What you will learn
Through expert-led sessions, peer collaboration, and hands-on activities, attendees will:
- Understand the strategic implications of Provision 29 and how it differs from other global frameworks (e.g., SOX), with its focus on ongoing effectiveness rather than point-in-time compliance.
- Build a risk-informed internal control framework that supports strategy, performance, and operational resilience.
- Explore how to embed risk management into business operations, not just within risk or compliance functions.
- Learn to identify and assess material risks and controls, clarify ownership, and establish meaningful accountability across the three lines of defence.
- Evaluate how to architect the information and technology infrastructure to enable continuous monitoring, real-time insights, and integrated assurance.
Who will benefit?
This workshop is essential for senior leaders, board advisors, GRC professionals, internal control managers, risk and compliance officers, and audit personnel seeking to proactively respond to the updated UK Corporate Governance Code.
Agenda overview
Session 1: What is Risk & Control by Design?
- Understanding risk and internal control in the context of business strategy and operations
- Unpacking Provision 29: board accountability, assurance requirements, and risk/control effectiveness
- How risk and control intersect across governance, compliance, and performance
- Workshop exercise: Mapping Provision 29 into your organisation
Session 2: Breaking Down Silos – Building a Federated Model
- Creating an integrated view of risk and internal control across the enterprise
- Designing collaborative risk/control governance structures (e.g., Risk & Control Committees)
- Aligning risk and control functions across the three lines of defence
- Workshop exercise: Creating your federated risk and control blueprint
Session 3: The Risk & Control Lifecycle – From Identification to Assurance
- Risk-informed control design: top-down strategic risks and bottom-up operational insights
- Control rationalisation: reducing duplication and aligning controls with material risks
- Assurance strategies for Provision 29: continuous monitoring, independent validation, and reporting
- Workshop exercise: Designing a control lifecycle aligned to risk
Session 4: Architecting for Visibility, Agility, and Accountability
- Information and technology architecture for risk and control management
- Defining a risk and control taxonomy with business relevance
- Reporting on effectiveness: dashboards, metrics, and board-level insights
- Workshop exercise: Developing an integrated risk and control information architecture