What you need to know about the revised UK Corporate Governance Code and Guidance

The main changes relate to risk management and internal controls, audit committee reporting, governance reporting, DE&I and remuneration.

On January 22, 2024, the Financial Reporting Council (FRC) published the new version of its UK Corporate Governance Code (the 2024 Code). The stated aim was to enhance the transparency and accountability of UK plc and to help support the growth and competitiveness of the UK and its attractiveness as a place to invest.

The 2024 Code focuses on a limited number of changes, prioritizing revisions relating to internal controls. The main substantive change is that the board must now include a declaration in the annual report as to the effectiveness of the company’s material controls (including financial, operational, reporting and compliance controls).

Concurrently with the 2024 Code, the FRC also published a summary of the key changes of the 2024 Code and a 2024 Code myth buster (the 2024 Mythbuster). On January 29, 2024, the FRC also published its revised guidance on the 2024 Code (the Guidance), which is considered in further detail below.


The FRC kicked off a 16-week consultation on extensive changes to the UK Corporate Governance Code (the Code) back in May 2023, in response to the Government’s paper on restoring trust in audit and corporate governance, which called on the FRC to strengthen the Code in certain areas.

These changes were widely expected to be adopted by the FRC, largely wholesale, until it announced on November 7, 2023 that, in light of feedback from stakeholders during the consultation process, its new policy objectives and the Government’s focus on reducing red tape, it would drop over half of its proposals and just focus on changes to internal controls (see our earlier briefing and also the news item on GRIP, “Reform of UK boardrooms diluted as ‘competitiveness’ prioritised”).

The 2024 Code reflects the FRC’s policy update in November 2023.


The 2024 Code will apply to financial years beginning on or after January 1, 2025 (except for Provision 29 (which relates to the board’s declaration on the effectiveness of material controls), which will apply to financial years beginning on or after January 1, 2026). The current 2018 iteration of the Code (the 2018 Code) will apply until such time.

The Code is applicable to all issuers (whether UK or overseas incorporated) with a premium listing on the London Stock Exchange. The Code comprises a set of principles (Principles) supported by detailed provisions (Provisions). It is not a rigid set of rules but, instead, operates flexibly and allows company boards to adopt different approaches to demonstrate compliance. The Listing Rules require premium listed companies to apply the Principles of the Code in a manner that shareholders can evaluate and to comply or explain against its Provisions in the company’s annual report and accounts.

It is expected that, when the premium listing and standard listing segments of the London Stock Exchange are replaced by a single listing category for equity shares of commercial companies, all companies listed on the proposed single segment would be required to adhere to the 2024 Code on a “comply or explain” basis.

Key changes

The key changes in the 2024 Code relate to:

  • risk management and internal controls;
  • audit committee reporting;
  • governance reporting and company culture;
  • diversity and inclusion; and
  • remuneration.

Risk management and internal controls

The most significant change in the 2024 Code is new Provision 29 (which will not apply until financial years beginning on or after January 1, 2026). This requires the board to monitor the company’s risk management and internal control “framework” (replacing “systems”, which is a narrower term), and, at least annually, carry out a review of its effectiveness. Provision 29 requires the following disclosures in the annual report:

  • a description of how the board has monitored and reviewed the framework’s effectiveness;
  • a declaration of effectiveness of material controls as at the balance sheet date; and
  • a description of any material controls which have not operated effectively as at the balance sheet date, and the action taken or proposed to address these issues.

The board should make its own judgment as to which controls are “material”. This is a recognition of the increasing importance of non-financial disclosures for many companies. The FRC is mindful that the needs of each business may vary and that non-financial controls for some businesses may not be, or need to be, as mature as their financial controls. It is for the board to determine what level of maturity is right for its business and its own levels of required assurance in relation to the effectiveness of these controls.

Provision 29 will come into effect one year after the rest of the changes in the 2024 Code. This is to accommodate feedback received during the consultation that many companies will have significant work to do on the design and operation of their risk management and internal control frameworks.

Provision 30 now requires the board to state, in all annual and interim financial statements (not just annual and half yearly per Provision 30 of the 2018 Code), whether it considers it appropriate to adopt the going concern basis of accounting and identify any material uncertainties to the company’s ability to continue to do so over a period of at least 12 months from the date of approval of the financial statements.

Audit committee reporting

Principle O now provides that the board should not only establish, but also maintain, an effective risk management and internal control framework.

Provisions 25 and 26 have been updated to reflect the Audit Committees and the External Audit: Minimum Standard (the Minimum Standard), which was published in May 2023, and duplicative language has been removed. Provision 26 states that the annual report should describe the work of the audit committee, including “the matters set out in” the Minimum Standard.

The Minimum Standard applies to audit committees of premium listed companies included in the FTSE 350. By including the Minimum Standard in the 2024 Code, all companies subject to the 2024 Code (which extends beyond premium listed companies in the FTSE 350) are now required to report on the matters set out in it on a “comply or explain” basis.

Governance reporting and company culture

The 2024 Code sets out a new Principle C, which states governance reporting should focus on board decisions and their outcomes in the context of the company’s strategy and objectives. The 2024 Mythbuster explains that outcomes-based reporting means providing stakeholders with information on how decisions taken by the board have, and will, affect the company’s strategy, objectives and long-term viability.

Provision 2 has been updated to include that the board should assess and monitor how the company’s desired culture has been embedded. This encourages a proactive approach from the board to foster such culture through examining the day-to-day practices within the company.

Diversity and inclusion

Principle J has been amended to provide that board appointments and succession plans should promote diversity, inclusion and equal opportunity, removing the previous wording which specifically listed gender, social and ethnic backgrounds, cognitive and personal strengths. This acknowledges that diversity policies can be wide ranging and need not stem from specific categories.

Provision 23 widens the diversity-related disclosure requirements for the nomination committee in the annual report, by requiring a description of any diversity and inclusion initiatives, in addition to the diversity and inclusion policy.

Remuneration

Provision 37 has been amended to state that agreements relating to director remuneration should include malus and clawback provisions (not just clawback provisions per Provision 37 of the 2018 Code).

Provision 38 now expects the board to include a description of malus and clawback provisions in the company’s annual report on remuneration, including:

  • the circumstances in which they could be used;
  • a description of the period for them and why the selected period is best suited to the company; and
  • whether the provisions were used in the last reporting period and, if so, a clear explanation of the reason.

Maintaining the ‘comply or explain’ regime

The FRC has reinforced that the 2024 Code continues the “comply or explain” regime, as it gives companies the scope to communicate salient and pertinent information to stakeholders, whilst recognizing that there is no one size fits all approach for companies reporting on their governance.

There has been some criticism from market participants that the Code is a “comply or else” regime, as companies are seen to be penalised if they do not fully comply with the Code.

Whilst the FRC’s 2023 Review of Corporate Governance Reporting found that well over 50% of companies departed from one or more provisions of the Code, the FRC found that companies could be better at providing clear and meaningful explanations for any departures from the Code. The FRC also reminded investors and proxy advisers that they should not favour strict compliance with the Provisions of the Code but focus on individual company circumstances and the explanations companies provide for their non-compliance.

With the FRC’s focus now turning to engaging with stakeholders on how best to review the UK Stewardship Code (as set out in its announcement on November 7, 2023), which sets stewardship standards for asset owners and asset managers, as well as service providers that support them, we expect to see reform on how investors and proxy advisers can support the “comply or explain” regime.

Revised FRC Guidance

The Guidance contains suggestions of good practice to support the board and its advisers in applying the 2024 Code. The FRC has emphasised that the Guidance is not prescriptive, and the intention is not to set out a “right way” to apply the 2024 Code, but instead to stimulate thinking on how the board can carry out its role effectively.

The Guidance combines and updates previously published FRC guidance so that it is all in one place: the Guidance on Board Effectiveness, Guidance on Audit Committees and Guidance on Risk Management and Related Financial and Business Reporting. The Guidance is also more user-friendly than previous FRC guidance as (i) the digital version of the 2024 Code now includes links to the relevant sections of the Guidance, and (ii) the digital version of the Guidance includes links to other materials which may be helpful, such as the Chartered Governance Institute’s guidance note on reporting on board performance reviews.

The Guidance includes an executive summary, and aligns itself with the 2024 Code’s Principles and Provisions by splitting itself into the following sections:

  • Section 1 – Board leadership and company purpose;
  • Section 2 – Division of responsibilities;
  • Section 3 – Composition, succession and evaluation;
  • Section 4 – Audit, risk and internal controls; and
  • Section 5 – Remuneration.

Each section also includes a series of questions and concepts that the board may wish to consider depending on the size, complexity and maturity of the company.

Finally, there is an appendix which sets out how disclosures required by the 2024 Code overlap with the FCA Handbook, in particular, the Listing Rules and the Disclosure Guidance and Transparency Rules.

Notable changes in the Guidance include:

Section 1 – Board leadership and company purpose

Given the emphasis on the importance of outcome-based reporting in new Principle C in the 2024 Code, the Guidance includes a list of questions relating to objectives, decisions and actions taken to achieve those objectives, and the impact these actions have had (or are expected to have) on stakeholders and the company.

Section 2 – Division of responsibilities

There is a new sub-section headed: Good practice guidance for the successful management of board committees. This includes guidance on board committees, highlighting that they play an important role in supporting the board’s operation as a unitary function. There is also guidance on the roles of each of the nomination, audit and remuneration committees. Recognizing the growth in risk and/or sustainability committees, there is additional guidance on these, notwithstanding they are not required by the 2024 Code.

Section 4 – Audit, risk and internal controls

This section includes extensive new guidance relating to Provision 29 of the 2024 Code.

On establishing the risk management and internal control framework (the “Framework”), the Guidance states that:

  • the board should use a recognised framework or standard as part of its process for designing and maintaining the effectiveness of the Framework (for example COSO, ISO or COBIT); and
  • the roles and responsibilities of all key functions and individuals in respect of risk and internal control should be made explicit.

On maintaining the Framework, the Guidance states that:

  • the company should have systems in place to carry out the monitoring of the design, implementation and operation of the Framework;
  • an effective Framework must be responsive and able to adapt to change;
  • where a significant issue has been identified, it should be reported to the board, even if it has been remedied, including action(s) taken; and
  • the board should conduct its own monitoring, based on the regular reporting and other communication with management, internal audit, external audit and other appropriate functions and units.

The Guidance does not define “material controls”, noting that these will be company-specific and therefore different for every company depending on their features and circumstances, including size, business model, strategy, operations, structure and complexity. When determining which controls are material, the board should consider how a deficiency in control could impact the interests of the company, shareholders and other stakeholders.

The Guidance notes that material controls could include controls over (i) risks that could threaten its business model, future performance, solvency and reputation; (ii) external reporting that is price sensitive; (iii) fraud; or (iv) information and technology risks such as cyber security, data protection and AI.

On reviewing the effectiveness of the Framework, the Guidance notes that whilst there is no single way of carrying out a review, the board may wish to define the processes to be adopted. The review should also evaluate the effectiveness of the processes for ongoing monitoring of the Framework. The Guidance includes a detailed list of important issues to consider at paragraph 284. Neither the 2024 Code nor the Guidance expects companies to obtain external advice or assurance over the effectiveness of the Framework.

On the declaration on the effectiveness of the material controls in the annual report, the Guidance states that:

  • the board should form its own view, based on the evidence it obtains, exercising the standard of care generally applicable to directors in the exercise of their duties;
  • if applicable, the board may wish to use the “comply or explain” nature of the 2024 Code to provide an explanation where perhaps a control system is less established or mature, or the effectiveness of a new control system has not yet been proven; and
  • when reporting on areas for improvement, or actions that have been or are being taken, the board is not expected to provide any disclosures which in its professional judgment contain confidential information or any other information that could inadvertently affect the company’s interests if publicly reported.

The Guidance also includes a sub-section on cyber security, noting that to govern cyber security effectively, companies need to implement a top-down approach and the board is responsible for ensuring that risks to delivering the strategy are identified, evaluated, and mitigated in line with the business risk appetite. Whilst board members do not need technical expertise, they need enough knowledge for constructive discussions with key personnel, so they can be confident that cyber risk is being appropriately managed.

The FRC will be keeping the guidance under regular review to ensure it is relevant and up to date, and to ensure the links included work effectively. Any updates or changes to the guidance will be clearly signposted.

Jack Shepherd is a partner in the Corporate Team and Yee Rou Quah is an associate in the Corporate/M&A team at CMS London.