
Provision 29 and the downstream shift: why controls are cascading through supply chains

  • cormacobrien8
  • Oct 17

From 1 January 2026, UK Corporate Governance Code Provision 29 starts to apply to in‑scope companies’ new financial years. Boards will need to make a formal declaration on the effectiveness of their material internal controls as at the balance sheet date, and explain any material weaknesses and actions.

The Provision 29 cascade: what starts as a requirement for UK listed companies creates governance expectations across businesses in their supply chains.

What we’re noticing, though, is a downstream shift. At a GRC strategy session in October, analyst Michael Rasmussen highlighted how the Provision 29 mindset is already moving beyond listed issuers. In‑scope companies are beginning to expect their critical suppliers to show comparable discipline over material controls. We’re also hearing from large private companies that want to adopt Provision 29‑style practices as best practice, even if they’re not required to.



Why would a company comply voluntarily?

Even if you’re not legally in scope, Provision 29 presents a practical opportunity to raise governance maturity and commercial competitiveness.


1) Win (and keep) enterprise customers

Procurement teams are tightening third‑party requirements. Expect more RFP questions on material controls, testing cadence, issues & remediation, and who in the business is accountable. A clear, proportionate statement over controls shortens sales cycles and lifts supplier scores.


2) Better cost of capital and stakeholder confidence

Investors, lenders, and rating agencies reward predictability and control. A board‑level view of material controls—with evidence—supports governance ratings, reduces due‑diligence friction, and signals resilience.


3) Lower risk of surprises

A disciplined approach to monitoring and assurance catches weaknesses earlier, reducing incident cost and executive distraction. You also avoid the “paper compliance” trap by focusing on what’s material and evidencing those controls proportionately.


4) Insurance and contractual advantages

Underwriters increasingly ask for control evidence (cyber, fraud, operational resilience). Customers are writing attestation and right‑to‑audit clauses into contracts. Being Provision‑29‑ready keeps premiums and negotiations pragmatic.


5) M&A and exit readiness

Buy‑side diligence now probes control design and operating effectiveness—not just policy existence. A Provision‑29‑aligned approach can protect valuation and speed the deal.



What the downstream shift means for the GRC landscape

Controls move from policy to proof. Boards, customers, and partners are asking for evidence of effectiveness, not just frameworks. That drives demand for:


  • Clear definitions of “material controls” tied to principal risks, reporting obligations, and key processes.

  • A single taxonomy across risks, controls, issues, and assurance activities to kill silos and overlaps.

  • Continuous control monitoring (CCM) and data‑driven testing to provide timely, auditable evidence.

  • Assurance mapping across the Three Lines, clarifying who owns, who tests, and who oversees.

  • Supplier enablement: simple attestation packs and proportionate questionnaires aligned to materiality.


In short: fewer point solutions, more connected risk & control operating models that generate board‑ready evidence.



A SmartStart path to Provision‑29 compliance

You don’t need a big-bang programme—Optial GRC SmartStart is modular: launch with the Provision 29 core to produce board-ready evidence, then add modules as you grow. Focus on materiality and build repeatable rhythms.


Stage 1 — Determine your material controls

What Provision 29 expects

Boards assess and define “material controls” across financial, operational, reporting and compliance domains—typically those addressing key risks to the business model, solvency, liquidity, price-sensitive reporting, fraud, and key IT controls. 


How Optial helps

  • Build control portfolios and tag material controls as key controls.

  • Link controls to principal risks, processes, indicators/KPIs, and obligations so materiality is traceable.

  • Analyse with heatmaps and matrices to evidence prioritisation.


Outcome: A defensible, scoped set of material controls tied directly to principal risks and reporting.

 

Stage 2 — Monitor & manage the lifecycle

What Provision 29 expects

Ongoing monitoring and an annual effectiveness review of the internal control framework; transparent handling of issues and remediation.


How Optial helps

  • Assign owners and cadence (testing frequency, assurance plans) for each material control.

  • Schedule recurring control assessments and tests; capture evidence, sign-offs, and audit trail automatically.

  • Log issues and track remediation through to closure with status, actions, and dates.


Outcome: A repeatable monitoring rhythm that turns testing, issues, and remediation into an auditable narrative.

 

Stage 3 — Report with evidence-backed clarity

What Provision 29 expects

In the annual report, boards must make a declaration at the balance sheet date on the effectiveness of material controls, describing any that did not operate effectively and the actions taken or proposed.


How Optial helps

  • Generate board-ready reports (heatmaps, registers, KPI views) filtered to your material control set and balance-sheet cut-off.

  • Produce a concise effectiveness summary including exceptions and remediation plans.

  • Use configurable report criteria to align language and scope with your Annual Report disclosures.


Outcome: A clear, defendable statement backed by traceable evidence and consistent metrics.


Why SmartStart?

  • Start lean, scale fast: Stand up the Provision 29 core in weeks, extend to wider GRC as you mature.

  • Evidence first: Everything—tests, sign-offs, issues, remediation—is captured and reportable.

  • Materiality-driven: Keeps the spotlight on what matters for the declaration.



How we can help

Get in touch to see a demo of how we operationalise Provision 29 in weeks, not months—focused on what’s material to your business.


Sign up to our Provision 29 newsletter to get notified about updates: https://www.optial.com/solutions/provision-29-compliance


