
News round-up: July 2023

A&R magazine, Jul/Aug 23

FRC launches public consultation on revised Corporate Governance Code

The Financial Reporting Council (FRC), the UK’s corporate governance regulator, has launched a public consultation on proposed revisions to the UK Corporate Governance Code. This follows the UK government's response to the White Paper, Restoring Trust in Audit and Corporate Governance, which identified areas needing reform – particularly directors' responsibilities for internal control, risk, audit and corporate reporting.

This limited revision of the code is the first for five years and is intended to enhance its effectiveness at promoting good corporate governance.

The primary focus is on parts of the code dealing with the framework of controls that provide a basis for reporting on, and providing evidence of, board effectiveness. Its revisions are intended to reflect the responsibilities of the board and audit committee for sustainability and ESG reporting.

The revised code will also seek to improve the way the “comply-or-explain” principle functions where reporting is currently weak, to strengthen reporting on malus and clawback arrangements, and to take account of the new standard on the duties of the audit committee relating to external audit.

The FRC will review the existing guidance supporting the code – the guidance on audit committees, guidance on board effectiveness and guidance on risk management, internal control and related financial and business reporting.  


 

Businesses failing to grasp supply chain risk

Over two-thirds of businesses do not have sufficient visibility into their supply chains. Research by Moody’s Analytics found that three-quarters of businesses surveyed described their third-party risk management processes as either “poor” or “mediocre”.

Key factors included a lack of data, difficulty evaluating every organisation in a supplier network, and responsibility for supply chain visibility being spread across different departments.


 

COSO guidance on sustainability reporting

Standard-setter COSO has released guidance to help organisations achieve effective internal control over sustainability reporting using its globally recognised Internal Control-Integrated Framework (ICIF).


CAEs rate financial risks as more important than cyber security

Financial, liquidity and insolvency risks have overtaken issues such as cyber security as key business risks, according to a new poll by the Chartered IIA. Three-fifths of chief audit executives (CAEs) reported that the uncertain economic outlook, fuelled by high interest rates and energy prices and the rising cost of living, had pushed financial risks to the top.

In a similar poll last year, financial, liquidity and insolvency risk ranked only ninth in the list of key business risks.

The other risks listed by CAEs in the top five were: market changes, competition and changing consumer behaviour; macroeconomic and geopolitical uncertainty; human capital, diversity, talent management and retention; and supply chains, outsourcing and third-party risks.

The results of this poll of 799 CAEs highlight the need for business leaders to work with their internal audit functions to ensure they are prepared for the unexpected. This should include reviewing business continuity and crisis-management plans to ensure they are fit to cope with economic shocks in the months ahead. They should also undertake economic simulation exercises and financial stress testing based on a range of different economic scenarios.

The Chartered IIA is using the research to urge the government not to further delay plans to reform the audit and corporate governance framework. The institute argues that these reforms are vital to enhance the resilience of our major businesses and protect them from future economic shocks.

“This research underlines the need for boards to collaborate with their internal audit functions to ensure they have identified, managed and mitigated the myriad business-critical risks they now face. Internal audit has an important role to play in supporting the board in this,” said Anne Kiem OBE, Chief Executive of the Chartered IIA. “We urge the government to publish the statutory instruments for Resilience Statements and Audit and Assurance Policies without further delay, as well as to ensure there is a commitment to an Audit Reform Bill in the King’s Speech. These reforms are vital to enhancing the resilience of our economy.”


Disruption creates challenges for risk culture

While risk cultures have improved since the pandemic, disruption presents new challenges for risk and finance leaders, according to a report published jointly by ACCA, Airmic and PRMIA. “Risk culture: building resilience and seizing opportunities” found that risk and finance professionals believe “tick-box” approaches and short-sighted views of risk are preventing organisations from fully embedding risk management into decision-making and strategy.

Regulatory, compliance and legal risks were ranked as top risk priorities, with technology, data and cyber security placed second. Respondents generally considered climate change and its social and economic implications as a compliance issue and ranked it second to last. In North America, technology, data and cyber security risks topped the list.


UK companies becoming less resilient to cybercrime

A UK government survey has found that UK organisations are becoming less resilient to cybercrime. Its Cyber Security Breaches Survey suggests that smaller organisations are taking cyber resilience less seriously than in the past. It found that “cyber hygiene” (including password and user-access policies) is poorer, organisations are failing to carry out cyber security risk assessments, and corporate reporting of cyber risks remains relatively uncommon. Board engagement and corporate governance approaches to cyber security tend to be more sophisticated in larger organisations.


Tips on managing ChatGPT risks

The Cloud Security Alliance (CSA), which promotes safe cloud and technology use, has released a paper offering guidance for using ChatGPT and suggesting ways that organisations can manage the risks while leveraging the technology.

The paper, Security Implications of ChatGPT, provides guidelines for using the technology responsibly. It covers the ways in which ChatGPT could benefit cyber security, as well as the ways it could benefit malicious attackers and itself be attacked.


NCSC updates cyber risk guidance for boards

NCSC, the UK’s National Cyber Security Centre, has issued new guidance as part of its Cyber Security Board Toolkit, intended to enable executives to give cyber risks the same prominence as financial or legal risks.

The latest guidance is designed to help board members, CEOs and senior leaders make informed decisions about cyber risks and adopt a systematic and practical attitude towards cyber security.

The updated toolkit lists the benefits of cyber security alongside essential activities for the organisation and indicators of success. 


Business leaders likely to overestimate their organisation's resilience

Business leaders tend to overestimate their organisation’s resilience, despite most stating that this is a high priority, according to PwC’s bi-annual Global Crisis and Resilience Survey. Data from 1,812 respondents worldwide showed that, while 70 per cent expressed confidence in their ability to recover from disruption, many lack the necessary foundational elements of resilience.

Nine out of ten organisations reported that they have experienced at least one disruption other than the Covid-19 pandemic. On average, organisations had experienced three-and-a-half disruptions over the past two years. Three-quarters said their most serious disruption had a medium to high impact on operations.

PwC recommends that organisations should take an integrated approach to align capabilities around protecting what matters most and embedding the programme into operations and the corporate culture. They also need an experienced, well-resourced leadership team with executive input and support.

 

This article was published in July 2023.