Archive for the ‘Recent developments’ Category

Cyber Security: A Question of Risk

Cyber security has been in the headlines recently with high-profile incidents of hacking of various organisations’ IT systems and their supposedly secure data.

The ‘UK Corporate Governance Code (2016)’ discusses risk management and internal control, stating: ‘The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated’ (para C.2.1).

The UK’s Financial Reporting Council (FRC) placed cyber security firmly on the agenda for companies’ risk management strategies when, in October 2016, they wrote to audit committee chairs and finance directors, commenting “we encourage companies to consider a broad range of factors when determining the principal risks and uncertainties facing the business, for example cyber security and climate change”.

The Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) published a joint report ‘At the Junction of Corporate Governance & Cyber Security (2017)’. The report recommends that the fundamentals of a cyber risk management framework should be based on the OECD principles contained in ‘OECD Recommendation – Digital Security Risk Management for Economic and Social Prosperity (2015)’ and the ‘Three Lines of Defence’ model promoted in the joint FERMA-ECIIA publication ‘Audit and Risk Committees – News from EU Legislation and Best Practices (2014)’.

The FERMA-ECIIA (2017) report’s conclusions include: beyond IT, cyber security is also becoming a matter of corporate governance, and the right governance framework is crucial to the efficient management of cyber risks; organisations should create a “Cyber Risk Governance Group”, reporting to the Risk Committee and chaired by the Risk Manager, to determine with other functions the cyber risk exposure, expressed financially, and to establish possible mitigation plans. The Group should cooperate with Internal Auditors to avoid silos; Internal Auditors review the controls implemented and give independent assurance to the Audit Committee about the cyber risk, the efficiency of the controls and the mitigation plans; and the Risk Committees and the Audit Committees must collaborate to present a common view to the Board about cyber risk management.

Cyber security in large FTSE companies

In February 2017, Deloitte published its ‘Cyber Reporting Survey (2017)’, which is available here. It provides useful insights into the cyber reporting practices of the UK’s FTSE 100 companies. The outcomes of their review of FTSE 100 annual report disclosures include that 87% of companies disclose cyber as a principal risk; the value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage; detailed disclosure highlights the risks to shareholders, and the better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders; boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk; and companies should take credit for what they are doing, including describing who has executive responsibility, board-level responsibilities, the policy framework, internal controls, and disaster recovery plans. Deloitte’s Cyber Reporting Survey also points out that the UK does not have a specific cyber security disclosure framework, but that the USA may provide helpful guidance on such disclosure, as the Securities and Exchange Commission (SEC) issued disclosure guidance as far back as 2011.

In July 2017, HM Government published their ‘FTSE 350 Cyber Governance Health Check Report 2017’. The Government has undertaken a regular survey of the UK’s top 350 companies since 2013, to understand how they are managing their cyber risks. Overall 105 companies responded to the 2017 Health Check survey with the majority being the Chair of their company’s audit committee. Cyber risk is now seen as a top, or group-level risk, among the majority of Boards (54%) when compared with all the risks faced by their company. Only 13% of respondents now say cyber risk is viewed as a low, or an operational-level risk for their Boards. Whilst 31% of boards receive comprehensive and informative management information on cyber risks, 68% say they have not received any training to deal with a cyber incident.

Concluding thoughts

The reports discussed above indicate a common theme: that cyber security is of increasing importance, that cyber risk is recognised as a major risk facing companies, and that managing that risk is part of a robust corporate governance structure. There is still a consensus to be reached on whether the risk committee, the audit committee, or a cyber risk governance group is the most appropriate body to manage this risk, and how they might work together to do so. However, it seems clear that in the near future more attention will have to be paid to training in cyber security issues and to the appointment of qualified individuals with relevant knowledge of this area to corporate boards and board committees.

Chris Mallin

November 2017

New Developments in UK Corporate Governance

In previous blogs, I discussed the Department for Business, Energy & Industrial Strategy (BEIS) Green Paper on Corporate Governance Reform issued in November 2016 and the BEIS report which detailed its recommendations and conclusions based on the consultation on this Green Paper. On 29th August 2017, the UK Government published ‘Corporate Governance Reform, The Government Response to the Green Paper Consultation’, available at:

In the Executive Summary, it states that ‘The purpose of corporate governance is to facilitate effective, entrepreneurial and prudent management that can deliver the long-term success of a company. It involves a framework of legislation, codes and voluntary practices.  A key element is protecting the interests of shareholders where they are distant from the directors running a company. It also involves having regard to the interests of employees, customers, suppliers and others with a direct interest in the performance of a company. Good corporate governance provides confidence that a company is being well run and supports better access to external finance and investment.’

The Executive Summary goes on to say that there are nine headline proposals for reform across the three specific aspects of corporate governance on which they consulted, ‘these being executive pay;  strengthening the employee, customer and supplier voice; and corporate governance in large privately-held businesses. It also takes into account the need for effective enforcement of the corporate governance framework.’

Of particular note is that all listed companies will have to reveal the pay ratio between bosses and workers; all listed companies with significant shareholder opposition to executive pay packages will have their names published on a new public register; and new measures will seek to ensure that the employee voice is heard in the boardroom.

George Parker highlighted the emphasis on boardroom pay in his article ‘May maintains focus on boardroom pay’ (Financial Times, 26th/27th August 2017, page 2). The High Pay Centre welcomes the requirement for all listed companies to publish their pay ratios: ‘Most significant of all, from our point of view, was the announcement that the pay ratio between the CEO and the average UK employee will now have to be published by every listed company. We have never claimed that this measure will solve the problem of excessive pay at the top, nor that it will suddenly halt and reverse a trend that has developed over 20 years and more. Unfair or misleading comparisons between pay ratios in very different businesses or organisations should not be made. But finally we will have a meaningful way of tracking the gap in pay between the top and the average employee. Shareholders and other stakeholders will be able to scrutinise these gaps and apply pressure to close them. And this can be done, of course, not just by restraining pay at the top but raising pay for those lower down the scale.’ (Stefan Stern, September Update, High Pay Centre).

The Financial Reporting Council (FRC) will be undertaking a consultation on a fundamental review of the UK Corporate Governance Code later this year, as the 25th anniversary of the Code approaches in 2017.

Chris Mallin

September 2017

Tax avoidance

Recent developments in corporate governance policies and practices

Since the third edition of Tricker – Corporate Governance: Principles, Policies, and Practices published in February 2015, the subject has continued to evolve in regulation, policy, and practice. Some of the more significant developments include:

Tax avoidance

The notion of aggressive tax avoidance, in which corporate groups generating profits around the world transfer profits made in high tax regimes to low-tax havens, was addressed in case 15.2 (3E, p404). This topic has continued to excite interest.

In the UK, Facebook was criticised for paying less than £5,000 in tax, despite having UK sales of more than £100 million. Facebook (UK) channels profits to its international headquarters in Ireland, which then moves them to the Cayman Islands, avoiding corporation tax. Google, Apple, and other multinational groups were also criticised for using tax avoidance devices, such as charging intellectual property and brand image rights to their subsidiaries in high tax countries, transferring the proceeds to regimes with low or no corporate taxes.

Companies resident in the USA are taxed on their global profits at relatively high rates. Some US-based companies, generating taxable profits around the world, have sought opportunities, often through M&A activity, to shift their headquarters and their tax domicile to other countries which have less demanding tax rules. In what is known as ‘tax inversion’, international groups reorganise to reduce their exposure to tax. Though strictly legal, such manoeuvres are, predictably, frowned upon in the US.

Tax avoidance that exploits loopholes in the international tax system is typically compliant with local tax law, but is considered by many to raise ethical questions. However, for anti-tax avoidance measures to work, nations need to cooperate. In October 2015, the G20 and the OECD, institutions representing developed nations, published a set of new measures in an attempt to stop companies exploiting tax avoidance opportunities. The OECD’s ‘base erosion and profit shifting’ project tries to bind multinationals to a set of global tax rules. Sceptics, though, wonder whether nations will be prepared to harmonise their tax laws. For example, the UK introduced a scheme in 2013 which taxed the transfer of intellectual property rights, such as patents, at a substantially lower rate. Ireland and the Netherlands have similar, but different, schemes. See

The European Union has also produced a blacklist of tax haven countries, but the rather arbitrary grounds on which countries have been included have been challenged.

Bob Tricker, January 2016

G20-OECD Principles of Corporate Governance


On 5 September 2015, the G20 Finance Ministers endorsed a new set of corporate governance principles developed by the OECD. The aims of these principles are to reinforce business integrity, improve trust in capital markets, unlock investment, and boost long-term economic growth. The intention is to provide governments and those who publish codes of corporate governance throughout the G20 nations and beyond with recommendations on shareholder rights, financial disclosure, executive remuneration, and the activities of institutional investors and stock markets.

The first OECD corporate governance principles were published in 1999 and updated in 2004 (3E, p129). Following the global financial crisis, which began in 2007, the OECD standards have been recognized as key to sound financial systems. The study leading to the 2015 revision began in 2013 and involved major international institutions including the Basel Committee on Banking Supervision, the Financial Stability Board (FSB), and the World Bank.

Details of the revised principles can be accessed at G20/OECD Principles of Corporate Governance. In launching the new principles, the authorities emphasized that ‘good corporate governance is not an end in itself, but a means to support economic efficiency, sustainable growth, and financial stability. It facilitates companies’ access to capital for long-term investment and helps ensure that shareholders and other stakeholders who contribute to the success of the corporation are treated fairly.’

Bob Tricker, January 2016

Corporate governance by principle or rule


In its drive to create a single capital market, the European Commission has continued its quest to harmonise corporate governance rules across EU member states. Inevitably, it has had to face the dilemma (3E, p477) of whether corporate governance practices should be based on principles, as in the UK’s ‘comply or explain’ approach, or determined by rules backed by law, as in Germany and many other EU states.

This is not a new problem: in 1972, the draft 5th directive from what was then the European Economic Community would have required major companies in all member states to adopt the German two-tier board system of corporate governance, with employee directors on the supervisory board. It failed, not least because of British commitment to the unitary board system. The EU is now working on a shareholder rights directive that would apply across all member states. If enacted, it would have to be enshrined in the laws of each member state.

Around the world, if any trends can be seen, they are towards corporate governance by rules backed by legislation, for example in the Sarbanes-Oxley and Dodd-Frank Acts in the United States. Nevertheless, the UK remains strongly committed to the principles-not-rules approach: in other words, companies should comply with the corporate governance code or explain why they have not done so. Britain is trying to extend this approach to the rest of Europe.

Sir Winfried Bischoff, chairman of the UK’s Financial Reporting Council (FRC), wrote (September 2015): ‘The UK Corporate Governance code recognizes the collective role of the board and makes specific mention of board members and their responsibilities – chief executives, chairmen, and non-executive and executive directors. This is the UK approach and one that Europe is now coming round to. In the last 20 years corporate governance codes have emerged across Europe as public perceptions of boardroom behaviour has widened and come under increasing scrutiny. These codes set out best practice principles for boards and generally operate on a ‘comply or explain’ basis, on the assumption that good corporate behaviour can be accomplished through transparency rather than through hard rules and unnecessary (bureaucratic) burdens.’

The FRC wrote formally to the EU on 26 June 2015, explaining that the FRC sets the framework of codes and standards in the UK for the corporate reporting, accounting, auditing, actuarial and investor communities, including the corporate governance and stewardship codes. It explained how the stock exchange listing rules for major listed companies require them to follow the codes, under the supervision of the Financial Conduct Authority. Details of the work of the FRC and its latest report are available at

Bob Tricker, January 2016

UK reporting on ‘going concern’ taking risk into account

Following the global financial crisis, the UK’s Sharman Report called for companies to give greater clarity to assurances that their company was a ‘going concern’, by identifying liquidity and solvency issues arising from potential long-term risks. In September 2014, the FRC updated the UK corporate governance code to take account of these recommendations, and issued guidance. See and

The code now calls for companies to monitor risk management and internal controls and, at least annually, to carry out a review of their effectiveness, and further to report on that review in the annual report. Since boards are unlikely to want to report on their exposure to risk, it is likely that external auditors will include such reviews in their audit programmes.

However, these changes applied only to companies covered by the code. In October 2015, the FRC issued a further consultation paper for all companies, including those not covered by the corporate governance code, on the assessment and reporting of the ‘going concern’ basis of accounting, taking solvency and liquidity risks into account (3E, p194 onwards).

Bob Tricker, January 2016

Corporate governance in China


I lived in Hong Kong (now a special administrative region of China) for 14 years and have been visiting regularly since 1982. Over that time, China has changed from an essentially agrarian economy, through massive labour-intensive, low-tech manufacturing, to become the world’s second largest economy, second only to the United States. A substantial car and property owning middle class are now moving the economy from an industrial towards a consumer and service orientated society. Nevertheless, China remains a key manufacturer, increasingly in high-tech fields, backed by R&D. The double-digit economic growth seen in recent years was clearly not sustainable indefinitely, but the economic slow-down has produced some interesting corporate governance issues.

The two Chinese stock markets, in Shenzhen (just across the border from Hong Kong) and Shanghai, are predominantly retail markets; institutional investors such as pension funds are relatively new. The markets are also relatively small compared with stock markets in Europe and North America. Seeing dramatic increases in share values and believing government assurances, many individuals borrowed to fund their investments. When the market began to fall, reflecting a slowing economy, and crashed in July 2015 with many shares suspended, the government panicked. In fact, the market had only fallen back to the levels of a year earlier. Yet the government tried to slow the fall by ill-judged interference, prohibiting initial public offerings and providing funds to buy back shares in an attempt to prop up the market. An unanticipated devaluation of the currency by 2% compounded the problem by triggering panic selling of the yuan around the world.

State-owned enterprises (SOEs) still play a fundamental role in China, even though some of them are partially privatised and quoted on the stock market (3E, p297). The government maintains tight control over industries which it feels are strategically important, such as oil, steel, and communications. Control is exercised through enmeshed relationships between government and party officials at every level: from the approval of strategic developments, the appointment and remuneration of senior executives, and the oversight of finances at the state or province level, down to Communist Party cells in each plant at the employee level. Bureaucracy can hinder corporate development.

Private companies play an increasingly important role in China; for example, the e-business firm Alibaba, the vast conglomerate Dalian Holdings, and the computer company Lenovo (although Lenovo is a subsidiary of Legend Holdings, a conglomerate with SOE characteristics). In such firms, the founding entrepreneurs and top executives, working with shareholders, play the dominant role in setting strategic direction, the appointment of top management, and financial oversight. Private firms have more freedom than SOEs to innovate, respond to market opportunities, and stimulate change. Nevertheless, relationships with the state and party (the often-mentioned guanxi) remain essential if a private firm is to prosper.

A recent IMF report (August 2015) calls for a transition in China from slower to better growth. It notes growth slowing as vulnerabilities, particularly credit growth, are reined in, and calls for policies calibrated to ensure an orderly slowdown, and for structural reforms to create new sources of growth (

Bob Tricker, January 2016