Tim Le Mare
Solutions Sales Director

UK Corporate Governance Code brief: Identifying material controls

October 24, 2024

From January 2026 the UK Corporate Governance Code will contain a new reporting provision relating to risk management and internal control.

Provision 29 requires boards to “monitor the company's risk management and internal controls framework and carry out a review of its effectiveness, at least annually”. They must provide a declaration on the effectiveness of material controls, report any instances where those controls have failed and what has been done to address this. Crucially, the provision covers both financial and non-financial controls, bringing non-financial controls into the Code’s sphere of influence for the first time.

This provision remains within the code’s non-prescriptive ethos and the FRC has emphasised that the “comply or explain” principle should be used, giving organisations a degree of flexibility. However, this very flexibility raises questions for boards and the internal audit and risk professionals who will be taking the lead in complying with the new provision. Namely, how to determine what controls fall into the “material” category – especially in the non-financial area.

This was top of mind for attendees at Diligent’s recent briefing at the London Stock Exchange. Steven Brown of Brave Within Consultancy explored how organisations can approach the challenge of determining materiality.

Be clear on what matters to the business

One of the traps organisations fall into when thinking about risks and controls is setting too broad a scope for “material” risks. While it is natural to want to address as many risks as possible, it is essential that they are placed in a hierarchy, with the most important, or “material”, risks at the top. When too many risks are identified, it becomes impossible for the organisation to manage them all. So how should the initial list of important controls be identified?

Steven advises organisations to start by identifying the business’s strategic objectives. Why does it exist, what does it want to achieve, and what makes it stand out from the competition? This should result in five to six core business objectives that sit at the heart of the organisation.

Then, ask what the principal risks threatening these objectives are. What would stop the company achieving these aims and damage the business model, liquidity, competitive position, or the company’s reputation? Steven advises that these should number no more than approximately a dozen.

When these dozen principal risks have been identified, the controls designed to address them are, by default, the material controls that should be monitored, reviewed and reported on by the board.

In addition to identifying risks based on strategic objectives, Steven also advises organisations to look at the principal processes the business depends on to generate revenue and operate smoothly. These might reside within technology infrastructure, or supply chain management, for example, and if risks to those processes are designated material, they will also need material controls.

Finally, he advises that organisations assess their regulatory environment and establish which regulatory or disclosure failures would have a material impact on the business.

Further materiality assessment: the “failure” test

Once the above “top down” exercise has been completed, organisations can further assess the materiality of controls by looking from the other direction and asking what would happen if they failed. Will control failure directly hurt the business from an operational, reputational, or regulatory perspective?

How about stakeholders? Will the control failure result in incorrect reporting, leading to misinformed decision-making by investors? If the answer is “yes” that control is material.

The buck stops (and should also start) with the board

Internal audit and risk managers have an important role to play in identifying potential material controls, but ultimately the decision over which are officially designated “material” for the purposes of Corporate Governance Code compliance rests with the board. It is therefore critical to engage with directors at the start of the process to ensure that they understand the process and principles for identifying the material controls that they will eventually be expected to provide assurance over.

It's also valuable to rigorously document the methodology and rationale that has been employed during the identification phase, so there is a clear reference point should the validity of control selection be queried in future.

Once the material controls have been identified, Steven suggests that companies consider assigning a senior owner to each control to ensure they have the right degree of oversight.

Find the “Golden Thread”

The process outlined above is designed to find the golden thread linking company strategy and CEO priorities with the risks and controls needed to ensure the business has the strongest chance of achieving its goals. Once that thread has been discovered, the next challenge lies in ensuring the controls are effective, and that the business can provide the board with the visibility and confidence it needs to make the required declarations.

Want to learn more? Discover all the significant changes introduced in the 2024 U.K. Corporate Governance Code, focusing on director accountability, risk management, internal controls and board leadership, by downloading our U.K. Corporate Governance & Audit Reform report.


© 2025 Diligent Corporation. All rights reserved.