UK Corporate Governance Code

The UK Corporate Governance Code (Code) is considered the gold standard of corporate governance in the UK. Companies admitted to a premium listing on the Main Market of the London Stock Exchange are required to follow it on a “comply or explain” basis, but it is a useful reference point for all companies.

The Code identifies one of the board’s responsibilities as being “to establish a framework of prudent and effective controls, which enable risk to be assessed and managed.”

In its related Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, the Financial Reporting Council identifies the duty of the board to ensure:

the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks… When determining the principal risks, the board should focus on those risks that, given the company’s current position, could threaten the company’s business model, future performance, solvency or liquidity, irrespective of how they are classified or from where they arise. The board should treat such risks as principal risks and establish clearly the extent to which they are to be managed or mitigated. The strategic report should include a description of the principal risks and uncertainties facing the entity together with an explanation of how they are managed or mitigated.

The guidance emphasises the need for appropriate expertise amongst relevant personnel, and the ultimate responsibility of the board:

The board should consider whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively… To the extent that designated committees or the management group carry out, on behalf of the board, activities that this guidance attributes to the board, the board should be satisfied that the arrangements for the work carried out, for the coordination of their work (if more than one is involved), and for reporting to the board are appropriate and operating effectively. The board retains ultimate responsibility for the risk management and internal control systems and should reach its own conclusions regarding the recommendations it receives.

The Wates Principles

The Wates Corporate Governance Principles for Large Private Companies were published in December 2018. They were published as part of the Government’s framework to improve corporate governance in unlisted companies. They contain the following guidance:

A board has responsibility for an organisation’s overall approach to strategic decision-making and effective risk management (financial and non-financial), including reputational risk. This requires oversight of risk and how it is managed, and appropriate accountability to stakeholders.

The size and nature of the business will determine the internal control systems put in place to manage and mitigate both emerging and principal risks… Responsibilities may include:

  • developing appropriate risk management systems that identify emerging and established risks facing the company and its stakeholders. Such systems should enable the board to make informed and robust decisions…
  • determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives (determining its ‘risk appetite’);
  • agreeing how the principal risks should be managed or mitigated and over what timeframe to reduce the likelihood of their incidence or the magnitude of their impact;
  • establishing clear internal and external communication channels on the identification of risk factors, both internally and externally; and
  • agreeing a monitoring and review process.