
UK Corporate Governance Code Provision 29: A New Standard for Global Risk Oversight

  • Kirsty Hart
  • Sep 9

The United Kingdom is setting the tone in the global corporate governance conversation. Provision 29 of the revised UK Corporate Governance Code 2024 marks a significant development in how boards are expected to assess and disclose the effectiveness of their risk management and internal control arrangements. While applicable only to UK-listed companies, the principles embedded in the provision are already resonating with practitioners, investors, and regulators beyond the country's borders.


Provision 29 requires boards to produce an annual declaration on the effectiveness of material internal controls. These controls extend beyond traditional financial reporting to cover operational processes, compliance activities, and the increasingly important sphere of narrative and non-financial reporting. This breadth reflects the reality that risks are interconnected and that oversight must be equally comprehensive.


Although comparisons to the U.S. Sarbanes-Oxley Act (SOX) are common, there are key differences. Provision 29 remains a principles-based requirement within the UK's "comply or explain" framework. It does not mandate auditor attestation, impose statutory penalties for deficiencies, or prescribe a rigid methodology. Instead, it relies on transparency, investor scrutiny, and reputational accountability to drive compliance. The underlying philosophy is that boards should have flexibility in how they design, operate, and assess controls, provided they can clearly explain their approach and conclusions.


Alignment with Established Risk Management Frameworks

One reason the provision is attracting international interest is its compatibility with widely recognized Enterprise Risk Management (ERM) frameworks:


The COSO framework emphasizes governance structures, strategic integration, and performance monitoring. Provision 29's requirement for a board-level declaration reinforces these principles by making directors explicitly accountable for the adequacy and effectiveness of the control environment.


ISO 31000, the global standard for risk management, calls for a systematic approach to identifying, analyzing, and mitigating risk. Boards adopting ISO 31000 principles will find they already address many of the processes necessary to meet Provision 29 requirements.

Although the "Three Lines of Defense" model is not referenced explicitly, the approach anticipated under Provision 29 aligns naturally with its logic: operational management as the first line, risk and compliance functions as the second, and independent assurance as the third. This structure provides a coherent evidence base for the annual declaration.

For organizations with mature ERM systems, complying with Provision 29 may not require wholesale change. The main adjustment lies in enhancing the integration of control evaluations into board reporting cycles, documenting assurance activities in a way that supports public statements, and ensuring the process is embedded in both culture and practice.


Historical Precedents of UK Regulatory Influence

Provision 29 sits within a long tradition of UK regulatory and governance developments whose influence has extended far beyond domestic borders:


· The Cadbury Report of 1992 established principles for board responsibilities, audit committees, and the "comply or explain" approach. Its ideas were integrated into the UK's Combined Code and have influenced national governance codes from South Africa's King Reports to Singapore's Code of Corporate Governance, as well as shaping the OECD Principles of Corporate Governance.


· The UK's company law framework, particularly as consolidated in the Companies Act 2006, has provided a reference point for many Commonwealth jurisdictions and other countries operating under common law traditions. While individual statutes vary, concepts such as directors' duties, shareholder rights, and disclosure obligations owe much to the UK model.


· The UK Bribery Act 2010 introduced a corporate offense of failure to prevent bribery, applied to both public and private sectors, and included extraterritorial jurisdiction. This uncompromising approach has prompted multinational companies to strengthen their global anti-bribery programs and has been studied by other legislatures considering similar provisions.


· The Modern Slavery Act 2015 pioneered mandatory annual reporting on steps taken to prevent forced labor and human trafficking in operations and supply chains. This transparency model has since been adopted in Australia and is reflected in current and forthcoming EU supply-chain due diligence laws.


· The Senior Managers and Certification Regime (SMCR), introduced in UK financial services in 2016, assigned prescribed responsibilities to named individuals and required annual certification of certain roles. Variants of this accountability framework now exist in Hong Kong, Australia, Singapore, and Ireland, reflecting a shared regulatory goal of ensuring personal responsibility in senior roles.


Why Organizations Outside the UK Should Pay Attention

Provision 29's influence is not driven by statutory enforcement powers. Instead, it is becoming a reference point because it codifies governance practices that many institutional investors and rating agencies already value. A clear and credible board-level statement on control effectiveness signals organizational maturity, transparency, and a proactive stance toward risk.


For multinational groups, adopting processes that meet or align with Provision 29 offers several advantages. It strengthens investor confidence, facilitates consistent risk oversight across jurisdictions, and prepares the organization for possible adoption of similar rules in other markets. It can also improve internal efficiency by embedding risk evaluation into strategic decision-making rather than treating it as an isolated compliance exercise.

Provision 29 is unlikely to become a universal legal requirement in the near term, but its principles are positioned to influence global practice. As boards and executives face increasingly complex risk environments, frameworks that combine flexibility with accountability will be at a premium.


The decision for organizations outside the UK is not simply whether to comply—it is whether to benchmark themselves against an approach that is gaining traction among investors, regulators, and governance professionals as a credible model for integrated risk oversight. Those who adopt its principles early may gain both reputational and operational benefits, while those who wait risk being seen as lagging behind emerging expectations.


Take Action: Transform Risk Management Lessons into Practice

Ready to explore how Provision 29's principles can strengthen your organization's risk oversight?


  • Explore how the principles of Provision 29 offer globally relevant strategies for strengthening risk and internal control systems

  • Learn how to proactively address third- and fourth-party risk across complex supply chains

  • Discover why treating risk management as a strategic capability, not just a compliance requirement, positions your organization for long-term resilience


In this eBook, you'll find six clear, actionable lessons that help translate the principles of Provision 29 into everyday business practices. Whether you're in the UK or operating globally, these insights can support smarter risk management and a stronger, more resilient organization.
