Provision 29 compliance, explained: how boards can turn internal controls into a business advantage

Provision 29 has changed the conversation for UK boards.

This is no longer about showing you have policies, frameworks and good intentions on paper. It is about whether the board can stand up and say, publicly and with confidence, that the company’s material controls were effective at the balance sheet date, and explain how that conclusion was reached across the year.

Under the 2024 UK Corporate Governance Code, that requirement now applies to financial years beginning on or after January 1, 2026.

That changes the standard. It is no longer enough to show a policy exists, or that a process has been documented. Boards need credible evidence that material controls actually operated in practice.

As our partner and LMS, VinciWorks, puts it: “The challenge is not designing controls. The difficulty lies in demonstrating that those controls actually operated throughout the reporting period.”

That is why Provision 29 matters so much. On paper, it looks like a reporting change. In reality, it is forcing organizations to confront whether their control environment is truly visible, testable, and defensible.

At CoreStream GRC, we believe the real opportunity lies here. Provision 29 can be treated as a compliance exercise. Or it can be used to make GRC more useful and valuable to the business.

What is Provision 29?

Provision 29 of the revised UK Corporate Governance Code requires the board to monitor the company’s risk management and internal control framework and, at least annually, review its effectiveness.

As the Financial Reporting Council explains: “Under the 2024 Corporate Governance Code, the revised Provision 29 introduces an additional requirement for the board to provide a declaration of the effectiveness of the company’s material controls. Reporting on material controls should be proportionate, consider the risk appetite of the individual organization, and avoid unnecessary duplication and disclosure of immaterial information.” – Financial Reporting Council

The timing matters. The 2024 Code has applied since January 1, 2025, but Provision 29 itself applies from January 1, 2026. That means many companies are now in the first real declaration cycle.

The big shift is this: boards are moving from “we have controls” to “we can show those controls operated effectively, based on evidence.”

That declaration needs to be backed up. The annual report should explain how the board monitored and reviewed the framework over the reporting period, whether material controls were effective at the balance sheet date, and what happened where controls did not operate effectively.

“Provision 29 effectively asks boards to move from describing governance to proving it.” – VinciWorks

That is a much higher bar.

The scope is broader than many teams first assume. This is not only about financial controls. The FRC has made clear that the review covers all material controls, including financial, operational, reporting, and compliance controls.

There is another important wrinkle. The FRC does not provide a standard list of “material controls.” Boards have to decide what is material based on the organization’s own principal risks, operating model, complexity, and risk appetite.

In other words, the judgement is yours, which means the logic and the evidence behind it have to be defensible.

As Paul Cadwallader, GRC Strategy Director at CoreStream GRC, puts it, Provision 29 should be viewed as a catalyst for a more value-based approach to governance, risk, and compliance: “Traditional GRC focuses on the mechanics of compliance and reporting, whereas introducing the value dimension brings GRC back to the performance goal.”

That matters because the strongest Provision 29 programs will not just produce a declaration. They will create a clearer, more connected view of how controls support performance, accountability, and decision-making across the business.

The real challenge: people-based controls are often real, but not provable

One of the most useful insights from VinciWorks’ Provision 29 analysis is this: “The most difficult controls to evidence are often the ones that depend on human behavior.”

That should ring alarm bells for a lot of organizations, because many important controls fall into exactly that category.

Think about:

  • mandatory compliance training
  • policy attestations
  • conflict of interest disclosures
  • approval workflows
  • whistleblowing awareness
  • regulatory certifications
  • sign-offs and periodic acknowledgements

These are often treated like routine admin. But in reality, they function as genuine controls over conduct, compliance, operational discipline, and risk exposure. “Training, disclosures, attestations and approvals therefore function as genuine risk controls.” – VinciWorks

That is the issue many organizations are now running into. These controls may be real, important, and widely used, but the evidence behind them is often fragmented across spreadsheets, inboxes, shared drives, separate systems, and manual follow-up.

That becomes a problem the moment the board asks basic questions such as:

  • Who was required to complete the control?
  • Did they complete it on time?
  • Was the full population covered?
  • Were exceptions identified?
  • What remediation took place?
  • Can we show this consistently across the whole reporting period?

If the business cannot answer those questions clearly, then the board may struggle to provide credible assurance. This is where Provision 29 is exposing a gap that has existed for years. Organizations often have the control in theory. What they do not always have is a defensible evidence chain.

How Provision 29 can help your business

Provision 29 introduces a formal requirement for boards to declare whether material controls were effective in the annual report. On the surface, that sounds like more pressure. In reality, it can force the kind of clarity most organizations need anyway.

“Everyone agrees Provision 29 could drive genuine improvement—but only if organizations embrace it as an opportunity rather than a checkbox.” – Michael Rasmussen, Pundit and GRC 20/20 founder

That is exactly the dividing line. Once the board has to stand behind a declaration, vague language stops working. Teams need to define what each control is, what it is meant to achieve, what evidence demonstrates operation, and what happens when it fails. That improves much more than year-end reporting.

First, it improves clarity. A control environment cannot be relied on if nobody can clearly explain what is being controlled, how it is monitored, and what counts as failure.

Second, it improves accountability. Provision 29 is not just asking whether the framework exists. It pushes companies to explain what did not operate effectively and what was done about it. That creates a stronger line of sight between control ownership, issues, remediation, and board reporting.

Third, it strengthens assurance. Boards need enough confidence to sign the declaration. That means assurance structures have to be strong enough to support a real conclusion, not a hopeful one. The FRC has been clear that the board’s reporting should reflect how it monitored and reviewed effectiveness, and whether material controls operated effectively at the balance sheet date.

“Provision 29 is more than a reporting requirement. It is a catalyst.” – Michael Rasmussen, Pundit and GRC 20/20 founder

This is where the case for value-based GRC gets more interesting. When controls are tied to outcomes, GRC stops looking like overhead and starts acting like an operating advantage. Better control clarity can mean fewer delays, cleaner escalation, faster approvals, and better management confidence.

The value case usually lands in three buckets.

  1. Business outcomes. Better-defined controls reduce friction and support faster decisions. One CoreStream GRC client reduced headcount approval time from six months to one week by improving transparency and decision confidence.
  2. Transparency and accountability. Provision 29 gives boards and executives a clearer picture of what is working, what is not, and where remediation is stalling.
  3. Cost effectiveness. When evidence is captured through the workflow instead of reconstructed through email chains, screenshots, and manual chasing, teams spend less time proving work after the fact.

That is the bigger point. Provision 29 can feel laborious at first because it demands precision. But that precision is useful. If you build for the declaration properly, you usually end up running the business better too.

“GRC is not only about avoiding the downside. It should actively drive value.” – Paul Cadwallader, GRC Strategy Director, CoreStream GRC

How to optimize your existing program to be more strategic

This section is about one thing: making sure the board can sign the Provision 29 declaration without hand-waving. That means you need a clear scope, a repeatable evaluation method, and evidence that stands up at year end.

3.1 Start with what the board must declare, then work backwards from the annual report wording

Begin with what the board will actually need to say in the annual report. Under Provision 29, boards are expected to describe how they monitored and reviewed the effectiveness of the framework, declare whether material controls were effective at the balance sheet date, and explain any material controls that did not operate effectively and what action was taken or proposed. From there, work backwards.

Define your material controls population in a way that clearly links to principal risks. Then agree what evidence the board will accept. System records, workflow history, attestation logs, testing results, and audit trails are defensible. General statements, scattered emails, or screenshots from shared drives are much harder to rely on. The FRC’s position is clear: the board’s conclusion needs to be grounded in monitoring, review, and evidence.

3.2 Pick 2–3 priority control areas to industrialize first (where Provision 29 risk is highest)

You do not need to perfect every control at once. You need to make sure the highest-risk areas can be evidenced and evaluated repeatably before the board has to declare on them.

The timing pressure is real. The Institute of Chartered Accountants in England and Wales (ICAEW) has been blunt that the revised requirements apply to 2026 financial years and that work needs to start soon.

Start where failures are common and evidence is messy.

People-dependent controls are often the first weak spot. Training completion, policy attestations, conflicts disclosures, approvals, and sign-offs are frequently treated as routine admin. Under Provision 29, they become much harder to wave through if they cannot be evidenced properly.

Cross-functional controls are another risk area. Third-party onboarding and renewals, access reviews, incident response, and regulatory reporting often break down because ownership is split across teams.

Then there are controls with a known exceptions profile, the places where you already see recurring failures, slippage, or late completion. Those are the areas most likely to create discomfort at board level.

The goal is to turn each priority area into a repeatable pattern: named control owners, known evidence sources, a clear testing method, an exception workflow, and a board reporting view. That is how you avoid year-end theatre. Evidence should be captured in the workflow itself, not rebuilt from memory after the fact.

3.3 Decide on metrics that prove operation and remediation, not just activity for the sake of it

Provision 29 is not asking “how many GRC things did you do?” or “how much time did you sink into reporting?”. It is asking whether material controls were effective, and if not, what changed.

Use the disclosure requirement as your metric checklist: you may need to explain what did not operate effectively and what action was taken.

Metrics that map directly to the declaration

  • Operation and coverage: did the control run when required, for the full population, and on time?
  • Effectiveness signals: testing pass rates, exception rates, repeat exceptions, severity, time-to-remediate.
  • Closure quality: remediation completed, validated, and re-tested where needed (not just “marked done”).
  • Board-readiness: can you produce a single view showing control status, evidence, exceptions, and remediation without manual stitching?

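As an added illustration (this is not code from CoreStream GRC, VinciWorks, or the original article), the following Python computes the metrics listed above over a constructed set of attestation records for one people-dependent control: coverage and timeliness per period, repeat exceptions across periods, and closure quality measured as validated remediation rather than "marked done". The same output answers the board's basic questions from earlier in the article (who was required, did they complete on time, was the full population covered, were exceptions identified, what remediation took place, and is it consistent across the period). The names, dates, and field layout are hypothetical; a real program would read these records from the workflow system that captured them.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class AttestationRecord:
    """One person's obligation under a people-dependent control in one period."""
    period: str                  # reporting period the control ran in
    person: str                  # member of the required population
    due: date                    # date by which the control had to operate
    completed: Optional[date]    # None means it never operated for this person
    # Exception handling, populated only when the attestation was late or missing
    remediation_closed: Optional[date] = None
    remediation_validated: bool = False   # re-tested / evidence checked, not just "marked done"


# Constructed sample population (hypothetical names and dates, not data from the page):
# a quarterly policy attestation tracked across two periods.
RECORDS = [
    AttestationRecord("Q1", "alice", date(2026, 3, 31), date(2026, 3, 10)),
    AttestationRecord("Q1", "bob",   date(2026, 3, 31), date(2026, 4, 5),
                      remediation_closed=date(2026, 4, 5), remediation_validated=True),
    AttestationRecord("Q1", "carol", date(2026, 3, 31), None,
                      remediation_closed=date(2026, 5, 1)),          # closed but never validated
    AttestationRecord("Q1", "dan",   date(2026, 3, 31), date(2026, 3, 30)),
    AttestationRecord("Q2", "alice", date(2026, 6, 30), date(2026, 6, 15)),
    AttestationRecord("Q2", "bob",   date(2026, 6, 30), date(2026, 7, 10),
                      remediation_closed=date(2026, 7, 12), remediation_validated=True),
    AttestationRecord("Q2", "carol", date(2026, 6, 30), date(2026, 6, 29)),
    AttestationRecord("Q2", "dan",   date(2026, 6, 30), None),       # still open at period end
]


def is_exception(rec: AttestationRecord) -> bool:
    """The control did not operate as designed: missing, or completed after the due date."""
    return rec.completed is None or rec.completed > rec.due


def operation_metrics(records, period):
    """Operation and coverage for one period: did the control run for the whole population, on time?"""
    rows = [r for r in records if r.period == period]
    required = len(rows)
    completed = sum(1 for r in rows if r.completed is not None)
    on_time = sum(1 for r in rows if r.completed is not None and r.completed <= r.due)
    exceptions = sum(1 for r in rows if is_exception(r))
    return {
        "period": period,
        "required": required,
        "completed": completed,
        "coverage": completed / required if required else 0.0,
        "on_time_rate": on_time / required if required else 0.0,
        "exception_rate": exceptions / required if required else 0.0,
    }


def repeat_exceptions(records):
    """People who failed the control in more than one period: a signal the control design needs attention."""
    periods_by_person = {}
    for r in records:
        if is_exception(r):
            periods_by_person.setdefault(r.person, set()).add(r.period)
    return sorted(p for p, periods in periods_by_person.items() if len(periods) > 1)


def remediation_metrics(records):
    """Closure quality across the whole reporting period; time-to-remediate is counted from the due date."""
    exceptions = [r for r in records if is_exception(r)]
    closed = [r for r in exceptions if r.remediation_closed is not None]
    validated = [r for r in closed if r.remediation_validated]
    days_to_close = [(r.remediation_closed - r.due).days for r in closed]
    return {
        "exceptions": len(exceptions),
        "closed": len(closed),
        "validated": len(validated),
        "open": len(exceptions) - len(closed),
        "median_days_to_remediate": median(days_to_close) if days_to_close else None,
    }


def board_view(records):
    """Single view of operation, repeat failures and remediation, produced without manual stitching."""
    periods = sorted({r.period for r in records})
    return {
        "periods": [operation_metrics(records, p) for p in periods],
        "repeat_exceptions": repeat_exceptions(records),
        "remediation": remediation_metrics(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(board_view(RECORDS), indent=2))
```

On the constructed data, each period shows 75% coverage but only 50% on-time completion, one person appears as a repeat exception, and of four exceptions only two were closed with validation and one is still open. That distinction between "completed", "on time", "closed" and "validated" is exactly what a declaration-ready metric set has to preserve.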
“These forms of measurement… shouldn’t be seen as adding bureaucracy… If they are seen as adding to bureaucracy, you’ve made the process too complex!” – Paul Cadwallader, GRC Strategy Director, CoreStream GRC

4. Embedding Provision 29 into a wider value-based GRC approach

4.1 What “value-based GRC” actually means in this context

Value-based GRC is not just a slogan. In this context, it means connecting governance, risk, and compliance to the outcomes the organization is actually trying to achieve. Paul Cadwallader, GRC Strategy Director at CoreStream GRC, defines it clearly: “Value-based GRC aligns governance, risk and compliance with what matters most, the organization’s strategic goals and objectives.”

That matters for Provision 29 because the declaration becomes much easier to support when controls, risks, issues, ownership, and outcomes are already connected.

If control ownership sits in one place, testing in another, people evidence in a third, and board reporting in a fourth, the business ends up stitching together a story instead of managing the control environment properly. Provision 29 makes that fragmentation harder to hide.

4.2 The people-controls gap

A large share of real controls depends on human behavior. Training, attestations, disclosures, approvals, and certifications are often critical to managing risk. But they are rarely captured in a way that is genuinely board-ready. That creates a gap between operational activity and board assurance.

VinciWorks addresses the behavioral evidence side by generating structured, defensible records of compliance adoption, including training completion, policy attestations, and disclosures. CoreStream GRC connects that evidence into the wider internal control framework, linking it to ownership, testing, exception handling, remediation, and board reporting.

Provision 29 does not ask for isolated evidence points. It asks for a defensible control story. As VinciWorks puts it, “When those processes are treated as formal controls rather than administrative tasks, the gap between operational activity and board assurance begins to close.”

4.3 Why disconnected tooling fails Provision 29

Provision 29 is unlikely to fail because boards do not care. It is more likely to fail because organizations are trying to evidence critical controls through email trails, one-off exports, local trackers, and tools that do not reflect how the business actually works.

That creates familiar problems: incomplete coverage, inconsistent reporting, weak exception handling, and lots of manual reconstruction at year end. Provision 29 exposes that weakness fast. Where evidence is not captured in a connected, repeatable way, boards are left with fragmented assurance instead of a reliable view of control effectiveness.

Final thought from CoreStream GRC and VinciWorks

Provision 29 raises the bar for boards, but it also creates an opportunity. Organizations that treat it as a year-end reporting exercise will feel the pressure. Organizations that use it to improve control clarity, evidence, and accountability will get more than compliance in return.

The real test is whether the business can show, with confidence, that its material controls operated effectively and that issues were identified, managed, and remediated in a way the board can stand behind. Better proof. Better oversight. A control environment the board can actually use.

Want to make Provision 29 reporting more defensible and more useful?