The Connected Risk Playbook for Provision 29 Compliance and Beyond

Provision 29 of the UK Corporate Governance Code represents a crucial step in strengthening corporate governance through robust risk management and internal controls. In simple terms, Provision 29 requires a company’s board to monitor and annually review the effectiveness of the company’s risk management and internal control framework. This blog post breaks down what that means in practice – from the technical requirements for internal control systems, to how boards should evaluate and report on their effectiveness – and illustrates how global banks are meeting these obligations. We’ll also explore how a “Connected Risk” approach (an integrated, enterprise-wide risk management system) is helping organizations comply, with anonymized case studies, visual roadmaps, and a comparison of traditional vs. connected risk management. Finally, we’ll wrap up with a clear call-to-action on strengthening your governance, risk, and compliance (GRC) systems.

What Does Provision 29 Require?

Provision 29 in a Nutshell: “The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness.” In practice, this means the board of directors holds ultimate responsibility for making sure the company has an effective system of internal controls and risk management – and that this system is working as intended. The board must not only establish and maintain these controls, but also regularly monitor them, review their effectiveness at least once a year, and take action where improvements are needed.

This requirement is part of a broader focus in the UK Corporate Governance Code on managing risk and ensuring long-term viability. It goes hand-in-hand with the Provision 28 mandate that boards carry out a “robust assessment” of the company’s principal and emerging risks and confirm this in the annual report. Essentially, Provision 29 picks up where risk identification leaves off: it asks, “We know our risks – now are we effectively controlling them?”

The goal of Provision 29 is to elevate risk management from a box-ticking exercise to a dynamic, board-level priority. It pushes companies to have strong internal controls embedded in their daily operations and to be transparent about how those controls are managed. In the sections below, we break down the key technical components of Provision 29 compliance:

  • The internal control framework companies need to have in place.
  • How to assess and review the effectiveness of these controls.
  • What must be disclosed publicly in the annual report about risk management and internal controls.

Throughout, we’ll keep the tone approachable and advisory, providing examples to illustrate concepts. Let’s start by looking at what an effective internal control system under Provision 29 looks like.

Building an Effective Internal Control Framework (Provision 29 Requirements)

For companies, the first step in complying with Provision 29 is having the right internal control framework in place. The UK Corporate Governance Code doesn’t mandate a one-size-fits-all framework, but it does set clear expectations about what a good system should cover and how it should function.

Board Responsibility for Internal Controls: The board is explicitly charged with “establishing and maintaining an effective risk management and internal control framework.” This framework isn’t just about financial controls or compliance checklists – it’s the entire ecosystem by which a company manages risk. According to the Code’s guidance, an effective risk management and internal control framework encompasses the company’s policies, culture, organizational structures, behaviors, processes, and systems. In other words, it spans everything from tone-at-the-top and corporate culture, to specific control activities and reporting processes. The framework should collectively:

  • Support the company’s strategic objectives: Controls should help the company achieve its goals, not unnecessarily hinder progress. Good risk management enables sensible risk-taking in pursuit of growth.
  • Safeguard assets and operations: Internal controls protect against inappropriate use or loss of assets, fraud, and operational failures by enabling the company to assess current and emerging risks and respond effectively.
  • Ensure reliable reporting: They help ensure the quality of internal and external reporting, with timely and accurate information flowing through the organization.
  • Ensure compliance: They help the business comply with applicable laws, regulations, and internal policies in day-to-day operations.

In short, the internal control system should cover all material aspects of the business – financial reporting, operational processes, regulatory compliance, and more. The Code’s guidance even encourages boards to use recognized control frameworks or standards (such as COSO’s Internal Control-Integrated Framework or ISO 31000 for risk management) to design and assess their systems. Using a well-known framework can provide a structured approach and common language for internal controls (for example, COSO outlines components like control environment, risk assessment, control activities, information & communication, and monitoring). However, the Code stops short of prescribing a specific model; it acknowledges that one size doesn’t fit all, and boards should tailor the system to their company’s needs.

Coverage of “Material Controls”: A phrase you’ll hear in Provision 29 compliance is “material controls.” These are the key controls that the board will focus on when evaluating effectiveness. Since the Code does not strictly define which controls are “material,” companies must use judgment to identify the critical controls that need board-level attention. Typically, material controls are those that:

  • Address risk of material errors in reporting: This includes controls over financial reporting (similar to Sarbanes-Oxley requirements in the US) and important non-financial disclosures. For example, controls ensuring accurate reporting of safety data or ESG metrics might be considered material if investors rely on that information.
  • Mitigate principal risks to the business: If the company has identified certain principal risks that could threaten its long-term sustainability or viability, any controls that mitigate those risks are likely “material.” For instance, if a bank identifies cyber attack as a principal risk, then its key IT security controls (such as privileged access management, patching and security monitoring) would be material.

There’s no fixed number of material controls a company must have – it depends on the size, complexity, and risk profile of the business. A large multinational might identify dozens of critical controls across various risk areas, whereas a smaller firm might focus on a shorter list of high-level, entity-wide controls. What matters is that the board clearly defines what it considers material controls and ensures those are well-designed and in place.

Key Characteristics of the Control Framework: Whatever shape it takes, the internal control framework should meet several quality criteria highlighted by regulators and best practice guidelines:

  • Tailored and Integrated: The framework should be tailored to the company’s circumstances and embedded in its overall strategy, business model, and day-to-day operations. Rather than existing as a parallel “compliance project,” it should be part of the company’s DNA and culture. Front-line staff, management, and the board all play a part in this framework.
  • Cultural Embedment: A strong risk culture underpins effective controls. The board sets the tone by promoting values like integrity, accountability, and openness in discussing risks. When risk management is part of the culture, employees are more likely to adhere to controls and report issues. (Think of culture as the soil in which your control processes grow.)
  • Agility: The control framework must be capable of responding quickly to evolving risks and changes in the business environment. For example, if a new cybersecurity threat emerges or a new regulation comes into force, the company’s risk management system should adapt – adding or adjusting controls as needed. Stagnant controls that worked last year might not be sufficient for new challenges.
  • Continuous, Not Periodic: Perhaps most importantly, risk management shouldn’t be seen as just an annual compliance drill. The Code emphasizes that the framework “should not be seen as a periodic compliance exercise, but instead as an integral part of the company’s day-to-day business and governance processes.” In practice, this means risk management is ongoing: risks are monitored throughout the year, controls are refined on an as-needed basis, and the board engages with risk information regularly – not just once a year at the annual review.

By establishing a solid internal control framework with these characteristics, a company lays the foundation for meeting Provision 29. Global banks, in particular, have extensive risk management frameworks due to heavy regulation – they often have dedicated risk committees, internal audit functions, and risk departments all contributing to the control environment. But regardless of industry, every company subject to the Code must have a comparable focus on internal controls scaled to their operations.

Next, we’ll discuss how boards assess the effectiveness of these internal controls, which is the core activity Provision 29 expects annually.

Assessing Internal Control Effectiveness (Annual Review Process)

Having good controls is not enough – under Provision 29 the board must evaluate whether those controls are working effectively at least once a year (and ideally on an ongoing basis). This “annual review of effectiveness” is a key obligation, and it involves careful planning, evidence gathering, and judgment.

Ongoing Monitoring: Throughout the year, management should be monitoring risks and controls, with regular reporting to the board (often via the Audit Committee or a Risk Committee). By year-end, the board should ideally have a cumulative view of control performance. Typical inputs to this monitoring include: internal audit reports, risk management reports, compliance reviews, incident reports (e.g. any control failures or near-misses), and updates on remediation of previously identified issues.

The Annual Effectiveness Review: At least once annually – often in conjunction with finalizing the annual report – the board (or Audit Committee on its behalf) will formally review the effectiveness of the risk management and internal control framework. According to the Code’s guidance, the board should “form its own view on effectiveness, based on the evidence it obtains,” exercising appropriate care and diligence.

What does this involve? In practical terms, an effective assessment process might include:

  • Collating Reports and Evidence: Management will present an assessment of internal controls to the board. This might include a summary of key controls and whether they operated as intended, results of any control testing, any control issues identified, and management’s certification or attestation of controls. Many companies rely heavily on their Internal Audit function here – for example, Internal Audit may test a sample of controls and give an independent view of where controls are sound and where there are weaknesses. External auditors may also flag control deficiencies (in the UK they do not provide a formal attestation of internal controls as they do under US SOX, but they do report any significant failings they observe in the course of auditing the financial statements).
  • Consultation and Discussion: The board or committee will discuss control effectiveness with key individuals and units. The Code specifically suggests that the review may include “the units and individuals [the board] has consulted with” in assessing controls. For instance, the board might speak with the Chief Risk Officer, Head of Internal Audit, CFO, and business line leaders to get qualitative input on how well controls are working and where pain points exist.
  • Use of Assurance and Frameworks: Many companies use assurance maps or a “Three Lines of Defence” model to evaluate controls. The first line (operational management) might perform self-assessments of controls; the second line (risk management/compliance) might monitor and report on controls; the third line (internal audit) provides independent testing. The board can consider all these sources. The Code guidance notes that the board’s review may include “any internal or external assurance received” on the effectiveness of controls. It also encourages stating “the name of the recognised framework, standard or guideline” used in conducting the effectiveness review. For example, a board might report that it evaluated controls in line with the COSO framework or ISO 31000 standards, which lends credibility and structure to their assessment.
  • Focus on Design and Operation: Effectiveness means not just that no big incidents occurred, but that controls are well-designed and operate as intended. Boards are advised that when determining if a control is effective, they should consider “its effective design and implementation,” not simply whether an error happened or not. A control could be poorly designed yet by luck the company avoided issues – that control would still be deemed ineffective and in need of improvement. Conversely, a well-designed control might fail once due to an anomaly, but still be fundamentally sound. The board’s review should weigh these nuances.
  • Documentation and Evidence: All findings and discussions should be documented. By the end of the review, the board needs sufficient evidence to support whatever statement they will make publicly about internal controls.

Outcome – Concluding on Effectiveness: Based on this process, the board will conclude whether, to the best of their knowledge, the company’s risk management and internal controls were effective over the year and at the year-end date. Importantly, the Code expects only “reasonable” assurance – the board can only provide a reasonable conclusion on effectiveness, based on the work done and evidence obtained, not an absolute guarantee. Business risks are dynamic, and no system can catch 100% of issues, so this language recognizes that boards are making a good faith statement, not a perfect one.

If the board concludes everything is effective, great – but if not, Provision 29 doesn’t allow sweeping problems under the rug. Let’s see what must be disclosed publicly, including how to handle any identified weaknesses.

Public Disclosure Requirements (Transparency Under Provision 29)

Provision 29 significantly raises the bar on transparency around risk management and controls. Under the UK Corporate Governance Code’s comply-or-explain regime, companies need to publicly report how they are complying with the provisions. For Provision 29, that means the annual report must include a candid discussion about the internal control framework and its effectiveness. Here are the key disclosure elements:

  • Description of the Internal Control Framework: The board should “describe the main features of the [risk management and internal control] framework” in the annual report. This is an overview that gives investors and stakeholders insight into how the company approaches risk management. According to guidance, this description should include: the governance structures in place for risk management (e.g. is there a Risk Committee? Who oversees what?), how the company assesses risks (the processes for identifying and evaluating risk), how it manages or mitigates those risks (the strategies or controls in place), and how information flows and is shared across the organization. Essentially, stakeholders should be able to read this section and understand, at a high level, “this is how risk and internal control are handled at Company X.” For example, a company might disclose that it has a risk management framework aligned to COSO, with a centralized risk function, quarterly risk reviews by the board, an internal audit program that tests controls, and risk management software through which issues are escalated upward. The Code encourages avoiding boilerplate here – the description should be tailored and insightful, not generic compliance jargon.
  • How Effectiveness Was Monitored and Reviewed: In addition to describing the framework itself, the annual report should provide a summary of how the board monitored and reviewed the effectiveness of that framework during the year. This is basically a disclosure of the process the board followed. For instance, did the Audit Committee review reports from management every quarter? Did the board have a special session on risk controls? Did they commission any external reviews? The disclosure may mention “the type of information the board has received and reviewed; the units and individuals it has consulted with; any internal or external assurance received; and (if relevant) the name of any recognized framework or standard used” in conducting the review. By sharing this, the company provides evidence to shareholders that the board didn’t just passively trust that “all is fine” – they actively kicked the tires on the control systems. For example, a bank’s annual report might state: “Throughout the year, the Board (via the Risk Committee) monitored the internal control framework through quarterly risk reports and compliance updates. In its annual review, the Board considered the results of 20 internal audit reviews of key controls, consulted with the Head of Compliance and CRO, and benchmarked our controls against the ISO 31000 risk management standard. These activities informed the Board’s assessment of our internal control effectiveness.” This level of detail builds trust that the board is doing its job diligently.
  • Declaration on Effectiveness of Controls: Perhaps the most significant new disclosure under Provision 29 is that companies must include a clear statement (declaration) on whether the company’s material controls were effective as of the year-end. The guidance states: “The annual report should include a declaration on the effectiveness of the material controls at the balance sheet date.” In plain language, the board has to say, “We believe our controls were effective as of 31 December 2025” (for example), or if not, say “we have weaknesses.” This is somewhat analogous to the U.S. Sarbanes-Oxley Section 404(a) requirement, under which management must assess and report on the effectiveness of internal control over financial reporting – but the UK’s Provision 29 goes broader (all material controls, not just financial reporting) and is framed as part of the governance code rather than hard law. It’s a big deal because it forces directors to publicly take accountability for the state of controls. Knowing they must make this statement likely spurs more rigorous oversight during the year (nobody wants to declare a failure unless unavoidable). The statement is to be made with reasonable assurance (as noted earlier, not an absolute guarantee).
  • Disclosure of Any Weaknesses or Failures: If the board’s review finds that any material control was not operating effectively at year-end, the company must disclose this fact, along with actions taken or planned to remedy the issue. For example, the annual report might say: “During the year, a weakness was identified in our IT access controls, resulting in a number of unauthorized access incidents. The Board regards this as a material control that did not operate effectively at the balance sheet date. A remediation programme (including a new access management system and policy changes) is underway to address it.” This honesty can be painful in the short term (no board wants to advertise control failures), but it’s required under the Code’s ethos of “comply or explain.” By addressing it openly, the board can maintain credibility – and stakeholders will expect updates on improvements next year. In fact, the guidance says the annual report should also summarize how the board has addressed any issues that were reported in prior periods. So if last year a weakness was revealed, this year’s report should say whether that was fixed. This creates a feedback loop of continuous improvement and accountability.
  • Comply or Explain Flexibility: The Code allows some flexibility if a company truly cannot make a full positive statement. In rare cases, if the board is unable to determine the effectiveness of certain controls or cannot in good conscience give an overall declaration, they can resort to an explanation. The guidance notes that the board could “utilise the ‘comply or explain’ nature of the Code” and explain the situation in the annual report. For instance, a company might explain that a recent acquisition has controls not yet fully integrated or evaluated, so they cannot assert effectiveness for that portion and will address it next year. This is essentially a safety valve to avoid forcing boards into making potentially misleading positive statements; however, using this escape clause might draw scrutiny, so it’s likely only used in exceptional circumstances.
  • No Disclosure of Sensitive Details: While transparency is required, the Code does not ask companies to reveal information that would be genuinely harmful to their competitive position or security. The guidance reassures boards that they are “not expected to provide any disclosures which, in [the board’s] professional judgment, contain confidential information or information that could inadvertently affect the company’s interests if publicly reported.” In practice, this means you should describe issues in general terms and outline actions, but you don’t need to publish, say, the exact technical specifications of a security vulnerability or the names of specific employees disciplined for control failures. A balance between candor and prudence is encouraged.

These disclosures usually appear in the Risk Management and Internal Control section of a company’s annual report, often as part of the Audit Committee or Board report on governance. Additionally, many companies include a “viability statement” (required by a separate provision of the Code) where the board assesses the company’s prospects over a longer term (say 3-5 years) in light of its principal risks. The work done under Provision 29 – robust risk management and strong internal controls – provides the foundation for that viability statement. For example, companies use their risk and control assessments to inform scenarios in the viability statement. While the viability statement is beyond the scope of Provision 29, it’s worth noting that all these governance pieces interconnect.

By fulfilling the above disclosure requirements, companies demonstrate to shareholders and regulators that “yes, we have a solid handle on our risks and controls, we’ve checked carefully, and here’s how we’re being open about it.” This transparency is intended to build trust and signal that the company is well-governed.

Now that we’ve covered what Provision 29 entails – both internally and in public reporting – let’s look at how companies, especially complex global banks, are actually implementing these practices. In particular, we will focus on the concept of Connected Risk and how leveraging integrated risk management systems can make meeting Provision 29 obligations easier and more effective.

Meeting Provision 29 Through a Connected Risk Approach

Complying with Provision 29 can be challenging, especially for large organizations with complex operations. Global banks, for example, deal with a vast array of risks – financial, operational, compliance, technological, and beyond – often managed by different teams across different regions. Traditionally, risk management in many organizations has been siloed: one system for operational risk incidents, another for compliance tracking, spreadsheets for internal controls, separate reports for different risk types, etc. This fragmentation can make it difficult for the board to get a clear, enterprise-wide view of risk and control effectiveness when it comes time for that annual review. Gathering the necessary information becomes a resource-intensive exercise, and things can fall through the cracks.

Connected Risk is an emerging solution to this problem. The term refers to an integrated, holistic approach to governance, risk, and compliance – often enabled by a single technology platform – that “connects” all the dots of risk management. A Connected Risk platform unites the various risk and control processes in one place, providing a big-picture view. For instance, Thomson Reuters (whose Financial & Risk business later became Refinitiv) offers a Connected Risk software platform that many financial institutions use. According to Thomson Reuters, Connected Risk delivers “optimal risk management through an enterprise-wide view of risk”, integrating data from multiple sources into a single aggregated perspective. By using advanced mapping, tagging, and a common taxonomy, it makes complex risk information easier to understand and navigate at both detailed and big-picture levels. In short, it breaks down silos: “Connected Risk removes the limitations that often emerge when aligning an off-the-shelf system to existing risk processes or reporting standards.” In other words, instead of forcing the company to fit into rigid risk software, it adapts to how the company operates and connects the pieces.

How does this help with Provision 29 compliance? Let’s draw a quick comparison between traditional risk management systems and a Connected Risk system:

Traditional vs. Connected Risk Management Systems (Comparison)

Data and Systems
  Traditional: Siloed systems and spreadsheets for different risk types (finance, ops, compliance) – data is fragmented and not easily aggregated.
  Connected: Unified platform consolidating risk data from all sources into one repository – data is standardized and connected across the enterprise.

Visibility for Board
  Traditional: Limited visibility; the board sees piecemeal reports. Hard to get an overall risk/control picture without manual collation.
  Connected: Enterprise-wide visibility through dashboards and reports. The board can drill down into risk and control information in real time, across the whole organization.

Efficiency of Monitoring
  Traditional: Time-consuming manual processes to collect and reconcile risk information from various departments. Reviews often rely on quarterly or annual snapshots.
  Connected: Automated workflows and real-time monitoring. Continuous updating of risk and control status. Alerts for control failures or emerging risks, enabling proactive oversight.

Risk-Control Linkage
  Traditional: Risk assessments and control evaluations often happen in separate silos. Difficult to link a specific risk to the control(s) mitigating it, or to see interconnected risks.
  Connected: Fully integrated risk and control registers. Each principal risk is mapped to its controls, owners, and assurance activities. The “connected” view shows how one control affects multiple risks and vice versa.

Issue Tracking & Remediation
  Traditional: Issues identified (e.g. audit findings, incidents) might be tracked in ad-hoc ways. Follow-ups can be lost or not communicated across teams.
  Connected: Centralized issue and action tracking. If a control weakness is found, it is logged in the system, an action plan is assigned, and progress is visible to all relevant stakeholders until resolved. This makes it easier to address and disclose issues per Provision 29.

Compliance Reporting
  Traditional: Preparing the annual internal control effectiveness report is a major project – pulling information from many sources, with potential for gaps.
  Connected: Much of the needed information (risk descriptions, control evaluations, test results, issues, etc.) is available on demand. The platform can generate draft reports, evidence logs, and dashboards that feed into the board’s annual review and disclosure.

Adaptability
  Traditional: Adding new risk types or responding to new regulations might require new tools or significant process changes. Integration is difficult.
  Connected: Highly configurable and modular. Can adapt to new risk areas (e.g. ESG risks) by configuring within the same platform, keeping everything connected. Scale and change are easier to manage.

As the table suggests, a Connected Risk approach aligns perfectly with the spirit of Provision 29 – which is about having a comprehensive, effective, and continuously monitored risk management framework. By leveraging technology and integrated processes, companies can more easily fulfill the requirements (and demonstrate they have done so).

In fact, the Connected Risk platform was explicitly designed to help organizations “demonstrate strong governance and sound internal controls in the face of intense, enterprise-wide regulatory scrutiny.” Global banks, with regulators and stakeholders demanding ever more assurance, have been early adopters of such solutions. They use Connected Risk or similar GRC (Governance, Risk & Compliance) systems to ensure that from the boardroom down to individual departments, everyone is looking at the same integrated risk information. This makes the annual effectiveness review far less daunting because the groundwork – consistent risk monitoring and control evaluation – is laid throughout the year.

To illustrate how this works in practice, let’s look at a couple of anonymized real-world case studies of global banks that implemented a connected risk approach to meet their internal control compliance obligations.

Case Studies: How Global Banks Leverage Connected Risk

Below we present two anonymized case studies based on global banks (composite examples drawn from industry experience) that implemented Connected Risk systems. Each “case study box” highlights the bank’s approach and the outcomes achieved in strengthening internal controls and complying with Provision 29.

Case Study 1: Large International Bank – Breaking Down Risk Silos
Challenge: A large international bank operating across 40+ countries found its risk management processes heavily siloed. Operational risk events were tracked in one tool, compliance issues in another, and internal control documentation in spreadsheets. When the board asked, “Are our controls effective?” it took weeks of coordination to gather partial answers from different departments. The bank faced upcoming Provision 29 requirements and needed a more efficient, consolidated approach to monitor risk and controls.

Approach: The bank adopted a Connected Risk platform to serve as a central hub for all risk and control information. They began by uploading their enterprise risk register and mapping each principal risk to key controls and responsible owners. Departments that previously used separate systems now fed their data into the Connected Risk platform – for example, internal audit integrated their findings, and compliance integrated regulatory breach logs. The platform’s dashboards were configured for different audiences: operational managers could see detailed risk indicators for their unit, while the board and risk committee had an enterprise-wide risk dashboard highlighting top risks, control status, and outstanding issues. The bank established a cross-functional risk governance team to oversee the system and ensure data quality (e.g. no risk update gets siloed).

Outcome: Within a year, the bank saw a step-change in its risk oversight. Information that once took weeks to compile was available on-demand. In the first annual effectiveness review after implementation, the Board was able to easily review real-time reports on all material controls, complete with evidence such as test results and incident trends. They identified two control areas in need of strengthening (related to IT access and third-party oversight) and had actionable remediation plans in the platform, which they disclosed in the annual report. Investors reacted positively to the enhanced transparency. Internally, there was a cultural shift: risk management became more proactive, with issues flagged and fixed earlier. The bank met its Provision 29 obligations confidently, and executives noted that the Connected Risk approach not only simplified compliance but actually improved their business by reducing surprises and losses from risk events.

Case Study 2: Global Bank (Regional Subsidiaries) – Strengthening Control Assurance
Challenge: A global banking group with several regional subsidiaries (each with some autonomy) struggled to maintain consistent internal control standards across the group. Different subsidiaries had varying quality in documentation and testing of controls. With Provision 29’s effectiveness declaration looming, the group board was concerned that without uniform oversight, they might miss a material control failure. They needed to ensure every regional unit was up to the mark and that the group could consolidate control assessments effectively.

Approach: The bank rolled out a Connected Risk-based Internal Controls Management program across all subsidiaries. They introduced a common control framework aligned to COSO, hosted on the connected platform. Each region’s finance, risk, and operations teams were trained to document their key controls in the system, perform regular self-assessments, and log any control deficiencies. The platform was configured to require quarterly sign-offs on control status by regional managers, with workflows automatically escalating any “red flags” (like a self-assessment indicating a control failure) to group-level risk officers. The internal audit function also used the platform to plan and track audits across regions, and to record audit findings linked to the relevant controls. This created a single source of truth for internal control status group-wide.

Outcome: This initiative harmonized the internal control process throughout the bank. At year-end, the Group Board received an aggregated report from the Connected Risk system showing 100% coverage of all material controls across all subsidiaries, with traffic-light ratings indicating effectiveness. They could see that, say, 95% of material controls were green (effective), 4% amber (minor issues being addressed), and 1% red (significant issues with corrective action in progress). Crucially, they discovered a particular issue in one region’s compliance controls that might have gone unnoticed before – and were able to ensure it was being fixed and disclosed appropriately. The Board’s Provision 29 declaration in the annual report was backed by hard data: they not only stated that they had reviewed effectiveness, but could point to the systematic process behind it. For the next cycle, the bank expects even better results, as the few issues identified are being remediated. This case showed that Connected Risk tools can provide a level of assurance and granularity that gives the board confidence in signing off on control effectiveness, even in a decentralized organization.

These case studies demonstrate how a connected approach to risk and control management can yield tangible benefits: better visibility, faster information flow, and stronger control oversight. Both banks were able to meet the letter and spirit of Provision 29 – not just to comply with the Code but to genuinely improve their risk management.

The Provision 29 Compliance Journey (Visualizing the Process)

It’s helpful to visualize the compliance journey under Provision 29 – from setting up controls to continuous monitoring and reporting. Below is a conceptual flowchart of the steps involved, which could serve as a roadmap for any organization aiming to strengthen internal controls in line with the Code:

  1. Establish/Enhance Internal Control Framework: Define your risk management and internal control framework (tailored to your business strategy and risks). Identify key risk areas and map out “material controls” that address those risks. Set governance structures (e.g. assign control owners, form risk committees). (This aligns with upfront requirements of Provision 29 – having a solid framework in place.)
  2. Implement Controls and Embed in Operations: Roll out the controls and embed them in daily processes. Train staff on risk-aware culture and procedures. If adopting a Connected Risk system, configure it to capture all relevant risk and control data at this stage.
  3. Monitor Throughout the Year: Continuously monitor risks and control performance. Use dashboards or reports to track indicators (e.g. incident logs, KPIs, audit findings). Address minor issues as they arise – don’t wait. (Ongoing monitoring prepares you for the big annual review and prevents nasty surprises.)
  4. Gather Assurance (Testing & Review): Periodically test controls for effectiveness. This can be done via internal audits, management self-assessments, or external reviews. Document the outcomes in a centralized system. If using Connected Risk software, ensure all test results and issues are logged. This step gives the board evidence to rely on.
  5. Board’s Annual Effectiveness Review: At year-end, consolidate all risk and control information for the board. The Audit/Risk Committee and then the full Board review the effectiveness of the risk management and internal control framework, armed with data and reports (e.g. a Connected Risk dashboard summary). They discuss and challenge where needed, and ultimately form a conclusion on effectiveness.
  6. Disclosure and Reporting: Draft the internal control report for the annual report. This includes the description of the framework, how the review was conducted, and the board’s declaration on effectiveness, including any weaknesses and actions (as detailed earlier). The board approves this language for publication.
  7. Continuous Improvement: After reporting, use the lessons learned to improve. If any control weaknesses were disclosed, prioritize fixing them in the new year. Update the risk management framework for any changes in strategy or external conditions (a new regulation, new business line, etc.). Then repeat the cycle, which should be smoother each year as the process matures.

(Imagine a flowchart here depicting the above steps in sequence, with feedback loops – for example, a loop from Step 7 back to Step 1 showing continuous improvement. Each step could be a box, perhaps with icons: a shield icon for establishing controls, a monitoring eye icon for continuous monitoring, a checklist icon for testing, a meeting table icon for board review, and a report icon for disclosure.)

By following this journey, companies create a virtuous cycle of risk management: robust controls → active monitoring → effective board oversight → transparent reporting → trust and improvements → and back to even more robust controls.

And when much of this journey is facilitated by a Connected Risk platform, each step becomes more efficient and reliable – the flow of information is seamless, responsibilities are clear, and the board can truly act as the steward of risk management that Provision 29 envisions.

Conclusion & Call to Action: Strengthening GRC with Connected Risk

Provision 29 of the UK Corporate Governance Code is more than just a compliance box to tick – it’s an opportunity for companies to elevate their governance, protect their business, and build stakeholder confidence. By establishing strong internal controls, diligently reviewing their effectiveness, and transparently reporting the outcomes, boards fulfill both their regulatory obligations and their broader duty of stewardship to the company. The experiences of global banks show that embracing a Connected Risk approach – breaking down silos and unifying risk management – can make this process not only manageable but genuinely value-adding. It transforms risk management from a fragmented chore into a cohesive strategy that supports better decision-making and resilience.

As you consider your own organization’s readiness for Provision 29 (or similar internal control requirements), ask yourself: Do we have an integrated view of our risks and controls? Can our board confidently declare our controls effective, with evidence to back it up? If the answer to either is “not yet,” it may be time to explore how Connected Risk solutions can help close the gaps.

Ready to strengthen your GRC approach? Contact our team to discover how you can turn Provision 29 compliance into a catalyst for operational excellence and trust. Empower your organization to not just comply with the UK Corporate Governance Code, but to thrive under it. Your journey to stronger risk management and corporate governance starts now – make that commitment to Connected Risk and take your GRC to the next level.
