Financial Reporting Council Review Points to More Transparent UK Governance Reporting

Key Takeaways

• Meaningful Explanations Over Box-Ticking: More companies are using clear, context-specific explanations when they depart from the 2018 UK Corporate Governance Code, rather than relying on boilerplate language.
• Common Areas of Departure: Audit committee composition, chair independence on appointment and chair tenure remain the main areas where companies explain rather than strictly comply with the Code.
• Push for Concise, Outcomes-Focused Reporting: The FRC urges companies to streamline annual reports, particularly stakeholder engagement sections, by cutting duplication, generic statements and narrative that does not add governance insight.
• Early Preparation for Provision 29: More than half of the companies in the sample already reference the new Provision 29 on risk management and internal control and outline how they are preparing for the 2024 Code’s enhanced expectations.
• Cyber Risk as a Principal Focus: Sixty-six percent of companies highlight board-level oversight of cyber risks, and the vast majority classify cybersecurity as a principal or operational risk amid rising threat levels.

Deep Dive

The Financial Reporting Council has released its final assessment of how UK-listed companies report under the 2018 Corporate Governance Code, and the picture that emerges is one of boards becoming more comfortable using the Code’s flexibility rather than hiding from it.

Published 13 November 2025, the Annual Review of Corporate Governance Reporting looked at 100 companies for the last time under the old Code, with the 2024 version now in effect for financial years beginning this year. What stood out most was not how many companies chose to depart from individual provisions (25 did) but how they explained those decisions.

Companies are increasingly giving clearer, more specific reasons for departures, particularly around audit committee composition, chair independence and chair tenure. Instead of relying on stock language, many companies outlined why their arrangements made sense for their structure, what safeguards were in place and how long the departure was expected to last. The FRC called this a positive development, framing these explanations as a strength of the UK’s “apply and explain” model rather than an exception to it.

Mark Babington, the FRC’s Executive Director of Regulatory Standards, put it plainly in the review, "The UK Corporate Governance Code's flexibility is one of its greatest strengths. Companies have never been expected to follow a one-size-fits-all approach."

Reporting That Gets to the Point

The review also notes a steady shift toward more useful governance storytelling. Companies have become better at describing what the board actually did during the year and what impact those actions had, instead of padding the report with policy text and familiar phrases.

That said, the FRC still sees room for annual reports to be leaner and more focused. Stakeholder engagement sections are highlighted as an area where many companies could trim length and remove duplication, especially where similar information is scattered across different chapters. The regulator also flags the lingering presence of boilerplate language, the kind that sounds polished but adds little insight.

The message is not about writing less, but about writing more deliberately. If a sentence doesn’t help readers understand governance, it probably doesn’t need to be there.

Early Preparation for Provision 29

Although the review centers on the 2018 Code, it also looks forward. More than half of the companies in the sample referenced the new Provision 29—the enhanced requirement on risk management and internal controls that begins for financial years starting in 2026, with reporting to follow in 2027.

Some companies went beyond acknowledgement and provided detail on their preparation work, including updates to control frameworks and changes to board oversight. The FRC sees this early movement as encouraging, given the significance of the provision.

Cyber and IT reporting continues to trend upward as well. Sixty-six percent of companies reported board-level oversight of cyber risks, and nearly all identified cybersecurity as either a principal risk or an operational one. In a year of escalating geopolitical and criminal cyber threats, the regulator calls this level of attention appropriate and necessary.

Explanations as Part of Good Governance

Much of the review focuses on how companies can improve the explanations they provide when they diverge from specific provisions. In areas such as chair tenure, board evaluations and audit committee membership, the FRC highlights examples where companies clearly laid out the rationale, timing and governance safeguards behind their decisions.

Where explanations fell short, the issue was often lack of detail. For example, not specifying when an external board evaluation was last carried out, or giving no indication of whether one is planned in the future. The FRC encourages companies to be more open about the context and duration of departures so that readers can better understand how the board has approached its responsibilities.

Ultimately, the review reinforces a theme that runs through the UK governance model, which is that transparency matters more than strict uniformity. As the 2024 Code takes hold, the quality of explanations, not the number of departures, will remain one of the clearest signals of how seriously a company approaches governance.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.