There have been a number of corporate governance developments since our last newsletter. We report elsewhere on the latest from the FRC on its announcement that it is to revise its going concern guidance and on the detail of the final regulations in relation to directors' remuneration reporting. Below are brief details of other items that may be of interest.
Remuneration of directors of quoted companies: indicative timetable for commencement of relevant ERRA provisions
The Business, Innovation and Skills Department (BIS) has published indicative timetables for the commencement of the provisions of the Enterprise and Regulatory Reform Act 2013. The ERRA contains, among other things, the new provisions relating to the disclosure and approval of remuneration of directors of quoted companies. As expected, the timetables confirm that sections 79 to 81 of the ERRA will be brought into force by commencement order on 1 October 2013, affecting companies with a financial year ending on or after that date.
A useful policy paper summarising the content and objectives of the ERRA, which covers a number of other areas including the new competition regime (see our article in our June newsletter for details), has also been published.
ICSA guidance for boards on managing cyber risk
The Institute of Chartered Secretaries and Administrators (ICSA) has published a guidance note for company boards on issues to consider in managing cyber risk. The report was commissioned by BIS. ICSA flags up that cyber risk should now be treated as a business-critical risk, addressed by the board from both a strategic and operational standpoint in the same way as other key risks, rather than as an IT issue.
The guidance note sets out a number of points boards might want to consider, including:
- carrying out a comprehensive, business-wide risk assessment in relation to cyber attacks to consider both current and potential risks
- when reviewing the risk assessment, the board and audit committee should focus on the consequences of a cyber attack; the note includes a list of key questions the board may wish to ask of management
- ensuring the board has direct contact with the Chief Risk Officer (or equivalent)
- regular monitoring and review of control procedures by the board and the appointment of key individuals to ensure a quick response to a cyber attack
- assessment of identified cyber attacks to understand weaknesses in internal controls and procedures and the improvements that need to be made.
The ICSA guidance note can be accessed here.
If you have any concerns about cybersecurity and data security, Hogan Lovells has a dedicated Cybersecurity and Data Security Practice – you will find further details here.
Joint research report from Airmic and ICSA on risk reporting and disclosure
Airmic, which is a UK-based organisation representing risk managers, and ICSA have published the findings of research which assessed the approach to risk management and reporting of a number of FTSE350 companies by reviewing their annual report and accounts.
The findings from the research suggest that the standards of risk reporting vary between companies and particularly between different business sectors. Eight different business sectors were looked at and it was found that firms in the leisure industry had a generally high standard of risk reporting, whilst those in sectors such as food and drink were generally uninformative. Risk reporting among chemical and pharmaceuticals companies and among mining and energy companies was not generally of a high standard, even though these are generally regarded as relatively high-risk industries. It was also found that risk reporting tends to be seen as a stand-alone item rather than being considered as part of the wider corporate strategy of a company.
The report suggests elements that should be covered to achieve successful risk management, which should then be evidenced through a company's risk reporting. Examples of good risk reporting are identified with the aim of promoting awareness of the benefits this can bring, such as enhanced shareholder confidence that a company has a robust risk management plan.
Narrative reporting update
A revised draft of the Companies Act 2006 (Strategic Report and Directors' Report) Regulations 2013 has been published. These regulations set out details of the new structure for narrative reporting which replaces the requirement for a business review as part of the directors' report with a requirement for a stand-alone Strategic Report. We reported in detail on the proposals in our November newsletter.
This revised draft makes some changes to the draft regulations we reported on in November. These include:
- new requirements for a quoted company to make certain disclosures in the directors' report relating to greenhouse gas emissions (see below)
- for quoted companies, the gender split, in number, for its senior managers. This was included previously but the definition of what is meant by senior manager has been widened
- if a copy of the Strategic Report is to be provided to those who have requested it instead of the full accounts (the Strategic Report replaces summary financial statements), certain additional information is required to be provided
- the regulations will apply to financial years ending on or after 30 September 2013.
The draft regulations are intended to come into force on 1 October 2013 and can be accessed here.
Defra has now published guidance to help companies comply with the mandatory greenhouse gas reporting requirements set out in the regulations, including an example of a corporate greenhouse gas emissions report. The guidance supersedes the government's 2009 guidance on greenhouse gas reporting and also covers wider environmental reporting on areas such as water, waste and biodiversity. We reported in more detail on the proposals for greenhouse gas emissions in our August 2012 newsletter.