Articles - Strengthening risk governance for sustainable success


Organisational failures like those seen with Carillion, the Post Office or BHS show the vital role of effective risk governance. Beyond avoiding pitfalls, strong governance enables organisations to embrace opportunities and achieve strategic goals. This blog explores how boards can align purpose, strategy and risk management to drive success and prepare for changes to the UK Corporate Governance Code. Good risk governance goes beyond preventing negative outcomes — it empowers organisations to take informed risks and seize opportunities that drive success.

 By Harshil Shah, Principal and Head of Risk and Resilience Services at Barnett Waddingham

 Achieving this requires boards to establish a clear purpose with strong values and align these with a well-communicated organisation strategy and risk management framework that helps ensure strategic objectives are met.

 BW is supporting The Risk Coalition’s Raising your Game guidance which is aimed at helping boards and audit and risk committees understand what good risk governance should look like. While the guidance helps organisations that must comply with the UK Corporate Governance Code, it will also benefit any organisation, whether it be in the public, private or not-for-profit sector.

 This principles-based guidance outlines how organisations can strengthen their risk management to mitigate threats and seize opportunities for growth. We recommend all boards and senior leaders adopt the principles and tailor them accordingly depending on the organisation’s sector, size and complexity. The guidance also offers risk managers a clear way to influence and gain buy-in from their executive leadership on the benefits of adopting the principles.

 Principles of risk governance and oversight
 The eight principles of risk governance and oversight set out in the guidance are:

 Board accountability.
 Committee purpose.
 Committee composition and membership.
 The organisation’s approach to risk.
 Risk culture and behaviours.
 Navigating risks and pursuing opportunities.
 Risk management, internal control systems and reporting.
 Independent risk oversight and challenge.

 Changes to the UK Corporate Governance Code
The UK Financial Reporting Council (FRC) Corporate Governance Code primarily applies to premium-listed companies. However, its adoption goes beyond this, as many organisations voluntarily adopt the principles of the code because they recognise the benefits that good risk governance and oversight bring, from stakeholder trust and confidence to organisational resilience.

 The FRC has focused on a limited number of changes in the updated code in the areas of:

 Section 1 - Board leadership and company purpose.
 Section 3 - Composition, succession and evaluation.
 Section 4 - Audit, risk and internal control.
 Section 5 - Remuneration.

The majority of changes came into effect on 1 January 2025, with first reporting requirements in 2026. However, the new Provision 29, under Section 4 (Audit, risk and internal control), has been delayed by a year, with reporting requirements starting in 2027.

 Provision 29 does mark a significant shift in the level of effort needed by organisations to maintain compliance. The FRC seems to have recognised this and that most organisations will need this additional time to ensure they can comply.

 Provision 29 requires the board to “monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness”. This means boards are no longer just responsible for establishing the framework, but also for maintaining its effectiveness.

 Monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The board should provide in the annual report:

 A description of how the board has monitored and reviewed the effectiveness of the risk management framework.
 A declaration of effectiveness of the material controls as at the balance sheet date.
 A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

The aim of Provision 29 is to foster a culture of improved board accountability and transparency around risk management and control. Boards will therefore need a process of continuous oversight and assurance throughout the year, as well as a rigorous annual review of the effectiveness of the framework.

 Modernising the regulator
The Government plans to modernise the remit of the FRC, building upon the regulator's progress over recent years to be more robust and effective.

 At the centre of the Government’s plans is the draft Audit Reform and Corporate Governance Bill which will transform the FRC into the Audit, Reporting and Governance Authority (ARGA) giving the regulator statutory status.

 The primary purpose of ARGA is to strengthen transparency, integrity, investor confidence and public trust in organisations to help drive UK economic growth, stability and global competitiveness.

 Enhancing risk governance and oversight: What can boards do?
Essential to enhancing risk governance and oversight is the board's ability to clearly communicate the organisation's values and purpose, as well as to articulate the purpose of the risk management and internal controls framework. Boards need to be able to authentically judge and, where relevant, report on the framework's effectiveness.

Boards need to be explicit about what assurances they want and what they are trying to achieve. There needs to be a culture where difficult questions can be asked. Board members must take an active role in understanding the business so they can constructively challenge, and be challenged by, both internal stakeholders (risk management, internal audit, risk owners) and external stakeholders (investors, regulators, customers, the public).

 Improve skills and behaviours
 A vast range of skills, knowledge and behaviours are required of boards, audit and risk committees and across the organisation more widely to be able to manage the increasingly complex emerging risks, such as cyber, climate change, AI, geopolitics, and shifts in societal attitudes, while considering moral conundrums and meeting greater reporting expectations around ESG, diversity and Provision 29. This is even before consideration has been given to any interconnectedness of risks and navigating new opportunities.

 It is essential boards are continuously reviewing the capabilities needed as these are critical for effective risk governance and oversight. Examples of capabilities needed include:

 leadership;
 integrity;
 data analytics;
 critical thinking;
 technology;
 change management;
 constructive challenge;
 active listening and communication;
 scenario analysis; and
 horizon scanning.

 Communication and engagement
 There is no place for silo working if risks and opportunities are to be effectively managed. Communication and engagement across the organisation are key for expertise and knowledge to be shared, for best practice to be followed, and for continuous improvement in the management of the organisation’s key or principal risks. Risk information needs to be aggregated and shared across the organisation in a consistent manner to allow for informed decision-making that is strategically aligned to objectives. The impacts of these decisions need to be understood by all relevant stakeholders and there needs to be the right balance between backwards and forwards looking risk information. Scenario analysis and horizon scanning can be really useful here.

 Organisations where everybody has access to the right information and is driving in the same direction are the ones that succeed.

 Immediate priorities for boards
 Boards of listed companies should start addressing Provision 29 now to ensure they are ready. Smaller organisations should also prepare early, to continue to demonstrate their commitment and align with best practice. This is particularly important where smaller organisations provide services to listed or compliant ones, as often there will be an expectation for the same level of robustness in their approach to risk governance.

 Start challenging whether your organisation has:

 The right board members charged with risk management and internal controls accountabilities.
The right risk and audit committee composition, and whether the terms of reference need updating.
 A need for a chief risk officer (or equivalent) and whether there are the right risk management skills and capabilities across the organisation.
 A risk management framework and culture that is fit for purpose and is designed to help achieve strategic objectives.
 A process for continuously seeking assurances the risk management framework is effective.
 The right level and frequency of risk reporting to ensure the board has a comprehensive overview of its current risks and material controls.
 A good understanding of its operating environment in the short to long-term and the potential impact of threats and opportunities from emerging risks.
Any skills gaps and training needs, whether at board level or as general awareness training across risk and resilience related topics, including cyber, business continuity, crisis management, risk appetite and emerging risks.

 The path to resilient growth: Strengthening risk governance
 The ability to take risk is essential for sustainable growth, but it does require effective risk governance and oversight. Effective risk governance is more than a compliance exercise — it is a strategic enabler that empowers organisations to navigate uncertainty, seize opportunities, and achieve long-term goals.

 By adopting principles-based guidance, aligning purpose with robust frameworks, and fostering a culture of collaboration, boards can strengthen their oversight and meet the evolving demands of corporate governance.

 Whether preparing for the changes brought by Provision 29 or addressing emerging risks, prioritising strong risk governance today will position organisations for a resilient and successful future. 
