Why Provision 29 Is More Than a Checkbox: Building True Organizational Resilience

Provision 29 of the UK Corporate Governance Code has put the spotlight on corporate resilience. As UK companies prepare for the latest Code updates, boards are now required to do more than sign off a compliance checklist – they must embed resilience into their strategy, culture, and operations. In other words, Provision 29 mandates that boards declare the ongoing effectiveness of the company’s risk management and internal control systems, according to Michael Rasmussen of GRC20/20. This isn’t a one-time “UK SOX”-style attestation; it’s about creating a living, breathing framework where risk management is proactive and pervasive, not just a box-ticking exercise.

We’ll explore why Provision 29 should be seen as a competitive differentiator rather than a regulatory hurdle. We’ll discuss how true organizational resilience can become a source of strategic advantage, globally relevant well beyond the UK. Along the way, we’ll highlight real-world examples of companies that have successfully woven resilience into their DNA, and introduce how Connected Risk (CR) – an integrated risk management platform – helps organizations meet Provision 29 requirements. Finally, we’ll walk through a demo scenario of Connected Risk in action, and end with a call-to-action for those ready to turn compliance into opportunity.

Provision 29: Embedding Resilience, Not Just Compliance

Provision 29 explicitly calls on boards to ensure their companies are resilient by design – monitoring and reviewing risk management and controls enterprise-wide. The Code expects leadership to attest each year that these systems are effective on an ongoing basis. This goes far beyond traditional compliance. It means that risk and control can’t live in silos or be revisited only during an annual audit. Instead, they must be ingrained into everyday business decisions and corporate culture.

In the Code’s Words: Provision 29 mandates a declaration of the ongoing effectiveness of risk management and internal control systems – emphasizing ongoing, proactive risk and control management rather than one-off compliance-driven attestations.

In practice, “ongoing, proactive” management means companies need to build resilience into how they plan, operate, and behave daily. It’s about aligning risk and control with strategy and operations, and ensuring every level of the organization is aware of and accountable for managing risk. The spirit of Provision 29 is that resilience should be baked into corporate DNA – from the boardroom to the break room.

Critically, this approach reframes compliance as the outcome of good business practice, not the objective. A compliant organization, under Provision 29, is one where resilience measures (like robust risk assessments, internal controls, scenario planning, and responsive crisis plans) are part of “how we do things” as a company. The UK regulator’s intent is clearly that resilience becomes business-as-usual, not a separate checkbox task. As one governance expert noted, the updated Code places a strong emphasis on integrating risk management into core business activities, rather than treating it as a standalone compliance function. It’s a shift from assurance for its own sake to assurance that the business can weather shocks and seize opportunities.

Resilience as a Competitive Differentiator

Treating Provision 29 as merely a new hurdle to clear would be a mistake. In today’s environment of continuous disruption, resilience is emerging as a key source of competitive advantage. Forward-looking organizations understand that the ability to survive and thrive through turmoil can set them apart from less prepared competitors. In fact, a recent global survey by PwC found that companies are increasingly using their resilience programs as a source of competitive advantage, not just a way to “weather the storm”. Nearly 90% of business leaders now say that resilience is among their most important strategic priorities – and notably, their investments in resilience are driven not by fear or mere compliance, but by the goal of developing an edge over rivals.

Research bears out the benefits of this mindset. McKinsey analysis during the COVID-19 pandemic showed that businesses with healthy, resilient behaviors (think open knowledge-sharing, regular scenario reviews, and a culture of innovation in response to setbacks) were far less likely to fail during the crisis. In the longer term, companies that cultivate organizational resilience “driven not only by crisis but also by opportunity” can gain an important, lasting advantage over competitors. In other words, resilience isn’t just about avoiding collapse – it’s about bouncing forward. A resilient organization can absorb a shock and emerge stronger, while a less resilient one falters or falls behind.

Consider what this means in practice: If your firm can quickly adapt to a sudden supply chain disruption, you can keep customers happy while your competitors struggle to fulfill orders. If your team is prepared for a cybersecurity incident, you can contain it with minimal damage while others suffer prolonged outages. If your culture encourages surfacing bad news early, you can respond to risks before they escalate – whereas a competitor might be blindsided. In all these cases, resilience translates to tangible business gains: protecting revenue, maintaining market share, safeguarding reputation, and even capturing opportunities that arise from others’ missteps.

Importantly, viewing resilience as a strategic differentiator also energizes the organization. It shifts the narrative from “we have to do this because regulators say so” to “we want to do this because it makes us better.” Employees are more likely to engage in risk management activities when they see how it contributes to the company’s success and longevity, not just to passing an audit. Thus, treating Provision 29 as more than a checkbox can galvanize positive change – turning compliance into a catalyst for stronger performance and innovation.

A Global Imperative: Resilience Principles for All Organizations

Although Provision 29 is part of a UK governance code, its core principles resonate globally. In an era often described as a “polycrisis” – where economic, geopolitical, technological, and environmental disruptions are converging – every organization needs to build resilience to survive and thrive. We have all learned in recent years that resilience is vital in the face of constant turbulence. From the pandemic to geopolitical conflicts and supply chain shocks, businesses worldwide have been taught that being resilient doesn’t just mean riding out the storm; it means finding ways to succeed despite (or even because of) the storm.

Around the world, regulators, investors, and stakeholders are converging on the idea that good governance includes robust risk management and adaptability. While UK boards have Provision 29, a board in the U.S. or Asia might face shareholder demands for better risk oversight, or industry standards requiring business continuity plans. The language may differ, but the message is the same: resilience builds trust and value. The World Economic Forum, for example, has emphasized that by embedding resilience into the core of operations, leaders can prepare their organizations to respond nimbly to new challenges – whether arising from technological shifts, regulatory changes, or market demands. And McKinsey’s global research on organizational health underscores that resilience has no expiration date; the companies that systematically build agile operations, adaptive leadership, and a cohesive risk culture are better equipped for whatever comes next.

In practical terms, this global focus on resilience means companies everywhere should internalize the spirit of Provision 29. It’s about integrating risk awareness into decision-making at every level. It’s about ensuring that siloed approaches to risk are replaced with cross-functional collaboration and information sharing. It’s about leadership setting the tone at the top that resiliency matters, and empowering teams to act on that mantra. Whether you’re a UK-listed firm or a family-owned business elsewhere, the formula for resilience is remarkably universal: anticipate risks, absorb shocks, adapt quickly, and keep your purpose and values at the center. Those that do so are not only meeting governance expectations – they are positioning themselves to leap ahead in the race for long-term success.

Resilience in Action: Real-World Examples

To illustrate how embedding resilience pays off, let’s look at some real-world examples (one public, one anonymized) of companies that turned robust risk management into business strength. These cases show that resilience is achievable and rewarding when treated as a strategic priority.

Resilience Example – Leading Automaker: One of the world’s top car manufacturers (widely known for its just-in-time production) learned hard lessons from past disruptions and proactively built resilience into its supply chain. Before a global microchip shortage struck, this company had adjusted its lean inventory model to include “safety stock” of critical components like semiconductors. When chip supplies tightened, the automaker also prioritized production – reallocating the limited chips to its most in-demand models – and maintained transparent communications with suppliers and customers about potential delays. These measures, rooted in foresight and agility, helped the company weather the initial impact of the crisis far better than many competitors. In the ensuing months, the firm doubled down on resilience: diversifying its supplier base across regions, investing in alternative chip designs, and refining its inventory strategies to buffer against future shocks. The result? While other automakers had to halt production for weeks, this company sustained output and met customer demand. By embedding resilience into operations and supplier relationships, it turned a potential catastrophe into a competitive win – protecting its market share and reputation when others faltered.

Resilience Example – Global Financial Firm: A large international bank (let’s call it “BankCo”) provides a powerful example of how embedding resilience into corporate culture and strategy yields advantages in a crisis. BankCo’s leadership spent years nurturing a “risk-aware” culture – encouraging employees at all levels to flag concerns, rigorously stress-testing the bank’s portfolio against adverse scenarios, and aligning its risk appetite to its long-term strategy (a philosophy its CEO termed the “fortress balance sheet”). These efforts were more than compliance; they became part of how BankCo made decisions. When the 2008–09 financial crisis hit, BankCo was able to respond swiftly. Thanks to early warning systems and a habit of candid internal communication, senior management quickly recognized the growing credit risks and took action to shore up capital and liquidity. The bank’s robust internal controls and pre-planned contingency measures kicked in, limiting its exposure to the worst of the market turmoil. In fact, while many competitors were caught off-guard and needed government bailouts, BankCo stayed solvent and even had the capacity to acquire a weaker rival during the downturn. Its resilience was noticed – by regulators, who held it up as an example of prudent risk management, and by customers, who placed greater trust in the institution’s stability. This case underscores that a strong risk culture and integrated risk management framework can translate into real financial resilience, allowing an organization not only to survive a crisis but to emerge stronger relative to peers.

These examples highlight a common theme: successfully embedding resilience means taking deliberate actions before crises hit. Whether it’s redesigning processes, holding buffer resources, fostering open risk reporting, or practicing crisis simulations, companies that treat resilience as an investment tend to reap the rewards. They turn potential surprises into manageable events and sometimes even into opportunities for growth. Crucially, these efforts require support from the top (board and executives) and buy-in across the business – exactly what Provision 29 aims to achieve by making resilience a board-level responsibility.

Introducing Connected Risk: A Platform to Enable Resilience and Compliance

Building true organizational resilience can sound daunting – how do you actually break down silos, integrate risk into strategy, and monitor controls continuously across a whole enterprise? This is where technology and smart processes come into play. One solution gaining attention is Connected Risk (CR), a governance, risk, and compliance platform designed to help organizations connect the dots across various risks, controls, and functions. Connected Risk provides a tech-enabled framework to embed resilience into daily operations and to help companies comply with requirements like Provision 29 in a streamlined way.

So, what is Connected Risk? It’s an enterprise-wide risk management platform (developed by Thomson Reuters) that brings together all your risk and control information into one integrated system. Instead of having different departments manage risks in isolation – finance tracking financial controls, IT tracking cyber risks, operations tracking safety, etc. – Connected Risk allows you to aggregate and view all risk data in a single, holistic view. By pulling together disparate data sources and using advanced mapping, the platform creates a unified picture of the organization’s risk landscape. This means the board and management can see interconnections between risks, identify concentrations or gaps, and make informed decisions faster.

Connected Risk is built to break down silos and foster a shared understanding of risk. For example, it can map your company’s policies, processes, risks, controls, and incidents in a common taxonomy. A risk in one business unit that could impact another will no longer languish unnoticed in a spreadsheet on someone’s PC – it becomes visible to relevant stakeholders through the central platform. The benefit is not just better risk identification, but also efficiency: teams aren’t duplicating efforts or overlooking critical issues that fall “between the cracks” of organizational charts. Everyone speaks the same risk language in the system.

From a Provision 29 compliance standpoint, Connected Risk directly addresses some of the key challenges. Remember that Provision 29 requires an annual attestation on the effectiveness of risk management and internal controls. Using Connected Risk, management can continuously monitor control performance and risk indicators. The platform’s dashboards and analytics provide ongoing assurance that controls are functioning as intended – or flag weaknesses if they arise – so that there are no surprises at year-end. In fact, one of the modules on the Connected Risk platform is specifically geared toward compliance and internal control management, helping organizations demonstrate strong governance and sound internal controls even under intense regulatory scrutiny. Instead of scrambling to compile data to satisfy auditors or the board, companies using Connected Risk have the evidence of effective control at their fingertips, updated in real time.

Additionally, Connected Risk fosters a culture of accountability and resilience by providing tools for issue management and remediation. When an incident or control failure occurs, it can be logged in the system, triggering workflows for investigation, root cause analysis, and corrective action. Responsible owners are assigned and progress is tracked. This closes the loop on risk events and ensures lessons are learned – a hallmark of a resilient organization. Over time, this continuous improvement loop, facilitated by Connected Risk, embeds resilience into the fabric of the company’s operations.

In summary, Connected Risk acts as an enabler for organizations to fulfill the spirit and letter of Provision 29. It not only streamlines compliance by aggregating risk and control information, but also truly helps embed resilience by integrating risk management into everyday business processes and decision-making. It’s a tool that turns the abstract goal of “enterprise risk management” into a tangible, practical reality.

Connected Risk in Action: A Demo Scenario

To make this more concrete, let’s walk through a simplified scenario of how Connected Risk might work in practice to embed resilience and support Provision 29 compliance. Imagine a mid-sized multinational company, GlobalCo, which has adopted Connected Risk as part of its governance framework:

  1. Risk Identification and Linkage: GlobalCo’s risk team uses Connected Risk to document and map key risks to strategic objectives. For example, they log a risk called “Supply Chain Disruption” and link it to the objective “Ensure continuous product delivery.” They also map which critical suppliers, regions, and business units would be affected by this risk. In the platform, this risk is connected to related controls (e.g. “Dual-sourcing policy in place” and “Safety stock of 8 weeks for critical components”). All this information is stored centrally and is visible to stakeholders from procurement, operations, and executive management alike.
  2. Early Warning and Monitoring: Connected Risk continuously pulls in data relevant to these risks and controls. Let’s say news emerges of political instability in a country where one of GlobalCo’s key suppliers operates. The platform has an integration that captures external risk alerts (or an internal user logs an incident report about the developing situation). Connected Risk triggers an alert: the “Supply Chain Disruption” risk has increased in likelihood, and it flags the specific supplier and region at risk, since those were mapped in the system. A dashboard indicator for supply chain risk turns from green to amber. The relevant risk and control owners (in procurement and operations) are automatically notified via the system.
  3. Coordinated Response: Because GlobalCo embedded its response plans into Connected Risk ahead of time, the moment the risk level rises, everyone knows what to do. The platform displays the contingency plan linked to the supply chain risk – for instance, “activate secondary supplier in Country B if primary in Country A is disrupted.” Through Connected Risk’s workflow, the procurement manager is assigned a task to initiate orders with the backup supplier, and the operations manager is tasked to adjust production schedules. The platform tracks these tasks in real time. Team members from risk management, procurement, and operations can log updates or concerns on a shared forum in the risk record, ensuring cross-functional communication. Because all this activity happens through the integrated platform, there’s a single source of truth and no time wasted in meetings to figure out who should do what – the plan is in place and roles are clear.
  4. Mitigation and Recovery: Thanks to the swift action, GlobalCo switches to its secondary supplier with minimal delay. The potential disruption is largely mitigated – production continues and customer orders are fulfilled without major incident. Connected Risk captures the outcome: the risk event (political unrest) that could have caused a supply interruption was handled, and the relevant control (dual sourcing strategy) proved effective. Any issues encountered (maybe the secondary supplier took an extra week to ramp up) are noted in the system for future learning. GlobalCo not only averted a crisis, but also gleaned insights to further strengthen its resilience (perhaps they decide to qualify a third supplier, or increase safety stock for certain components).
  5. Review and Reporting: At quarter-end, the board of GlobalCo reviews a resilience dashboard from Connected Risk. They see that the “Supply Chain Disruption” risk went from amber back to green after mitigation, and they can drill down to see the actions taken and their results. This gives the board concrete evidence that the company’s risk management and internal controls are working continuously and effectively – exactly what they need to confidently sign off the Provision 29 annual effectiveness statement. In their annual report, the board can describe this scenario (in general terms) as an example of how they maintain oversight of material risks and respond in real time. Because Connected Risk has logged all these activities, audit and assurance teams can also verify that the controls operated as intended, providing further comfort to the board. GlobalCo has essentially operationalized resilience: when a challenge arose, the organization detected it, responded in a coordinated fashion, and learned from it – with full transparency to leadership.

This hypothetical scenario demonstrates how a platform like Connected Risk helps embed the principles of resilience into the day-to-day running of a company. The key elements – early detection, clear accountability, cross-team collaboration, and continuous feedback – are all enabled by having an integrated risk system. For Provision 29, this means GlobalCo can move beyond an annual compliance scramble to prove its controls work, and instead live in a state of controlled readiness. The board’s required declaration of effectiveness becomes not a hopeful assertion but a well-substantiated report, backed by data and real incidents managed throughout the year.

Final Thoughts: From Checkbox to Competitive Edge

Provision 29 is a wake-up call that resilience must be woven into the fabric of modern organizations. Far from being a mere checkbox on a compliance list, it is an opportunity – a mandate to transform how companies think about risk and durability. By treating Provision 29 as more than a rule, organizations can drive a culture where anticipating threats and building buffers is second nature. This not only satisfies regulators but also propels the business forward. As we’ve discussed, companies that embrace this mindset often find themselves more agile, trusted, and successful in the face of adversity.

In a world of unpredictable challenges, true organizational resilience is the ultimate competitive edge. Whether you operate under the UK Corporate Governance Code or not, the lesson is universal: embedding resilience into strategy, culture, and operations pays dividends in stability and performance. The tools, frameworks, and examples are out there – from global best practices to technologies like Connected Risk that make it attainable.

Now is the time to act. Rather than waiting for the next crisis to test your systems, proactively strengthen them. Connected Risk is one way to accelerate that journey, by uniting your risk management efforts and illuminating where you can improve. We encourage you to explore the Connected Risk platform to see how it can help your organization meet the spirit of Provision 29 – and not just comply, but excel.

Ready to move beyond checkboxes and build true resilience? Contact us for a consultation on how Connected Risk can be tailored to your organization’s needs. Let’s turn the mandate of Provision 29 into an engine for sustainable success, and ensure your organization is not only prepared for the uncertainties of tomorrow, but poised to thrive amid them.
