Are your risk and control frameworks ready for the upcoming governance reform?

Date

17 Dec 2025

Category

Internal Audit

Author

Ruth Ireland

From January 2026, new requirements under the Financial Reporting Council (FRC) UK Corporate Governance Code 2024 come into effect. Provision 29 introduces a significant shift in accountability for listed companies, requiring boards to actively monitor and review the company’s risk management and internal control framework and report on its effectiveness annually.

What’s changing?

Under Provision 29, boards must actively monitor and review the company’s risk management and internal control framework and report on its effectiveness at least annually. This review must cover all material controls, including:
  • Financial controls
  • Operational controls
  • Reporting controls
  • Compliance controls
 
The annual report must include:
  • A description of how the board monitored and reviewed the effectiveness of the framework.
  • A declaration of effectiveness of material controls as at the balance sheet date.
  • Details of any material controls that did not operate effectively, actions taken or proposed to improve them, and steps taken to address previously reported issues.

What are ‘material controls’?

The FRC guidance makes clear that material controls are company-specific, varying by size, business model, strategy, operations, structure, and complexity (para. 270). When determining materiality, boards should consider how a deficiency could impact the interests of the company, shareholders, and other stakeholders (para. 271).
The AIC Corporate Governance Code 2024 (covering investment companies) introduces a similar requirement under Provision 34.

Why action is needed

Most large listed companies will already be preparing for these changes, but others may be behind the curve. Failure to comply could lead to:
  • Increased regulatory scrutiny
  • Reputational risk
  • Investor concerns over governance standards
 
This is not just a compliance exercise - it’s about building resilience and trust in an era of heightened risk.

Why strong controls are critical

2025 has seen major cyber attacks and operational disruptions across global markets, reinforcing the importance of robust risk management frameworks. Boards are expected to demonstrate proactive oversight, not just reactive measures. Provision 29 aligns with this trend, demanding transparency and accountability in how risks are managed.

We’re here to help

We support boards and governance teams to:
  • Assess current frameworks against Provision 29 requirements
  • Identify material controls and design effective monitoring processes
  • Prepare annual report disclosures that meet regulatory expectations
  • Strengthen resilience against emerging risks, including cyber threats
 
If you have any questions or require support, contact a member of our Risk & Technology Assurance team via the form below.

Get in touch

Ruth Ireland

Partner