The Risk Wheelhouse

S4E11: Behind Boardroom Doors - The New Era of UK Corporate Transparency

Wheelhouse Advisors LLC Season 4 Episode 11

Corporate governance is undergoing a revolution in the UK, and Provision 29 of the 2024 Corporate Governance Code stands at the epicenter of this transformation. Far beyond traditional financial oversight, this groundbreaking rule mandates unprecedented transparency from company boards about their internal controls across all domains – financial, operational, compliance, and critically, technology.

Taking effect in 2026, Provision 29 requires boards to actively monitor and review their risk management frameworks, describe their methodology in annual reports, and make clear declarations about control effectiveness. The scope extends well beyond balance sheets to embrace cybersecurity, data protection, and even AI governance – reflecting a world where digital vulnerabilities can pose greater material risks than accounting errors. Our deep dive reveals that while 82% of FTSE 350 companies are planning for implementation, only 30% clearly address non-financial reporting controls, and the number confidently declaring effective systems has dropped from 50% to just 32% as companies apply more rigorous self-assessment.

The financial commitment is substantial – £300,000 to £1.5 million for initial implementation depending on company size and complexity, with ongoing annual costs between £125,000 and £250,000. Yet market trends show approximately half of companies will voluntarily seek external assurance despite no mandate, recognizing this as strategic reputation insurance. Forward-thinking organizations are leveraging Integrated Risk Management platforms to create unified control frameworks, typically reducing redundant controls by 15-30% while enabling automated evidence collection and continuous monitoring. By 2027, experts predict two-thirds of FTSE 350 companies will manage financial and non-financial controls within single integrated systems.

This shift toward comprehensive transparency isn't just another compliance exercise – it represents a fundamental rethinking of corporate accountability. As boards become more forthcoming about what's working and what isn't, we're left with a provocative question: Will this unprecedented visibility foster greater trust in business, or simply invite more intense scrutiny? For investors, business leaders, and governance professionals alike, understanding these changes is essential for navigating the new landscape of corporate transparency and trust.



Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.

Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.

Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.


Ori Wellington:

Welcome to the Deep Dive. Today we're zooming in on what feels like a pretty seismic shift in the corporate world. It's something that's really about to redefine transparency and trust for major UK companies. We're talking about Provision 29 of the UK Corporate Governance Code 2024. So if you're curious about what really goes on behind those boardroom doors or maybe you're navigating corporate governance yourself well, this Deep Dive is definitely for you. We'll break down what this new rule actually demands from boards, touch on the maybe unexpected costs and look at some of the strategic ways companies are already adapting.

Sam Jones:

Yeah, it's a really crucial topic, you know, often overshadowed by the sort of flashier headlines, but understanding these fundamental changes is just paramount. And, like you said, this isn't just about ticking boxes, is it? It feels like a profound move towards building credible assurance and it tackles what a lot of people are calling this growing trust deficit in big business. So, yeah, we'll explore the details, pulling insights from recent analyses and expert projections to give the clearest picture possible.

Ori Wellington:

Okay, let's pull back the curtain then. Provision 29 sounds a bit like, I don't know, secret agent code or something, but its implications are pretty major. Right, what exactly does this rule demand from companies starting in 2026?

Sam Jones:

Right. So, at its core, Provision 29 requires UK company boards to do three main things. This is about their risk management and internal control framework and it kicks in for financial years starting on or after January 1st 2026. So first, they have to actively monitor and, crucially, conduct an annual review of this framework: active monitoring, annual review. Second, in their annual report they need to describe how they did that review. You know, the process, the scope, the methodology used. It's about showing their work. And third, and this I think is the really pivotal part, they have to declare whether the company's material controls were effective right at the balance sheet date and, if any weren't effective, they've got to detail which ones, outline the specific fixes, the remediation taken or planned, and explain how any past issues were sorted.

Ori Wellington:

Wow, okay, that's quite a commitment to transparency, isn't it? About a company's sort of internal health check. But does this apply to everyone, or are there specific types of companies this is really aimed at?

Sam Jones:

Good question. So the code itself applies primarily to companies listed in the FCA's, that's the Financial Conduct Authority's, commercial companies category, and also closed-ended investment funds. There is a bit of flexibility though. For example, externally managed investment companies, they can choose to use the AIC code instead, the Association of Investment Companies code. What's also really key here is the timing. The wider 2024 code starts January 1st 2025. But Provision 29 itself, they've given an extra year, so that kicks in January 1st 2026. It gives companies a bit of a runway.

Ori Wellington:

But honestly, we're already seeing many feeling the pressure to get ready now. Right, that runway sounds important, and I also picked up it operates on a comply-or-explain basis, yeah, and there's no mandatory external assurance. That sounds, well, like a bit of a tightrope walk. Companies get flexibility, but they also have this huge responsibility to be credible. What's the thinking there?

Sam Jones:

Exactly. It is a fascinating balance, that comply-or-explain principle. It does create flexibility. It lets boards adopt control frameworks that are genuinely fit for purpose for their specific company. The FRC, that's the Financial Reporting Council, their guidance really emphasizes this. It puts the ownership squarely on the company itself, internal accountability. But you know, the market isn't really waiting for a mandate. On the assurance side, our analysis shows a really clear trend towards voluntary external assurance, especially in specific high-risk areas. Companies are realizing, I think, that even without a rule forcing them, getting that independent validation really helps de-risk those big board declarations and it boosts investor confidence. So it's kind of credibility by choice, you could say, not just by rule.

Ori Wellington:

Credibility by choice. I like that. Okay. So let's dig into the scope. When we hear internal controls, I think most of us jump straight to finance, right? Financial statements, audits. But Provision 29 seems to cast a much wider net. It talks about material controls across financial, operational, reporting and compliance domains. What does material controls actually mean in this broader context, and why is that scope so significant today?

Sam Jones:

Yeah, this really does expand the horizon for boards. The FRC guidance is clear. What's material is company specific. It's not some generic checklist. These controls, they should cover the company's principal risks, any external reporting that might be price sensitive, obviously, fraud prevention and, critically important now, information and technology risks. So this explicitly brings things like cybersecurity, data protection, even the governance around new tech like AI, right into scope. It's a recognition, really, that in today's world a company's biggest risks, and therefore its most important controls, often go way beyond just the financial figures. Think about it: a major cyber attack could be far more material than a small accounting error these days.

Ori Wellington:

Absolutely, that expanded definition. It really shifts the goalposts, doesn't it? It's not just the balance sheet anymore, it's the company's digital backbone, data privacy, even AI governance. That's a huge leap. So how prepared are companies for this, especially maybe for those non-financial controls? Is the market ready?

Sam Jones:

Get ready? Well, readiness is, let's say, uneven. And here's where it gets really interesting. Actually, boards aren't just gearing up, they seem to be getting more realistic. So recent checks on FTSE 350 companies, they show good progress in planning for the declaration. About 82 percent mentioned planned activities in their latest reports. That's up significantly from 64 percent the year before. So planning is happening. However, there's still a big gap. When you look at those non-financial reporting controls, only 30% clearly stated these were covered by their monitoring and review, and that number hasn't changed from the previous year, still 30%. And what's even more striking, perhaps, is that the number of companies reporting positive conclusions on their overall system effectiveness actually fell. It dropped to 32% in the latest reports, down from 50% the year before.

Ori Wellington:

Wow, 50 down to 32 percent, that's. That's quite a drop.

Sam Jones:

It is, but I don't think it's necessarily a sign of things getting worse. It feels more like a sign that the bar has been raised. Companies are looking harder, applying more rigor, maybe being more honest with themselves as that deadline looms. It's a tightening of standards, you could argue, not a collapse. But it definitely highlights where the real heavy lifting still needs to be done, particularly on those non-financial controls.

Ori Wellington:

That makes sense. A dose of realism kicking in. Is this drop purely a reaction to Provision 29, do you think, or does it maybe also show that how companies used to assess non-financial controls wasn't quite cutting it? What's the most surprising thing you're seeing from the companies that are getting ahead of this?

Sam Jones:

It's probably a bit of both. Yeah, the provision forces a harder look, and maybe previous assessments were a bit less thorough, especially outside finance. The biggest surprise for me, it's how proactive the leading companies are being. They're not waiting around for 2026. They're already mapping principal risks to specific controls, building out or refining a central controls register, doing gap analyses on their assurance, and many are even doing dry run declarations this year in their FY 2025 reports just to test the whole process end to end. And a really crucial step they're taking is clarifying who actually owns the oversight for these non-financial controls. That seems to be a key area needing attention pretty much everywhere.

Ori Wellington:

Okay. Dry runs, central registers. Sounds like serious preparation. But change, especially this kind of change, usually comes with a price tag. Implementing new governance frameworks isn't cheap. So for companies gearing up for Provision 29, what sort of investment are we actually talking about here? And maybe how does it stack up against something well-known like, say, Sarbanes-Oxley in the US?

Sam Jones:

Yeah, cost is definitely a big factor, and the estimates do vary quite a bit. Depends on the company's size, complexity, how mature their controls are already. Just for context, the UK government did an impact analysis for an earlier, slightly narrower proposal, one focused just on internal control over financial reporting, ICFR. That suggested transitional costs around £330, pounds per company, with ongoing costs maybe 60,000 pounds a year. Now if you look at US SOX, specifically Section 404, which deals with internal controls over financial reporting, the internal costs there for bigger companies typically range from, say, $1 million to $1.8 million. So quite a bit higher, but also more prescriptive.

Ori Wellington:

Right, those are definitely significant numbers, particularly that initial setup cost. What do you see as the biggest hurdle for companies facing these costs for the first time?

Sam Jones:

I think the biggest hurdle is probably underestimating the upfront investment needed to build a truly integrated framework, one that covers all the domains: financial, operational, reporting, compliance, IT, not just finance. So based on those benchmarks, a reasonable planning range for, let's say, a typical FTSE 250 company that isn't already doing SOX, maybe with moderate complexity, you're probably looking at 300,000 to 600,000 pounds in year one for the bill. Then it drops down, typically maybe 125,000 to 250,000 pounds a year for the ongoing steady state operation. Now for companies already doing SOX 404, the extra cost for Provision 29 is much lower, maybe only 10 to 30 percent on top of their existing SOX budget, because they have a lot of the groundwork done. They mainly need to extend it to cover those non-financial and compliance controls. But for a really large, complex, maybe highly decentralized FTSE 100 company, especially if they've grown through acquisition and have fragmented systems, year one could easily hit 800,000 pounds, maybe even up to 1.5 million pounds.

Ori Wellington:

Okay, so potentially a hefty investment for those starting from scratch, but you can leverage existing systems if you have them. Now, you mentioned earlier that external assurance isn't mandatory under the code. Yet analysts are predicting what, maybe half of companies will choose to spend more money to get it voluntarily. Why would they do that? This seems a bit counterintuitive, to volunteer for extra cost and scrutiny.

Sam Jones:

Yeah, it does seem counterintuitive at first glance, doesn't it? But this is a really crucial insight into how the market's reacting. It's about proactive credibility management. Even though the code doesn't force their hand, the projection is, yes, by the FY2026 reporting cycle, at least 50% of these UK groups will voluntarily seek some targeted external assurance on selected material controls. Why? Two main reasons, I think. One, to genuinely de-risk their board declaration. They want to reduce the potential blowback, liability, reputational damage, investor doubt, if something goes wrong later. And two, to actively boost investor confidence, signaling to the market that their statement isn't just self-assessed but has stood up to some independent scrutiny. Boards might focus this extra spending strategically, perhaps on really high-risk areas, things like cybersecurity, access controls, maybe critical data privacy processes, or even those increasingly important ESG metrics that could be price sensitive. So it reflects a shift, I think, from just doing the minimum for compliance towards a strategic commitment to demonstrating robust governance. It's like buying an insurance policy for their corporate reputation.

Ori Wellington:

An insurance policy for their reputation. Okay, that makes a lot of sense. So, given these costs and the sheer breadth of Provision 29, companies must be looking for smart ways to manage this, efficient ways, and that brings us to something called integrated risk management, or IRM, platforms. How exactly does this kind of technology help companies tackle Provision 29, both efficiently and effectively? You know, it almost sounds like that classic problem: trying to see your whole house's security, but half the sensors are old, half are new and none of them talk to each other. How does IRM fix that?

Sam Jones:

That's a perfect analogy. Actually, IRM is almost tailor-made for Provision 29, precisely because the provision demands that single, unified board-level view across all these different risk types. What IRM does is it unifies risk, controls and all the assurance activities, testing, monitoring, audits, within one single operating model and, crucially, one data environment. It's about bringing it all together, creating that single source of truth. Instead of juggling loads of different spreadsheets, disconnected systems, manual processes, it gets all those different security sensors talking to each other and feeding into one central dashboard for the board.

Ori Wellington:

Right, getting everything talking. That sounds like it could be a real game changer. Can you give us some specific, concrete examples of how these IRM platforms actually deliver efficiency improvements for companies facing this Provision 29 challenge?

Sam Jones:

Absolutely. On the efficiency side, IRM offers several really key benefits. First, that unified material controls register we talked about. This maps all your main risks to the specific controls meant to mitigate them, across all domains: financial, operational, compliance, reporting, IT, AI, everything. This alone cuts out huge amounts of duplication and makes scoping much simpler.

Second, control rationalization. Because you have that single view, using common language, common taxonomies, companies typically find they can remove somewhere between 15 and 30 percent of duplicate or just low-value controls, often in the first year. That's a big saving in effort. Third, automated evidence collection and workflow. This is huge. It integrates the day-to-day checks done by the business teams, the first line, with the oversight from risk and compliance, the second line, and the testing done by internal audit, the third line. It automates the handoffs, the evidence gathering, the sign-offs, cuts down massively on manual chasing, improves the audit trail and frees people up for higher-value work. And finally, something called continuous control monitoring. For really critical or high-risk processes you can use system logs, data analytics, to monitor controls almost in real time. This spots issues much faster and can actually help stabilize assurance costs over time by being more proactive.

Ori Wellington:

Okay, so it makes things smoother, less manual, potentially cheaper in the long run. But beyond just efficiency, how does IRM make the whole control framework more effective? How does it help meet the real spirit of Provision 29?

Sam Jones:

That's the other side of the coin, effectiveness, and IRM delivers here too. It helps create a much stronger link from the board's risk appetite right down to the material controls. You can tie key risk indicators directly to how all specific controls are performing. This means the board's oversight is focused precisely on the areas that genuinely matter most to the company's strategy and risk tolerance. It enables board-ready reporting. Good IRM platforms can basically generate the reports the board needs for Provision 29. Things like coverage maps showing risks and controls, heat maps highlighting ineffective controls, real-time status updates on fixing problems. This makes the board's job much easier and more informed, and, crucially, it facilitates that technology risk integration. Cyber risks, data protection controls, AI governance, they all sit within the same unified framework, the same register, as financial controls. This gives that holistic single view of tech risk which, as we've said, is just becoming absolutely central for almost every business. It's exactly what the FRC guidance encourages.

Ori Wellington:

That integrated view, especially for tech risks, seems incredibly important now. Okay, so as we get closer to that 2026 deadline.

Kelsey Hutchinson:

What's the general feeling? What's the outlook for how companies are going to adapt? What are the experts projecting for the next few years and maybe most importantly, what advice are they giving right now to help companies navigate this smoothly?

Sam Jones:

Yeah, we're seeing some pretty clear trend signals emerging. As we mentioned, analysts are forecasting that by the FY 2026 reporting cycle that 50% figure for voluntary external assurance seems likely, companies wanting to bolster their declaration. Two-thirds of FTSE 350 companies will be managing both their financial controls, ICFR, and their non-financial reporting controls within one single integrated framework using platforms like IRM. Now that's a really significant shift, especially when you remember only 30% clearly cover non-financial controls today. And also by 2027, forecasts suggest at least a quarter, maybe 25%, of the FTSE 350 will be using that continuous control monitoring technology on their most critical high-risk processes. So definitely a move towards integration and automation.

Ori Wellington:

Okay. So integration, automation and that strategic use of voluntary assurance seem to be the key trends. For people listening who are maybe right in the thick of this, on boards, in finance, risk, audit, what are the most practical, immediate steps they can take now to get ahead of this curve?

Sam Jones:

The recommendations are pretty clear and quite actionable, depending on your role.

For boards and audit committees, the strong advice is approve a proportionate Provision 29 roadmap now. Don't wait, and make sure it culminates in doing one of those dry run declarations for your FY 2025 reporting. It's about practice, not just planning. They also need to decide early on where they might want that voluntary external assurance, focusing strategically on the areas that really matter for investor confidence or sensitive disclosures. Then for the executives, CFOs, chief risk officers, chief audit executives, the key actions are: build or refine that single unified material controls register. Make sure it meticulously maps principal risks to controls, clearly shows owners, frequency, how evidence is gathered and who provides assurance, and critically, ensure it includes IT and non-financial reporting controls from the start. They also need to actively rationalize those controls, get rid of the clutter, standardize testing approaches where possible, implement or extend IRM tools to automate workflows and, finally, define a really clear board-facing reporting pack that lines up perfectly with what Provision 29 requires. It's not just about doing the work. It's about being ready to report on it effectively and with confidence.

Ori Wellington:

Right. Getting the reporting right is just as crucial as getting the controls right. Well, we've certainly taken a deep dive into Provision 29 today. From its core rules and that broad scope, through to the costs and these smart integrated solutions like IRM, it seems pretty clear this isn't just another tick-box exercise, is it? It feels more like a genuine opportunity for companies to build stronger, more transparent foundations and hopefully foster greater trust.

Sam Jones:

I think that's exactly right. This shift towards these comprehensive material control declarations, it really reflects a more mature, more sophisticated understanding of what corporate responsibility and resilience actually mean today. It's pushing boards to think much more actively about how interconnected risks are. Financial stability isn't separate from cybersecurity, which isn't separate from AI governance; it's all linked. It's encouraging them to view the whole enterprise through this single lens of control and accountability.

Ori Wellington:

So what does all this mean for you listening in? Well, whether you're an investor trying to decipher annual reports, a business leader setting strategy, or maybe just someone who believes in well-run, trustworthy organizations, understanding these internal mechanisms, this plumbing, is becoming absolutely vital.

Sam Jones:

It really offers a glimpse into the true operational health of a company, and maybe this leaves us with an important question to ponder. Actually, as boards become much more transparent about their internal controls, about their risk management, openly declaring what's working well but also what isn't, how might this unprecedented level of visibility really influence things in the long run? How will it shape investor behavior, public perception of corporate integrity? Will it genuinely breed more trust, or could it perhaps lead to even greater scrutiny? It's definitely something worth mulling over as these fundamental changes start to roll out across the UK corporate landscape.

Kelsey Hutchinson:

That's a great thought to end on. Will more transparency lead to more trust, or just more questions? Something to watch. Thank you so much for joining us on this Deep Dive. We really hope this has given you a much clearer and maybe more actionable picture of this crucial development in corporate governance. Until next time, keep digging, keep learning.