
2025: The Year of Stricter Corporate Governance—Is Your Organization Prepared?


Introduction

Corporate governance aims to ensure that companies are managed with accountability, transparency, and integrity. Governance frameworks evolve over time, with regulators amending existing rules and adding new ones in response to corporate failures and changes in the wider economic environment. In 2024, the UK's Financial Reporting Council (FRC) published a revised UK Corporate Governance Code, and the US Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs. Here is what the updates include.

UK’s Updated Corporate Governance Code

First established in 1992 following the Cadbury Committee report, the UK Corporate Governance Code sets out Principles that stress the importance of good corporate governance to the long-term sustainable success of a company. In 2018, the Financial Reporting Council (FRC) issued a revised Code focused on improving corporate culture, increasing board accountability, and fostering long-term value creation. Since then, the UK has witnessed a number of corporate scandals that highlighted the need to strengthen corporate governance frameworks. As a result, in January 2024 the FRC published the revised UK Corporate Governance Code (the 2024 Code).

The 2024 Code aims to “enhance transparency and accountability of public limited companies in the UK and support their growth and competitiveness.” Companies subject to the Code must apply it to financial years beginning on or after 1 January 2025.

The 2024 Code does not differ drastically from the 2018 edition, and it continues to operate on a “comply or explain” basis: companies must apply the Principles and either comply with each Provision or explain in their annual report why they have not. The Code is organized into five sections, each of which sets out Principles and more detailed Provisions. Here is a short summary of each section:

  • Board Leadership and Company Purpose: The board is responsible for defining a clear company purpose aligned with its values and strategy to drive long-term sustainable growth. This includes engaging stakeholders and shareholders to ensure transparency and integrity, aligning workforce policies with company values and goals, and monitoring company culture. It also empowers the board to take corrective action as needed.
  • Division of Responsibilities: The Code emphasizes balancing power and oversight by clearly defining board roles. It advocates separating the chair and CEO roles to prevent concentration of authority and requires a sufficient number of independent non-executive directors to challenge and support management.
  • Composition, Succession, and Evaluation: The 2024 Code outlines provisions for board structure, succession planning, and performance reviews. It calls for a diverse, skilled board, transparent succession plans, and regular evaluations of effectiveness.
  • Audit, Risk, and Internal Control: The Code requires boards to implement transparent corporate reporting and robust risk management systems to safeguard assets and shareholder interests. It underscores the role of an audit committee in overseeing compliance and integrity.
  • Remuneration: The updated Code stresses fair, transparent remuneration aligned with long-term goals, and requires directors' contracts and incentive plans to include malus and clawback provisions so that variable pay can be withheld or recovered in cases such as misconduct, poor performance, or material error in the figures on which awards were based.

What Must Organizations Do to Ensure Compliance with UK’s Updated Corporate Governance Code?

Companies subject to the 2024 Code must apply the Principles of all five sections and either comply with each Provision or explain their departure from it, with a clear focus on outcomes-based governance reporting rather than boilerplate statements. Key steps for aligning with the 2024 Code should include:

  • Reviewing current governance practices to align with the 2024 Code’s principles and provisions.
  • Assessing and monitoring organizational culture, ensuring it is embedded across the organization.
  • Ensuring that HR and legal teams understand the remuneration principles and Provisions, and establishing clear compliance processes and policies around them.
  • Developing a common risk and control nomenclature and collaborating with stakeholders to identify and record key risks, both existing and emerging.
  • Documenting comprehensive risk management and internal control frameworks with clear processes for:
    • Risk identification
    • Risk and control assessment
    • Risk mitigation
    • Risk and control monitoring
    • Issue management

The US Department of Justice’s (DOJ) Updates to the Evaluation of Corporate Compliance Programs (ECCP)

The US Department of Justice introduced the Evaluation of Corporate Compliance Programs (ECCP) in February 2017. It is a set of questions and guiding principles that prosecutors use to assess the effectiveness of a company's compliance program when deciding whether to charge the organization for misconduct, what form a resolution should take, and how to set penalties and monitoring obligations. Since then, the ECCP has been updated several times to incorporate evolving standards and address new compliance challenges. In September 2024, the DOJ announced further updates. The 2024 updates introduce the following key points:

  • Navigating Risks of Emerging Technology: The 2024 updates add questions on how companies assess and manage the risks posed by artificial intelligence and other emerging technologies, both in their business operations and in their compliance programs.
  • Protecting and Encouraging Whistleblowers: The update focuses on encouraging and protecting whistleblowers and individuals who report misconduct. As per the update, the DOJ will assess how corporate policies and training programs encourage a culture of speaking out, how the organization treats those who do report misconduct, and how it protects them from retaliation. Organizations must ensure there are clear and accessible channels for reporting misconduct.
  • Leveraging Data for Compliance: The DOJ will evaluate whether the compliance function has access to relevant company data and to the analytics tools needed to use that data to improve compliance processes, on a par with the access given to business functions.
  • Lessons Learned: The updates expect companies' training modules to include takeaways from previous incidents, both within the organization and at other companies in the same region or industry.
  • Compliance Integration Post M&As: The updates cover mergers and acquisitions (M&A) and highlight the importance of effective compliance processes in the post-M&A phase.

The 2024 updates to the ECCP also place greater emphasis on clear, comprehensive, and documented policies and procedures and consistent enforcement of policies and disciplinary measures where required. They also highlight the importance of third-party risk management and require organizations to ensure due diligence and monitoring of third-party risks.

What Must Organizations Do to Ensure Compliance?

To realign compliance strategies in line with the 2024 ECCP updates, companies must:

  • Conduct comprehensive risk assessments, customized to industry and geographical operations
  • Document policies and processes clearly to ensure seamless compliance
  • Communicate policies to employees and ensure they understand the risks and mitigation strategies
  • Provide continuous training with relevant use cases to reinforce compliance
  • Establish anonymous reporting processes for misconduct and protect whistleblowers from retaliation
  • Enforce policies consistently, ensuring appropriate disciplinary actions are taken
  • Conduct regular audits to assess program effectiveness and drive continuous improvement
  • Leverage data effectively to identify trends, detect issues, and proactively manage risks

How MetricStream Can Help

The MetricStream Corporate Compliance solution provides a centralized platform for overseeing various components of an ethics and compliance program, such as policy management, a unified library of compliance obligations, compliance assessments, surveys, third-party compliance, and case and incident management. The Regulatory Change Management product allows customers to automate the identification, curation, and extraction of relevant regulatory changes and obligations while mapping these obligations to policies, risks, and controls.

With MetricStream, your organization will be empowered to:

  • Foster a positive ethics and compliance culture while driving policy adoption through a consistent communication and adoption strategy.
  • Mitigate regulatory fines by proactively identifying risks, issues, and blind spots within the compliance framework and related controls.
  • Ensure third- and fourth-party compliance with targeted compliance surveys and assessments.
  • Enhance the efficiency of the compliance function by automating control assessments and testing processes.

Want to find out more? Request a personalized demo today!

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.