
September 24, 2025 21 mins

Corporate governance is undergoing a revolution in the UK, and Provision 29 of the 2024 Corporate Governance Code stands at the epicenter of this transformation. Far beyond traditional financial oversight, this groundbreaking rule mandates unprecedented transparency from company boards about their internal controls across all domains – financial, operational, compliance, and critically, technology.

Taking effect in 2026, Provision 29 requires boards to actively monitor and review their risk management frameworks, describe their methodology in annual reports, and make clear declarations about control effectiveness. The scope extends well beyond balance sheets to embrace cybersecurity, data protection, and even AI governance – reflecting a world where digital vulnerabilities can pose greater material risks than accounting errors. Our deep dive reveals that while 82% of FTSE 350 companies are planning for implementation, only 30% clearly address non-financial reporting controls, and the number confidently declaring effective systems has dropped from 50% to just 32% as companies apply more rigorous self-assessment.

The financial commitment is substantial – £300,000 to £1.5 million for initial implementation depending on company size and complexity, with ongoing annual costs between £125,000 and £250,000. Yet market trends show approximately half of companies will voluntarily seek external assurance despite no mandate, recognizing this as strategic reputation insurance. Forward-thinking organizations are leveraging Integrated Risk Management platforms to create unified control frameworks, typically reducing redundant controls by 15-30% while enabling automated evidence collection and continuous monitoring. By 2027, experts predict two-thirds of FTSE 350 companies will manage financial and non-financial controls within single integrated systems.

This shift toward comprehensive transparency isn't just another compliance exercise – it represents a fundamental rethinking of corporate accountability. As boards become more forthcoming about what's working and what isn't, we're left with a provocative question: Will this unprecedented visibility foster greater trust in business, or simply invite more intense scrutiny? For investors, business leaders, and governance professionals alike, understanding these changes is essential for navigating the new landscape of corporate transparency and trust.



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
Welcome to the Deep Dive. Today we're zooming in on what feels like a pretty seismic shift in the corporate world. It's something that's really about to redefine transparency and trust for major UK companies. We're talking about Provision 29 of the UK Corporate Governance Code 2024. So if you're curious about what really goes on behind those boardroom doors, or maybe you're navigating corporate governance

(00:22):
yourself, well, this Deep Dive is definitely for you. We'll break down what this new rule actually demands from boards, touch on the maybe unexpected costs and look at some of the strategic ways companies are already adapting.

Sam Jones (00:34):
Yeah, it's a really crucial topic, you know, often overshadowed by the sort of flashier headlines, but understanding these fundamental changes is just paramount. And, like you said, this isn't just about ticking boxes, is it? It feels like a profound move towards building credible assurance and it tackles what a lot of people are calling this growing trust deficit in big business.

(00:56):
So, yeah, we'll explore the details, pulling insights from recent analyses and expert projections to give the clearest picture possible.

Ori Wellington (01:03):
Okay, let's pull back the curtain then. Provision 29 sounds a bit like, I don't know, secret agent code or something, but its implications are pretty major. Right, what exactly does this rule demand from companies starting in 2026?

Sam Jones (01:16):
Right. So, at its core, Provision 29 requires UK company boards to do three main things. This is about their risk management and internal control framework and it kicks in for financial years starting on or after January 1st 2026. So first, they have to actively monitor and, crucially, conduct an annual review of this framework: active monitoring,

(01:37):
annual review. Second, in their annual report they need to describe how they did that review. You know, the process, the scope, the methodology used. It's about showing their work. And third, and this I think is the really pivotal part, they have to declare whether the company's material controls were effective right at the balance sheet date, and if any weren't effective, they've got to detail which ones, outline the

(01:58):
specific fixes, the remediation taken or planned, and explain how any past issues were sorted.

Ori Wellington (02:03):
Wow, okay, that's quite a commitment to transparency, isn't it? About a company's sort of internal health check. But does this apply to everyone, or are there specific types of companies this is really aimed at? Good question.

Sam Jones (02:16):
So the code itself applies primarily to companies listed in the FCA's, that's the Financial Conduct Authority's, commercial companies category, and also closed-ended investment funds. There is a bit of flexibility though. For example, externally managed investment companies, they can choose to use the AIC code instead, the Association of Investment Companies code. What's also really key here is the timing.

(02:37):
The wider 2024 code starts January 1st 2025. But Provision 29 itself, they've given an extra year, so that kicks in January 1st 2026.
It gives companies a bit of a runway.

Ori Wellington (02:53):
But honestly, we're already seeing many feeling the pressure to get ready now. Right, that runway sounds important, and I also picked up it operates on a comply or explain basis, yeah, and there's no mandatory external assurance. That sounds, well, like a bit of a tightrope walk. Companies get flexibility, but they also have this huge responsibility to be credible. What's the thinking there?

Sam Jones (03:08):
Exactly. It is a fascinating balance, that comply or explain principle. It does create flexibility. It lets boards adopt control frameworks that are genuinely fit for purpose for their specific company. The FRC, that's the Financial Reporting Council, their guidance really emphasizes this. It puts the ownership squarely on the company itself: internal accountability.

(03:28):
But you know, the market isn't really waiting for a mandate. On the assurance side, our analysis shows a really clear trend towards voluntary external assurance, especially in specific high-risk areas. Companies are realizing, I think, that even without a rule forcing them, getting that independent validation, it really helps de-risk those big board declarations and it boosts

(03:48):
investor confidence. So it's kind of credibility by choice, you could say, not just by rule.

Ori Wellington (03:53):
Credibility by choice. I like that. Okay. So let's dig into the scope. When we hear internal controls, I think most of us jump straight to finance, right? Financial statements, audits. But Provision 29 seems to cast a much wider net. It talks about material controls across financial, operational, reporting and compliance domains. What does material controls actually mean in this broader

(04:16):
context, and why is that scope so significant today?

Sam Jones (04:19):
Yeah, this really does expand the horizon for boards. The FRC guidance is clear. What's material is company specific. It's not some generic checklist. These controls, they should cover the company's principal risks, any external reporting that might be price sensitive, obviously fraud prevention and, critically important now, information and technology risks. So this explicitly brings things like cybersecurity, data

(04:42):
protection, even the governance around new tech like AI, right into scope. It's a recognition really, that in today's world, a company's biggest risks, and therefore its most important controls, often go way beyond just the financial figures. Think about it: a major cyberattack could be far more material than a small accounting error these days.

Ori Wellington (05:00):
Absolutely, that expanded definition. It really shifts the goalposts, doesn't it? It's not just the balance sheet anymore, it's the company's digital backbone: data privacy, even AI governance. That's a huge leap. So how prepared are companies for this, especially maybe for those non-financial controls? Is the market ready?

Sam Jones (05:20):
Get ready. Well, readiness is, let's say, uneven. And here's where it gets really interesting. Actually, boards aren't just gearing up, they seem to be getting more realistic. So recent checks on FTSE 350 companies, they show good progress in planning for the declaration. About 82 percent mentioned planned activities in their latest reports.

(05:41):
That's up significantly from 64 percent the year before. So planning is happening. However, there's still a big gap. When you look at those non-financial reporting controls, only 30% clearly stated these were covered by their monitoring and review, and that number hasn't changed from the previous year, still 30%. And what's even more striking perhaps, is that the number of companies reporting positive conclusions on their overall system effectiveness actually fell. It dropped to 32% in the latest reports, down from 50% the year

(06:03):
before.

Ori Wellington (06:03):
Wow, 50 down to 32 percent. That's quite a drop.

Sam Jones (06:07):
It is, but I don't think it's necessarily a sign of things getting worse. It feels more like a sign that the bar has been raised. Companies are looking harder, applying more rigor, maybe being more honest with themselves as that deadline looms. It's a tightening of standards, you could argue, not a collapse.
But it definitely highlights where the real heavy lifting

(06:27):
still needs to be done, particularly on those non-financial controls.

Ori Wellington (06:31):
That makes sense. A dose of realism kicking in. Is this drop purely a reaction to Provision 29, do you think, or does it maybe also show that how companies used to assess non-financial controls wasn't quite cutting it? What's the most surprising thing you're seeing from the companies that are getting ahead of this?

Sam Jones (06:46):
It's probably a bit of both. Yeah, the provision forces a harder look and maybe previous assessments were a bit less thorough, especially outside finance. The biggest surprise for me, it's how proactive the leading companies are being. They're not waiting around for 2026. They're already mapping principal risks to specific controls, building out or refining a central controls

(07:07):
register, doing gap analyses on their assurance, and many are even doing dry run declarations this year in their FY 2025 reports just to test the whole process end to end. And a really crucial step they're taking is clarifying who actually owns the oversight for these non-financial controls. That seems to be a key area needing attention pretty much everywhere.

Ori Wellington (07:28):
Okay, dry runs, central registers. Sounds like serious preparation. But change, especially this kind of change, usually comes with a price tag. Implementing new governance frameworks isn't cheap. So for companies gearing up for Provision 29, what sort of investment are we actually talking about here? And maybe how does it stack up against something well-known like, say, Sarbanes-Oxley in the US?

Sam Jones (07:48):
Yeah, cost is definitely a big factor and the estimates do vary quite a bit. Depends on the company's size, complexity, how mature their controls are already. Just for context, the UK government did an impact analysis for an earlier, slightly narrower proposal, one focused just on internal control over financial reporting, ICFR. That suggested transitional costs around £330, pounds per

(08:10):
company, with ongoing costs maybe 60,000 pounds a year. Now if you look at US SOX, specifically Section 404, which deals with internal controls over financial reporting, the internal costs there for bigger companies, they typically range from, say, $1 million to $1.8 million. So quite a bit higher, but also more prescriptive.

Ori Wellington (08:29):
Right, those are definitely significant numbers, particularly that initial setup cost. What do you see as the biggest hurdle for companies facing these costs for the first time?

Sam Jones (08:36):
I think the biggest hurdle is probably underestimating the upfront investment needed to build a truly integrated framework, one that covers all the domains: financial, operational, reporting, compliance, IT, not just finance. So based on those benchmarks, a reasonable planning range for, let's say, a typical FTSE 250 company that isn't already doing SOX, maybe with moderate complexity, you're probably

(08:56):
looking at 300,000 to 600,000 pounds in year one for the bill. Then it drops down typically, maybe 125,000 to 250,000 pounds a year for the ongoing steady state operation. Now for companies already doing SOX 404, the extra cost for Provision 29 is much lower, maybe only 10 to 30 percent on top of their existing SOX budget, because they have a lot of the groundwork done.

(09:18):
They mainly need to extend it to cover those non-financial and compliance controls. But for a really large, complex, maybe highly decentralized FTSE 100 company, especially if they've grown through acquisition and have fragmented systems, year one could easily hit 800,000 pounds, maybe even up to 1.5 million pounds.

Ori Wellington (09:35):
Okay, so potentially a hefty investment for those starting from scratch, but you can leverage existing systems if you have them. Now, you mentioned earlier that external assurance isn't mandatory under the code. Yet analysts are predicting what, maybe half of companies will choose to spend more money to get it voluntarily. Why would they do that? This seems a bit counterintuitive, to volunteer

(09:55):
for extra cost and scrutiny.

Sam Jones (09:57):
Yeah, it does seem counterintuitive at first glance, doesn't it? But this is a really crucial insight into how the market's reacting. It's about proactive credibility management. Even though the code doesn't force their hand, the projection is, yes, by the FY2026 reporting cycle, at least 50% of these UK groups will voluntarily seek some targeted external assurance

(10:17):
on selected material controls. Why? Two main reasons, I think. One, to genuinely de-risk their board declaration. They want to reduce the potential blowback: liability, reputational damage, investor doubt if something goes wrong later. And two, to actively boost investor confidence, signaling to the market that their statement isn't just self-assessed but it stood up to some independent scrutiny.

(10:37):
Boards might focus this extra spending strategically, perhaps on really high-risk areas, things like cybersecurity, access controls, maybe critical data privacy processes or even those increasingly important ESG metrics that could be price sensitive. So it reflects a shift, I think, from just doing the minimum for compliance towards a strategic commitment to demonstrating robust governance. It's like buying an insurance policy for their corporate

(10:58):
reputation.

Ori Wellington (10:59):
An insurance policy for their reputation. Okay, that makes a lot of sense. So, given these costs and the sheer breadth of Provision 29, companies must be looking for smart ways to manage this, efficient ways, and that brings us to something called integrated risk management, or IRM, platforms. How exactly does this kind of technology help companies tackle

(11:19):
Provision 29, both efficiently and effectively? You know, it almost sounds like that classic problem: trying to see your whole house's security, but half the sensors are old, half are new and none of them talk to each other. How does IRM fix that?

Sam Jones (11:30):
That's a perfect analogy. Actually, IRM is almost tailor-made for Provision 29, precisely because the provision demands that single, unified board-level view across all these different risk types. What IRM does is it unifies risk, controls and all the assurance activities, testing, monitoring, audits, within one single operating model and, crucially, one data environment.

(11:52):
It's about bringing it all together, creating that single source of truth. Instead of juggling loads of different spreadsheets, disconnected systems, manual processes, it gets all those different security sensors talking to each other and feeding into one central dashboard for the board.

Ori Wellington (12:07):
Right, getting everything talking. That sounds like it could be a real game changer. Can you give us some specific, concrete examples of how these IRM platforms actually deliver efficiency improvements for companies facing this Provision 29 challenge?

Sam Jones (12:19):
Absolutely. On the efficiency side, IRM offers several really key benefits. First, that unified material controls register we talked about. This maps all your main risks to the specific controls meant to mitigate them, across all domains: financial, operational, compliance, reporting, IT, AI, everything. This alone cuts out huge amounts of duplication and makes scoping much simpler.

(12:41):
Second, control rationalization. Because you have that single view, using common language, common taxonomies, companies typically find they can remove somewhere between 15 and 30 percent of duplicate or just low-value controls, often in the first year. That's a big saving in effort. Third, automated evidence collection and workflow. This is huge. It integrates the day-to-day checks done by the business

(13:02):
teams, the first line, with the oversight from risk and compliance, the second line, and the testing done by internal audit, the third line. It automates the handoffs, the evidence gathering, the sign-offs, cuts down massively on manual chasing, improves the audit trail and frees people up for higher value work. And finally, something called continuous control monitoring. For really critical or high-risk processes you can use system logs, data analytics to monitor controls almost in real

(13:26):
time. This spots issues much faster and can actually help stabilize assurance costs over time by being more proactive.

Ori Wellington (13:32):
Okay, so it makes things smoother, less manual, potentially cheaper in the long run. But beyond just efficiency, how does IRM make the whole control framework more effective? How does it help meet the real spirit of Provision 29?

Sam Jones (13:44):
That's the other side of the coin, effectiveness, and IRM delivers here too. It helps create a much stronger link from the board's risk appetite right down to the material controls. You can tie key risk indicators directly to how all specific controls are performing. This means the board's oversight is focused precisely on the areas that genuinely matter most to the company's strategy and risk tolerance.

(14:05):
It enables board-ready reporting. Good IRM platforms can basically generate the reports the board needs for Provision 29. Things like coverage maps showing risks and controls, heat maps highlighting ineffective controls, real-time status updates on fixing problems. This makes the board's job much easier and more informed and, crucially, it facilitates that technology risk integration.

(14:27):
Cyber risks, data protection controls, AI governance, they all sit within the same unified framework, the same register as financial controls. This gives that holistic single view of tech risk which, as we've said, is just becoming absolutely central for almost every business. It's exactly what the FRC guidance encourages.

Ori Wellington (14:43):
That integrated view, especially for tech risks, seems incredibly important now. Okay, so as we get closer to that 2026 deadline.

Kelsey Hutchinson (14:53):
What's the general feeling? What's the outlook for how companies are going to adapt? What are the experts projecting for the next few years and, maybe most importantly, what advice are they giving right now to help companies navigate this smoothly?

Sam Jones (15:03):
Yeah, we're seeing some pretty clear trend signals emerging. As we mentioned, analysts are forecasting that by the FY 2026 reporting cycle that 50% figure for voluntary external assurance seems likely. Companies wanting to bolster their declaration. Two-thirds of

(15:29):
FTSE 350 companies will be managing both their financial controls, ICFR, and their non-financial reporting controls within one single integrated framework using platforms like IRM. Now that's a really significant shift, especially when you remember only 30% clearly cover non-financial controls today. And also by 2027, forecasts suggest at least a quarter, maybe 25%, of the FTSE 350 will be using that continuous control monitoring technology on their most critical high-risk

(15:50):
processes. So definitely a move towards integration and automation.

Ori Wellington (15:54):
Okay. So integration, automation and that strategic use of voluntary assurance seem to be the key trends. For people listening, who are maybe right in the thick of this, on boards, in finance, risk, audit, what are the most practical, immediate steps they can take now to get ahead of this curve?

Sam Jones (16:07):
The recommendations are pretty clear and quite actionable, depending on your role. For boards and audit committees, the strong advice is approve a proportionate Provision 29 roadmap now. Don't wait, and make sure it culminates in doing one of those dry run declarations for your FY 2025 reporting. It's about practice, not just planning. They also need to decide early on where they might want that

(16:28):
voluntary external assurance, focusing strategically on the areas that really matter for investor confidence or sensitive disclosures. Then for the executive, CFOs, chief risk officers, chief audit executives, the key actions are build or refine that single unified material controls register. Make sure it meticulously maps principal risks to controls,

(16:48):
clearly shows owners, frequency, how evidence is gathered and who provides assurance, and critically ensure it includes IT and non-financial reporting controls from the start. They also need to actively rationalize those controls, get rid of the clutter, standardize testing approaches where possible, implement or extend IRM tools to automate workflows, and finally define a really clear board-facing reporting

(17:09):
pack that lines up perfectly with what Provision 29 requires. It's not just about doing the work. It's about being ready to report on it effectively and with confidence.

Ori Wellington (17:18):
Right. Getting the reporting right is just as crucial as getting the controls right. Well, we've certainly taken a deep dive into Provision 29 today. From its core rules and that broad scope, through to the costs and these smart integrated solutions like IRM, it seems pretty clear this isn't just another tick box exercise, is it? It feels more like a genuine opportunity for companies to

(17:39):
build stronger, more transparent foundations and hopefully foster greater trust.

Sam Jones (17:45):
I think that's exactly right. This shift towards these comprehensive material control declarations, it really reflects a more mature, more sophisticated understanding of what corporate responsibility and resilience actually mean today. It's pushing boards to think much more actively about how interconnected risks are. Financial stability isn't separate from cybersecurity, which isn't separate from AI governance; it's all linked.

(18:06):
It's encouraging them to view the whole enterprise through this single lens of control and accountability.

Ori Wellington (18:12):
So what does all this mean for you, listening in? Well, whether you're an investor trying to decipher annual reports, a business leader setting strategy, or maybe just someone who believes in well-run, trustworthy organizations, understanding these internal mechanisms, this plumbing, is becoming absolutely vital.

Sam Jones (18:34):
It really offers a glimpse into the true operational health of a company, and maybe this leaves us with an important question to ponder. Actually, as boards become much more transparent about their internal controls, about their risk management, openly declaring what's working well but also what isn't, how might this unprecedented level of visibility really influence things in the long run? How will it shape investor behavior, public perception of

(18:54):
corporate integrity? Will it genuinely breed more trust, or could it perhaps lead to even greater scrutiny? It's definitely something worth mulling over as these fundamental changes start to roll out across the UK corporate landscape.

Kelsey Hutchinson (19:05):
That's a great thought to end on. Will more transparency lead to more trust, or just more questions? Something to watch. Thank you so much for joining us on this Deep Dive. We really hope this has given you a much clearer and maybe more actionable picture of this crucial development in corporate governance. Until next time, keep digging, keep learning.