The Companies Act 2006 requires the majority of companies to publish a strategic report as part of its annual accounts that must include “a fair review of the company’s business, and a description of the principal risks and uncertainties facing the company”. The Code states that the board should carry out a robust assessment of the company’s emerging and principal risks and confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated.

In addition, the Code provides that the board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.