
Provision 29 and NED Due Diligence: What You Need to Know
Your board chair turns to you during the annual report discussion and asks: "Are you confident we can sign a declaration that our material controls are effective?" Under Provision 29 of the UK Corporate Governance Code, that question is no longer hypothetical. From financial years starting on or after 1 January 2026, your board must make that declaration publicly — and your name is on it.
Provision 29 is the most significant governance change in a decade. It applies to financial years beginning on or after 1 January 2026, which means the work to prepare for it needs to be happening now. For non-executive directors, the implications are substantial — and personal.
What Provision 29 Actually Requires
The 2024 UK Corporate Governance Code introduced revisions to Provision 29 that go well beyond what was previously expected of boards.[1] The previous version asked boards to monitor and review their risk management and internal control frameworks. The new version asks them to make a public declaration about whether those controls actually work. In other words, the Code now expects boards to stand behind the outcome of their control framework, not just its design and documentation.
Specifically, boards must now disclose three things in their annual report:[2]
A declaration of effectiveness. The board must state whether its material controls were effective as at the balance sheet date. This is the headline change — a move from describing processes to declaring outcomes.
A description of how the board monitored and reviewed. It's not enough to say the controls work. The board must explain the evidence and process behind that conclusion.
A description of any controls that didn't work. If material controls were not effective, the board must say so publicly — along with what it's doing to fix them.
This is a "comply or explain" regime, not a legal mandate.[1] But explaining why you didn't comply carries its own reputational weight. As one audit committee chair put it to ICAEW: "If you sign that statement and something later goes wrong, the reputational hit is enormous. Investors will immediately question whether you really tested your controls."[3]
What Are "Material Controls"?
This is where the challenge gets real for NEDs. The FRC has deliberately avoided prescribing a list of material controls or setting a minimum number.[2] It's the board's responsibility to determine what counts as "material" based on the company's specific risks and circumstances.
The scope is broad. Material controls cover financial, operational, reporting, and compliance activities — not just the financial controls that most directors are used to overseeing.[4] That means controls over narrative reporting, ESG disclosures, cyber risk management, and supply chain resilience may all fall within scope.
In practice, most organisations are identifying between 20 and 50 material controls, depending on their size and complexity.[5] A major financial institution might land above 50. A less complex business might have fewer than 20. There's no single right answer — but the board must be able to explain and defend its choices.
The practical advice from those who've gone through the process is worth noting. John Ramsay, Audit Committee Chair at Babcock, told the Corporate Governance Institute: "One of the big mistakes in the early days of SOX was that companies had masses of key controls, which they reduced over time. That's been a good learning exercise for Provision 29. Companies have not gone overboard."[5]
Why This Matters for Non-Executive Directors
Here's what makes Provision 29 different from most governance changes: it creates a direct, personal line between the NED and the declaration.
Under UK law, there is no legal distinction between executive and non-executive directors.[6] NEDs have the same duties, responsibilities, and potential liabilities as their executive colleagues. When the board signs a declaration that material controls are effective, every director's name is behind it.
This isn't theoretical. In 2023, the PRA fined George Hambro, a former non-executive director of Wyelands Bank, £72,000 for failing to act with due skill, care, and diligence — specifically in relation to control weaknesses around capital recognition and large exposure assessments.[7] Provision 29 makes this kind of scrutiny more likely, not less, because the declaration creates a clear public record of what the board believed about its controls at a specific point in time.
The question every NED should be asking is not "Will our controls pass?" but "Do I have enough information to put my name to this declaration with confidence?"
The Preparation Gap
For many NEDs, the honest answer to that question is "not yet." And the clock is ticking.
Board Intelligence's research shows that 68% of directors and governance professionals rate their board materials as "weak" or "poor."[8] The average board pack for large organisations runs to 294 pages — up from 267 in 2023 — yet directors spend only 3 to 4 hours reading each one.[8] That's roughly 30 pages per hour, which means half the pack may go unread.
Now layer Provision 29 on top of that. The board must declare on the effectiveness of 20 to 50 material controls, each requiring evidence of monitoring and review. That evidence lives somewhere in those board papers — in risk registers, internal audit reports, compliance updates, and management assurance letters. The NED's challenge is not just reading the pack, but finding and assessing the right information within it.
This is where the preparation gap becomes a governance risk. If a NED can't locate the evidence for a specific control's effectiveness within the board materials, they have two options: challenge management to provide it (which is good governance) or sign the declaration without full confidence (which isn't).
Five Things Every NED Should Do Now
Provision 29 doesn't require NEDs to become internal auditors. But it does require them to be more rigorous about what they know, how they know it, and whether the evidence supports the declaration they're being asked to sign.
Understand the scope of material controls. Ask your company secretary or audit committee chair for the list of controls that will be subject to the declaration. If no list exists yet, that's itself a concern worth raising. Most organisations should have this settled by now.
Trace the evidence chain. For each material control, understand where the evidence of effectiveness comes from. Is it internal audit testing? Management self-assessment? External assurance? The board's declaration is only as strong as the evidence behind it.
Challenge the gaps. Provision 29 explicitly requires the board to disclose controls that didn't work. This means there should be a culture of transparency, not defensiveness. If management isn't surfacing weaknesses, the system isn't working as intended.
Review the reporting. Provision 29 creates new reporting requirements for the annual report. Review the draft disclosures early — not at the final board meeting before sign-off. The declaration language matters, and NEDs should be involved in shaping it.
Rethink how you prepare. With 294 pages per board pack, multiple committees feeding into the controls framework, and 20 to 50 controls requiring evidence of effectiveness, the preparation workload is significant. The principles matter more than any single tool: can you search across documents, cross-reference risk registers against control evidence, and quickly surface gaps? Whether through better-organised digital papers, structured note-taking, or AI-assisted review, the goal is the same — enabling sharper judgement, not replacing it. The directors who navigate Provision 29 well will be those whose preparation process matches the rigour the declaration demands.
The Bigger Picture
Provision 29 isn't just about compliance. It's about raising the bar for board effectiveness at a time when trust in corporate governance is under pressure. The 2025 Edelman Trust Barometer reported a record 68% of respondents believing businesses purposely mislead people.[9] The Economist called out widespread board "fecklessness" in holding management to account.[8]
Against that backdrop, Provision 29 is the FRC's answer: make boards publicly accountable for the controls that protect shareholders, employees, and markets. For NEDs, that means the quality of your preparation, the sharpness of your challenge, and the rigour of your oversight are more visible than ever.
The directors who will navigate this well are those who go deeper into the evidence, ask the difficult questions before the declaration is due, and ensure they can stand behind their signature with confidence.
The preparation you do now determines the declaration you sign later. Make sure you've done yours.
Notes
[1] FRC, UK Corporate Governance Code 2024 — frc.org.uk
[2] Chartered IIA, UK Corporate Governance Code Provision 29: Key Considerations — charterediia.org (PDF)
[3] ICAEW, "Prepare for 2026: Get Ready for Provision 29" — icaew.com
[4] KPMG, UK Corporate Governance Code 2024: Provision 29 — kpmg.ie (PDF)
[5] Corporate Governance Institute, "Provision 29: The Final Countdown" — thecorporategovernanceinstitute.com
[6] Mosaic Search, "The Duties of a Non-Executive Director: Governance, Risk, and Compliance Explained" — mosaic-search.co.uk
[7] PRA Enforcement, Final Notice: George Edward Brooksbank Hambro, 2023 — referenced in Diligent, "The Liability of Non-Executive Directors" — diligent.com
[8] Board Intelligence, "Under the Microscope: The State of Board Effectiveness in 2025" — boardintelligence.com
[9] Edelman, 2025 Trust Barometer — referenced in Board Intelligence report above