Metricstream Logo
×
banner-background-min solutions-banner-mobile-bg

AI-Driven Compliance Solution to Simplify Provision 29 of the UK Governance Code

Get Board-Ready with Stronger Internal Controls and Governance Reporting

banner

Confident Board Sign-Off with Connected Internal Controls, Risk, and Audit


Give your board the evidence, oversight, and confidence to stand behind a defensible Provision 29 declaration — applicable for all UK premium-listed companies in financial years beginning on or after 1 January 2026.

Implement a strong internal controls framework with MetricStream's AI-native UK Corporate Governance Solution, which unifies Enterprise Risk Management, Internal Controls, and Internal Audit on a single platform, for complete visibility across all lines of defense. Centralize your material control environment, identify control gaps before they escalate, and manage issues with full auditability. One source of truth. Zero blind spots. A formal attestation that your board can own.


  Confident Board Sign-Off with Connected Internal Controls, Risk, and Audit

How Our UK Corporate Governance Code Solution Helps You

 
How Our UK Corporate Governance Code Solution Helps You How Our UK Corporate Governance Code Solution Helps You

AI Agents and Assistants That Work the Way Risk, Compliance, and Audit Professionals Think

Get instant answers on control health, risk exposure, and audit status, without digging through reports or switching screens. MetricStream's AI assistants for risk, compliance, and audit bring cross-domain intelligence directly into your workflow, so you spend less time finding information and more time acting on it. Whether you're assessing a control gap, preparing for an audit, or capturing risk data on the go, these assistants guide you to what matters, flag what needs attention, and help you move faster with greater confidence.

Give Your Board the Evidence to Declare with Confidence

Get a structured, evidence-backed program to declare on the effectiveness of material controls: from scoping and testing to board-ready reporting that underpins your control effectiveness, with every step logged, version-controlled, and traceable to source. AI-powered dashboards provide curated insights into the organization’s top risks, mapped material controls, key threshold breaches, and emerging risks.

Complete Visibility Across Your Material Controls

Know the state of every material control across financial, operational, IT General Controls (ITGC), Internal Controls over Financial Reporting (ICFR), and Segregation of Duties (SoD) in a structured and repeatable way. Establish a material control taxonomy that maps to risks, processes, and issues. Leverage AI to rationalize controls and improve control definitions through automated control descriptions based on industry standards.

Risk Appetite Monitoring

Define thresholds. Track Key Risk Indicators (KRIs) in real time. Know whether you're operating within appetite before your board asks. Group, business unit, and functional risk registers map principal risks to sub-risks, controls, and assurance activities. Interactive heatmaps and configurable reporting packs provide the audit committee with a current picture of Provision 29 requirements. Quickly identify emerging risks and potential control gaps based on external and internal signals, issue clusters, and threshold breaches, and take action before annual audits.

A Connected Three Lines Model

Replace siloed assurance with a single, connected view across your organization, Internal Audit, Risk, Internal Controls, IT, and Third-Party on a single platform with a shared taxonomy. Each function keeps its own workflow. Leadership and the board get a unified, real-time view with no duplicate records, no conflicting versions of the truth. Give the audit committee a single view to provide audit reports and recommendations to the board.

AI-Powered Proactive Control Deficiency and Issue Management

Get instant visibility into control gaps and failures, and manage them proactively, so your year-end declaration reflects your year-long rigorous oversight. MetricStream's AI identifies issues based on relevance, relationships, and criticality, recommends how to classify them, and suggests action plans, so your teams spend less time triaging and more time fixing. Build remediation actions directly within the workflow by modifying existing controls, defining new ones, and tracking every step through to closure with real-time status updates at each stage.

Ongoing Monitoring and Testing of Material Controls

Move beyond annual or periodic testing. Proactively detect control failures, compliance, and policy violations. Gather evidence regularly throughout the year by integrating with your various internal systems.

Outcomes-Based Governance and Long-Term Business Sustainability

Link governance activities to business objectives. Map board decisions to measurable results, and track everything through dashboards and reports that your audit committee can interrogate. Every disclosure is backed by reliable, evidence-based data for resilient business operations. Leverage AI to refine audit reports that are clearer, more consistent, and ready to stand up to scrutiny, with no extra effort layered on top of an already demanding process.

How Our UK Corporate Governance Code Solution Benefits Your Business

  • Give your board a defensible trail of evidence and gain investor and regulator confidence
  • Eliminate siloed assurance and give leadership one real-time view of controls across all three lines
  • Establish a single source of truth across the three lines with a centralized risk and control taxonomy
  • Move from point-in-time checks to on-demand control monitoring with anomaly detection
  • Proactively fix control gaps and failures before they become public disclosures
bvc-desk-img
BUSINESS VALUE CALCULATOR

Frequently Asked Questions

The UK Corporate Governance Code is a principles-based framework published by the Financial Reporting Council (FRC) that sets standards for board leadership, risk management, internal controls, and corporate reporting. It applies to all companies with a premium listing on the London Stock Exchange, whether incorporated in the UK or elsewhere. While private companies are not required to comply, large private entities within the scope of The Companies (Miscellaneous Reporting) Regulations 2018 must disclose their corporate governance arrangements. Companies outside the Code's mandatory scope can also choose to follow it voluntarily as a best practice benchmark.

The 2024 Code introduces a stronger emphasis on outcomes-based governance reporting, where boards must demonstrate the results of decisions rather than simply describe policies. It adds explicit requirements to assess and monitor how the desired organisational culture has been embedded across the business. Most significantly, Provision 29 expands the board's responsibilities around risk management and internal controls, requiring an annual declaration of the effectiveness of all material controls — financial, operational, reporting, and compliance — and a description of any controls that did not operate effectively during the year.

Provision 29 requires boards to monitor and review the effectiveness of their risk management and internal control framework at least annually, and to report on that review in the annual report. Boards must provide a description of how the framework was monitored and reviewed, a declaration of effectiveness of all material controls as of the balance sheet date, and a description of any material controls that did not operate effectively — including the actions taken or proposed to address them. This applies to financial, operational, reporting, and compliance controls, extending the scope beyond the traditional focus on financial controls alone.

Most changes in the 2024 UK Corporate Governance Code became effective from January 1 2025. Provision 29 applies to financial years beginning on or after 1 January 2026. For companies with calendar-year financial reporting, the first board declaration under Provision 29 is therefore expected in early 2027, making 2026 the critical period for building evidence, testing material controls, and establishing repeatable assurance processes.

Material controls are the internal controls that boards must monitor, review, and declare effective under Provision 29 of the 2024 Code. The Code expands the definition beyond traditional financial controls to include operational controls, reporting controls, and compliance controls. The FRC does not prescribe a standard list. Boards must determine what is material based on the organization's own principal risks, operating model, complexity, and risk appetite. The judgment and the evidence supporting it must be defensible to investors, auditors, and regulators.

A GRC solution helps organizations comply with the UK Corporate Governance Code by providing a structured, technology-driven approach to the requirements that are most difficult to manage manually. This includes building and documenting a risk and internal control framework with a common taxonomy, scoping and testing material controls across financial, operational, reporting, and compliance domains, capturing and prioritizing workforce observations, and generating the audit-ready reporting needed for annual report disclosures. Automated workflows, real-time dashboards, and centralized data reduce the manual effort required to gather evidence and produce board-level declarations. AI-powered audit tools can further reduce this effort by guiding planning, documentation, and evidence analysis across the audit lifecycle, while keeping final judgment with the auditor.

Outcomes-based governance reporting requires boards to connect their decisions and interventions to measurable results in the annual report. They do not simply describe the policies and processes in place. Organizations can demonstrate this by maintaining a clear record of risk and control assessments, tracking the actions taken in response to identified issues, and evidencing how those actions have reduced risk exposure or improved control effectiveness over time. Real-time dashboards and structured issue management workflows make it easier to compile this evidence in a format that satisfies the Code's reporting expectations.

Internal audit plays a central role in supporting compliance with the 2024 Code, particularly under Provision 29. Depending on the organization's chosen assurance model, internal audit may be responsible for testing material controls and providing the board with independent assurance that controls have operated effectively. Audit plans and resources typically need to be adjusted to cover the full scope of material controls — financial, operational, reporting, and compliance — ahead of the board's annual declaration. Structured audit management tools help teams plan, schedule, execute, and document control testing in a repeatable, evidence-backed way.

Provision 2 of the 2024 Code requires boards to assess and monitor culture and provide assurance that the desired culture has been embedded across the organization. In practice, this means establishing structured mechanisms for the workforce to raise concerns — including anonymously — and ensuring those concerns are independently investigated and resolved. Organizations need processes that make concern reporting accessible, track issues through to closure, and give boards a clear, auditable view of culture-related activity.

Organizations that benefit most are those with a premium listing on the London Stock Exchange, where compliance with the Code is mandatory on a comply-or-explain basis. This includes large-cap UK-listed companies across financial services, insurance, energy, utilities, and other regulated sectors. Organizations preparing for an IPO or a premium listing, as well as large private companies that choose to adopt the Code as a governance benchmark, also find a structured compliance solution valuable. Companies with complex organizational structures, multiple business units, or a high volume of material controls particularly benefit from a centralized, technology-driven approach.

UK SOX Compliance
lets-talk-img

Ready to get started?

Speak to our GRC experts Let’s talk