Provision 29: The End of Governance by Good Intention
When your boss has to sign their name to it
Think about the last time you had to sign something you weren't completely sure about. Maybe it was a form at the doctor's office, or a contract you only half-read. There's that moment, pen hovering, where you silently hope everything you just attested to is actually true. Now imagine your CEO, CFO, and board of directors doing the same thing. But instead of a routine form, they're signing a public declaration in the company's annual report stating that your risk management and internal control framework is effective. Not "we believe it to be effective." Not "we haven't heard of any major problems." Effective. Full stop.
That's exactly what the UK's updated Corporate Governance Code, specifically Provision 29, now asks of boards. And if your organization has any connection to the UK (a subsidiary, a trading relationship, UK operations, or UK customers), you need to understand what it means for the GRC program you run every day.
Provision 29 isn't just a UK problem
Many compliance teams outside the UK read "UK Corporate Governance Code" and assume it doesn't apply to them. That's a mistake. Governance signals have a way of traveling, and the two measures described below, Provision 29 and ECCTA 2023, carry real cross-border reach.
Provision 29 of the January 2024 UK Corporate Governance Code takes effect for financial years beginning on or after 1 January 2026. It requires boards to formally declare, in their annual report, whether their material internal controls are working, covering financial, operational, compliance, and reporting risks. If controls fall short, the board must explain the gap and the remediation plan in the same report. Vague assurances and boilerplate language about "ongoing monitoring" won't cut it anymore.
Running alongside it is the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which introduces a "failure to prevent fraud" offence that came into force on 1 September 2025, with deadlines for certain requirements activating during 2026. The reach of this law is explicitly extraterritorial. Large organizations headquartered outside the UK can still face prosecution if an associated person, including overseas employees or subsidiaries, commits a fraud offence connected to the UK. The penalty is unlimited fines, and the only defense is demonstrating that reasonable fraud prevention procedures were in place and operating.
Taken together, Provision 29 and ECCTA 2023 are sending a clear signal: the era of governance-by-good-intention is over.
The real challenge isn't knowing the rules. It's building the foundation.
Most compliance analysts already understand what good looks like in theory. You know controls should be mapped to obligations. You know evidence should be current rather than assembled in a panic the week before an audit. You know that when a new regulation lands, someone needs to own it, update it, and connect it to everything it touches downstream.
The challenge is that most GRC programs aren't actually built that way. They're built on spreadsheets, email chains, annual review cycles, and heroic individual effort. They produce a snapshot of compliance at a moment in time, and that snapshot is already aging the second it's printed.
That's fine, until someone has to sign their name to it.
When a board is required to formally declare that material controls are effective as of the balance sheet date, the question isn't whether the program looks good on paper. The question is whether the program can prove it, continuously and traceably, without scrambling to pull evidence together after the fact.
What a strong GRC program foundation actually looks like
Something important shifts when you move from a compliance project mindset to a continuous GRC program mindset: evidence stops being something you collect and starts being something you produce as a natural byproduct of how the program operates.
In practice, that means monitoring controls on an ongoing basis instead of testing them annually and hoping nothing changed in the intervening eleven months. It means updating obligation-to-control mappings as regulations evolve, automatically and with clear ownership, rather than letting a one-time mapping exercise slowly drift out of date. And when audit season arrives, it means drawing from a single connected record that already reflects current reality instead of assembling a pack from scattered documents and emails.
This is the foundation that gives executives the confidence to make a board-level internal controls declaration. A better audit process won't get them there, and neither will a more thorough annual review. What works is a program architecture where compliance assurance is a continuous output rather than a periodic project. That's what regulators are increasingly looking for, and it's what Provision 29 in particular is designed to surface.
Why continuous GRC compliance is now a baseline expectation
The governance standards driving Provision 29 are consistent with a broader global trend. Regulators in the UK, the EU, the US, and beyond are moving away from point-in-time reporting toward continuous, outcomes-based governance with real accountability at the top. Sarbanes-Oxley pointed this direction for US public companies years ago. Provision 29 is now applying analogous pressure to UK-listed companies, and the ECCTA extends accountability to organizations with any meaningful UK nexus.
For compliance analysts, this matters because the programs you're responsible for building and maintaining are the direct evidence base for what executives will be required to assert. The gap between what a board needs to declare and what most programs can actually demonstrate on demand is where the real exposure lives.
Continuous regulatory change management (tracking new obligations, mapping them to controls, routing ownership, and capturing evidence in real time) is no longer an aspiration. It's the operating model.
Where Archer Evolv™ fits in
This is where purpose-built GRC technology earns its place. Archer Evolv is designed around exactly this operating model: a continuous Listen → Decide → Act → Assure → Learn loop that keeps the GRC program current without depending on manual effort to hold it together.
Regulatory changes are detected and mapped to affected controls automatically. Evidence is captured in the flow of work, not assembled at crunch time. When a control gap emerges, it's visible to the people responsible for fixing it instead of being discovered six months later by an auditor. And when someone at the board level needs to understand whether the risk management and internal control framework is effective, that answer comes from a living, traceable record rather than a best guess assembled under pressure.
For the board-level accountability obligations that Provision 29 and ECCTA 2023 are creating, that's the difference between a declaration your executives can stand behind with confidence and one that keeps them up at night.
The bottom line for risk and compliance analysts
You're the people who actually build and maintain these programs. The board-level declarations under Provision 29 and the fraud prevention obligations under ECCTA ultimately rest on the work you do every day: mapping obligations, maintaining the control library, tracking evidence, flagging gaps, and keeping the whole framework current.
The UK's governance shift is a signal worth paying attention to, even if your organization isn't directly in scope today. Regulators globally are moving toward continuous, board-accountable internal control governance with real consequences attached, and programs built on periodic effort and manual stitching are going to struggle to keep up. The executives above you are the ones who will be asked to publicly confirm otherwise.
The good news is that the foundation isn't complicated to describe: a connected control library, kept current, with evidence that speaks for itself. Build that, and your executives won't have to hover over that pen.
For more information, read a recent article from Governance Intelligence.
FAQ
What is UK Corporate Governance Code Provision 29?
Provision 29 of the 2024 UK Corporate Governance Code requires boards of premium-listed companies to make an explicit annual declaration in their annual report confirming whether their material risk management and internal controls are effective. It applies to financial years beginning on or after 1 January 2026 and covers financial, operational, compliance, and reporting controls.
Does Provision 29 apply to companies outside the UK?
Provision 29 directly applies to companies listed on the UK's FCA-regulated markets. However, multinational organizations with UK-listed subsidiaries, UK operations, or UK regulatory exposure should assess their obligations carefully, as the governance expectations it signals are influencing broader international standards.
What is the ECCTA 2023 "failure to prevent fraud" offence?
The Economic Crime and Corporate Transparency Act 2023 introduced a corporate offence of failing to prevent fraud, which came into force on 1 September 2025. It applies to large organizations globally — including those headquartered outside the UK — where an associated person commits a fraud offence connected to the UK. The only defense is demonstrating that reasonable fraud prevention procedures were in place.
How does a GRC program help with Provision 29 compliance?
A continuous GRC program keeps controls mapped to current obligations, captures evidence as a byproduct of daily operations, and maintains a traceable record that supports board-level internal control declarations. This replaces the point-in-time snapshots of traditional compliance approaches with always-current assurance.
What does Archer Evolv do for internal controls compliance?
Archer Evolv provides an AI-powered GRC operating model — the Listen → Decide → Act → Assure → Learn loop — that continuously monitors regulatory change, maps obligations to controls, routes work to owners with full context, and captures audit-ready evidence automatically. This gives boards the traceable, defensible foundation needed for Provision 29 declarations and ECCTA fraud prevention procedures.