
UK Corporate Governance Code: addressing ‘Material Controls’ requirements

We have recently held a number of highly insightful conversations with firms operating across multiple sectors on their progress with meeting the new material controls requirements of the updated 2024 UK Corporate Governance Code (the code).

 

As might be expected, we are seeing a range of approaches deployed to address Provision 29 of the code in terms of how a material control is defined, particularly with regard to scope and granularity, as well as the type and frequency of monitoring and assurance that is being (or is planned to be) deployed.

 

A common theme nonetheless is clearly to be as pragmatic as possible, which in general is driving a top-down approach to how control materiality is defined in practice: broader entity level controls and frameworks that map to areas of in-scope risks are being prioritised for focus over individual sub-controls, and monitoring and assurance is accordingly being directed at this level. SOX insights and data, where available, as well as other existing financial reporting control frameworks, are also typically being used as a foundational input.

 

Outlined below is a summary of MERC & CO’s five-step approach to managing the code’s material controls requirements, which we found broadly reflects the approaches that were shared with us.



There are, however, still a number of questions and scenarios that we feel should be explored by firms, particularly as sophistication in approaches develops, including:

 

  • Are metrics actually needed to evaluate / quantify control materiality or, for simplicity, should all controls that map to risks of significance, such as those that constitute a framework, be captured and considered material?

  • Should the basis of control effectiveness ratings focus only on measuring their operational performance and compliance criteria, or is actual risk manifestation and near miss events better proof of control failure / lack of effectiveness?

  • If entity level / framework controls are recognised as a ‘singular’ material control rather than focus being on the underlying control activities, how is effectiveness determined and measured in practice? Should risk materiality drive exceptions to be made to this approach?

  • Should a control that applies to / affects multiple risks and offers redundancy be recognised as a material control, even if its effect on individual risks is limited and/or those risks are not, for example, principal? Similarly, how should controls that apply to risks with high correlation potential be recognised? What are the trigger thresholds for inclusion as ‘material’?

  • How should changes in risk exposure levels be reflected in the context of ratings of control effectiveness? For example, if the design and operation of a control is functioning as intended, but the risk changes in such a way as to neutralise / overwhelm its effect, is that control then deemed ineffective or is the weakness in the wider ICF? How will this be disclosed?


In navigating the evolving landscape of the code, it is clear that firms are striving to balance compliance with practicality. As approaches mature, the questions above may become increasingly pertinent in shaping a robust yet pragmatic framework for material controls. We look forward to further discussions as these control systems progress.
