In January the Financial Reporting Council (FRC) unveiled the latest 2024 UK Corporate Governance Code (the Code), which places requirements on the board to consider the effective management of risks, including those related to or managed by third parties. Here we explain exactly what these changes are, what they mean for you and what you should do next.

Contents

The transition to enhanced governance standards

What relevant changes have been made to the Code?

What do the latest Code changes mean for you?

How should you respond to the Code reforms?

The transition to enhanced governance standards

The Code update asks companies to report on the effectiveness of their material controls and sharpens the focus on how material third party risks are managed.

This shift is reshaping compliance oversight in boardrooms, emphasising the need for transparency and accountability and moving beyond financial controls and into material reporting, operational and compliance controls.

As we approach the effective date of January 1, 2025, and the subsequent board declarations for periods starting after January 1, 2026, it is evident that global governance reforms are gaining momentum. Organisations must assess the impact of these changes on their operations and level of controls, adapt accordingly, and confirm that those controls are operating effectively by the end of the year.

Annual reports are expected to comprehensively detail third party risk management strategies, aligning with the FRC's commitment to transparency. Proactive engagement, tailored strategies, and diligent implementation are vital for organisational operational readiness and compliance.

Complying with the regulations requires careful assessment and strategic planning to ensure resilience and compliance.

What relevant changes have been made to the Code?

The key change is the addition of a new provision, Provision 29. Its focus is primarily on evaluating material controls, emphasising the need for organisations to prioritise key aspects of their governance processes. The board must include:

  • An explanation of how it monitored and reviewed the framework's effectiveness, including the extent of controls managed by third parties and their impact.
  • A declaration regarding the effectiveness of material controls as of the balance sheet date.
  • Details of any material controls that didn't operate effectively as of the balance sheet date, along with proposed or implemented actions to improve them and any actions taken to address previously reported issues.

Download: Corporate Governance Review 2023

Find out how strong governance practices can help your organisation.

Pragmatic guidance on how to get the most out of your reporting while preparing for the upcoming revisions to the Financial Reporting Council (FRC)’s Code. 


What do the latest Code changes mean for you?

It's crucial to understand the implications of these changes for how you manage third party risk. Key aspects to consider include:

Heightened transparency in the internal control process

Our latest Corporate Governance Review revealed that while 94% of FTSE 350 companies identify operational risks, including third party and supplier risks, as a principal risk, only 10% obtain assurance over aspects of their third party controls, for example in relation to their supply chains. This indicates a need for increased scrutiny and action by boards and management.

Visibility of your third party risks and controls

Boards and management often lack sufficient visibility into the risks managed by third parties and the level of assurance those third parties currently provide.

The benefits of allowing third parties to deliver services that support your organisation do not come risk-free. There are many examples of ongoing cyber exposure in the media, including a report from the UK government which found that 32% of businesses recalled experiencing breaches or attacks in the last 12 months. Whether you are in direct control or have outsourced services, you need to demonstrate that you have understood and documented the controls, and that you maintain an understanding of the potential impact on you if they fail.

Outsourcing processes and controls does not outsource the risks being managed, so it is important to understand the quality (design and operation) of the controls operated by others on behalf of your organisation. Often, third party questionnaires are relied upon to provide detail on controls, but these do not provide sufficient assurance to support a declaration under the enhanced Code requirements.

An inventory of all third parties must be maintained

Many businesses lack a comprehensive inventory of their current third party suppliers, which is essential for understanding who the key third parties are and whether they carry material risks to internal controls and regulatory compliance. Before engaging any key third party service provider, due diligence should be conducted to ensure that they have adequate controls in place to support the recent Code reforms.

The recent Code reforms underscore the importance of overseeing controls maintained by key suppliers. As with practices observed under US SOX, it is critical to ensure that key service providers understand their role in maintaining internal controls and supporting them on an ongoing basis. This needs to be reflected in communications between the company and its key third parties.

How should you respond to the Code reforms?

Conduct an assessment of your third parties' material risks and controls

Here are three key steps you can take to help you manage third parties' material risks and ensure you are ready for the effective date of January 2025:

  • Perform a risk assessment to identify and evaluate critical activities managed by third party suppliers. You need to understand the boundary and ownership between retained and outsourced activities so that all stakeholders understand their roles and responsibilities and discharge their duties.
  • Establish clear processes and controls for overseeing third party material risks and ensure that these are integrated into your overall compliance programme. If a third party supplier uses another service organisation to support its critical processes, it is important to evaluate the end-to-end risk and bring that organisation into scope as applicable.
  • Consider service auditor reporting to provide independent assurance and identify any gaps or deficiencies in the control framework. This provides a rigorous and objective challenge while also allowing for timely remediation where necessary.

To discuss these updates and how you can prepare your business, contact our experts. They can help you navigate the regulatory landscape's intricacies and ensure you remain compliant.
