03/12/2026 | Press release | Distributed by Public on 03/12/2026 02:53
Provision 29 of the UK Corporate Governance Code has shifted internal controls firmly into the boardroom.
The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.
For the first time, boards must publicly declare that their material controls are effective, not merely that they exist.
For many organisations, the formal deadline has now passed. But a more important question remains: could the board genuinely stand behind its declaration if challenged?
That question goes to the heart of what Provision 29 was designed to achieve. The Code does not seek more elaborate disclosures or careful phrasing. It demands confidence grounded in evidence, judgement exercised visibly, and assurance that extends beyond paper-based compliance.
A higher bar for accountability
From 2026 year-end onwards, boards must now include in their annual reports a declaration on the effectiveness of material controls, alongside an explanation of how those controls have been monitored and reviewed. Any material control failures, and the actions taken to address them, must also be disclosed.
The Financial Reporting Council has deliberately taken a principles-based approach. It has avoided defining what constitutes a "material control" or prescribing how declarations should be framed. Responsibility for determining both rests squarely with boards themselves.
This design choice matters. It makes clear that Provision 29 is not about mechanical compliance, but about whether boards are exercising informed judgement over the controls that matter most to their organisation's risks and business strategy.
The confidence gap
In practice, many boards continue to face the same unresolved questions.
Materiality remains ambiguous. How many controls are truly material? How far can controls be grouped without weakening assurance? Where does simplification improve clarity, and where does it obscure risk?
There is also tension between comparability and specificity. Boards are conscious of how peers approach Provision 29, yet the Code makes clear that declarations must reflect an organisation's own risk profile, not an industry template.
Perhaps most significantly, there is a struggle to meet the evidential standard Provision 29 implies. Risk registers describe risks and list controls, but they rarely demonstrate that those controls have been tested, reviewed and shown to work over time. Description alone does not provide assurance.
From declaration to defensibility
Provision 29 reframes internal controls as an ongoing assurance discipline rather than a year-end reporting task.
Boards are expected to show how control effectiveness is monitored throughout the year, not reconstructed retrospectively. Evidence needs to accumulate through regular testing, clear ownership and documented review, rather than being assembled under reporting pressure.
Grouping controls is not prohibited, but it is conditional. Boards must be confident that grouped controls remain monitorable and testable, and that weaknesses would not be masked by aggregation. The underlying test is straightforward: could the board explain and defend its judgement if asked why it believed those controls were effective?
Provision 29 as a governance lens
While Provision 29 applies formally to companies in the FCA's commercial category, many organisations outside its scope are aligning voluntarily. They see it less as a compliance requirement and more as a practical framework for strengthening governance.
Used well, Provision 29 sharpens board conversations. It encourages clearer prioritisation of the most important risks, more meaningful engagement with control effectiveness, and assurance that supports challenge rather than discouraging it.
Confidence is built before the statement
The credibility of a board's declaration depends less on how it is written than on the discipline behind it.
Boards that treat Provision 29 as a continuous assurance process (embedding testing, ownership and review into normal governance rhythms) are far better placed to stand behind their declaration with confidence. Those that view it primarily as a reporting exercise may comply, but remain exposed to challenge.
"Provision 29 is an anchor of what good governance and accountability should look like. It's not about compliance: it's understanding that this is best practice." - Kirstie Matthews, Senior Enterprise Risk Manager, First Central
Further reading:
Protecht's guide How to prove control effectiveness with Provision 29 explores how boards are approaching materiality, evidence and assurance in practice.