
Board Priorities in 2025: Internal controls


    Enhancing investor confidence through effective risk management and disclosures

    The accelerating pace of change in cross-industry dynamics exposes companies to new and escalating risks, whether in response to the adoption of advanced technologies, globalisation (or de-globalisation), geopolitics or new market entrants.

    This underscores why well-run Boards are devoting more resources to overseeing enterprise risks - and challenging executive management on whether internal control frameworks are suitably designed to limit risk impacts.

    From a UK perspective, an updated version of the UK Corporate Governance Code comes into effect from 1st January 2025. This reinforces the Board's obligation to establish and maintain an effective risk management and internal controls framework, specifically its accountability for overseeing: (i) the assessment of principal and emerging risks; (ii) how these risks are proportionately managed, mitigated and monitored; and (iii) accurate and balanced disclosures of how the company's enterprise risk profile could affect the company's prospects.

    These are foundational activities for all companies, particularly for Code companies considering the Provision 29 expectation that they will declare the effectiveness of their material controls in the 2027 reporting season.

    Put another way, for some, the Code changes reinforce existing risk management practices. For others, they herald work to do.

    To ensure sound foundations are laid, we recommend:

    • A measured, data-driven assessment of company-wide risks, to identify risks that could threaten the company's strategy, business model, future performance or reputation. The results should be evaluated to assess the impacts of concentration risks and other risks that, either in isolation or in aggregate, are deemed to exceed or be close to exceeding the Board's appetite or assessment of its risk tolerance, as defined within the Board's risk appetite framework.
    • A detailed review of the company's internal controls framework for each principal risk, having regard to: (i) the interests of key stakeholders who could suffer harm; (ii) the source of each risk in the company's strategy, business model and value chain; and (iii) the appropriate balance of controls (including the designation of controls deemed to be material), proportionate to the potential impact severity of each risk to key stakeholders, and whether the control environment meets the Board's risk prevention and mitigation objectives.
    • Evaluation of existing Board structures to assess whether adequate time is given to overseeing executive management's assessment and treatment of risk.
    • Establishing formal and outcomes-led policies for each principal risk, defining the Board's objectives and the key expectations of executive management within the Board's risk appetite limits.
    • Evaluating the robustness of the company's risk appetite framework, ensuring the appropriate use of quantitative and qualitative measures to direct risk-taking and reporting.

    We recognise every company is at a different stage in its risk management maturity; our view is that 2025 is the year to ensure solid foundations are laid and tested to meet the challenges ahead.


     

     
