Navigating Provision 29 of the UK Corporate Governance Code: Challenges and Insights

What an exhilarating few weeks! My recent travels have taken me across the Middle East, London, Utrecht, and Stockholm, engaging with organizations and professionals across the governance, risk management, and compliance (GRC) landscape. The energy and focus on risk management, regulatory compliance, ESG, and corporate governance have been evident in every discussion, workshop, and meeting.

This week, I was back in London for an in-depth workshop on the UK Corporate Governance Code (UK CGC), with a particular emphasis on internal control and risk management by design to address Provision 29. Hosted at the historic Chartered Accountants Hall—where industry giants like Waterhouse and Cooper once presided—this session was packed with engaged professionals eager to address the challenges of the revised UK CGC. The timing of this workshop couldn’t have been more critical, as UK firms are under increasing pressure to ensure readiness for Provision 29. Already this week I have engaged with and advised on four RFPs from UK organizations looking for solutions to address this challenge. In just over a week, I will be heading to Asia for more GRC engagements, hosting workshops in the Philippines, Malaysia, and Singapore.

The Growing Pressure of Provision 29

Provision 29 of the updated UK Corporate Governance Code is top of mind for many UK organizations as they prepare for 2025. It mandates that boards provide a declaration of the ongoing effectiveness of their risk management and internal control systems. While some call it “UK SOX” (drawing comparisons to the Sarbanes-Oxley Act in the U.S.), I find that analogy misleading. UK CGC is distinct in its approach, placing a strong emphasis on ongoing, proactive risk and control management rather than compliance-driven financial control attestation.

Organizations across industries are grappling with how to operationalize Provision 29. As one UK bank shared in the context of my workshop:

“The UK Corporate Governance Code is one of our main projects this year. Readiness for Provision 29 means identifying our most material controls, ensuring board disclosures on effectiveness, and maintaining alignment with peer banks to avoid being an outlier. Assurance is going to play a significant role, especially in evolving risk areas such as cyber and third-party risk.”

A smaller UK firm (under 500 employees) said it came out of the workshop better prepared for Provision 29:

“Thank you so much for the insightful workshop yesterday. I found it really interesting and came away buzzing with excitement as to new ways to invigorate the business in respect of controls and risk.”

The Risk and Internal Control Insomnia List

During my workshop, I had attendees collaborate on what keeps them up at night regarding UK CGC compliance and risk management. The resulting list highlights key concerns and challenges:

  • Concentration of risk knowledge in silos – lack of shared understanding across departments
  • Siloed approaches to risk and internal control – limited visibility and consistency
  • Cultural barriers – weak communication, inconsistency, and poor tone at the top
  • Defining ‘bad’ risk and internal control – what does ineffective risk management look like?
  • Incident reporting challenges – clarity on thresholds and processes
  • Managing business and regulatory change – adapting controls to evolving risks
  • Simplifying and prioritizing the approach to UK CGC – avoiding unnecessary complexity
  • Addressing redundancy and overlaps in risk and control functions
  • Educating the organization on UK CGC requirements – ensuring buy-in at all levels
  • Evaluating inherited controls – are they still appropriate in today’s risk landscape?
  • Process modeling and business risk analysis – integrating risk and control into core operations
  • Applying UK CGC principles effectively – practical implementation strategies
  • Embedding UK CGC into the three lines of defense – ensuring integrated accountability
  • Breaking down silos in risk and control management – fostering collaboration across departments
  • Cultural and accountability shifts for UK CGC compliance – making governance a shared responsibility
  • Linking UK CGC to strategy, performance, and objectives – ensuring risk supports business goals
  • Designing a UK CGC framework – aligning controls with business needs
  • Clarifying ownership and accountability structures – defining roles clearly
  • Identifying material vs. immaterial controls – focusing efforts where they matter most
  • Measuring control effectiveness – avoiding over-control and unnecessary bureaucracy
  • Assembling the right UK CGC team – ensuring the right expertise and collaboration

Moving Forward: The Path to Effective UK CGC Compliance

UK organizations must take a strategic, risk-based approach to implementing Provision 29. Success requires:

  1. Breaking Down Silos – Risk and control management should be an enterprise-wide initiative, not a fragmented exercise.
  2. Embedding UK CGC into Business Operations – Aligning risk and control frameworks with business strategy, performance management, and operational processes.
  3. Enhancing Risk Management, Awareness & Culture – Driving engagement across all levels of the organization to ensure risk and control are part of daily decision-making.
  4. Investing in Assurance and Continuous Monitoring – Leveraging technology and robust assurance mechanisms to demonstrate control effectiveness.
  5. Defining Material Controls with Confidence – Focusing on controls that truly mitigate the most significant risks, rather than creating unnecessary layers of compliance.

The UK Corporate Governance Code represents a major shift in how UK organizations approach internal control and risk management. Organizations must move beyond viewing compliance as a check-the-box exercise and embrace a more dynamic, integrated GRC management framework that fosters resilience and accountability.

I look forward to continuing these discussions in the weeks ahead as I head to Asia for more workshops. The evolution of corporate governance and risk management remains a global challenge, but one that, when addressed effectively, can lead to stronger, more resilient organizations.
