Driven by several high-profile corporate failings, the UK Government has introduced new corporate governance reforms which will place greater focus on organisations and their directors being responsible for monitoring and reporting on their risk management and internal control environment.

The new reform brings a greater focus on controls with regard to the management of operational resilience, cyber security and third-party risk management.

 

What are the new UK Corporate Governance Reforms ('UK SOx')?

‘UK SOx’ is the unofficial name given to the UK’s new corporate governance regime. The Government has announced details of its corporate governance reforms, designed to align the UK’s regulations more closely with the US Sarbanes-Oxley regulations.

The introduction of UK SOx represents a significant transformation in corporate governance practices, aiming to strengthen transparency, accountability, and trust.

In brief, the new UK corporate governance reforms, which are now anticipated to come into force in 2026 or 2027, require Directors to demonstrate their role in overseeing the company’s risk management and internal control environment. Additionally, they will be required to conduct an annual review and issue a report on the effectiveness of their risk and control management efforts and systems. If these standards are not adhered to, Directors will be held personally liable.

 

Who is affected?

If approved by Parliament, the new corporate reporting requirements will be introduced for large Public Interest Entities (PIEs) with 750 employees or more and an annual turnover of £750 million or more.

“For the avoidance of doubt, this includes all of the following companies at or above this size threshold:

  • public companies (whether admitted to trading or not)
  • private companies

But it does not include:

  • limited liability partnerships
  • charities, third sector organisations and public organisations if they are not incorporated as a company under the Companies Act 2006.”

It’s important to highlight that the UK government aims to gradually broaden the application of these regulations to encompass various other types of organisations in the future.

Source: Corporate reporting: The Draft Companies (Strategic Report and Directors’ Report) (Amendment) Regulations 2023 - GOV.UK (www.gov.uk)

 

Considerations when preparing for UK SOx

  • Compliance Framework: Develop a compliance framework that outlines the steps and processes necessary to adhere to the new regulation, including internal controls, financial reporting, and corporate governance practices.
  • Internal Controls: Review and strengthen your internal control systems to ensure they meet the requirements of the new regulation.
  • Governance Structure: Assess and, if necessary, modify your corporate governance structure to align with the anticipated reforms, including board oversight and director responsibilities.
  • Audit & Accounting: Consider the potential impacts on your audit and accounting procedures, including the need for enhanced audit practices, auditor independence, and financial disclosure.
  • Technology & Data Management: Evaluate whether your current technology systems and data management practices are sufficient for compliance. You might need to invest in updated technology solutions.
  • Risk Assessment: Conduct a thorough risk assessment to identify areas of potential non-compliance and areas that require extra attention.
  • Training & Awareness: Ensure that your employees and relevant stakeholders are aware of the new regulation and provide training as needed to support compliance efforts.
  • Communication: Communicate your readiness and commitment to compliance to your shareholders, investors and other stakeholders.

 


 

The introduction of the new UK corporate governance reforms marks a pivotal moment for businesses operating in the UK. While the precise details are still evolving, the overarching goal is to create a more transparent, accountable and resilient corporate landscape.

According to the Financial Times, the government is reportedly preparing to postpone the primary legislation necessary to establish the Audit, Reporting, and Governance Authority (ARGA), which is supposed to replace the Financial Reporting Council (FRC). The Audit Bill won't be in the King's speech in November 2023, and there will be a general election before the next King's speech. This uncertainty could mean that ARGA may not start operating until 2026 or 2027. Nevertheless, preparations should be made.

If organisations sit and wait until everything is nailed down, it will be too late, and they will fall behind the curve. To successfully navigate this new era of corporate governance, organisations must take a pragmatic approach and stay proactive, informed and adaptable to meet the changing regulatory landscape.

A key component of an organisation's approach to risk management will centre on its approach to cyber risk. To support this, the National Cyber Security Centre (NCSC) has provided a toolkit to help board members govern cyber risk. This toolkit offers bite-sized videos, essential activities and indicators of success to help board members on their journey. The cyber security toolkit is a useful resource from the outset and can be found here: https://www.ncsc.gov.uk/blog-post/refreshed-toolkit-helps-board-members-to-govern-cyber-risk

 

 
