There’s a shift coming in UK corporate governance, and it’s got boardrooms on notice.
Effective for financial years starting on or after 1 January 2026, Provision 29 of the updated UK Corporate Governance Code introduces a new level of scrutiny over your company’s risk management and internal control framework. And unlike past guidance, which left plenty of room for interpretation, this one’s explicit. Boards must monitor, review, and, most importantly, declare whether their controls are actually working.
If that doesn’t spark a sense of urgency, it should.
What Does Provision 29 Require?
In plain terms, Provision 29 puts the burden squarely on the board to:
- Oversee the company’s risk management and internal control systems
- Conduct an annual review of these systems
- Include in the annual report:
  - A description of the review process
  - A declaration of effectiveness
  - Any material controls that failed
  - Actions taken to remediate control failures
This isn’t limited to financial controls. Provision 29 covers all material controls, whether financial, operational, reporting, or compliance. The expectation is simple: if it’s important, you’d better be on top of it.
Not Just a Board-Level Concern
While Provision 29 holds the board accountable, the execution starts much further down the chain.
Risk managers, compliance officers, internal auditors, and line-of-business control owners all play a crucial role in enabling the board to confidently make that declaration. If frontline teams aren’t identifying, documenting, testing, and escalating issues, the board’s assurance is built on shaky ground.
This isn’t the time for business as usual. Provision 29 represents an opportunity (and an obligation) for risk and compliance teams to:
- Tighten control ownership and visibility
- Formalize monitoring and evidence-gathering processes
- Escalate and remediate breakdowns proactively
- Collaborate across silos to deliver end-to-end assurance
The success or failure of the board’s declaration will reflect directly on the maturity and integration of your risk ecosystem.
How Connected Risk Helps
Connected Risk gives you exactly what Provision 29 demands: clarity, confidence, and control.
With our platform, you can:
- Monitor risk and controls continuously, not just annually
- Capture evidence of effectiveness and track it to resolution
- Centralize operational, compliance, and financial controls in one place
- Generate board-level reporting that supports declaration of effectiveness
- Demonstrate remediation for any control issues, before the regulator asks
In short, we make it easier for boards to sign that declaration with confidence.
The 2026 Deadline Isn’t as Far Away as It Sounds
Boards are already under pressure to show they take risk oversight seriously. Provision 29 will only intensify that expectation. The organizations that start preparing now will be the ones who pass inspection with ease.
If you’re still managing critical controls in spreadsheets or relying on siloed systems, now’s the time to rethink your approach.
Provision 29 is coming. Make sure you’re ready.