Accountability follows the stop button

Provision 29 of the UK Corporate Governance Code 2024, now in force for financial years beginning on or after 1 January 2026, expects boards to make an explicit declaration on the effectiveness of their material controls. 

One of the more consequential changes in the UK Corporate Governance Code is now under way. Under Provision 29, boards are no longer asked simply to describe their internal control frameworks. They are expected to declare whether their material controls were effective at the balance sheet date — and to explain any material weaknesses and the actions taken to address them.

For most boards, this will be supported through established governance processes: management assurance, internal audit testing, risk reporting, and engagement with external auditors. But behind those formal mechanisms lies a more practical question. When something starts to go wrong, can the organisation intervene quickly, clearly, and with an evidence trail that shows who decided what, and why?

Provision 29 expects boards to describe how they monitored and reviewed effectiveness, declare whether material controls were effective as at the balance sheet date, and describe any material controls that have not operated effectively and the action taken or proposed. The aim is not to turn boards into operational managers, but to strengthen accountability, transparency and investor confidence.

In practice, many governance frameworks look robust on paper. Risk registers are comprehensive. Committee remits are clear. Escalation policies are documented. Yet when pressure builds, authority can still become fragmented. Decisions may be delayed. Evidence may be assembled after the event rather than during it.

This is not usually because policies are missing, but because intervention authority is dispersed across process owners, second-line functions, advisers and assurance teams. When time matters, it is not always obvious who has the final say to pause, reverse or override a deteriorating process.

Provision 29 does not ask boards to redesign operational controls. But it does raise expectations about whether boards can be confident — and transparent — about how controls actually function in real conditions. That confidence depends in part on whether escalation and decision rights are understood, exercised, and documented.

A practical way for boards to test this is not by writing new frameworks, but by asking management a small number of focused questions about high-consequence processes:
- Who can pause the process if risk thresholds are breached?
- Who can authorise a rollback or corrective action?
- Who can approve an override, and on what basis?
- What evidence is reviewed before normal operations resume?

These questions sit squarely within the board’s oversight role. They do not require directors to manage day-to-day operations, but they help ensure that governance arrangements are workable when it matters most.

Consider a simple example in financial operations. If reconciliation anomalies exceed tolerance levels, a named finance lead may have authority to pause payments, a change owner to correct the issue, and a senior executive to approve any override. Restarting the process might require trigger data, a short impact assessment, confirmation that the issue has been resolved, and a time-stamped decision record. None of this is unusual. What matters is that the authority is clear and the evidence is available.

Established frameworks already support this approach. COSO, the Committee of Sponsoring Organizations of the Treadway Commission, emphasises that internal controls exist to enable effective, ethical operations — not just regulatory compliance. The Institute of Internal Auditors (IIA) Three Lines Model clarifies the respective roles of management, oversight functions and independent assurance. Provision 29 builds on these foundations by requiring boards to make an explicit statement about effectiveness.

Most boards will rely primarily on internal audit, management attestations and external audit interactions to support their declarations. But those assurances are strongest when they are anchored in processes that operate clearly under pressure.

Two simple indicators can help boards gain confidence without becoming operationally intrusive: coverage (whether high-consequence processes have defined escalation and stop-and-restart authority) and time to pause (in a tabletop exercise, the time from trigger to an authorised pause decision, including what minimum evidence is checked). 

Boards do not need to run these interventions themselves. They need visibility over whether authority exists, whether it is understood, and whether evidence can be produced.

Provision 29 is often described as a reporting reform. In reality, it is also a test of governance maturity. Accountability does not begin with the annual report. It begins with clarity about who can act — and how that action is recorded — when controls are under strain.

________________

Kostakis Bouzoukas is a London-based technology product and engineering leader focused on operational governance and evidence readiness.

The ECGI does not, consistent with its constitutional purpose, have a view or opinion. If you wish to respond to this article, you can submit a blog article or 'letter to the editor' by clicking here.