Desktop Banner

Mobile Banner

Private healthcare providers and the UK Corporate Governance Code

On 22 January 2024, the Financial Reporting Council (FRC) published the Corporate Governance Code 2024 (the Code) to 'enhance transparency and accountability of UK plc and help support the growth and competitiveness of the UK and its attractiveness as a place to invest.'

The FRC has made minimal changes to the Code, prioritising changes concerning internal controls (Provision 29 of the Code). Other minor changes to the Code were aimed at better streamlining expectations or clarifying language.

But what does this mean for premium-listed organisations and those voluntarily applying the Code, particularly from the perspective of internal controls requirements? These internal controls include financial, reporting, operational and compliance controls.

Internal controls specialist, Shingo Soga, and private healthcare specialist, Samuel Abbas, explore the impacts on the healthcare industry.

What key change does the Corporate Governance Code 2024 introduce?

The Code states that the board should provide the following in the annual report:

The key change from the 2018 Code is the explicit declaration requirement. Previously, boards were only required to monitor the company’s risk management and internal control systems, carry out an annual review of their effectiveness and report on that review in the annual report.

Based on our interactions with organisations, many believe the effort required is going to be significant. This is primarily because declaring effectiveness is significantly different from confirming the board has monitored and reviewed effectiveness.

What does it mean by 'material controls'?

The Code states that the board is responsible for determining what should comprise its material controls. The FRC has clarified that it is not able to determine what is material for each company, as this will vary from one organisation to another, and that the board is best placed to make this judgement. It also stated that the FRC’s role is not to be prescriptive as the Code is principles-based.

The FRC guidance states that material controls could include those related to addressing:

We believe that the FRC has made it clear that a more prescriptive guidance will not be forthcoming. Although most companies disclose their principal risks and mitigating controls, often including cyber risk, organisations must make a clearer assessment and link between the material controls in place and those needed to mitigate these risks and evaluate their effectiveness. With this in mind, providers should be thinking more broadly about their material controls in relation to areas such as recruitment and workforce planning, sustainability reporting, payment and insurance data and regulatory compliance.

When is the compliance deadline?

Provision 29, which pertains to internal controls, will apply to financial years beginning on or after 1 January 2026. The FRC has explained that organisations need time to establish the internal controls framework.

Key recommendations

The Code is principles-based, meaning organisations will be required to determine their material controls framework themselves. Organisations could have different viewpoints on where they should start, but the following may be a suitable approach:

How we can help

Organisations have just under two years to put an internal controls framework in place that covers their material controls. These organisations will need to carry out a risk and objectives assessment to identify the material controls. The assessment needs to include financial, operational, reporting and compliance areas, and should be reviewed and signed off by the board.

We are helping various organisations set up internal controls frameworks and can help you on your journey to meet the requirements of the new Code.

authors:shingo-soga,authors:samuel-abbas