For many, 2026 will mark a defining moment for internal controls reporting, as companies move beyond describing frameworks and policies to making a clearer declaration on the effectiveness of material internal controls. While the requirement may look like a modest extension to existing governance disclosures, experience to date shows that achieving a credible, evidence-based declaration presents a significant governance, scoping and assurance challenge. Emma Young provides a summary of what organisations need to consider in 2026 to meet Provision 29 requirements for first-year reporting.
Organisations are now shifting from understanding the requirements of Provision 29 to hard‑wiring governance arrangements that will stand up to sustained board scrutiny and external challenge. With first‑year reporting approaching, 2026 needs to be treated not as a final preparation phase, but as a live test of whether accountability, risk assessment and assurance models are genuinely fit for purpose.
To recap, what does Provision 29 require?
Provision 29 of the UK Corporate Governance Code requires boards to:
Monitor the company’s risk management and internal control framework throughout the year.
Review the effectiveness of material controls covering operational, reporting, compliance and financial risks.
Include a declaration in the annual report as to whether these controls have operated effectively at the balance sheet date.
Where material weaknesses exist, explain the actions taken or planned to remediate them.
Importantly, the focus is not on demonstrating that every control works perfectly, but on whether the board can evidence a robust process for identifying, assessing, testing and concluding on the effectiveness of controls that matter most to investor decision‑making.
Why 2026 preparations are different
Many companies made early progress by mapping existing controls, refreshing documentation or piloting elements of testing. However, our recent 2025 Corporate Governance Review showed that 45% of companies only partially met the spirit of Provision 29 to date. The difference in 2026 will be that boards are expected to stand behind a formal effectiveness conclusion.
This drives three fundamental shifts:
1. Management ownership to board ownership: Provision 29 is not a management attestation. Boards and audit committees must own the effectiveness conclusion, understand the basis on which it is reached, and be able to explain how they have challenged it.
2. Broad frameworks to risk-based scoping: Companies need to be crystal clear on why certain controls are defined as “material” and others are not. This judgement must be grounded in risk assessment, materiality and investor relevance – not convenience or legacy structure.
3. Ad hoc assurance to a coherent assurance model: The existence of assurance activity is no longer enough. Boards need confidence that assurance is proportionate, coordinated across the three lines of defence, and sufficient to support a declaration.
Importantly, the Financial Reporting Council (FRC) has been clear that Provision 29 is intended to be applied proportionately. It does not expect companies to publish exhaustive lists of material controls, disclose detailed control testing methodologies, or reveal commercially sensitive information in their annual reports. Nor does the Code mandate external assurance over the effectiveness statement. Instead, the FRC emphasises that decisions around the nature and extent of assurance are for boards and management to determine, based on the company’s specific risk profile and circumstances. That said, proportionality should not be confused with a light‑touch approach: boards are still expected to demonstrate a clear, well‑evidenced basis for their effectiveness conclusions and to show how they have exercised judgement, challenge and oversight throughout the year.
Key priorities for organisations for the rest of 2026
Based on our experience talking with companies preparing for first-year reporting, several priorities have become clear and now need to be front of mind.
Clarify roles, responsibilities and accountability
Organisations should revisit how responsibilities for risk management, internal control and assurance are defined across the three lines of defence. A recurring challenge is ambiguity over where accountability truly sits – particularly where responsibilities are shared between group functions, business units or third‑party providers. Boards should be satisfied that accountability for the Provision 29 conclusion is unambiguous and that escalation routes are clear.
Finalise and stress-test scoping decisions
Scoping is one of the most sensitive areas of Provision 29. Companies should be able to articulate:
How material risks have been identified and prioritised.
Which processes, locations, systems and controls are in scope.
Why certain controls are considered material to investor decision‑making.
How materiality thresholds have been applied consistently.
Crucially, this rationale needs to be defensible – not just internally, but if challenged by regulators or investors.
Mature the approach to documenting and assessing controls
Documentation should support assurance, not exist for its own sake. Companies need confidence that:
Key processes and controls are documented clearly and consistently.
Entity‑level controls are identified and understood.
Control gaps are tracked, prioritised and remediated.
Evidence of control operation is retained in a way that enables effective testing.
This applies equally across operational, compliance, reporting and financial controls.
Establish an assurance model that genuinely supports the declaration
Boards should challenge whether the current assurance framework is sufficient. Key questions include:
What level of testing is enough to support an effectiveness conclusion?
How are first‑ and second‑line activities coordinated?
Where does independent assurance sit, and is it scalable?
How is progress against remediation actions monitored?
Disjointed or duplicative assurance activity often creates noise without confidence. A joined‑up model is essential.
Focus on monitoring, reporting and culture
Provision 29 is not an annual event. Boards need visibility of control effectiveness throughout the year, supported by:
Regular, meaningful reporting on control operation and issues.
Clear governance forums with defined remits.
A culture that supports transparent internal reporting and early escalation of weaknesses.
The quality of insight matters as much as the volume of reporting.
Link material risks and controls in a consistent way
Where organisations, particularly some operating in Financial Services, have identified Primary Risks, this also creates an opportunity to confirm whether the material controls cover these Primary Risks. This would ensure the top-down view of risks has been considered in the identification of material controls.
Using Provision 29 as a catalyst for better governance, not just a compliance exercise
Organisations deriving the most value from Provision 29 are not treating it as a compliance exercise. Instead, they are using it to strengthen governance, embed continuous improvement, and future‑proof risk management and internal control frameworks.
With first-year reporting fast approaching, boards should now be asking whether their current arrangements would genuinely support a clear, confident declaration. If the answer is uncertain, 2026 is the year to address it.
Provision 29 will succeed where it is treated as a governance discipline, not a compliance milestone – with clear accountability, transparent reporting and informed board challenge.
Next steps for you now:
As first-year reporting approaches, organisations need a clear line of sight from preparation to declaration. Here are five priorities:
Lock foundations early: confirm board ownership, finalise risk-based scoping of material controls, and clearly document judgement and accountability.
Focus testing on what matters: prioritise evidence and testing of controls that genuinely underpin the effectiveness declaration, escalating issues promptly.
Embed monitoring and assurance into BAU: ensure joined-up assurance across the three lines, with regular, insight-driven reporting to the board.
Move from evidence to judgement before year-end: rehearse challenge at Audit Committee level and agree a balanced, defensible conclusion.
Use year one to strengthen governance: keep disclosures clear and proportionate, and leverage lessons learned to embed continuous improvement beyond compliance.
Get in touch
If you would like to discuss how to prioritise your focus in 2026 and build confidence ahead of first‑year reporting, please get in touch with our Business Risk Services team.