
UK Governance Code – the next 25 years

The UK’s framework for corporate governance is respected worldwide but needs to evolve with changing circumstances

Since its inception 25 years ago, the UK Corporate Governance Code has been a major force for good and it makes an important contribution to the high regard in which the UK business framework is held globally, which in turn is a key reason why global investors commit their capital to the UK.


In short, the Code has made a significant and important contribution to sustainability in the UK economy and the creation of jobs, growth and prosperity. Nonetheless, after a quarter of a century and with the apparent decline in public trust in business it is time to review the Code and its framework to ensure it is fit for the future.

Stephen Haddrill

Chief Executive Officer of the Financial Reporting Council

The Cadbury Report was published in 1992 as a response to corporate scandals at the time involving BCCI, Polly Peck and Maxwell, and was followed by the creation of the UK’s Corporate Governance Code. A key aspect of the Code from the onset has been the ‘comply or explain’ approach. This has allowed companies to respond confidently and effectively to evolving market circumstances, because it offers flexibility in how companies apply the principle to their own particular situations and business models. Hard rules don’t cope easily with the variety of British business and are inevitably more difficult to change.

As well as the ‘comply or explain’ approach, the strength of the unitary board and strong shareholder rights are important planks of the framework. These factors have long delivered economic success and must be preserved. But more can be done. While compliance with the Code’s provisions is high, our monitoring shows that some explanations when boards choose not to follow provisions are of poor quality. We have called on shareholders to challenge companies where they do not believe that explanations given are sufficiently persuasive.

Evolving framework

As we look to the next 25 years, it is important that our framework of corporate governance continues to evolve. The demands on business and the expectations of stakeholders are growing.

Inevitably, we are looking at the risks and opportunities presented by Brexit. If we maintain the advantages gained over the last quarter of a century, investors will continue to look to the UK as a destination of choice for their capital. Businesses will continue to see the merit in being listed in the UK. A proportionate, principles-based framework for corporate governance will help to achieve these outcomes.

Codes put forward principles for best practice that make bad behaviour less likely to occur; and public reporting can make it harder to conceal such behaviour. But, on its own, a code does not prevent inappropriate behaviour, strategies or decisions. The commitment of people, particularly the leaders within a business is required.

Our report Corporate Culture and the Role of Boards and our work to tier the signatories to the Stewardship Code are good examples of fresh thinking. There are certain principles mentioned earlier that underlie corporate governance in the UK and which we feel must be retained. The law holds all directors equally responsible for the decisions of the board. But their responsibility now needs to be more closely aligned to the broader factors in section 172 of the Companies Act and should be reported on and effectively monitored.

Our report on promoting good corporate culture helps them in this regard and sets out several key observations as well as case study examples, some of which I will highlight. In particular, it encourages boards to:

■ Recognise the value of culture

A healthy corporate culture is a valuable asset, a source of competitive advantage and vital to the creation and protection of long-term value. It is the board’s role to determine the purpose of the company and ensure that the company’s values, strategy and business model are aligned to it. Directors should not wait for a crisis before they focus on company culture.

■ Demonstrate leadership

Leaders, in particular the chief executive, must be seen to live the desired culture, embedding it at all levels and in every aspect of the business.

Boards have a responsibility to act where leaders do not deliver. Remuneration decisions must be consistent with the desired culture. This includes decisions on appointments and remuneration incentives, and disincentives.

■ Be open and accountable

Openness and accountability matter at every level. Good governance means a focus on how this takes place throughout the company and on those who act on its behalf. It should be demonstrated in the way the company conducts business and engages with and reports to stakeholders.

■ Seek to measure behaviours

Metrics should be tailored to the behaviours and include external as well as internal stakeholder views.

BUSINESS IN BRITAIN

Evolving the Code will ensure investors continue to look to the UK

Another observation from the report calls on investors to exercise stewardship. Increasingly investors, in looking at the long-term, have recognised the importance of culture and are asking questions about it in their stewardship meetings with companies. They and we are finding that reporting of culture is an area where more can be done.

To further encourage good stewardship, we have recently categorised signatories to our Stewardship Code into tiers.

The tiering exercise was undertaken to improve the quality of reporting against the Code, encourage greater transparency in the market and maintain the credibility of the Code. It distinguishes between signatories who report well and display their commitment to stewardship, and those whose reporting needs further improvement. Code signatories were encouraged to improve their statements and thereby reaffirm their commitment to stewardship.

Twenty-five years after Sir Adrian Cadbury’s report, the UK remains in a good position globally with high levels of trust and confidence among investors

There are nearly 300 signatories to the Code. More than 120 are in Tier 1 – the top tier, representing nearly 90 per cent of assets under management by members of the Investment Association. Asset owners are now better able to discuss with asset managers their different approaches to stewardship and ensure that these best meet their needs. Signatories will be encouraged to engage in continuous improvement of their reporting and stewardship activities.

Consultation process

With all this considered and after a programme of engagement with many stakeholders from many different sectors, we will issue a consultation on reforms to the UK Corporate Governance Code later this year. This consultation will broadly look at whether the Code should be amended to encourage boards better to take account of a wider group of stakeholders, whether we can do more to encourage engagement on remuneration issues and whether more needs to be detailed in the Code about culture.

Looking at the guidance on board effectiveness, which we released in 2011, we will again assess if it is addressing the issues relevant to board and company governance and how it could be amended to raise standards. We will also look at how the guidance could be amended to take account of the role of boards in setting, assessing and embedding a company culture.

Reputation in business is also key to this success, and corporate governance can help to instil this in an organisation. Business has a duty to its stakeholders to be transparent, true and fair, because without it, our economy will not thrive.

Twenty-five years after Sir Adrian Cadbury’s report, the UK remains in a good position globally with high levels of trust and confidence among investors. Corporate governance must help to maintain that trust. At a time when geopolitics and world economics look less certain, both are ever more important.

Will US investors diverge from Trump on climate change?

Despite the US president’s withdrawal from the international climate accord, shareholders will always have Paris

Professor Paul Rose

Bazler Designated Professor in Business Law at the Ohio State University’s Moritz College of Law

Donald Trump’s decision to pull the United States out of the Paris Agreement on climate change was unwelcome, but not unexpected, by many US business leaders.

The decision, it seems, was not the consequence of deeply held beliefs about climate science (or, rather, disbelief in climate science). To cheers from his audience in the White House Rose Garden, President Trump spoke of keeping the promises he made to the American people during his campaign by ridding citizens of a burdensome agreement “that disadvantages the United States to the exclusive benefit of other countries”. The Paris Agreement, in Trump’s words, is “less about the climate and more about other countries gaining a financial advantage over the United States”.

Most public company CEOs had a different view. Lloyd Blankfein, CEO of Goldman Sachs, tweeted that Trump’s decision was “a setback for the environment and for the US’s leadership position in the world”. Two members of Trump’s business advisory council, Bob Iger of Walt Disney and Elon Musk of Tesla and SpaceX, left the council after the decision. Many of the remaining members took an opportunity to distance themselves and their companies from Trump’s position, even though they remained engaged with the advisory council.

The small business response

A different chorus emerged from small business owners and managers. Instead of expressions of dismay and defiance, small business owners largely cheered Trump’s decision to withdraw from the Paris accord. This comes as no surprise to observers of Trump’s interactions with small business owners on the campaign trail: these business owners – and many of their employees – quickly warmed to Trump’s promise to lower taxes and reduce the regulatory burdens that often disproportionately impact smaller businesses. To many of these small business owners, the Paris accord represented another costly set of regulations imposed by detached, urban elites.

While public company executives in urban America operate within a global economy in which climate change and sustainability are issues of undeniable importance, small business owners in suburban and rural America operate in local economies in which the more pressing concerns lie much closer to home. The weather, rather than climate, is much more likely to be the topic of conversation. Donald Trump did not win the election by persuading the public company CEO, but by appealing to rural Americans – business owners and employees alike – who felt ignored and disrespected by the urban elite. A recent New York Times report notes that the withdrawal from the Paris accord has “opened up a fissure between smaller companies and some of the biggest names in business”. A more accurate characterisation would be that Donald Trump recognised an existing fissure between small and large businesses and their owners and managers; the Paris Agreement is a wedge that further widens the divide.

CLIMATE DISCLOSURE

Shareholders will pay attention to the evolving regulatory environment

The impact of shareholder engagement on climate change

Even if small businesses may rightly complain of disproportionate impacts from environmental regulation, large businesses are no less vocal about costly regulatory measures. Why, then, were large businesses eager to publicly distance themselves from Trump’s decision to withdraw from the accord? The answer does not seem to be merely because they are better able to bear the costs of regulation, compared to small businesses; no business gladly accepts a regulatory burden (although, admittedly, some regulatory burdens may be welcome if they serve as barriers to entry for new competitors).

There is another significant difference between small businesses and most of the large companies that took public positions against the withdrawal from the Paris accord: shareholders. The small firms that cheered the withdrawal tend to be sole proprietorships, partnerships, limited liability companies and closely held corporations in which ownership is concentrated in a single person or a small group of individuals. The vocal corporate dissenters, on the other hand, tended to run very large, publicly traded firms with a broad investor base.

Perhaps even more importantly, most of the shares of these large firms tend to be owned by institutional investors, some of which control billions or even trillions of dollars in shares. And, it is these shareholders, the large (and often relatively passive) institutional investors, who are beginning to tilt the scales in favour of a concerted corporate response to climate-related risks.

The ExxonMobil vote: a tipping point?

A significant, recent example of this shift may be seen in the ExxonMobil shareholder vote. In the same week that President Trump initiated the process to withdraw the US from the Paris climate accord, the shareholders of ExxonMobil approved a shareholder resolution, calling on the company to disclose the “long-term portfolio impacts of technological advances and global climate change policies”. In particular, it wanted to know the impact on ExxonMobil’s oil and gas reserves and resources as a result of a reduction of demand consistent with the ‘globally agreed upon two degree target’ set out in the Paris accord. Although a similar proposal only received approximately 38 per cent of the vote in 2016, the shareholders approved this year’s proposal with more than 62 per cent of the vote.

What changed between 2016 and 2017? The turning point appears to be the support of several large institutional investors, including Vanguard and BlackRock. These investors are developing a clearer picture of how climate risks are likely to impact their portfolio companies. BlackRock, for example, noted in 2016 that while “some may question the science behind [climate change], all are faced with a swelling tide of regulations and technological disruption”. The key point, then, is this: for BlackRock and other large institutional investors, climate change is not merely about the physical risks associated with rising global temperatures, such as less predictable weather and rising sea levels, but also – and perhaps even primarily – about the regulatory risks faced by companies like ExxonMobil. “The resulting regulatory risks,” the BlackRock Investment Institute explains, “are becoming the key drivers of investment returns.”

The law firm Simpson Thatcher & Bartlett counted 90 environmental shareholder proposals in 2016 among the broad Russell 3000 index of US-listed public companies, up from 58 in 2014 and 42 in 2012. And yet support for these proposals, while improving incrementally, remains weak. The 2014 slate of proposals garnered less than 18 per cent of the shareholder vote, the 2014 slate a little more than 20 per cent, and the 2016 slate less than 22 per cent. ExxonMobil’s shareholder proposal may mark a turning point in shareholder proposals on environmental issues, not because shareholders have finally recognised the risks associated with climate change, but because governments are recognising these risks. And because governments have recognised these risks and have begun to implement mitigating efforts, such as the Paris accord, institutional investors have begun to adjust their votes accordingly.

Because the regulatory risks appear to be driving shareholder support for at least some environmental and climate change proposals, there should be no suspicion that institutional investors are basing their support on social policy preferences. Indeed, large institutional investors, such as BlackRock, have typically been clear that support for a given environmental or climate change-related shareholder proposal will depend on the company at issue. For a company that has little to no identifiable regulatory exposure to climate change risk, they will be less likely to support such a proposal, consistent with their fiduciary obligations to maximise returns for their investors. As we learn more about the potential effects of climate change (and particularly if we discover greater risks from climate change), US institutional investors must update and adapt their policies.

Even with the potential US withdrawal or attempted renegotiation of the Paris Agreement, the regulatory environment has changed significantly for many international companies, such as ExxonMobil. If the Trump administration reduces the federal government’s commitment to environmental regulation, international and even US state regulations will continue to affect markets in which these companies operate. California, for instance, recently passed the Clean Energy and Pollution Reduction Act. The act dramatically reduces demand for fossil fuels by energy producers in a state that, on its own, would rank as the world’s sixth largest economy. Shareholders will be paying attention to the evolving regulatory environment. Even if Trump turns his back on the risks of climate change, large, multinational companies and their shareholders will always have Paris and the myriad of other climate change agreements, codes, standards and regulations to take into account in the coming years.

The executive board’s role in cybersecurity

Cyber-responsible boards are pushing their organisations to new levels of innovation

As the recent WannaCry ransomware attacks proved, there is no doubt that cyberattacks and data breaches are growing – in number, sophistication and severity – and are a great cause for concern for small and large businesses alike.

John Riggi

Former FBI Executive and Head of BDO USA’s Cybersecurity Practice

The increasing number of major breaches across the globe has prompted regulators to act. In many jurisdictions, businesses are now required to meet strict cyber risk management mandates or face penalties. New regulations not only require organisations to put appropriate security measures in place to protect personal information (of their people, their clients/customers and their suppliers), but also to have mandatory data breach notification systems in place to report privacy breaches to authorities and individuals whose information was compromised. The tightening regulatory environment has prompted boards of directors to take an increasingly active role in implementing effective cyber risk management programmes within their organisations in an effort to mitigate the risk of disruption to their business operations, avoid costly fines and damage to their brand as well as significant financial losses.

The EU General Data Protection Regulation comes into force in May 2018 and significantly expands the scope and enforceability of the EU’s data privacy regime. Companies are required to inventory all personal data, incorporate risk-based cybersecurity measures and report any data breach to the supervisory authority within 72 hours. Non-compliant organisations may be fined up to four per cent of annual global turnover or €20million (whichever is greater). Similarly, in the US, the New York Department of Financial Services (NYDFS) recently issued a first-of-its-kind cyber regulation impacting all New York-regulated financial institutions, including New York branches of foreign banks. The NYDFS regulation mandates the implementation of a risk-based cyber risk management programme, the appointment of an individual to oversee the programme and, in an unprecedented step, the ground-breaking regulation holds company board members and senior officers personally liable for annual compliance certification.

Taking on responsibility

Approximately three-quarters of public company directors say that their board is more involved with cybersecurity than it was 12 months ago and 80 per cent say they have increased company investments by an average of 22 per cent over the past year to defend against cyberattacks. This is the third consecutive year that board members have reported increases in time and dollars spent on cybersecurity. Additionally, the number of organisations with cyber incident response plans in place has increased from 45 per cent to 63 per cent. Nevertheless, barely one-quarter are sharing information and threat intelligence on cyberattacks with entities outside of their business – a practice that must become more prevalent for reasons of public safety, protection of a nation’s critical infrastructure, national security and economic security.

Generally, larger organisations with well-funded and mature cybersecurity programmes are well-positioned to contribute valuable technical cyber threat intelligence along with a cyber adversary’s identified tactics, techniques and procedures, which would assist in the defence of all, and the defence of nations.

The ascension of cybersecurity

There is no doubt that cybersecurity continues to move up on the boardroom agenda. Corporate directors are briefed more frequently on the organisation’s cybersecurity posture and related vulnerabilities. They are responding with increased budgets to address this critical area of enterprise risk. However, significant vulnerabilities remain, as less than half of board members surveyed worked with their organisations to prioritise the identification and development of solutions to protect their critical digital assets. Even fewer organisations have put cyber risk requirements in place for third-party vendors – a major source of data breaches.

Beyond ticking the boxes

Executive boards allocate resources and provide management with the necessary tools to identify and mitigate cyber risks. Cyber-responsible boards go beyond checking policy, overseeing, verifying and advancing cybersecurity measures so that they keep – or better yet, exceed – pace with the latest developments in cybercrime.

Organisations have adapted to new cyber requirements in a very pragmatic way, often relying on compliance criteria to determine their corporate cybersecurity policies. This approach to cybersecurity often results in a ‘tick the box’ security posture, failing to appropriately address the organisation’s greatest vulnerabilities and identify areas for improvement. A compliance-driven stance on cybersecurity can jeopardise its effectiveness.

TAKING ACTION

Board members have reported an increase in time and dollars spent on cybersecurity

It is the responsibility of board members to ensure their companies strike a balance between effectively meeting compliance requirements and implementing a risk-based cyber programme that addresses the areas of vulnerability unique to each organisation. In a position to command resources and influence strategy, boards should push their organisations to new levels of innovation, not only in service and product offerings, but also in cyber risk management in order to ensure adequate protection from cyber threats.

Guarding the ‘crown jewels’

A board’s cybersecurity responsibilities are among its most complex – requiring members to actively engage in informed oversight of the organisation’s overall cybersecurity. Among their responsibilities, board members should:

1. Develop a deep understanding of the business’ critical assets

Quantify these assets by modelling the potential financial impact if the organisation experiences a cyberattack that disables, limits access to, or destroys these assets.

2. Understand the risk to those business assets

In order to understand how to mitigate risk, boards must determine the current state of their organisation’s cyber risk profile. And performing a cybersecurity risk assessment is far less expensive than the cost of reacting to a breach, which can not only cause reputational harm, but can also find them in breach of regulation for not having been prepared. By conducting a risk assessment and gap analysis, boards can quickly assess current policies and operations, identify holes and prioritise remediation initiatives.

3. Take inventory of sensitive company data

Information is often an organisation’s most valuable asset. And today, more than ever before, the confidentiality, integrity and access to that information is at risk. The increased threat of cyberattacks in recent years, along with the creation of new data privacy regulations, only emphasise the need for boards to implement strong policies to achieve compliance and mitigate information-related risks. Understanding what information the organisation has, where it resides, and its purpose, are key factors in identifying the highest risk areas and developing a mitigation strategy.

4. Develop and implement an incident response plan

A rapid response during a data breach can make all the difference. Boards should oversee the development of a comprehensive, regularly tested and updated incident response plan that not only outlines immediate action, but also considers company processes, internal and external communications, legal and regulatory issues, contact with law enforcement, crisis management plans, and the roles and responsibilities of individuals throughout the firm in order to manage and mitigate the impact of a breach.

5. Examine insurance plans to ensure adequate levels of cyber coverage

Cyber insurance may be purchased as a stand-alone policy or included as an additional coverage under a professional liability policy. However, coverage levels and terms can vary greatly and work in conjunction or conflict with other insurance policies held by the organisation. Boards should evaluate current policies and levels of coverage, particularly if cyber coverage is added to another policy, to ensure their organisations are properly protected from the potential losses from a cyber incident.
