Effective 1 January 2026

Provision 29 Compliance, Automated
From Risk Register to Annual Report

Provision 29 of the UK Corporate Governance Code requires boards to declare the effectiveness of their material internal controls annually. GRCxAI's purpose-built Principal Risks & Uncertainties module automates compliance end-to-end. Link principal risks to operational risks and controls, track board review cycles, measure control effectiveness with real evidence, and generate AI-powered Annual Report disclosures. Turn a complex governance obligation into a streamlined, auditable process your board can rely on.

8 Principal Risk Categories
4 Score Calculation Modes
25-Point Scoring Scale
100% Full Audit Trail

The Regulation

What is Provision 29?

Provision 29 is part of the UK Corporate Governance Code, revised by the Financial Reporting Council (FRC) in January 2024. It is the most significant governance change in the latest Code revision, applying to accounting periods beginning on or after 1 January 2026.

What Boards Must Now Do

Previously, boards stated that controls existed. Under Provision 29, the bar is significantly higher. Boards must now:

1. Monitor the company's risk management and internal control framework continuously throughout the year — not just at annual review time.

2. Review the effectiveness of all material controls at least annually. This covers financial, operational, reporting, and compliance controls — not just financial.

3. Declare the effectiveness of material internal controls in the Annual Report & Accounts. Boards are personally accountable for this declaration.

4. Evidence that controls worked, how they were monitored, and what proof backs the declaration. Compliance is assessed on evidence of control effectiveness, not just existence of policies.

Who must comply: All companies with a premium listing on the London Stock Exchange, on a "comply or explain" basis. In practice, this affects all FTSE 350 companies and many others that voluntarily adopt the Code.

Non-compliance: Companies that cannot comply must provide a public explanation to shareholders. There is no option to simply ignore the requirement.

Why It Matters

The Most Significant UK Governance Change in a Decade

Often called "UK SOX" due to parallels with the US Sarbanes-Oxley Act, Provision 29 brings internal controls management out of the finance silo onto the boardroom agenda.

Board Accountability

Boards are personally accountable for the declaration on control effectiveness. This is not a delegated responsibility — it sits at the highest level of corporate governance.

Evidence Over Existence

Compliance is assessed on evidence of control effectiveness, not just the existence of policies. Boards must prove controls work, not simply state they are in place.

All Material Controls

Unlike US SOX which focuses on financial controls, Provision 29 covers all material controls: financial, operational, reporting, and compliance. The scope is comprehensive.

Public Scrutiny

Non-compliance requires public explanation to shareholders. The declaration appears in the Annual Report & Accounts, visible to investors, regulators, and analysts.

Continuous Monitoring

This is not an annual tick-box exercise. Boards must demonstrate ongoing, continuous monitoring of risk management and internal control systems throughout the year.

Regulatory Alignment

Based on the UK Corporate Governance Code (FRC, January 2024), the UK Companies Act 2006, and FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.

Compliance Framework

The Five Pillars of Provision 29 Compliance

Provision 29 compliance requires a structured, evidence-based approach across five interconnected pillars. GRCxAI maps directly to each one.

1. Risk Identification: Identify and characterise all principal risks and uncertainties facing the organisation. This includes strategic, operational, financial, compliance, reputational, ESG, cyber, and geopolitical risks.

2. Control Mapping: Link material controls to each principal risk with documented ownership. Establish clear accountability and ensure every risk has appropriate mitigating controls with named owners.

3. Effectiveness Testing: Test controls for effectiveness with recorded evidence and a complete audit trail. This is the critical shift from "controls exist" to "controls work" — the core of Provision 29.

4. Board Oversight: Board and committee review cycles with a documented governance trail. Ensure board-level visibility through Audit Committee, Risk Committee, Board, and Executive Committee assignments.

5. Annual Declaration: Formal statement in the Annual Report on control effectiveness, backed by evidence from all preceding pillars. The declaration must be evidence-backed and regulator-ready.

Purpose-Built for Provision 29

Principal Risks & Uncertainties Module

GRCxAI includes a purpose-built Principal Risks & Uncertainties (PRU) module designed from the ground up for UK Corporate Governance Code Provision 29 compliance. Ten integrated capabilities cover the full compliance lifecycle.

Capability 1

Strategic Risk Identification & Classification

Classify principal risks across a comprehensive taxonomy designed for Provision 29 reporting:

  • 8 risk categories: Strategic, Operational, Financial, Compliance, Reputational, ESG, Cyber, Geopolitical
  • 3 risk types: Risk, Uncertainty, Emerging Risk
  • 5-level risk appetite framework: Averse, Minimal, Cautious, Open, Hungry
  • Auto-generated reference IDs: PRU-YYYY-NNNN for full traceability
  • Strategic context fields: Link risks to strategic objectives, document business impact and stakeholder impact

Capability 2

Three-Level Scoring with Dynamic Aggregation

Quantify risk at three levels with dynamic calculation from linked operational risks:

  • Inherent score: Risk without controls (1–25 scale)
  • Residual score: Risk with controls in place (1–25 scale)
  • Target score: Desired future state (1–25 scale)
  • Trend tracking: Increasing / Stable / Decreasing with visual indicators
  • Velocity tracking: Slow, Medium, Fast, Very Fast
  • Four calculation modes: Manual (executive judgment), Maximum (worst-case), Average (balanced), Weighted (nuanced by importance)

Capability 3

Operational Risk Linkage (Many-to-Many)

Principal risks are strategic composites. GRCxAI lets you link each to multiple operational risks from the full Risk Register:

  • Link types: Primary (root cause, weight 1.5–2.0), Contributing (weight 1.0), Related (indirect, weight 0.5–0.8)
  • Configurable weights per link for weighted score calculation
  • Dynamic score aggregation: Scores auto-calculate from linked operational risks
  • Aggregated metrics: Average, maximum, minimum, and weighted scores for both inherent and residual risk
  • Risk Picker interface: Search, filter by category/status/department, multi-select risks to link
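
The four calculation modes from Capability 2 and the typed, weighted links from Capability 3 together define how a principal risk's score is derived from the operational risks beneath it. The following is an added worked example, written for this page and not GRCxAI's own code: it validates link weights against the stated ranges (Primary 1.5–2.0, Contributing 1.0, Related 0.5–0.8), keeps every score on the 1–25 scale, and computes the Manual, Maximum, Average and Weighted results plus the average/maximum/minimum/weighted metric set for both inherent and residual risk. The field names, the reference IDs `OR-0001` to `OR-0003`, the three sample risks and the rule that residual never exceeds inherent are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

SCORE_MIN, SCORE_MAX = 1, 25  # the 1-25 scale used for inherent, residual and target scores


class LinkType(Enum):
    PRIMARY = "Primary"            # root cause
    CONTRIBUTING = "Contributing"
    RELATED = "Related"            # indirect


# Permitted weight range per link type, as described on the page.
WEIGHT_RANGES = {
    LinkType.PRIMARY: (1.5, 2.0),
    LinkType.CONTRIBUTING: (1.0, 1.0),
    LinkType.RELATED: (0.5, 0.8),
}


@dataclass(frozen=True)
class OperationalRisk:
    """One entry from the operational Risk Register (field names are assumed)."""
    ref: str
    inherent: int
    residual: int

    def __post_init__(self) -> None:
        for name in ("inherent", "residual"):
            value = getattr(self, name)
            if not SCORE_MIN <= value <= SCORE_MAX:
                raise ValueError(f"{self.ref}: {name} score {value} outside {SCORE_MIN}-{SCORE_MAX}")
        # Assumption for this example: controls can only reduce risk, so residual <= inherent.
        if self.residual > self.inherent:
            raise ValueError(f"{self.ref}: residual {self.residual} exceeds inherent {self.inherent}")


@dataclass(frozen=True)
class RiskLink:
    """A principal-risk -> operational-risk link with its type and configurable weight."""
    risk: OperationalRisk
    link_type: LinkType
    weight: float

    def __post_init__(self) -> None:
        lo, hi = WEIGHT_RANGES[self.link_type]
        if not lo <= self.weight <= hi:
            raise ValueError(
                f"{self.risk.ref}: weight {self.weight} not in {lo}-{hi} for a {self.link_type.value} link")


def aggregate_score(links, dimension, mode, manual=None):
    """Score one dimension ('inherent' or 'residual') under one calculation mode.

    Manual ignores the links and returns the executive-judgment value after range
    checking; the dynamic modes return None when there is nothing linked to aggregate.
    Python's round() rounds exact .5 ties to even; a production system should pin
    an explicit rounding policy so scores are reproducible across releases.
    """
    if dimension not in ("inherent", "residual"):
        raise ValueError(f"unknown dimension {dimension!r}")
    if mode == "Manual":
        if manual is None or not SCORE_MIN <= manual <= SCORE_MAX:
            raise ValueError("Manual mode needs an executive-judgment score on the 1-25 scale")
        return manual
    if not links:
        return None
    values = [getattr(link.risk, dimension) for link in links]
    if mode == "Maximum":                       # worst case across linked risks
        return max(values)
    if mode == "Average":                       # balanced view
        return round(sum(values) / len(values))
    if mode == "Weighted":                      # nuanced by link importance
        total_weight = sum(link.weight for link in links)
        return round(sum(link.weight * v for link, v in zip(links, values)) / total_weight)
    raise ValueError(f"unknown calculation mode {mode!r}")


def aggregated_metrics(links):
    """Average, maximum, minimum and weighted scores for inherent and residual risk."""
    out = {}
    for dim in ("inherent", "residual"):
        values = [getattr(link.risk, dim) for link in links]
        out[dim] = {
            "average": aggregate_score(links, dim, "Average"),
            "maximum": aggregate_score(links, dim, "Maximum"),
            "minimum": min(values) if values else None,
            "weighted": aggregate_score(links, dim, "Weighted"),
        }
    return out


# Constructed sample data: three operational risks linked to one principal risk.
SAMPLE_LINKS = [
    RiskLink(OperationalRisk("OR-0001", inherent=20, residual=12), LinkType.PRIMARY, 2.0),
    RiskLink(OperationalRisk("OR-0002", inherent=15, residual=9), LinkType.CONTRIBUTING, 1.0),
    RiskLink(OperationalRisk("OR-0003", inherent=10, residual=4), LinkType.RELATED, 0.5),
]

if __name__ == "__main__":
    for dim, metrics in aggregated_metrics(SAMPLE_LINKS).items():
        print(dim, metrics)
```

With the sample links, the weighted inherent score is (2.0·20 + 1.0·15 + 0.5·10) / 3.5 = 17 after rounding, while the Maximum mode reports 20; the gap between the two is exactly the judgement call that choosing a mode encodes, which is why the mode in use belongs in the audit trail alongside the score.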

Capability 4

Control Mapping & Effectiveness Tracking

Map controls directly to each principal risk and track their effectiveness over time:

  • Effectiveness ratings: Effective, Partially Effective, Ineffective, Not Assessed
  • Numeric scoring: 1–5 scale for quantitative analysis
  • Testing schedules: Monthly, Quarterly, Annually with automated overdue tracking
  • Test history: Last tested date, next test date, with overdue alerts
  • Control Picker: Search and link from the full Controls Register
  • Aggregated dashboard: At-a-glance view of effective, partial, ineffective, and overdue counts per principal risk

Capability 5

Board Oversight & Governance Trail

Full board governance lifecycle tracking for Provision 29 compliance:

  • Board oversight flag: Mark risks requiring board-level review
  • Committee assignment: Audit Committee, Risk Committee, Board, Executive Committee
  • Review scheduling: Last and next board review dates with calendar sync
  • Board notes: Record minutes and discussion points from each review
  • Overdue tracking: Automatic flags when board reviews are overdue
  • Review history: Full audit trail of all reviews with date, reviewer, outcome, and required actions

Capability 6

Two-Level Accountability Model

Clear, named accountability at two levels ensures no risk falls through the cracks:

  • Executive Sponsor: C-suite/VP level accountability and board liaison. Responsible for strategic oversight and escalation.
  • Risk Owner: Day-to-day management, assessment, and mitigation responsibility. Responsible for operational management of the risk.
  • Both are named individuals linked to the user directory for clear, auditable accountability

Capability 7

Annual Report Disclosure Management

Purpose-built fields for managing the ARA (Annual Report & Accounts) process:

  • Include in Annual Report flag per risk
  • Annual Report Year for archival and year-over-year comparison
  • Report Status workflow: Draft → Under Review → Approved → Published
  • Disclosure Text: Approved wording for external publication, maintained per risk
  • Provision 29 Compliant boolean flag for compliance tracking across the portfolio

Capability 8 — AI-Powered

AI Annual Report Generation

GRCxAI uses Claude AI to auto-generate Annual Report-ready Provision 29 disclosures:

  • Professional report template following Annual Report conventions
  • Auto-populated data from principal risks, linked operational risks, and controls
  • Structured sections: Introduction, Risk Management Framework, Individual Risk Disclosures, Risk Appetite Statement, Changes in Principal Risks, Viability Statement Support
  • Board-appropriate language suitable for shareholders, regulators, and analysts
  • PDF export for board packs and annual report submissions

Capability 9

Key Risk Indicators & Monitoring

Ongoing risk monitoring tools to satisfy the continuous oversight requirement:

  • KRI Indicators: Text array of Key Risk Indicators per principal risk
  • Monitoring frequency: Monthly, Quarterly, Annually
  • Assessment scheduling: Last and next assessment dates with overdue tracking
  • Calendar integration: Board reviews and assessments sync to the platform calendar

Capability 10

Full Audit Trail

Every change is logged to support regulatory audit and FRC inspection requirements:

  • Who changed what, when, and from what value to what value
  • Board review history with outcomes
  • Control test history
  • Risk link changes
  • Score changes over time
  • Supports regulatory audit and FRC inspection requirements

AI-Powered

From Principal Risks to Annual Report in Minutes

GRCxAI uses Claude AI to auto-generate Annual Report-ready Provision 29 disclosures from your live risk data. Board-appropriate language suitable for external publication to shareholders, regulators, and analysts.

Every action is audit-logged. Every review is documented. Every declaration is evidence-backed and regulator-ready.

Structured Output Includes
  • Introduction (Board's approach to risk management)
  • Risk Management Framework (oversight, committee structure, processes)
  • Individual principal risk disclosures (description, impact, scores, controls, board oversight)
  • Risk Appetite Statement
  • Changes in Principal Risks (new, removed, de-escalated, emerging)
  • Viability Statement Support
  • PDF export for board packs

Complete Feature Set

Everything You Need for Provision 29

A comprehensive checklist of every Provision 29 capability built into GRCxAI.

Risk & Scoring

  • Principal Risks register with 8 categories and 3 risk types
  • Three-level scoring (Inherent, Residual, Target) on 1–25 scale
  • Many-to-many linkage from principal risks to operational risks
  • Weighted score aggregation (Manual, Maximum, Average, Weighted modes)
  • Trend and velocity tracking with visual indicators
  • Risk appetite framework (5 levels from Averse to Hungry)
  • Emerging risk identification and escalation

Controls & Governance

  • Control mapping with effectiveness ratings and test scheduling
  • Board oversight tracking with committee assignments and review history
  • Two-level accountability (Executive Sponsor + Risk Owner)
  • Key Risk Indicators and monitoring frequency management
  • Calendar integration for board reviews and assessments
  • Annual Report disclosure management (Draft to Published workflow)
  • AI-generated Annual Report text from live risk data
  • Full audit trail for regulatory inspection
  • PDF export for board packs

The Difference

Without GRCxAI vs With GRCxAI

See how GRCxAI transforms Provision 29 compliance from a manual, error-prone process into a streamlined, auditable workflow.

Without GRCxAI: Spreadsheet-based principal risk tracking
With GRCxAI: Structured, searchable risk register with auto-generated reference IDs

Without GRCxAI: Manual score updates across disconnected documents
With GRCxAI: Dynamic score aggregation from linked operational risks

Without GRCxAI: No link between principal risks and operational controls
With GRCxAI: Many-to-many control mapping with effectiveness tracking

Without GRCxAI: Board reviews documented in meeting minutes only
With GRCxAI: Integrated review scheduling, tracking, and audit trail

Without GRCxAI: Annual Report text drafted from scratch each year
With GRCxAI: AI-generated disclosure text from live data

Without GRCxAI: No evidence of control testing
With GRCxAI: Dated test records with overdue alerts

Without GRCxAI: Difficult to demonstrate compliance to auditors
With GRCxAI: Complete audit log of every change, review, and declaration

Without GRCxAI: Weeks of manual preparation for ARA season
With GRCxAI: Board-ready output generated in minutes

FAQ

Frequently Asked Questions

What is Provision 29?

Provision 29 of the UK Corporate Governance Code (revised January 2024) requires boards to monitor risk management and internal control systems, carry out an annual effectiveness review, and make a formal declaration in their Annual Report. It applies to accounting periods beginning on or after 1 January 2026.

Who does Provision 29 apply to?

All companies with a premium listing on the London Stock Exchange, on a "comply or explain" basis. This includes all FTSE 350 companies and many others that voluntarily adopt the Code.

Why is Provision 29 called "UK SOX"?

It draws comparisons to the US Sarbanes-Oxley Act because both require formal declarations on internal control effectiveness. However, Provision 29 is distinct — it emphasises ongoing, proactive risk and control management rather than purely compliance-driven financial control attestation.

What material controls does Provision 29 cover?

All material controls including financial, operational, reporting, and compliance controls. It's not limited to financial controls like US SOX. This broader scope is one of the key differences from the American legislation.

How does GRCxAI help with Provision 29?

GRCxAI provides a purpose-built Principal Risks & Uncertainties module that covers the full compliance lifecycle: risk identification across 8 categories, control mapping with effectiveness testing, board oversight tracking with committee assignments, annual report disclosure management with a Draft-to-Published workflow, and AI-powered report generation. Every action is audit-logged for regulatory inspection.

Can GRCxAI generate the Annual Report risk disclosure?

Yes. GRCxAI uses AI to generate professional, Annual Report-ready Provision 29 disclosures from your live risk data. The output follows standard ARA formatting with structured sections including risk management framework, individual risk disclosures, risk appetite statements, and viability statement support. The generated text uses board-appropriate language suitable for external publication to shareholders, regulators, and analysts.

Regulatory Context

Regulatory References

Primary Legislation

  • UK Corporate Governance Code (FRC, January 2024)
  • UK Companies Act 2006

Supporting Guidance

  • FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting
  • Applies on "comply or explain" basis to premium-listed companies

Don't Just Claim Strong Governance. Prove It.

Provision 29 applies to financial years beginning 1 January 2026. Map risks. Track controls. Evidence effectiveness. Declare with confidence.

The complete platform for UK Corporate Governance Code compliance.
