Boards across the UK are about to face one of the most significant governance shifts in more than a decade. Provision 29 of the UK Corporate Governance Code introduces three fundamental changes that will redefine how organisations think about controls reporting:
- Boards must understand and articulate the organisation’s material controls
- They must monitor and evidence control effectiveness, not just existence
- They must publicly declare whether those controls were operating effectively at the balance sheet date.
For many organisations, this has meant a dramatic departure from current practice. Risk registers, spreadsheet-based control logs, and legacy GRC systems describe controls, but they don’t prove they work. Without consistent testing, clear ownership, and reliable data flows, executives cannot stand behind a declaration that demands assurance, not assumption.
Some organisations have embedded Provision 29 workflows into their day-to-day operations, while others have relied on resource-intensive manual processes to ensure compliance using existing tools. Although the latter group should mostly be able to achieve compliance, this is a struggle that detracts from their core business rather than enhancing it.
This is the challenge now confronting business leaders: How do you adapt for Provision 29 in a long-term sustainable way that genuinely improves clarity, control, and confidence without adding unnecessary cost, complexity, or consulting overhead?
The move from assumptions to proof
Boards have always been responsible for overseeing internal controls. But the previous Code gave companies considerable latitude in how they interpreted and communicated that oversight. Businesses relied on risk registers, management declarations, and periodic assurance updates that gave comfort, but not always evidence.
Provision 29 removes this grey zone. Boards must describe how effectiveness was monitored, declare whether controls are operating effectively at the balance sheet date, and disclose any deficiencies and remediation.
It’s no longer enough to assume the fire alarm works because it’s installed. As our eBook notes, it’s like aviation:
“The engineers may have serviced the plane and checked every bolt and system, but before take-off, it’s the captain’s responsibility to run final checks and give the final go-ahead.”
This is where many organisations are feeling the pressure: not because they lack controls, but because they lack the evidence to defend them.
Why Provision 29?
The origins of Provision 29 lie in a decade of high-profile corporate failures, most notably Carillion, which exposed weaknesses in board oversight and internal control management.
The resulting regulatory consultation considered a Sarbanes-Oxley-style regime, before ultimately rejecting a rigid, prescriptive solution. Instead, the Financial Reporting Council (FRC) established a principle-based model. No definitions of ‘material controls’. No mandated control lists. No set wording for declarations.
The intent is clear: this is not meant to be a compliance exercise, but a governance one. Boards must apply their own judgement and take real ownership of control effectiveness. That flexibility is both empowering and challenging.
This challenge is what is now motivating companies well outside the FCA’s commercial category to voluntarily align with Provision 29. As one industry leader told us:
“We’re aligning for best practice... not because we’re obligated, but because we want to be the best function we can possibly be.”
This sentiment reflects a broader shift happening inside organisations. Governance maturity is no longer optional; it is a competitive advantage.
Descriptions without evidence
A key theme emerging across industries is the widespread reliance on risk registers as the backbone of internal control oversight. But risk registers, by their nature, are descriptive. They catalogue risks, assign scores, and list controls. They do not verify that those controls are effective.
This leads to misplaced assurance. Boards are often confident in their control environment until something fails. Provision 29 is designed to expose and close that gap long before a failure occurs.
The fundamental issue is not the existence of controls. It’s the absence of:
- Consistent testing
- Structured evidence
- Clear accountability
- Real-time visibility
- Credible remediation tracking.
The best-prepared organisations will be those that recognise this now and begin building an evidence base long before the first required declaration.
Boards want assurance, not more process
We held multiple conversations with senior governance and risk leaders to research our Provision 29 eBook. One message was consistent: boards do not want more processes. They want better insights.
They want to know:
- Which controls genuinely matter most
- Whether those controls are actually working
- Where investment is needed
- Whether risks are being actively managed
- How internal and external assurance aligns
- How they can defend their declaration with confidence.
One CRO interviewed by Protecht put it simply:
“It’s already shifting the conversations. Everyone is talking about material risk.”
This shift in language signals a deeper cultural change. Organisations are no longer accepting broad lists of operational controls. They want to understand the material control themes that genuinely protect the business.
Turning Provision 29 into a strategic advantage
The organisations already making progress on Provision 29 are not simply meeting a regulatory requirement; they are using it as a catalyst for transformation. Among our customers, a clear pattern is emerging in how they are approaching the challenge.
1. Begin with risk tiering and materiality mapping: Not all risks are equal and not all controls should be either. Leading organisations are revisiting risk scoring, applying data-led analysis, and defining material risk tiers.
2. Embed strong first-line ownership: Boards can only have confidence if the people who own controls understand them, operate them, and test them consistently.
3. Group controls sensibly without losing visibility: Good governance does not mean cataloguing hundreds of micro-controls. Boards want clarity. Acceptable grouping helps them understand overarching control themes.
4. Build a quarterly cadence of evidence: This is one of the biggest practical shifts. Companies cannot prepare an annual declaration with annual testing. Quarterly testing and reporting ensure surprises are avoided.
5. Invest in real-time dashboards and data-driven validation: Boards need to see which controls are operating, which are failing, which are overdue for testing, what issues remain unresolved, and how risks are trending. This cannot be achieved through spreadsheets or static documents.
Provision 29 is harder than it looks
The principle-based nature of Provision 29 creates ambiguity. And organisations are feeling it. One participant summed it up bluntly:
“There’s no definition of material risk… They don’t define material controls either, but that’s what you need to report on.”
That ambiguity doesn’t disappear. Instead, the organisations who succeed will be those who:
- Embrace judgement
- Align stakeholders early
- Build shared understanding
- Prioritise simplicity without losing rigour
- Invest in consistent, auditable testing
- Integrate risk and controls into one coherent framework.
This is exactly the area where mature GRC platforms and structured frameworks become invaluable.
How Protecht helps you move from compliance to confidence
Provision 29 requires alignment between risk, controls, and assurance that cannot be managed in the long run through manual processes. Protecht supports organisations by giving boards and executives a clear, real-time view of control effectiveness, risk exposure, and remediation progress.
With Protecht, organisations can:
- Manage a structured library of controls aligned to ISO 31000 and COSO
- Map risks to controls to demonstrate clear line of sight
- Automate control testing through workflows and templated assurance programmes
- Track remediation with full audit trails
- Surface insights through real-time dashboards for board reporting
- Consolidate risk, compliance, incidents, issues, and key obligations in one unified system.
The result is not just compliance; it is confidence.
Conclusions and next steps for your organisation
Provision 29 is more than a governance update. It is a shift in how organisations demonstrate oversight, manage risk, and build trust with stakeholders. The businesses that embed Provision 29 into their workflows from the start will not only meet the requirement; they will strengthen risk culture, improve decision-making, and reduce the likelihood of future failures.
Boards must be confident in signing their names to the declaration of effectiveness. That confidence is built on evidence. And the work to generate that evidence starts long before the reporting deadline.
If you want to see how Provision 29 readiness looks in practice, and how Protecht helps organisations build assurance that boards can stand behind, we’re here to help.


