Introduction
The UK Corporate Governance Code 2018 is the primary structure of organisational governance. It stems from the 1992 Cadbury Committee and is not compulsory for organisations to adhere to. The UK code gives a perspective on the director role, its responsibilities, and duties within an organisation. This is extended to organisational structure and features of governance that are desirable in a stable organisation. It speaks to the requirement of independence for NEDs, remuneration, required disclosures for conflict of interest, and gives good coverage of the expectations of that role. Extending from this to the wider organisation, there are legal and regulatory requirements for businesses to adhere to as well as the discretionary aspects from the UK code. But the evolution of the UK code has introduced some significant problems with regard to how well alignment can be achieved with legal duties.
It is the UK Corporate Governance Code and the recommendations within that code that form much of the basis for contemporary professional thinking on the matter. Do companies even measure up to the UK Corporate Governance Code? Is this even a good standard to measure against? I’d assert an answer in the negative on both counts.
Degradation in trust
Trust in companies is low. Very low. Does this surprise you?
PwC conducted a survey in 2023 relating to business trust. 84% of executives believe that consumers highly trust their company, but only 27% of consumers say they highly trust that company. Furthermore, what drives trust in organisations differs between an executive and consumer perspective. Current company culture is ranked as the top challenge by executives. While that is important in setting the emotional context of the organisation and therefore informing the behaviours of employees, this does not align to a consumer perspective. Only 43% of consumers consider this to be very important, the lowest ranked category in the survey. Interestingly the highest category from a consumer perspective is the protection of customer data at 79%. This is similarly valued by employees at 75% showing a similar disconnect between what the executive and the consumer think.
As PwC note, companies have prioritised communicating about their purpose, values and ‘what their company stands for’. It's interesting then how much organisations place importance on communicating their political perspectives yet take a laissez-faire approach to protecting customer data and processing it in an appropriate and lawful manner. After successive failures it does not seem like the priority of organisations is anywhere near aligned to what consumers or employees want.
So, what causes this disconnect?
Codified conflicts
When considering the UK Code, there are two distinct world views in play, fundamentally misaligned in many ways. One talks to the responsibilities and duties to the company being meritocratic and the other speaks to a set of wider societal issues. The tone of the 1992 Cadbury Code is one concerned with organisational governance, and there has been a shift towards organisations that are increasingly involved in external impacts to wider society. If we compare the following statements, we see a clear illustration of how the focus has changed.
“The board should include non-executive directors of sufficient calibre and number for their views to carry significant weight in the board’s decisions.”
Cadbury Code - 1.3 Code of Best Practice
“Annual evaluation of the board should consider its composition, diversity and how effectively members work together to achieve objectives. Individual evaluation should demonstrate whether each director continues to contribute effectively.”
UK Corporate Governance Code 2018 – Composition, Succession and Evaluation L.
It’s fascinating to see the evolution of expectations of organisations moving away from statements of competence towards statements of DEI. Furthermore, the UK Code recommends that the nomination committee publishes reports including its policies on DEI and how it links to the company strategy. This ultimately relates to an erosion in competence as the priority metric is not one based on ability or skill. This leads to situations, as Professor Bob Garratt outlines, like ‘golden skirts’ and ‘black diamonds’ where tokenism is favoured over meritocratic principles. This is essentially the appointment of a small population based on diversity criteria to multiple boards, so many that they become ineffective in their roles and bounce from meeting to meeting having insufficient time to execute their duties. Of course, we can consider that the Peter Principle will factor more heavily as competence loses primacy.
But this means that the code itself is not beyond reproach and contains embedded values that guide what a director should and shouldn’t uphold as virtues. The conventional thinking in this regard does seem to be in conflict with the Companies Act 2006 requirements for directors to act with reasonable ‘skill, care, and diligence’ or to ‘promote the success of the company’. It also comes into conflict with consumer and employee perspectives. This change in conventional thinking is a candidate as to why there has been a breakdown in trust. Conventional thinking promotes the notion that companies adopt these embedded values via the structures they mandate.
The external political factors are ones that we cannot escape. If we abstract up from Garratt’s view that the board sets the emotional context for their organisations, then we could consider the external political influence with embedded values to set the emotional context of the board. We understand that the environment created informs the behaviour of the boards and consequently of those within the organisations, as we see demonstrably within the Stanford Prison Experiment and Milgram Experiment. These are wider societal problems that are manifested within organisations.
The key point here is that the conventional thinking against which directors are measured is changing and has changed in subtle yet significant ways since the Cadbury Code was first issued. Professional thinking has been usurped by contemporary political thinking in conflict with the duties laid out under statute. This is a notable point of conventional professional thinking as it means it is not a definitive standard against which to measure the role of director; it’s somewhat of a bent ruler.
2018 Independent Review
We know there is a problem with trust in organisations, one that has been punctuated by successive corporate failures which are referenced in an independent review of the FRC. The FRC, being ‘custodians of the code’, receive a striking condemnation in the 2018 review.
“What this spotlight has revealed is an institution constructed in a different era – a rather ramshackle house, cobbled together with all sorts of extensions over time. The house is – just – serviceable, up to a point, but it leaks and creaks, sometimes badly. The inhabitants of the house have sought to patch and mend. But in the end, the house is built on weak foundations.”
And this only reaffirms the weakness in corporate governance in the UK. Comply or explain, right? The review calls for more rigour and standardisation within reporting, auditing, and risk management as well as a number of specific recommendations around board appointments becoming more open. Whilst some of the recommendations are sensible, the review builds from the same paradigm, one that has debatable utility (i.e. the UK code), and deals with matters of measurement and enforcement of the code via a new regulator rather than challenging the axioms of the code.
Leadership Oversight
The 2023 Global State of Risk Oversight, 6th edition by Beasley and Branson deals exclusively with risk management. No reference is made as to the methodology of collecting responses, or what responses were available for selection. The scope is limited to that area of board responsibility and doesn’t speak to other areas of consideration when looking at the professional thinking of the role of director against reality. That being said, we can make a number of inferences about the shortcomings of organisational structures based on how well certain aspects are implemented in the context of risk management and how this reflects on the responsibilities of a director role.
The Beasley and Branson report gives us some insight as to how directors stack up against the conventional thinking. The report gives quite a damning condemnation of the current state of risk oversight in organisations. Less than half of organisations have a CRO (43%); just over half (57%) have management level committees. Beasley and Branson make the observation that ‘Messaging from the organisation’s leaders may be negatively impacting the “tone at the top” about the value of risk oversight’. ICSA refer to the UK code to emphasise the recommendations about how risk management oversight should be treated, which indicates how the ‘board should establish procedures to manage risk’ and how the board should ‘establish an audit committee of independent non-executive directors’. We can draw from this that risk oversight is lacking in many organisations in any meaningful capacity.
The picture gets even more ambiguous if we look to the FRC Review of Corporate Governance Reporting 2022. Half of the FTSE 350 report their risk oversight is effective yet provide no qualification as to how they arrived at this. But there is no standard for this other than organisations deriving their own perspective on the matter. The review is even more perplexing as the narrative is favourable yet it also reports that in a two-year period the number of companies who are reporting full compliance with the code has halved. Again, we arrive at problems with conventional professional thinking. Irrespective, there is a stark deviation from conventional professional thinking when we look at the implementation. It seems that boards are not interested in risk management other than the bare minimum required to fulfil a check box.
But why is it the case?
There is a risk that . . .
There is a clear lack of board engagement relating to risk, yet paradoxically respondents to the Beasley and Branson survey hold the perception that the volume and complexity of risks is increasing. There is also an implication that the directors in these organisations are failing at horizon scanning activities such as those Garratt outlines as part of the self-learning board. As we see a lack of visibility of internal risk, we see a more significant self-reported lack of visibility of external risk. Beasley and Branson make the observation that ‘the focus of risk management practices on emerging/strategic/market/industry risks is the lowest among all categories’. Organisations report that they are blindsided by risk events which are a ‘symptom of limitations in the organisation’s approach to anticipating and managing risks’. We conclude that the reality of directors’ application of the measure is not aligned to professional thinking.
But can risk management claim efficacy in the wake of failures in the practice? Where it is applied, it doesn’t seem to work particularly well for anticipating unforeseen risk events. It has an inability to make predictions about existential problems for an organisation. We may then argue that although directors may deviate from the UK code in this regard, they still are upholding their duties outlined in the Companies Act 2006. Nassim Taleb makes the point relating to the 2008 economic crisis and his criticism is unilateral. He speaks of assessing the fragility as having measurable utility within systems rather than predicting risk. Risk management from Taleb’s perspective is ill-equipped to identify significant disruptive events. The Beasley and Branson survey asks a question but it’s one that is not soluble with the methods it prescribes.
‘How rapidly are uncertainties in the global business environment changing in complexity and volume and is your organisation’s approach to risk management at a level of robustness necessary to manage that changing reality?’
The WEF Global Risk Report 2024 deals with risks; however, this is a report based on respondent surveys, 52% of which are not answering from the perspective of risks as they relate to business. The methodology is that the risk is selected from a pre-defined list collated by the WEF. The focus of the Global Risks Report is one that is oriented to wider societal considerations such as climate change as opposed to risks that business may face directly.
If we look to the WEF report about uncertainties in the global environment we see that 63% of respondents to the survey believe that the ten-year outlook will be ‘turbulent’ or ‘stormy’ (the terminology here raises an eyebrow). The WEF report discusses a number of key areas, these being climate related, financial stability, and societal concerns. If we look to the risk regarding degradation of societal cohesion and the references of increasing polarisation, the document itself is articulating one end of that polarised spectrum. It lacks self-awareness. Reports such as the WEF one and the risks it articulates do place expectations upon directors that they need to be aware of in terms of values and also in terms of regulatory reporting. The WEF reports might just be the canary in the coalmine when it comes to upcoming regulatory changes and go some way towards explaining why companies are promoting ‘what their company stands for’.
We have to consider that risk management will not serve company boards in the way conventional professional thinking perceives it will. We can say with some fidelity that directors of boards do deviate from the conventional professional thinking due to a lack of requisite committees and roles within the organisation as outlined by the code and the FRC; it might transpire that this is the valid response to the code.
Companies are becoming more politicised, and these considerations do need to be a factor in understanding the role of a director as external factors become an increasing part of organisational governance. Metrics like ESG also will impact a company’s ability to obtain investment so they are financially incentivised to conform to the conventional professional thinking and adopt politically acceptable values. Even the 2018 Independent review gives a critique that FRC forums are too “heavily focused on Environmental, Social and Governance (ESG) specialists as opposed to investment decision-makers”.
Conclusion
If we take the UK code as a representation of effective organisational governance and the reports as accurate representations of the current state, we are left with one conclusion. The reality of what is implemented is a partial execution of the UK code, if we are to be generous.
Comply or explain allows latitude for directors to nominally engage with the UK code but in a way that lacks any kind of meaningful execution. Self-defined standards of reporting or assessment such as those for ESG give far too much latitude for directors to ‘game the system’. Although it’s clear based on the FRC report that the standard of explanation is poor, there is no recourse for this so there is no motivation to comply, which is affirmed by the independent review into the FRC.
Director reviews are also somewhat subjective and prone to abuse, and maybe we then need to consider how more rigour can be applied. Chairman selection is critical as they perform the review of directors, and greater scrutiny over how that role is performed might be beneficial.
We might consider that greater specificity or consequences for non-conformance could be an appropriate way to bring organisational governance under tighter control, but then we are encumbering them with possibly ineffective shackles. What is not clear is the performance and longevity of organisations that conform vs those that don’t. So, we are consigned to talking in general terms about the whole population. But the problem is that misalignment to professional thinking by directors does not mean they have not met their legal responsibilities.
Perhaps then the professional thinking and the legal framework require some aspect of harmonisation. But I can’t help but think: should these be measured with more specificity, or would this be undesirable? I can’t decide.
Coda
The introduction of wider social context via the WEF report makes considerations around conventional thinking somewhat awkward to frame. There are many shortcomings, and we can look at examples of where conventional thinking and reality don’t align. We could postulate that either we value competence, or we value diversity. These are built from mutually exclusive paradigms and cannot coexist coherently.
But conflicting values are something that is unashamedly human and flawed in a way that is reflective of the human experience. Rationally, it’s uncomfortable but maybe if there is value in diversity, it is within the inherent disagreement in perspectives that a singular paradigm would lock away from us. It gives rise to a Machiavellian style of political philosophy in order to be effective, it allows leaders to emerge, it creates the problems from which we can choose. A company director must navigate these concerns and understand them. Professional thinking, where it relates to the UK Code, is one of compliance; where it relates to social concerns, it is one of conformance.
Hierarchies of competence exist because difference exists. Success or failure of a company can depend on its culture which can be flexible to many contexts and take a longer view than professional thinking requires. This isn’t about the next quarter, or the next board meeting, or the next audit committee. This is about taking a long-term perspective. Perhaps then, a better measure would be the longevity of the organisations. c. 75% of FTSE 100 companies have closed in the last 30 years and the rate of failure is increasing.
The solution to these problems is reasserting the values of individual sovereignty, and the reassertion of living to those values. The concentric circles of conflicted political influence asserting confused ideology force us down a path where the narrative conclusion can only be destructive. Organisations that have longevity are those that influence society more than they are influenced by society. But they need to have a strong sense of their own values and that comes from the individuals who make up the board. Those individuals must hold to their own set of values that are broadly aligned to the organisation and demonstrate the leadership ability to hold the course.
The standards of leadership are not those that are defined in statute, or by governance code, or a risk management process. They are an intangible component of the human condition. As organisations and their directors are subject to the wider societal context perhaps there is utility in organisations seeking societal engagement to create a better standard of future leaders, not to regulate or measure to an inherently flawed structure as the problems then become compounded.