What’s on the horizon? New UK governance and regulatory requirements coming up in 2024
The UK’s governance and regulatory horizon is crowded, to say the least. Governance, risk and compliance professionals will have their work cut out in the months ahead to keep a steady hand on the tiller and navigate their organisation through a sea of complexity. Expert guidance is invaluable, and that was the reasoning of delegates who joined Diligent and our panel of specialists for a briefing at the London Stock Exchange (LSEG).
Attendees heard Michael Lucas and Carrie Stephenson, of BRAVE Consultancy, alongside Simon Small of AI & Partners, present overviews of the recently agreed EU AI Act, the Economic Crime and Corporate Transparency Act (ECCTA), and the FRC’s UK Corporate Governance Code update. The wealth of practical information provided was put into colourful context by GRC Pundit Michael Rasmussen who joined a lively panel discussion alongside Diligent’s Senior VP and General Manager International, Keith Fenner. Here’s a snapshot of the topics covered.
The EU AI Act — guardrails for responsible AI development and use
Simon Small compared the EU’s AI legislation with the introduction of traffic lights and road use conventions after the introduction of motorised transport. He described the Act as “coming out early and bold and saying ‘these are the rules of the road’ and seeking to clean up the potential risk of rogue AI, while facilitating a lot more traffic to travel down that road in the future.”
The Act applies to any organisation with an EU presence that is involved in developing, marketing and/or using AI systems in the EU. It encompasses the full spectrum of AI, including machine learning, deep learning and generative AI, and classifies use cases into unacceptable risk, high risk, limited risk and low risk. Organisations developing high-risk applications will need to satisfy a rigorous set of obligations before those applications may be marketed.
From the UK perspective, the Government is taking a ‘wait and see’ approach and has developed a cross-sector framework for regulating AI in consultation with around 90 UK regulators. Further guidance will be issued later this year, but a valuable first step for compliance with the EU AI Act and any future UK legislation is to adopt a “Know Your AI System” approach by identifying the systems you use, risk classifying their use cases and developing an outline for your safe, trustworthy and secure enterprise AI adoption.
The Economic Crime and Corporate Transparency Act (ECCTA) 2023
BRAVE Consultancy’s Carrie Stephenson introduced the purpose and objectives of the ECCTA and focused on its three key elements:
- Companies House reforms
- The broadening of the identification doctrine
- The introduction of a new corporate Failure to Prevent Fraud (FTPF) offence for large companies
Carrie noted that the broadening of the Identification Doctrine (already in force under the phased introduction of the Act) from those having a “directing mind and will” — which typically referred to board directors — to include those in senior management positions “acting within the actual or apparent scope of their authority,” means organisations must ensure senior managers understand their responsibilities to act ethically and prevent fraud.
The planned reforms to ID verification at Companies House depend on Government investment in digital systems that will enable face recognition. Delegates shared their scepticism that such a system would be in place in the near term, highlighting the current challenges of registering directors who hold positions in multiple organisations where there are discrepancies in areas such as preferred names. A significant data cleansing activity and processes for maintaining centralised records will be essential to a successful system.
Recommended areas of focus for ECCTA compliance, BRAVE Consultancy
The scope of the ECCTA creates a considerable compliance burden for companies. Carrie noted: “Compliance cannot fall on one person’s shoulders. There needs to be action from audit, risk, legal, and, importantly, HR departments. HR are people managers, and this is all about people.”
UK Corporate Governance Code changes
When the Government withdrew legislation on UK corporate governance and audit reform in November 2023, many of the planned changes to the UK Corporate Governance Code went with it. However, some elements remain, not least of which is the declaration on the effectiveness of internal controls.
BRAVE Consultancy’s Michael Lucas guided delegates through the changes that come into effect from 2025. These require boards to report on the outcomes of decisions, not just the process for making them. They must also report on how they embed the desired culture in the business. There are changes to diversity and inclusion reporting, focusing more broadly on diversity of thought, rather than prescribing specific diversity factors. Principle O establishes the board’s duty for maintaining rather than merely establishing internal controls, and there is a provision specifying malus and clawback in director remuneration.
The main change is Provision 29, which requires an annual board review of the effectiveness of internal controls. Required from 2027, reporting must include a description of how the board has monitored and reviewed the effectiveness of all material controls — not just financial controls but also operational controls in areas such as health and safety and ESG — and a declaration of their effectiveness. It must also include reporting on any controls identified as ineffective, what has been done to address this and what the result has been.
Michael urged organisations to use the Code’s provision for “comply or explain” to engage with the FRC on this new area. He noted the opportunity for enterprise risk management teams to step up in managing internal controls to tighten up the risk management processes that are going to be tested.
Slide courtesy of BRAVE Consultancy
At a more strategic level, Michael noted that “there is clearly a golden thread running through strategy and objectives to risk management and internal controls. If you are going to define what is material to the organisation, you need to understand what the strategy and objectives are. Risk appetite is then key to determining what is a material risk for controls.”
Addressing uncertainty in a volatile environment
A lively panel discussion covered a wide range of topics centring on the challenge of reliably achieving objectives while addressing uncertainty and acting with integrity, which, as GRC Pundit Michael Rasmussen neatly summarised, is what effective governance, risk and compliance delivers. Michael went on to highlight the challenge of achieving visibility over the full risk environment, saying: “We have a lot of risks in siloes at the moment. We need risk orchestration across all departments and a GRC function that operates across them to ensure they are all playing the same tune.”
On the topic of AI, the panel shared their personal views on the evolving challenges and opportunities related to AI, such as ChatGPT. It was clear that the subject of AI, and AI governance in particular, was top of mind for many of our audience.
Commenting on the inherent risk of uploading corporate governance data into public AI platforms, Diligent’s Keith Fenner explained: “At Diligent we see the need to balance innovation with regulation to deliver better information to the board in a timely manner. Now AI is in the mix and our team will build frameworks for managing cyber (and AI) risk so it can be effectively used.”
For more information on what’s on the UK governance and regulatory horizon, download the event presentation here.
The best way to get the latest information on corporate governance, risk management, and compliance – while also building your professional network – is to join one of our events. Our Diligent One platform World Tour reaches Dublin on April 24th and London – back at the Stock Exchange – on June 13th. Sign up to save your space!