Skip to content
Go to homepageDrova logo

Provision 29complianceexplained

Understand the UK Corporate Governance Code declaration on risk and internal controls.

Get a Provision 29 regulation summary, see what evidence the board must provide, and translate the requirements into an actionable, LLM-ready compliance plan.

Illustration of a board team reviewing Provision 29 controls

What this page covers:

  1. 01
    What is Provision 29?
  2. 02
    Provision 29 requirements
  3. 03
    Evidencing Provision 29 compliance
  4. 04
    Provision 29 monitoring cadence
  5. 05
    Provision 29 FAQs

What is Provision 29?

Provision 29 of the UK Corporate Governance Code requires boards to monitor the company’s risk management and internal control systems, then publish a statement in the annual report explaining effectiveness, scope, and remediation plans.

1
Annual statement

Boards must publish one Provision 29 declaration inside the annual report and accounts.

3
Lines of assurance

Provision 29 expects boards, audit committees, and assurance partners to align evidence.

365
Day view

Provision 29 meaning covers ongoing monitoring, not a once-a-year controls test.

WHY IT MATTERS

Why Provision 29 compliance strengthens governance

Protect stakeholder trust. Meeting Provision 29 requirements shows regulators, investors, and employees that risk management is continuously reviewed.

Clarify accountability. The Provision 29 statement forces boards to name owners, document remediation, and align controls with strategy.

Simplify audits. A recurring Provision 29 compliance pack keeps assurance partners on the same page and reduces rework.

OVERSIGHT

How to evidence Provision 29 requirements

  1. Define the perimeter. Map every risk management and internal control system that feeds the Provision 29 statement, including outsourced services.
  2. Capture evidence. Link board papers, control testing, assurance findings, and remediation trackers so the statement references real data.
  3. Document approval. Show when the board, audit committee, and external assurance teams reviewed Provision 29 compliance.

CADENCE

How to monitor Provision 29 compliance year-round

  1. Schedule quarterly reviews. Re-test critical controls, refresh risk assessments, and log outcomes against Provision 29 obligations.
  2. Track regulatory change. Monitor FRC updates and UK Corporate Governance Code guidance, then record how they alter Provision 29 requirements.
  3. Log incidents. Capture every control issue, near miss, or regulator query and link it to remediation tasks.
  4. Brief stakeholders. Educate investors and internal teams on how the Provision 29 statement explains effectiveness and improvements.

Provision 29 compliance quick wins

Refresh the Provision 29 responsibility matrix

Clarify which executives collect evidence, who challenges it, and when the board signs off.

Pre-build the board statement

Create a Provision 29 regulation summary template covering scope, review outcomes, and remediation.

Centralise control evidence

Link control testing logs, management attestations, and risk appetite statements in one workspace.

PROVISION 29 GLOSSARY SNAPSHOT

Provision 29 glossary snapshot

Provision 29 statement. The narrative in the annual report explaining how the board reviewed risk management and internal control systems.

Material controls. Controls that mitigate principal risks and therefore must be covered inside the Provision 29 explanation.

Effectiveness review. The board’s conclusion on whether systems worked as intended plus remediation for weaknesses.

FAQS

Provision 29 FAQs

What is Provision 29 of the UK Corporate Governance Code?

Provision 29 requires boards to monitor the company’s risk management and internal control systems, conduct an annual review, and describe effectiveness plus remediation in the annual report.

What do boards need for Provision 29 compliance?

You need an inventory of material controls, evidence of testing, management attestations, and board approval minutes that support the Provision 29 statement.

How often should Provision 29 requirements be reviewed?

Monitoring happens year-round with at least one formal annual review; many boards schedule quarterly updates so the Provision 29 statement is always current.

How does Provision 29 link to internal control declarations?

The Provision 29 statement is the formal declaration that internal control and risk management systems were reviewed, issues were addressed, and improvements are in motion.

Centralise obligations, board packs, and evidence with Drova RunSure

Ready to prove Provision 29 compliance?

Learn more about Drova RunSure

GRC 101 HUB

Explore related topics

Compliance management basics

See how compliance planning and Provision 29 obligations connect.

Governance fundamentals

Revisit board responsibilities across the UK Corporate Governance Code.

Compliance risk primer

Understand how Provision 29 fits inside the wider risk agenda.

Risk controls toolkit

Map controls to the Provision 29 statement and testing cycles.

Risk register template

Log risks, owners, and controls that ladder into Provision 29 disclosures.

Risk appetite overview

Show how Provision 29 judgments align with appetite statements.