fifth of companies reported having a board member with specific cyber security expertise. A further 16 companies reported that the board had training specifically on cyber security topics. Although board members don't need to be technical experts, they should have a sufficient understanding of cybersecurity to participate in meaningful discussions with key members of the workforce.

Cyber breach

Only two companies reported having cyber incidents in

  1. One said that these incidents did not have a material impact on the company, including its business strategy, results of operations, or financial condition. The other company reported experiencing only a minimal level of business interruption after instigating its Cyber Incident Plan and shutting down its IT systems to contain the incident. The company also reported that while cyber security remains a matter for the full board, the audit committee considers the effectiveness of its cyber controls in mitigating the risk of further incidents that might impact financial controls in the future.

Only one company reported that through continuous monitoring, it identified several attempted cyber-attacks on the company. However, no leaks, thefts, or losses of customer data were identified.

A company that had experienced a cyber-attack in previous years reported the mitigations in place to prevent a further attack. These included promoting good behaviours and stressing the importance of maintaining vigilance through regular communication. It also reported encouraging an open and prompt reporting culture so that appropriate remedial action can be taken as soon as possible.

Key message

With cyber security incidents on the rise globally, it is good to see that almost 90% of companies in our sample are treating cyber security as a principal risk.

Artificial intelligence

Last year we found that 49% of companies mentioned AI in their report, although limited detail was given on its impact on the company.

Index of companies within our sample discussing AI in the annual report:

  • 12 Small Cap
  • 26 FTSE 250
  • 35 FTSE 100

This year we saw a significant increase in reporting on AI, with 73% of companies discussing AI-related matters including its risks, opportunities, and use within the company's business operations. Almost a third of these companies were in the financial and industrials sectors. We appreciate companies are differentially affected by AI, and therefore some may report on it more than others.

Risk and opportunities of AI

Twenty-six companies disclosed AI as an emerging risk and a further 13 companies mentioned AI under other principal risks such as model risk, new technologies and cyber security. Descriptions of AI-related risks included moral, legal and ethical issues, falling behind competitors and data being compromised or distorted. One company also highlighted that the increasing use of Generative AI could have an impact on the recruitment process for both clients and candidates. Further risks included automated intelligence and learning deployed within operational processes developing faster than government regulations and standards.

Some companies also mentioned the opportunities that would arise from deploying AI such as driving change to work more efficiently, enhancements in testing and innovation, and creating a better consumer experience.

Source: Schroders, p.39

Managing the risks associated with Artificial Intelligence (AI)

As a business we are harnessing the power of AI to boost productivity and decision-making. As well as starting to test and adopt third-party products such as Microsoft365 Copilot, we have developed an internal AI tool leveraging models such as ChatGPT, that enables employees to interact with and query data efficiently while maintaining the security of our client and proprietary information. While AI provides opportunities, there is a risk it increases the effectiveness of cyber threats such as deep fakes (where a video/audio recording of a person is digitally manipulated) or produces inaccurate information. Consuming this information could impact investment decisions or our reputation. To manage potential risks, we have established a set of principles and guidelines that govern the use of AI within Schroders. They support our goal to use AI in a way that aligns with our corporate values and complies with relevant laws and regulations including data confidentiality obligations. A Steering Committee has been set up to provide strategic direction, supported by a Responsible AI Working Group for oversight and guidance, and an AI Use Case Working Group which provides a central review of our use of AI throughout the firm. A core principle of our approach to AI is that all outputs are reviewed for accuracy and reliability prior to being used.

It is important that boards have a clear view of the responsible development and use of AI within the company and the governance around it. To do this they may need to upskill, improve access to training or draw on the expertise of management and specific company knowledge. This will support any additional oversight in this area.

This year only eight companies disclosed having a specific policy on AI. Some companies disclosed having specific board updates and training on AI and one company disclosed that their board performance review highlighted that board members would benefit from more training in areas such as AI. One company also established a Generative AI Governance Committee.

No companies in our sample mentioned the use of AI in their reporting, although many may be using it in this way.

Key message

It is important for boards to have a clear view of the responsible development and use of AI within the company and the governance around it.

5. Remuneration

We have consistently encouraged companies to report clearly on their approach to remuneration. This includes detailing how remuneration policies and practices are designed to support strategy and promote long-term sustainable success, as well as ensuring there is a formal and transparent procedure for developing executive remuneration policy. We continue to see strong evidence of high-quality remuneration reporting within company reports. Many company practices remain at a very high standard, including how the remuneration policy is explicitly linked to delivery of strategy as well as acknowledgements of the external economic environment and how these have been factored into pay policy. We hope this level of transparency remains paramount with the new edition of the Code.

Key message

Clear and transparent disclosures regarding remuneration and the activities of the remuneration committee are essential for enabling shareholders to engage effectively on remuneration. It is essential that the rationale behind key decisions on remuneration is clear and understandable.

Discretion

Principle R:

Directors should exercise independent judgement and discretion when authorising remuneration outcomes, taking account of company and individual performance, and wider circumstances.

We once again monitored the use of discretionary powers by company remuneration committees. In our sample, 31 companies noted the use of discretionary powers in their annual reports, primarily involving downward adjustments related to performance, operational issues, and fatality incidents. We continue to observe good descriptions when these powers are exercised, as companies should do under Provision 41, clearly stating the extent to which discretion has been applied to remuneration outcomes along with the rationale.

Source: Haleon, p.85

2023 was a year of strong financial performance. The 2023 AIP was subject to a set of ambitious targets which were defined at the beginning of the year, in line with our stretching business plan. The outcomes were at the upper end of the improved guidance provided by the Company at Half Year. Organic revenue growth was achieved at 8.0%, and adjusted operating profit growth was achieved at 10.4% (this compares to the reported organic operating profit growth of 10.8% for 2023; from 2024, the AIP measure will be aligned with the organic operating profit growth).

Given that targets were set in a high inflation environment, the Committee considered whether the incentive outcome fairly reflects the underlying business performance. This analysis included determining the level of impact of higher-than-expected inflation experienced in several markets on the outcome of the 2023 AIP.

Having discussed this impact, the Committee considered it appropriate to apply discretion to the 2023 AIP outcome which resulted in a reduction to the organic sales growth outcome from 8.0% to 6.8% and the adjusted operating profit from 10.4% to 9.2% to reflect the high inflationary impact. This has reduced the outcome of the 2023 AIP for the Executive Directors by c. 10 percentage points, from 85.1% of maximum for the CEO and 87.6% of maximum for the CFO to 75.2% of maximum for the CEO and 77.7% of maximum for the CFO respectively.

This example is helpful as it illustrates that the committee has thoroughly assessed the impact and clearly communicated their rationale for the reduction.

Provision 36 and 38

This year we examined whether companies had developed a formal policy for post-employment shareholding requirements.

Provision 36

Remuneration schemes should promote long-term shareholdings by executive directors that support alignment with long-term shareholder interests. Share awards granted for this purpose should be released for sale on a phased basis and be subject to a total vesting and holding period of five years or more. The remuneration committee should develop a formal policy for post-employment shareholding requirements encompassing both unvested and vested shares.

Within our analysis we identified three companies that did not have a long-term shareholding approach in place and did not have post-shareholding requirements. Both provided explanations for this, with one company noting the following:

> "In association with the remuneration committee's judgement to retain a policy without LTIP share awards, we maintain our position where the executive directors are not subject to in-employment nor post-cessation minimum shareholding requirements. We have chosen not to impose these conditions as, based on their conduct, long service and consistent outstanding performance, the committee is satisfied that our executive directors' behaviour is focused on the long-term and is aligned with shareholder interests. It should also be noted that our executive directors must purchase shares at market rate from any bonus received, at a minimum level of 67% of that cash bonus post tax. Executive directors are expected to hold such shares for three years."

The above approach illustrates the flexibility the Code offers companies when they depart from a provision, with the company providing a clear and helpful explanation as to why their alternative approach is better suited to the organisation.

We also examined whether companies had aligned their executive director pensions with the workforce. Only seven companies disclosed non-compliance and did not align their executive remuneration with the workforce. Explanations were provided for not complying with the Code, including one example noting that 'the annual bonuses of our U.S. executive directors, consistent with U.S. pay practices, form part of their pensionable salary' as the reason for not following the Code's recommendation.

These examples serve as helpful reminders to companies that departures from the Code offer flexibility, allowing them to tailor their governance practices to better suit their unique circumstances and strategic goals. This enables them to adopt a more proportionate approach to governance, focusing on what is most relevant and beneficial for their operations.

For more insight into the importance of providing a clear and meaningful explanation, please see page 9.

Recover and withhold provisions (Malus and Clawback)

We continue to monitor references to recovery and withholding provisions within annual reports, and we also track whether companies have used these provisions during the reporting year. Notably, only one company within our sample reported the application of its provisions as a result of serious misconduct. Enhanced reporting on malus and clawback under the 2024 Code will apply to companies with financial years beginning on or after 1 January

  1. Provision 37 has been amended to require that directors' contracts and/or other agreements or documents covering director remuneration include malus and clawback provisions. New Provision 38 now asks companies to provide further descriptions of their malus and clawback provisions.

Provision 37 (2024 Code)

Remuneration schemes and policies should enable the use of discretion to override formulaic outcomes. Directors' contracts and/or other agreements or documents which cover director remuneration should include malus and clawback provisions that would enable the company to recover and/or withhold sums or share awards, and specify the circumstances in which it would be appropriate to do so.

Provision 38 (2024 Code)

The annual report on remuneration should include a description of its malus and clawback provisions, including:

  • the circumstances in which malus and clawback provisions could be used;
  • a description of the period for malus and clawback and why the selected period is best suited to the organisation; and
  • whether the provisions were used in the last reporting period. If so, a clear explanation of the reason should be provided in the annual report.

We observed early reporting against these new provisions within our analysis this year. The Bank of Georgia Group demonstrated early compliance, noting in its annual statement by the remuneration committee chair that it is already ahead of market practice and was able to disclose early in accordance with the 2024 Code:

Source: The Bank of Georgia Group, p.230

There is an increased focus on clawback and malus in the forthcoming changes to the UK Corporate Governance Code to be effective from

  1. We believe that this is an area in which the Company is already ahead of market practice and so is able to disclose early ahead of the forthcoming Code:
  • Malus and clawback provisions are extensive, and were expanded further in 2022 – see page 246 for a summary.
  • Clawback applies for two years from date of vesting, an increase from one year under the previous Policy.
  • There are additional 'bad leaver' provisions in the Executive Director's contract, allowing for the forfeiture of all unvested discretionary deferred shares in certain circumstances.

The period of two years is appropriate as it allows enough time for matters to come to light and be considered. Malus and clawback were not utilised in the last reporting period. The Executive Director's contract includes the malus and clawback provisions.

As noted in previous reviews, a high number of companies already had these provisions in place within their director incentive plans as well as the circumstances in which they can be applied. However, it is positive to see companies are examining their malus and clawback arrangements and are preparing for the new reporting Provisions under the Code. We hope the changes to this area of the Code will enable further transparency in future disclosures. Ultimately, this will provide investors with greater visibility into the mechanisms available to companies for addressing serious failings, and whether and how companies have made use of them.

Financial Reporting Council 8th Floor 125 London Wall London EC2Y 5AS +44 (0)20 7492 230

www.frc.org.uk



  1. Closed-ended investment funds can also follow the Code developed by the Association of Investment Companies. 

  2. Under the UK Corporate Governance Code 2024 (effective from 2025 financial years), the Standard applies on a comply or explain basis to all companies listed in the commercial companies category or the closed-ended investment funds category. 

File

Name Review of Corporate Governance Reporting 2024
Publication date 25 November 2024