
The preparation period is over. Provision 29 of the UK Corporate Governance Code is now in effect, requiring Boards of UK-listed companies to monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. Crucially, the Provision lists not just financial controls, but “all material controls”, including operational, reporting, and compliance controls.
At a recent Diligent event, Steve Brown, founding partner of Brave Within, was joined by Stefan Gershater, Head of Risk and Governance at the Co-op, and experienced Audit Committee Chair and NED, Carolyn Clarke, for a candid discussion on the reality of implementing Provision 29. They identified several tensions and challenges for risk and governance professionals to navigate.
Provision 29 was designed to deliver transparency and build stakeholder confidence. Maureen Beresford, Director of Corporate Governance and Stewardship at the FRC and author of Provision 29, told the Co-op’s Stefan Gershater that it is about “communicating with shareholders and creating a sense of confidence that your strategy is actually deliverable”. This speaks to the need to engage directors more deeply with the business, beyond financial controls, to demonstrate transparency, confidence, and strategic clarity.
The friction lies in striking a balance between gaining the business’s backing (and investment) to build an effective material controls framework, while also satisfying the audit committee and external auditor that financial controls are adequately covered. In short, the approach must be progressive enough to support business strategy and secure investment in controls, yet conservative enough to satisfy audit committees and avoid regulatory risk.
Richard Moriarty, CEO of the FRC, has repeatedly emphasised that Provision 29 is designed to foster “curiosity and courage in the boardroom.”
Carolyn Clarke has seen this change in progress, noting a distinct shift among the director community towards recognition that they can no longer delegate responsibility to external auditors. They know that they need stronger relationships with providers of internal audit, internal assurance, and internal risk management to achieve the assurance required by the provision. If a strong internal audit function doesn’t exist, budget must be allocated to it.
The situation also spotlights the background of Audit Committee Chairs, many of whom have experience as external auditors or CFOs. Accustomed to receiving guidance through an external audit lens, they are struggling to shift their focus from financial controls to the broader set of material controls in the scope of Provision 29.
The panel acknowledged that defining what constitutes a “material control” in terms of Provision 29 is a subjective and contested process. Selecting controls that are meaningful to both the board and the business – and that satisfy external audit – is not simple.
In preparing its “dummy declaration”, the Co-op took a brave, deliberately broad, business-aligned approach, covering traditional controls but also controls that help the company achieve its growth aims, as Gershater explained: “We said we were going to identify processes, yes, but also policies… and transformation projects as well.”
The Co-op divided its controls into these three different “buckets”:
As an example of this approach, Gershater and his team selected the company’s “buy” function as a material control, on the basis that retailer success depends heavily on a well-functioning buying process. This resonated with business leaders, but external auditors rejected this strategy, favouring narrower, more traditional controls, such as purchase-to-pay.
External audit also criticised Gershater’s decision to identify specific areas for future improvement and the inclusion of a cybersecurity control failure that had been resolved by the end of the reporting period.
On the basis of his dummy declaration experience with external audit, Stefan acknowledges that organisations may feel they should tighten material control definitions and be wary of over-divulging or over-committing to transparency. However, he believes that ultimately, Provision 29 “is headed in the direction the FRC intended: more discursive, more authentic disclosure.”
It’s important to note that Provision 29 does not exist in isolation.
In companies that are SOX compliant, there is a tendency to apply learning from SOX controls programmes to Provision 29 implementation, but this risks creating a too-narrow focus. Conversely, regulations such as the Economic Crime and Corporate Transparency Act (ECCTA), which can result in personal criminal liability for directors, are likely to influence conversations about what is designated as a material control.
These are two examples of factors influencing material control discussion, but there are many more to consider across ESG, AI, and privacy realms. Stefan advises: “We have to be really careful that we’re not thinking about this in isolation or that it is just the same as financial controls, but with a little bit of arms and legs into other areas.”
He believes his business-first approach has been validated. It resulted in increased trust and a mandate for increasing expenditure on risk capability – the business is writing the cheques. The challenge now lies in redressing the equilibrium to satisfy external audit too.