Skip to content

Featured Search

UK Corporate Governance Code Provision 29

Controls you can trust. Evidence the board can sign.

The UK Corporate Governance Code's upcoming Provision 29 requires the board to declare internal control effectiveness. This requires more than process. Protecht's GRC software solution gives you the tested controls, mapped risks, and clear assurance pathways your board needs to declare effectiveness.

Request a demo
The UK Corporate Governance Code's Provision 29 introduces a simple requirement: a board declaration of internal control effectiveness. But meeting it is anything but simple. It demands consistent monitoring, structured assurance, and real-time evidence. Find out how our corporate governance software solution makes it achievable.

Monitor and evidence internal control effectiveness.

Give your board the evidence it needs to declare that controls are effective.

  • Document all material controls in a structured control library using consistent attributes aligned to COSO and ISO 31000 best practices

  • Link each control to relevant principal risks, obligations and policies to demonstrate top-down alignment and reduce duplication

  • Assign and simplify testing workflows using control self-assessments, internal audit test plans and structured assurance templates

  • Track control failures and remediation actions in real time, with visibility into open items before year-end

  • Enable the board to make its Provision 29 declaration with supporting evidence that is timely, traceable and complete

Streamline assurance across the three lines.

Clarify roles, eliminate duplication and prove coverage across the business.

  • Map assurance responsibilities using the three lines of defence model and define who owns, tests and oversees each control

  • Schedule regular testing across all three lines and consolidate the results in a single view

  • Automate follow-ups and reminders for overdue remediation, ensuring issues are addressed before the balance sheet date

  • Use real-time dashboards to demonstrate how assurance activities cover the full scope of financial, operational, compliance and reporting controls

  • Provide internal and external auditors with a transparent view of what’s tested, by whom, how often, and with what result

Create a single source of truth for risk and control.

Unify fragmented processes into a connected, organisation-wide framework.

  • Maintain connected registers for risks, controls, obligations, incidents, and issues, all mapped and cross-referenced

  • Apply a common taxonomy across business units for easier aggregation and risk reporting

  • Ensure traceability from strategic objectives to control effectiveness

  • Log and monitor real-time incidents that impact control design or effectiveness

  • Replace spreadsheets and standalone systems with a scalable, auditable platform that supports ongoing control improvement

Enable confident, board-level reporting.

Deliver data-driven, board-ready assurance for Provision 28 and Provision 29 compliance.

  • Use real-time dashboards to visualise control effectiveness, open issues, assurance coverage and testing progress

  • Track effectiveness of controls at the level required for annual reporting across financial, operational, compliance and reporting domains

  • Export dashboards and reports directly into board packs and disclosures, with commentary on weaknesses and remediation actions

  • Align reports to the UK Corporate Governance Code 2024’s expectations on outcomes-focused governance and monitoring

  • Give your board, risk committee and auditors full visibility of how internal controls are governed, tested, and remediated

eBook

DORA: From compliance to resilience.

The Digital Operational Resilience Act (DORA) is now in force. While many organisations focused on last-minute compliance, the true objective of DORA is building long-term resilience. Download our eBook today to move beyond compliance checklists and embed resilience into your operations.

 
Find out more

How Protecht ERM helps you meet Consumer Duty requirements.

Protecht_Solutions_Icons_01_RiskManagement

Visualisation of the customer journey

Visualise your end-to-end customer service process via embedded process mapping. Identify where weak operational resources are contributing to customer detriment and infringing on customer rights.

Protecht_Solutions_Icons_02_ComplisanceManagement

Expert reviews

Templates for tactical and strategic reviews. Integration with control assurance activities enables deep understanding of the operational control environment. Deep-dive templates to support comprehensive product assessment and service reviews.

Protecht_Solutions_Icons_05_VendorRisk

Testing and assurance

Enable management of issues identified through the fair value test process. Testing templates which enable evidence collection to support documentation management and the attestation process.

Protecht_Solutions_Icons_03_OperationalResilience

Continuous improvements

Interface for action management. Remedial actions and space to link actions coming from independent assurance reviews.

Protecht_Solutions_Icons_06_AuditManagement

Governance

Governance templates for annual board attestations and reports. Underpinned by workflow alert tool which provisions for the dependency on accuracy and timely completeness of data.

Protecht_Solutions_Icons_07_WHSRisk

Compliance monitoring

Templates to support ongoing testing and assurance of customer outcomes. Adherence to customer collateral and contracts. Link compliance rules and obligations to assessments to support attestation process. Management reports providing comparative analysis on revenue generation KPIs vs customer KPIs over time.
Protecht_Solutions_Icons_01_RiskManagement

Analytics

Designing product insights to demonstrate good outcomes. Ability to reconcile customer outcomes vs risk appetite. Integration of external data points (e.g. use open banking data to identify where customers' money not working hard for them). Informed decision making based on research and information.

Learn more

Latest corporate governance news and commentary

Compliance management

UK Corporate Governance Code: Why you need to act now.

4 mins read

Gary Lynam, Managing Director, EMEA

Learn more
Compliance management

Enhanced controls: The revised UK Corporate Governance Code.

5 mins read

Michael Howell, Research & Content Lead

Learn more

Upcoming and on-demand corporate governance webinars

Compliance brochure.

Find out how Protecht helps you to achieve compliance objectives, improve resilience and manage risk.

Read brochure

Operational resilience brochure.

Ensure that your operational resilience and business continuity management processes are able to support your customers and meet your regulatory requirements.

Read brochure

Information security and cyber brochure.

Safer, smarter information security, allowing you to better protect your organisation.

Download brochure

Vendor risk management brochure.

Find out how our vendor risk management solution allows you to manage vendor risk and avoid disruption.

Read brochure

Trusted by well known organisations

  • afterpay_(touch_networks_australia_pty_ltd)
  • aon_uk_limited
  • british_council
  • cigna_insurance
  • impax-logo-greyscale
  • worldremit

UK Consumer Governance Code FAQ

Provision 29 is a new requirement in the UK Corporate Governance Code 2024 that mandates boards of premium-listed companies to provide an explicit annual declaration that their internal controls are effective. This applies to controls covering financial, operational, compliance and reporting risks, and takes effect for financial years beginning on or after 1 January 2026.

To comply with Provision 29, boards must disclose in their annual report:

  • How they monitored and reviewed the effectiveness of internal controls
  • Whether they consider the material controls to be effective as of the balance sheet date
  • Any material control weaknesses, with details of remediation or improvement plans
  • This must apply to all material controls, not just financial ones. Aligning with COSO or ISO-style control frameworks is strongly recommended

Provision 29 applies to premium-listed companies on the London Stock Exchange. However, many subsidiaries, private firms, and foreign-listed companies voluntarily adopt the UK Code to demonstrate strong governance to investors, parent companies or regulators, especially in financial services and regulated sectors.

The UK Corporate Governance Code 2024 sets out expectations for boards to establish, monitor and annually assess a risk management and internal control framework. This includes:

  • Assigning control ownership and responsibilities
  • Embedding risk management into strategy and operations
  • Testing and improving control effectiveness
Reporting transparently on governance outcomes, not just structures.
Provision 29 builds on these by requiring formal board-level assurance on the effectiveness of internal controls

Protecht ERM provides a structured, integrated system to help you:

  • Document and map material controls to principal risks
  • Track control testing, remediation and assurance activities
  • Provide board-ready dashboards for the annual effectiveness declaration
  • Centralise risks, obligations, issues and incidents to create a single source of truth
  • Align with COSO, ISO 31000 and the FRC’s expectations for board accountability and transparency.

Although Provision 29 applies to periods starting from 1 January 2026, preparation should begin well in advance, ideally by mid-2025. Companies need time to:

  • Define and document material controls
  • Implement structured testing and monitoring cycles
  • Remediate any weaknesses ahead of the reporting date. Boards will need real-time, auditable evidence by year-end not just retrospective reviews