The increasingly important role of risk management will be enshrined in new regulation next year, with changes to the UK Corporate Governance Code heralding a shift towards more sophisticated, proactive, board-level insights around risk and controls, as Steve Cloutman explains.

These are undoubtedly challenging times, with economic and political uncertainty highlighting the increasingly important role that risk managers play in helping organisations navigate choppy waters. The strategic nature of risk management has also, finally, been recognised by the regulator, with changes to the UK Corporate Governance Code set to bring in new and demanding reporting requirements next year.

Provision 29 of the Code in essence mirrors the broader shift in the risk management role, from a compliance-focused one to one of strategic leadership. And as is always the case with regulation, the change brings in new reporting requirements, as it shifts accountability to the Board level and raises expectations for formal, documented, and auditable controls. 

Due to take effect for financial years from 1 January 2026, the Provision means that boards will need to monitor and annually review the effectiveness of their company's risk management and internal control framework and provide a public declaration on the effectiveness of those controls, covering both financial and non-financial risks.  

However, whilst risk accountability will shift directly to the board, there is as yet no clear guidance on how to deliver the rigorous, evidence-based assessments required. These include the need to map and assess material controls; monitor their effectiveness throughout the year; perform an annual review; and disclose effectiveness publicly, explaining any weaknesses.

The introduction of higher expectations for transparency, documentation, and auditability means those still reliant on manual reporting (including those dreaded spreadsheets) are at greater risk. A manual approach leaves organisations open to non-conformities, not to mention hours of manual effort to track, measure, and create the relevant, robust reports.

The UK Corporate Governance Code operates on a "comply or explain" basis, meaning companies are expected to comply with each provision or provide a clear and persuasive explanation for non-compliance in their annual report. 

Though there are no automatic fines or criminal sanctions associated with non-compliance under Provision 29, companies would be wise to ensure compliance as they face a number of indirect, yet significant, consequences. These include reputational damage, increased scrutiny from investors and regulators, and potential negative impacts on share price or investor confidence. Persistent non-compliance could also attract further regulatory attention and, in rare cases, affect a company’s listing status. 

Technology clearly has a key role to play in helping risk managers meet the new, exacting requirements. Systems are available that provide centralised risk and control data, automated control testing and monitoring, the generation of clear, audit-ready reports aligned to Board and regulatory expectations, and flexible dashboards to track material risks and controls in real time.

Our own Enterprise Risk Management (ERM) module, for example, gives a clear, real-time view of material risks across an organisation, whilst our Internal Controls Management (ICM) module provides a structured, efficient way to design, document, test, and report on both financial and non-financial controls. GRC modules are built audit-ready, with tools for easily generating Board-level reports and dashboards.

Whilst Provision 29 will, to start with, only be mandatory for companies that fall under the UK Corporate Governance Code (on a "comply or explain" basis), it may indirectly impact subsidiaries and suppliers, and experience would suggest that standards applicable to the wider business community may well look to align with it in the future.

Whether impacted by the new changes or not, all risk managers could benefit from embracing modern risk management tools that enable them to seamlessly move away from "tick-box" compliance and to focus on embedding good governance, better decision-making, and operational resilience across their organisations.

Get in touch to find out how Origami can help you through this new regulatory framework. 