How to read aa GRC Score
Governance

Provision 29 Corporate Governance Code: What Boards Need to Know

July 14, 2026

Provision 29 of the UK Corporate Governance Code 2024 marks one of the most significant shifts in board accountability in a generation. For financial years beginning on or after 1 January 2026, boards of UK premium-listed companies must formally declare whether their material controls were effective at the balance sheet date. This is not a disclosure update. It is a change in the standard of evidence the board is expected to hold before it can sign the annual report.

This article explains what Provision 29 requires, how it differs from what came before, and what boards need to do to meet the obligation with confidence.

What Is Provision 29 of the Corporate Governance Code?

Provision 29 of the UK Corporate Governance Code 2024 requires the board to monitor the company's risk management and internal control framework and carry out a review of its effectiveness at least annually. That monitoring and review must cover all material controls, including financial, operational, reporting, and compliance controls.

The full text of the provision reads:

Provision 29 : UK Corporate Governance Code 2024 (FRC)

The board should monitor the company's risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls.

The board should provide in the annual report:

  •  A description of how the board has monitored and reviewed the effectiveness of the framework;
  •  A declaration of effectiveness of the material controls as at the balance sheet date; and
  •  A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve.

The key word in that list is declaration. Before the 2024 Code, boards were expected to show they had conducted a review. Now they are expected to state a conclusion. That is a meaningfully higher bar.

When Does Provision 29 Come Into Effect?

The 2024 UK Corporate Governance Code applied from 1 January 2025 for most provisions. Provision 29 was given a one-year deferral to allow boards sufficient time to build their internal control frameworks and testing processes. It applies to financial years beginning on or after 1 January 2026.

As a result, the first annual reports containing the new Provision 29 declaration are expected to appear from 2027 onwards, covering the 2026 financial year. The Financial Reporting Council has confirmed it does not require or expect early adoption before this timeline.

Provision 29 Timeline at a Glance

January 2024: FRC publishes the revised UK Corporate Governance Code 2024

1 January 2025: Most provisions of the 2024 Code come into force

1 January 2026: Provision 29 declaration requirement comes into force

From 2027: First annual reports containing Provision 29 declarations expected

Basis: Comply or explain (applicable to all UK premium-listed companies)

What Changed from the 2018 Corporate Governance Code?

Under the 2018 UK Corporate Governance Code, Provision 26 (which covered similar ground) required boards to monitor and review the effectiveness of risk management and internal control systems and to report on that review in the annual report. Companies were expected to confirm that monitoring had been carried out, but there was no requirement to state whether controls had actually been effective.

The 2024 Code makes three significant changes:

  • Formal declaration: Boards must now explicitly state whether material controls were effective at the balance sheet date, not simply confirm that a review took place.
  • Broader scope: The 2024 Code extends coverage to include reporting controls, such as narrative and ESG reporting controls, alongside financial, operational, and compliance controls.
  • Mandatory disclosure of failures: Where material controls have not operated effectively, the board must disclose this in the annual report and describe the action taken or proposed to address the issue.

The practical implication is that boards can no longer rely on process language in the annual report. The declaration requires a conclusion backed by evidence, and any weakness identified during the year needs to be surfaced and addressed.

What Are Material Controls Under Provision 29?

The Financial Reporting Council has deliberately chosen not to define material controls in the code or to publish a standard list of what they should include. This is an intentional policy choice, not an oversight. The FRC does not want companies working from a template and treating compliance as a tick-box exercise.

Instead, each board is responsible for determining which controls are material, based on the company's own principal risks, operating model, strategy, size, and complexity. A useful working principle is to ask whether the failure of a given control could reasonably be expected to have a material adverse impact on the company's financial position, operations, regulatory standing, or long-term sustainability.

How the FRC Describes Materiality

Ask whether the failure of a control would be significant enough that investors need to know quickly.

Consider risks that threaten the business model, solvency, or reputation.

Look at impact holistically : on and off the balance sheet, including effects on shareholder sentiment, consumer trust, and public profile.

The FRC will not comment on whether the controls a company has chosen are the right ones, or whether the number is appropriate.

Source: FRC Provision 29 Mythbuster, January 2026

Based on early engagement with companies preparing for Provision 29, the FRC has noted that most companies are identifying somewhere between 30 and 50 material controls. Companies in the financial services sector, or those with more complex operating models, may identify more. There is no minimum or maximum. The number should reflect the genuine risk profile of the business.

Importantly, companies are not required to publish a list of their material controls in the annual report. The reporting should describe the governance process that led to the selection of those controls and the oversight the board has maintained. Commercially sensitive details about specific control failures, such as technical cyber security measures, do not need to be disclosed.

The Four Categories of Material Controls

Provision 29 covers a broader control landscape than many boards initially assume. It is not limited to financial controls. The review must span all four categories:

  • Financial controls: Controls over financial reporting accuracy, the integrity of financial statements, and the reliability of financial data used in board decision-making.
  • Operational controls: Controls over key business processes, including those governing approvals, delegated authority, procurement, supply chain integrity, and business continuity.
  • Reporting controls: Controls over the quality and accuracy of all external reporting, including narrative reporting, sustainability disclosures, and ESG data. This category is new compared to the 2018 Code.
  • Compliance controls: Controls that ensure the company meets its legal, regulatory, and policy obligations, including regulatory licensing conditions, data protection requirements, and conduct standards.

This four-category scope means that companies reporting under the US Sarbanes-Oxley Act (SOX) will need to go beyond their existing SOX framework. SOX focuses primarily on financial reporting controls. Provision 29 requires the board to extend its coverage to operational, reporting, and compliance controls in a way that SOX does not.

What the Board Declaration Must Include

Provision 29 requires three distinct elements in the annual report. These are not optional disclosures or narrative additions. They are the minimum standard for compliance:

1. Monitoring and review description

An explanation of how the board has monitored and reviewed the effectiveness of the risk management and internal control framework throughout the year. This should describe who was involved, what evidence was examined, what oversight committees reviewed, and how conclusions were reached. General statements that monitoring occurred will not be sufficient.

2. Declaration of effectiveness

A clear, formal declaration by the board stating whether material controls were effective as at the balance sheet date. The FRC has not prescribed standard wording for this declaration, so boards have flexibility in how they frame it. What matters is that the declaration is clearly signposted in the annual report and reflects genuine board-level confidence based on the monitoring process.

3. Disclosure of control failures and remediation

A description of any material controls that did not operate effectively at the balance sheet date, along with the actions taken or proposed to improve them. Where issues have previously been reported, an update on progress is also expected. There is no requirement to restate the declaration if something comes to light after the balance sheet date, but issues that existed at the balance sheet date must be disclosed.

The FRC has indicated that, in most cases, this reporting should be no longer than two pages in the annual report. Proportionality is important. The declaration is not an opportunity to produce a comprehensive audit manual. It is an evidence-backed conclusion from the board about the state of controls at year end.

Who Does Provision 29 Apply To?

The UK Corporate Governance Code applies on a comply-or-explain basis to all companies with a premium listing on the London Stock Exchange. This includes FTSE 350 companies, closed-ended investment funds, and commercial companies listed under the UK Listing Rules.

The comply-or-explain approach means that companies can depart from the provision, but must provide a meaningful explanation of why they have done so and how they have otherwise addressed the underlying governance objective. The FRC has been clear that boilerplate explanations are not acceptable. Any decision to depart from the Code must be reconsidered and justified in each reporting year.

Companies not subject to the UK Corporate Governance Code, such as AIM-listed companies or private companies, are not directly required to comply with Provision 29. However, many are reviewing its requirements as a governance benchmark and considering voluntary adoption or alignment.

How to Comply with Provision 29: A Practical Board Approach

Provision 29 compliance is not a year-end reporting exercise. The declaration can only be made credibly if the board has maintained genuine oversight throughout the year. The following steps reflect the approach that emerging market practice supports.

Step 1: Define Your Material Controls Population

Start by identifying which controls meet the materiality threshold for your organisation. Work from the board's principal risk register. For each principal risk, identify the controls that are most critical to preventing or mitigating that risk. Cross-check against the four categories: financial, operational, reporting, and compliance. Document the rationale for why each control has been classified as material. This process should be board-sponsored, typically with the Audit Committee Chair leading and the CFO, Chief Risk Officer, Head of Internal Audit, and Company Secretary involved. In practice, most companies are arriving at between 30 and 50 controls, though the right number depends entirely on the risk profile of the business.

Step 2: Establish Board-Level Governance and Ownership

Each material control should have a named owner who is accountable for its operation and for raising issues when it is not functioning as intended. The Audit Committee should have a defined role in overseeing the monitoring process and reviewing evidence before the board reaches its conclusion. The governance structure should be documented so that the annual report can describe it clearly. The board's oversight role is not to manage the controls themselves but to receive credible evidence from those who do.

Step 3: Monitor and Test Controls Throughout the Year

Evidence of effectiveness needs to be gathered across the reporting period, not reconstructed at year end. Controls should be tested through a combination of management self-assessment, second-line risk and compliance reviews, and internal audit. The testing approach for each material control should reflect its nature and risk level. People-dependent controls, such as policy attestations, approval workflows, mandatory training completion, and conflict of interest disclosures, are often the most difficult to evidence because activity happens across many individuals and systems. These controls need structured, repeatable tracking rather than manual follow-up at year end.

Step 4: Build and Retain the Evidence Chain

The board's declaration rests on the quality of the evidence the organisation has collected. System records, workflow logs, testing results, audit findings, and control owner sign-offs are defensible forms of evidence. Emails, spreadsheets, and manual summaries reconstructed after the fact are not. For each material control, there should be a clear record showing: that the control ran when required; that it covered the full population it was intended to cover; whether it operated without exceptions or what exceptions arose; and what remediation took place where it did not operate effectively.

Step 5: Draft and Sign the Annual Report Declaration

Before the board signs the declaration, the Audit Committee should review the full picture of evidence, exception rates, and remediation status across the material controls population. Any control that did not operate effectively at the balance sheet date must be captured in the declaration. The board should satisfy itself that the monitoring process has been robust enough to support a credible conclusion, not merely that a review has taken place. The declaration itself should be clearly located in the annual report and written in language that reflects genuine board-level confidence.

Provision 29 Board Readiness Checklist

Material controls population defined, documented, and linked to principal risks

Board-level sponsor and Audit Committee ownership confirmed

Named control owners assigned for all material controls

Monitoring and testing activity carried out across the reporting period

Evidence captured in structured, defensible form (not email chains or manual logs)

Exceptions identified, escalated, and remediation status tracked

Audit Committee reviewed evidence and summary before board declaration

Annual report includes all three required Provision 29 elements

Disclosure of any controls not operating effectively, with remediation detail

Provision 29 and the GRC Framework

The requirements of Provision 29 align closely with the six domains of a GRC framework: Governance and Oversight, Risk Management, Regulatory Compliance, Information Security, Operational Resilience, and Third-Party Risk. Each of these domains generates controls, and the material controls that boards need to declare on will typically draw from several of them.

For organisations that have invested in a GRC framework, Provision 29 is an opportunity to put that framework to work in a board-visible way. The risk register provides the starting point for identifying material controls. The compliance monitoring programme provides the testing evidence. Internal audit provides independent assurance. The GRC score across domains gives the board a structured basis for reaching and documenting its conclusion.

For organisations that have not yet built a connected GRC framework, Provision 29 makes the case for doing so. Managing the declaration requirement through disconnected tools, shared drives, and manual follow-up is both inefficient and risky. The board's conclusion needs to be supported by an evidence chain that can be produced quickly, reviewed consistently, and updated throughout the year.

The Financial Reporting Council has been explicit that Provision 29 is not intended to create a UK equivalent of the US Sarbanes-Oxley regime. There is no requirement for external audit attestation, no prescribed control framework, and no mandated evidence format. The Code places the judgment with the board, which is precisely why the board needs a structured, defensible process behind the declaration it signs.

Frequently Asked Questions About Provision 29

What is Provision 29 of the UK Corporate Governance Code?

Provision 29 of the 2024 UK Corporate Governance Code requires boards of premium-listed companies to monitor and review their risk management and internal control framework and, from financial years beginning on or after 1 January 2026, to provide a formal declaration in the annual report on whether material controls were effective at the balance sheet date.

When does the Provision 29 declaration requirement come into force?

Provision 29 applies to financial years beginning on or after 1 January 2026. The first annual reports containing the new declaration are therefore expected from 2027 onwards. The 2024 Code as a whole applied from 1 January 2025, but Provision 29 was deferred by one year to give boards time to prepare.

What are material controls under Provision 29?

Material controls are those whose failure could reasonably be expected to have a material adverse impact on the company. Each board defines its own material controls based on its principal risks, business model, size, and complexity. The FRC does not provide a standard list. In practice, companies are identifying between 30 and 50 material controls across financial, operational, reporting, and compliance categories.

Does Provision 29 require boards to publish a list of their material controls?

No. The FRC does not expect companies to list their material controls in the annual report, nor to describe the specific testing they have carried out. The annual report should instead explain the governance process the board followed in reaching its conclusion and the oversight it maintained throughout the year.

Do boards need external assurance to comply with Provision 29?

No. The UK Corporate Governance Code does not require external assurance over material controls. Whether to commission external assurance, and over which areas, is a decision for the individual board. Some boards may choose it for higher-risk or more complex control areas; others may rely solely on internal audit and management testing.

How is Provision 29 different from the 2018 Corporate Governance Code?

The 2018 Code required boards to monitor and review internal controls but did not require a formal declaration of effectiveness. The 2024 Code adds that specific declaration, extends the scope to include reporting controls such as narrative and ESG reporting, and requires disclosure of any material controls that did not operate effectively along with remediation actions.

What happens if a material control fails under Provision 29?

If a material control has not operated effectively as at the balance sheet date, the board must disclose this in the annual report and describe the action taken or proposed to improve it. There is no requirement to restate the declaration if a failure comes to light after the balance sheet date. However, if an issue existed at the balance sheet date and was known at the time of reporting, it must be included.

How long should the Provision 29 section of the annual report be?

The FRC expects the reporting to be proportionate and concise. In most cases, the full Provision 29 disclosure, covering the monitoring description, the declaration, and any control failure disclosures, is expected to be no longer than two pages.

GRC Assessment & Benchmarking

Evaluate your governance, risk, and compliance performance. Receive your GRC Score. Join organisations & professionals building verifiable, standards-based trust.