
October 10, 2025 • 10 min read
UK Corporate Governance Code changes: Preparing for Provision 29

Chris Sudlow
This article was originally published with the Chartered IIA.
After much fanfare, the 2024 updates to the UK Corporate Governance Code are finally in force. Introduced in response to high-profile corporate failures, such as BHS, Carillion, and Patisserie Valerie, and following extensive consultation and deliberation, they are the first changes since 2018.
Those expecting a kind of “UK SOX” may be disappointed or pleased, depending on perspective. The major distinction is the Code’s “comply or explain” principle: a company may depart from a provision as long as it explains why. However, some of the understanding and approaches used to implement SOX can serve as a useful starting point. The new provisions, with the exception of Provision 29, apply to listed UK companies within the Code’s scope for financial years beginning on or after 1 January 2025. Provision 29 applies one year later, to financial years beginning on or after 1 January 2026, and requires boards to monitor the risk management and internal control framework and review its effectiveness at least annually.
I was recently part of a highly informative discussion hosted by AuditBoard with risk, control, and audit experts Henry Martin (Consultant, Internal Audit and Financial Advisor, Protiviti UK), Andrew Wieser (Associate Director of Internal Audit and Financial Advisory, Protiviti UK), and Carolyn Clarke (Vice President of the Chartered IIA and Director, Brave Consultancy). This article highlights insights and advice from that discussion for risk and assurance professionals supporting their organisations’ preparations.
1. What are the implications of Provision 29?
Provision 29 requires boards to make an annual declaration on the effectiveness of material controls as at the balance sheet date, disclosing any material controls that have not operated effectively and the actions taken, or proposed, to address them. Boards must also describe how they have monitored and reviewed the risk management and internal control framework. The aim is to enhance accountability and strengthen governance, and it amounts to a shift from viewing risk management as a matter of compliance to seeing it as a core business capability. Unlike SOX, which is concerned with controls over financial reporting, the declaration covers material controls over financial and non-financial risks. The board’s responsibility for risk management is therefore an ongoing, proactive engagement rather than a routine, high-level attestation.
It is tempting to draw comparisons with SOX. While the Financial Reporting Council (FRC) discourages this, it can be useful. Andrew Wieser noted that, “the FRC has made it quite clear that the corporate governance code and specifically the declaration required from Provision 29 is NOT to be compared with Sarbanes-Oxley.” However, Andrew also advises that “the structure of SOX programmes, including controls and process attestations and the certification process, is likely able to be leveraged for those preparing for those changes.”
Much attention has been given to understanding what counts as a “material control”. Broadly, any control that is critical to the integrity of the risk management and internal control framework can be considered material. The FRC does not prescribe a list; it is explicit that the board must determine which controls are material, taking account of sector, resources, priorities, and other contextual factors.
If this seems vague, confusing, or overwhelming, Carolyn Clarke reminds us that “there are only so many processes that your organisation has that are material to the outcome. And while the board is ultimately responsible, it is important to engage risk owners (the ‘first line’) in making this determination. Controls are not effective unless your first line is able and engaged in assessing them.”
2. How can we help directors “get on board”?
A poll taken during the discussion suggested many are not sure if their organisation is ready or is even in the process of getting ready for Provision 29. Whatever the state of preparation, the panellists agreed that a planned and holistic approach is best. It is necessary to align the activities of risk, control, and assurance across all three lines within a single framework encompassing:
- Continuous risk identification, analysis, prioritisation, and responses.
- Control implementation, monitoring, and maintenance.
- Evaluation and assurance.
- Communication and reporting.
Internal auditing has a critical role to play, as Carolyn Clarke confirmed. “I would expect internal auditing to be thinking about material controls already, and therefore internal auditors can play a really important role in helping navigate these requirements,” she said. However, she also offered some words of caution. “Looking through the lens of internal audit is a really good way to get an independent perspective, but we ought to be really careful that we're not using internal auditing to actually perform the testing.” If this happens, then we risk diluting and undermining auditors’ ability to provide assurance on the adequacy and effectiveness of governance, risk management, and control processes across the organisation.
A planned approach should establish a top-down and holistic view of organisational risk and control, including:
- Organisational strategy, objectives, risk appetite, and KPIs.
- Material controls for financial and non-financial risks, including emerging risks.
- Assurance mapping (including first-line attestations).
- Agreement on what constitutes “adequate and effective”.
- A model for board monitoring and review, aligning the work of relevant committees and oversight mechanisms.
- Consideration of current disclosures (including those required by regulators).
- A pilot.
3. How can technology help?
The use of technology can significantly enhance an organisation’s ability to manage risks and provide tools to support the shifts required by Provision 29. Some of the many benefits we may gain include:
- Integration of governance, risk, compliance, and audit platforms, combining first, second, and third-line testing capabilities and monitoring results.
- Standardisation across the organisation and alignment with policies.
- Full population testing (rather than sampling).
- One source of truth providing searchable datasets, historical performance, benchmarking, and the ability to forecast and flag control deficiencies with red/amber/green (RAG) ratings to focus attention on where it is needed.
- Efficient issue resolution workflow.
- Customisable dashboards to visualise real-time, dynamic, aggregated data at a high level with options to drill down.
- Embedded AI to enhance analysis and anticipate emerging risks.
- Holistic reporting.
To contextualise these benefits, Henry Martin provided examples of the contribution of technology to support engagement by the board in monitoring and making disclosures as required by the updated Code. In particular, the use of “accelerators” (i.e., prebuilt analytics toolkits) can dramatically streamline the monitoring of controls and give the board a direct line of sight via interactive dashboards. Accelerators are essentially a head start on the analytics journey, requiring only minor tweaks to adapt to specific organisational needs. As Henry explained, accelerators “support a shift away from static reporting of sample-based testing to more dynamic insights that are truly data-driven based on full population testing.” This shift helps assurance providers move beyond the limitations of a sample-based approach with the ultimate benefit of giving the board “deeper assurance founded on a true and holistic state of the control frameworks.” The implementation of accelerators also helps organisations identify and monitor what constitutes the material controls by linking testing results directly to risk and impact ratings.
Whatever a business's stage of maturity, it is advisable to be clear on the new expectations set by Provision 29 and have a plan that ensures readiness. The benefits to be gained are not just compliance but tangible advantages for stakeholders arising from more effective risk management. Technology offers its own advantages that can multiply the gains to be had from a well-integrated risk and control framework.
About the author

Chris is a Certified Internal Auditor and currently works as a Product Solutions Manager (EMEA) at AuditBoard. Prior to joining AuditBoard, Chris spent 8 years working in risk, internal audit, and internal controls roles within the eCommerce, retail, and manufacturing industries.