What next for boards?

Richard Sheath is a Director of Independent Audit Limited, the board effectiveness and governance specialists.


Journal Issue March 2024

Richard Sheath looks at the new Code ‒ specifically its provisions on risk management and internal control.

‘It doesn’t change anything really’ … ‘We do it anyway’ … ‘We just need to make sure we have the documentation in place’. Whilst far from all-encompassing, these are some of the more typical responses we’ve heard to the latest version of the Corporate Governance Code.


For some these may be a reasonable response. Well-run companies will be checking material controls constantly and have tried-and-tested risk management frameworks. And regulated financial services companies have been needing to stand up to scrutiny for a long time.


But the opportunity to use the new Code requirements to bring more discipline should not be underestimated. If tackled constructively, it should bring value too.


As with many aspects of governance standards, the benefit comes from the nudge. Being required to make sure that you can support what you’re saying involves a rigour that might need a refresh. Or maybe prompt a rethink to see whether you can do more or do it better.


And if you think there’s not much benefit to be had from yet more ‘governance burden’ you’re starting from the wrong place.


Don’t think of it as ‘what do we need to do to comply with the Code?’ Instead, think of what you need to have in place so that you can be confident that risk management and internal controls are achieving what the business needs. And that you can answer the ‘how do we know?’ question.


The opening gambit needs to be ‘what should we be doing anyway to benefit the business?’ Because if you’re doing what you need to do to run the business optimally, compliance with the Code should then simply fall out of that at no great extra cost or effort. It just becomes a question of making sure you have enough documentation to support your conclusion should push come to shove. And often there are also business benefits to that from the discipline, structure and confidence that comes with evidencing.


If you’re not doing what you need to do, then it should be obvious that, regardless of Code requirements, you should make improvements in any case.


So, having got in the right frame of mind, what are the next steps for Audit (and/or Risk) Committees? It’s still early days. Along with many boards, our thinking is still developing. But here are some initial thoughts to get the discussion started. These are some of the ingredients that we think will be needed. But it’s not the full recipe – that needs to come from further thought and testing. And they are not consecutive steps as such: in practice, these sorts of questions will need to be asked and considered in parallel.


Work out the target business benefits


Put the Code to one side for a while and ask what you want to gain from a fresh look at how you know that risk management and material controls are working effectively. And what you might also gain from documenting and evidencing: will it give you more coherence and structure as well as greater comfort?


Pin down what ‘effective’ risk management looks like


There’s often an assumption that everybody knows what ‘effective’ means. But can you actually set out clearly what impact risk management should have? How should it influence decision-making? How does it get factored into day-to-day work and decision-making? And into strategic plans and initiatives? What should an effective response look like? Along with a strong risk culture to underpin it all?


Set out a model to help assess risk management effectiveness


It’s useful to have a framework to structure and challenge your thinking. That might be one of the established models such as COSO. Or it might be more strategic and at a much higher level. Either way, it’s important that you make sure it covers three elements we often feel get neglected: the risk culture, the management controls and the approach to learning from things that didn’t go to plan. Typically, there’s an over-emphasis on checking that you have the sort of Enterprise Risk Management structure and process that everybody expects you to have. Audit & Risk Committees regularly do not go far enough in looking more widely at whether risk management is having an impact on how the business is run; if it’s not making enough of a difference, it surely cannot be ‘effective’.


Work out the link between material controls, principal risks and risk appetite


Too often we see the principal risk discussion being relegated to confirmation of the externally reported list rather than as an opportunity to tie in the threats and headwinds to the strategy. The need to confirm the definition of the material controls presents an opportunity to both check the relationship and also to rethink how the principal risk discussion (and probably risk appetite definition too) fits in with risk management and material control effectiveness. And whether you’re getting what you need from the discussions.


Define what ‘material controls’ mean for you


There’s no single definition – and each business and board needs to work it out in their own context. It’s going to be key for Code compliance, given that the board will have to make a declaration on the effectiveness of material controls at the balance sheet date (or ‘explain’ why you’re not complying). So, the number, extent and nature of the material controls will determine the extent of the challenge. That might be tricky to do in a short space of time, particularly for large, complex businesses. The solution will be to rely on the controls working well throughout the year.


Make sure day-to-day working of controls helps you make the declaration


A quick reaction to the Code is ‘how can we do the work needed between year-end reporting dates?’. It may well be unrealistic within the time frame and resources available – but that’s not the question. Instead, you’re going to have to rely on controls working well as business-as-usual – and getting the assurance throughout the year. And that’s where the business benefits come in. Knowing that they work well matters continually and not just making sure they work at year end.


Know where you’re going to get the assurance from


There are many possible sources of comfort for the board to draw on. Internal audit is an obvious one. To a degree, external audit review of certain controls should also help. But there are others too, especially if the business benefit is to be optimised. The annual review could be a good opportunity to do internal stakeholder reviews in order to garner opinions on how well risk management is working in the eyes of those who are part of it. The same with material controls: do people see them working in practice? Likewise, a risk culture survey might well surface issues – and we’ve seen this work well when the survey is anonymous and focused on the respondent’s day-to-day work rather than through overly generic questions. Management certification may well play a role, along with, for many financial institutions, the board looking more closely at how well the senior managers’ regime is working in practice. This all adds up to taking a good look at how the risk-controls-assurance mapping can be applied in a value-adding way.


Check how well the assurance sources are working


There’s not so much comfort to be gained from the assurance sources if the committee cannot be fully confident that those sources themselves are working well. The Code change might be the time to check that the review of the quality of internal audit work is as structured and probing as it might be: is it all about a check against international standards or is the insight coming from the organisation too? Does the committee really look at the nature and quality of external audit work on internal controls? And how does the executive satisfy itself that its second and third lines are working well?


Determine what evidencing and documentation you’ll need


As a starting point, some legal advice might well be needed on what making ‘a declaration’ might mean: What are the risks? What evidencing and documentation might be required to mitigate the risks? And how does all this fit with ‘comply or explain’? The board will need to make a call on what the declaration entails. And ask management to set out what more is needed to align processes and evidencing with the agreed risk appetite. And to do this whilst not losing sight of the benefits that can be gained from the discipline that might come with making sure statements can be supported. It will be a question of balance, but one that needs discussing and pinning down rather than just being assumed or left ill-defined.


So, there is a lot to think about – and these are just some of the questions to start asking.


We would not like to think that the new Code will generate big new demands or introduce complications and processes that bring little value. And companies and advisers alike must make sure that costs are kept under control and are justified. Hopefully, the run up to 2026 will not evolve into programmes that take on a life of their own and start distracting management from running the business and boards from keeping a strategic focus.


But it’s still better to start asking these questions now. This will help the board and executive set out a well thought through path to their first declaration. And give them time to really work through the benefits to the business rather than drift into what becomes a push for compliance as the deadline looms.
