
Turning UK Governance from a Checkbox to a Confidence Booster in the Provision 29 Revolution

27/02/2026

Executive Summary:  

  1. Provision 29 of the 2024 UK Corporate Governance Code, effective for financial years beginning on or after 1 January 2026, represents the most significant governance change in a decade for UK premium-listed companies.
  2. Provision 29 shifts from
    1. A process-oriented approach
    2. To an outcomes-based requirement.
  3. Provision 29 mandates that boards explicitly declare in the annual report whether the company's material internal controls were effective as of the balance sheet date.
  4. Under Provision 29, boards must:
    1. Monitor the company's risk management and internal control framework.
    2. Conduct at least an annual review of its effectiveness.
    3. Provide a clear declaration on the effectiveness of material controls.
  5. The scope of "material controls" is intentionally broad and not limited to financial controls. It encompasses
    1. Operational, compliance, and reporting controls (including narrative and ESG reporting where relevant).
  6. The definition of "material" remains a matter of the board's judgment, but it must be
    1. Defensible, documented, and aligned with the company's risks, strategy, and risk appetite.
  7. The Financial Reporting Council (FRC) emphasises [see appendix 1 to this blog] the need to avoid boilerplate disclosures, and for boards to explain
    1. Their conclusions,
    2. The evidence relied upon, and
    3. How any weaknesses are addressed.
  8. Many organisations already maintain strong individual controls, but they often lack a unified, coherent view.
    1. Controls are frequently dispersed across functions, inconsistently documented, locally owned, and evidenced in fragmented systems.
  9. Compliance with Provision 29 is therefore
    1. Less about creating new controls and
    2. More about enhancing visibility, central ownership, consistency, and structured evidence.
  10. In practice, companies typically identify 20–40 material controls (sometimes more in complex sectors), focusing on
    1. Higher-level "entity-level," oversight, governance, or "Jenga" controls—those whose failure could significantly impact the business model, solvency, reputation, or investor decisions
    2. Rather than numerous granular transactional ones.
  11. Effectiveness requires objective evidence, not merely the absence of incidents, good intentions, or policies.
    1. Boards assess via indicators such as design quality, consistent operation, testing results, self-assessments, metrics, documentation, and real-world outcomes (including incidents or remediation history).
    2. A single failure does not automatically deem a control ineffective; severity, recurrence, and context are key, with professional judgement documented.
  12. The declaration is the board's non-delegable responsibility—management, risk teams, internal audit, and external advisers can provide support and assurance.
    1. Still, the board must understand, challenge, and own the conclusion and disclosure.
    2. Reporting must be clear, map controls to principal risks, track issues, and show remediation progress.
  13. The regime remains "comply or explain."
    1. If material controls were not fully effective, the annual report must transparently describe the affected controls, reasons for ineffectiveness, actions taken or planned, and progress on previously reported issues.
    2. Weak or vague explanations risk scrutiny, while evidence-based, credible remediation aligns with the Code's intent.
  14. To prepare effectively, organisations should treat Provision 29 as an ongoing control lifecycle matter rather than a year-end exercise.
    1. Key actions include centrally defining material controls, assigning ownership, ensuring consistent deployment, using agreed assessment criteria, structuring evidence capture, tracking remediation, and producing board-reliant reporting.
  15. When implemented well, Provision 29 delivers substantial benefits:
    1. Greater board confidence, stronger leverage for risk and control teams, clearer expectations for control owners, and a shift from reactive assurance to proactive, continuous oversight.

Long read

How to demonstrate compliance with Provision 29 of the UK Corporate Governance Code and understand what boards must prepare and declare.

From January 2026, boards of UK premium-listed companies will have to state explicitly whether their material internal controls are effective.

  1. Boards will not be asked whether controls are improving or whether management believes they are broadly sound. They will be required to state, clearly, whether those controls are effective.
  2. This requirement sits at the heart of Provision 29 of the 2024 UK Corporate Governance Code, which applies to financial years beginning on or after 1 January 2026.
  3. This is the most significant governance change in a decade because it turns what was previously a process-focused obligation into an outcomes-based declaration.
  4. For compliance, risk, and internal control teams, this requires some thought and action.

What Provision 29 actually requires

Provision 29 does not ask boards to design new controls or adopt a prescribed framework. It asks them to do three things and to report on them clearly:

  1. Monitor the company’s risk management and internal control framework.
  2. Carry out at least an annual review of its effectiveness.
  3. Declare whether the company’s material controls were effective as at the balance sheet date.

The scope is deliberately broad. Material controls are not limited to financial controls. They include operational, compliance, and reporting controls, including narrative and ESG reporting where relevant.

Crucially, the Code leaves the definition of “material” to the board’s judgement.

  1. That judgement must be defensible, documented, and grounded in the company’s risks, strategy, and risk appetite.
  2. The Financial Reporting Council has been explicit that boilerplate disclosures are not the goal, and that boards should be able to explain how they reached their conclusions, what evidence they relied on, and how weaknesses are being addressed.

Why this feels harder than it looks

  1. Most large organisations already have controls. Many have very good ones. What they often lack is a single, coherent view of those controls that can support a board-level declaration.
  2. Across the market, controls tend to be:
    1. Spread across functions and business units
    2. Documented in inconsistent formats
    3. Owned locally rather than centrally
    4. Tested for different purposes at different times
    5. Evidenced in spreadsheets, emails, SharePoint folders, and local tools
  3. Individually, the controls exist.
    1. Collectively, no one can confidently say which ones are material, who owns them globally, whether they operate consistently across entities, and what evidence supports their effectiveness.
  4. This is why many organisations are discovering that Provision 29 is
    1. Less about fixing broken controls and
    2. More about fixing visibility, ownership, and evidence.

What “material controls” look like in practice

  1. In general, most organisations are identifying somewhere between 20 and 40 material controls, with some landing higher depending on complexity and sector.
  2. These sit across risk, compliance, internal audit, and finance.
  3. Importantly, there is a clear trend away from hundreds of granular transactional controls and towards a smaller number of higher-level controls that genuinely matter.

These often include:

  1. Entity-level or framework controls
  2. Oversight and governance controls at the board or committee level
  3. Controls whose failure would significantly affect the business model, solvency, reputation, or investor decisions

Jenga controls

  1. One way to assess whether a control is material is to consider “Jenga controls”, meaning controls that, if removed, would cause the structure to collapse.
  2. This approach aligns closely with FRC guidance, which emphasises proportionality and material impact rather than volume.

Effectiveness means evidence, not comfort.

  1. The most uncomfortable part of Provision 29 is the word “effective”. The absence of incidents does not define effectiveness. Nor is it defined by good intentions or mature policies. Boards are expected to rely on evidence gathered through monitoring and review.
  2. In practice, organisations are using a mix of indicators, including:
    1. Whether the control is properly designed
    2. Whether it operates consistently across the group
    3. Completion and timeliness metrics
    4. Quality of documentation
    5. Results of testing, self-assessments, or assurance
    6. Real-world outcomes, including incidents, near misses, or remediation history

A single control failure does not automatically mean a material failure.

  1. There is a broad consensus that a single control failure does not automatically mean a material control is ineffective. Context matters.
    1. Severity, recurrence, and impact matter.
    2. Professional judgement still applies, though it must now be recorded and explained.

The board cannot delegate the conclusion.

  1. Provision 29 is explicit on one point.
    1. This is a board declaration.
    2. Management, risk functions, and internal audit can provide information, analysis, and assurance.
    3. External advisers can support. None of them can make the declaration.
  2. Boards are expected to understand the basis on which effectiveness is being asserted, to challenge where necessary, and to own both the conclusion and the disclosure.
  3. This has practical implications.
    1. Boards need reporting that is clear, consistent, and decision-useful.
    2. They need to see how controls map to principal risks, how issues are tracked, and how remediation is progressing over time.

Comply or explain still applies.

  1. The UK Corporate Governance Code remains a comply or explain regime. Boards can conclude that material controls are not fully effective.
  2. Where controls are not effective, the annual report must describe:
    1. Which controls were affected
    2. Why they were not effective
    3. What actions have been taken or are planned
    4. How previously reported issues have progressed
  3. A weak explanation will attract scrutiny.
    1. A clear explanation, grounded in evidence and accompanied by credible remediation, is entirely consistent with the Code’s intent.

Turning Provision 29 into something workable

  1. To prepare for Provision 29,
    1. Organisations should stop treating this as a year-end disclosure exercise and start treating it as a control lifecycle issue.
  2. The focus now should be on building a clear, repeatable approach to identifying, owning, assessing, evidencing, and reporting controls.
  3. That means:
    1. Defining material controls centrally
    2. Assigning clear ownership
    3. Deploying controls consistently across entities
    4. Assessing effectiveness using agreed criteria
    5. Capturing evidence in a structured way
    6. Tracking gaps and remediation over time
    7. Producing reporting that boards can rely on

Conclusion

  1. When Provision 29 is done well, it will provide the following benefits:
    1. Boards gain confidence.
    2. Risk teams gain leverage.
    3. Control owners understand expectations.
    4. The organisation moves away from reactive assurance towards continuous oversight.

Appendix 1

FRC documents (all publicly available on the FRC website at frc.org.uk).

  • The primary FRC statements supporting the emphasis on avoiding boilerplate disclosures, while requiring boards to explain conclusions, evidence relied upon, and how weaknesses are addressed, can be found in the following official FRC documents.
  • These align directly with Provision 29 of the UK Corporate Governance Code 2024, shifting toward meaningful, outcomes-based reporting rather than generic or vague statements.
  1. UK Corporate Governance Code 2024 (PDF document)
  • URL: https://www.frc.org.uk/documents/6709/UK_Corporate_Governance_Code_2024_a2hmQmY.pdf
  • Relevant Section: Section 4: Audit, Risk and Internal Control – Provision 29 (page 13).
  • Key Supporting Statements:
    • Boards must provide "a description of how the board has monitored and reviewed the effectiveness of the framework" (explains conclusions and evidence from the review process).
    • Include "a declaration of effectiveness of the material controls as at the balance sheet date."
    • Provide "a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues" (directly addresses weaknesses and remediation).
    • The Code operates on a "comply or explain" basis, emphasising that departures from Provisions require "full and meaningful explanations" to ensure understandable and persuasive reporting (implied avoidance of boilerplate; see introductory notes on pages 1-2 and FAQ on the FRC Code webpage).
  2. Guidance to the UK Corporate Governance Code 2024 (Webpage with detailed guidance)
  • URL: https://www.frc.org.uk/library/standards-codes-policy/corporate-governance/corporate-governance-code-guidance (HTML format; last updated November 5, 2025).
  • Relevant Section: Section 4: Audit, Risk and Internal Control (paragraphs 293-300).
  • Key Supporting Statements (paraphrased with paragraph references for precision):
    • Para 293: Boards should describe the main features of the risk management and internal control framework, including governance structures, risk assessment, mitigation, and information sharing (promotes specific, non-boilerplate descriptions).
    • Para 294: Provide a summary of how the board monitored and reviewed effectiveness, including types of information received, units/individuals consulted, internal/external assurance obtained, and any recognised frameworks/standards used (requires explanation of conclusions and evidence).
    • Para 296: The annual report must include a clear declaration on material controls' effectiveness (succinct and focused, avoiding generic language).
    • Para 297: If a material control is not effective, disclose it with actions taken/proposed to improve, plus a summary of progress on previously reported issues (explicit on addressing weaknesses).
    • Para 298-300: Emphasise proportionality and material impact; clarified wording reinforces meaningful, insightful explanations over high-level confirmations (avoids boilerplate by focusing on decision-useful details).
    • Overall section notes: The purpose of outcomes-based reporting is to "move away from boilerplate disclosures" (cross-referenced in FRC's Code overview on the same site), ensuring reports are tailored, evidence-based, and connected to strategy/risk appetite.
  3. Provision 29 Mythbuster (PDF document)
  • URL: https://www.frc.org.uk/documents/9097/Provision_29_Mythbuster.pdf (published January 29, 2026).
  • Relevant Content: Full document (2 pages); focuses on clarifications for Provision 29 reporting.
  • Key Supporting Statements:
    • Reporting should be "proportionate" and "avoid unnecessary duplication and disclosure of immaterial information" (implicitly discourages boilerplate by promoting concise, relevant content; expected length: no longer than two pages).
    • Include "commentary on the monitoring and review process, and an explanation of how the board reached its decision" (directly requires explaining conclusions and evidence).
    • "Governance leading to decisions on material controls and board oversight must be set out" (emphasises evidence-based explanations).
    • For weaknesses: Report on material control issues persisting at the balance sheet date, including actions to rectify; also cover progress on publicised issues from the year if relevant to stakeholders.
    • No prescribed wording for declarations; "companies choose their approach" (encourages tailored, non-boilerplate language).
    • No need to list all material controls or specific testing, but focus on insightful oversight and confidence in effectiveness.

Conclusion

  • These documents collectively underscore the FRC's intent for transparent, specific disclosures under Provision 29, moving beyond generic "boilerplate" to substantive explanations backed by evidence and remediation details. For the latest versions, please check the FRC website, as guidance may be updated without formal consultation.
