Principle C of the FRC Corporate Governance Code 2018 (the Code) states:
The board should ensure that the necessary resources are in place for the company to meet its objectives and measure performance against them. The board should also establish a framework of prudent and effective controls, which enable risk to be assessed and managed. (FRC Corporate Governance Code 2018)
The word ensure is unambiguous. It means that the board must put in place the resources necessary to achieve its objectives.
This puts the ball in the CFO’s court.
But neither the word objectives, nor goals, nor any other synonym is defined in the Code, save the implied definition that the board’s objectives and/or goals are contained within its purpose, values and strategy statements “aligned” with its culture (Principle B) in order to “promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.” (Principle A)
It follows that to comply with the Code the board, through the CFO, must ensure that the necessary resources are in place to comply with Principles A & B.
So, using my working example – GSK’s Annual Report 2019 – GSK’s CFO would be required to ensure, for example, that the necessary resources are in place to improve the “quality of life” (its stated purpose) of its customers, to “promote long-term sustainable success” and to “contribute” to wider society.
How do you evaluate all of that accurately, let alone report it?
In particular how do you evaluate contribution to wider society in advance and how do you budget the ‘necessary resources’ to achieve that contribution?
The second sentence in Principle C is about establishing a risk framework which, one assumes, includes both business and legal risk.
That means the GC’s legal risk register must identify top and emerging risks that threaten purpose, strategy, values, culture, etc. and must have the necessary resources in place to mitigate those risks and, in theory, the CFO must satisfy the GC that the resources are in place to do so. Good luck with that.
Turf wars between the Finance, Legal, Risk and Compliance functions in respect of the issues above are commonplace. Some are legendary. I suspect none of these dramas are reflected in Annual Reports.
For example, one of the chief risks on any risk register which is likely to threaten the “long-term sustainable success” of a company is conduct risk. The long list of corporate failures in recent memory resulting from conduct risk events is testimony to the reality of those risks.
Conduct is defined as behaviour over time. Board behaviour is comprehensively addressed in the Code. It follows that a board evaluation should address the behaviour of the board in relation to conduct risk. Good luck with that, too.
In summary, Principle C of the Code is an evaluation and reporting minefield which the accompanying Guidance doesn’t fully address but it is nevertheless an excellent framework for private discussions on relevant ‘matters arising’ which could mitigate significant risks if boards have the courage to have those discussions.