Corporate governance has never been a static discipline. It evolves sometimes gradually, sometimes abruptly, in response to the failures that reveal what good intentions alone cannot prevent. The 2024 revision of the UK Corporate Governance Code represents one such important evolution.
Among its most consequential changes is Provision 29, which fundamentally redefines what boards are expected to do regarding internal controls. Boards are no longer expected merely to describe controls or endorse management assurances; they must now demonstrate that those controls work.
For directors serving on boards across Nigeria, Africa, and the wider Commonwealth governance ecosystem, this shift deserves serious attention. The issue is not simply compliance with UK law; rather, it is the deeper governance principle that every responsible board must confront: the difference between governance that appears effective and governance that is demonstrably effective.
Understanding the Shift Introduced by Provision 29
For years, the prevailing approach to internal controls followed a familiar and comfortable pattern. Boards reviewed management reports, noted that internal controls were in place, and approved statements affirming their effectiveness. Auditors reviewed compliance, annual reports carried the appropriate language, and stakeholders were largely expected to rely on trust.
However, major governance failures such as the collapse of Carillion in the United Kingdom exposed the limitations of this approach. In many cases, organizations appeared compliant on paper while serious weaknesses existed beneath the surface. These failures accelerated calls for stronger board accountability, greater transparency, and more reliable assurance over internal controls.
Provision 29 deliberately disrupts that traditional rhythm. Under the revised Code, boards are now required to make an annual declaration on the effectiveness of material controls across four critical dimensions: financial, operational, reporting, and compliance controls.
Most importantly, that declaration must be supported by evidence; not merely management assurance, historic precedent, or procedural formality, but a structured and documented process through which the board can genuinely account for what it knows and how it knows it.
This distinction is fundamental. A declaration simply says, “Our controls are effective.” Evidence-based assurance asks, “How do you know, and can you demonstrate it?” The former is posture; the latter is discipline.
Implications for Directors and Boards
The implications for directors are both practical and philosophical. At the practical level, boards must establish or strengthen the mechanisms through which control effectiveness is assessed, tested, and reported. This requires close collaboration with internal audit functions, risk management teams, compliance officers, and external assurance providers to create a coherent and reliable picture of how controls operate in practice—not merely how they are documented in policy manuals.
At a deeper level, Provision 29 requires boards to take direct ownership of internal control effectiveness. In many organizations, this has historically been treated primarily as a management responsibility. The board approved the framework while management handled execution. That distinction is no longer sufficient.
When a material control failure occurs whether through financial misstatement, operational disruption, cyber risk, fraud exposure, or regulatory breach; the question is no longer whether management was aware. The question is whether the board knew, whether it challenged management effectively, and whether it acted decisively.
This is accountability in its fullest sense. It requires directors who are willing to ask difficult questions, challenge management narratives, and maintain healthy skepticism even when everything appears stable.
For non-executive directors, this reinforces the importance of genuine independence; not simply structural independence, but the intellectual confidence to push back when evidence is weak, incomplete, or overly optimistic.
Practical Challenges in Implementation
Boards that approach Provision 29 merely as a reporting requirement will quickly discover its limitations. The true challenge is not producing a statement for the annual report; it is building the internal infrastructure that makes that statement credible.
- Mapping Material Controls
Many organizations lack a current and comprehensive mapping of their material controls. Risk registers may exist, but they are often disconnected from operational reality. Boards must ensure there is a clear understanding of which controls are critical, how they function, who owns them, and how failure would be identified.
Closing this gap requires investment in governance capability, process discipline, and often technology-enabled assurance systems.
- Defining Sufficient Evidence
The revised Code does not prescribe a single methodology for determining control effectiveness. This flexibility is useful, but it also creates ambiguity. Boards must decide what constitutes sufficient assurance relative to the organization’s size, complexity, and risk profile.
This may involve periodic independent testing, internal audit reviews, control self-assessments, external assurance engagements, and formal board-level challenge sessions. What matters is not uniformity, but defensible judgement supported by documentation.
- Building a Culture of Transparency
Perhaps the most delicate challenge is cultural. In organizations where management has historically controlled the flow of information to the board, transitioning to genuine evidence-based transparency requires trust and discipline on both sides.
Boards must create an environment where bad news travels upward without fear, where control weaknesses are surfaced early rather than hidden, and where challenge is seen as governance strength rather than personal criticism. This cultural shift is often harder than the technical work.
Relevance for Nigerian Boards and Governance Frameworks
Although Provision 29 is situated within the UK Corporate Governance Code, its principles are highly relevant to Nigerian boards and governance institutions. The Nigerian Code of Corporate Governance (NCCG 2018), the Securities and Exchange Commission governance framework, Central Bank of Nigeria corporate governance expectations, and public sector board oversight structures all emphasize accountability, transparency, and board responsibility for risk oversight.
Yet, many boards across both private and public sectors still rely heavily on management assurance without sufficient independent validation of control effectiveness. The lesson from Provision 29 is clear: governance credibility depends not on what boards are told, but on what boards can verify.
For Nigerian directors, this is particularly important in sectors such as banking, telecommunications, public enterprises, infrastructure, and state-owned institutions where control failures carry significant financial, reputational, and public trust consequences.
What Boards Should Do Now
To align with this stronger governance expectation, boards should consider five immediate actions:
- Establish a formal board-level internal control review framework.
- Strengthen Audit Committee oversight beyond financial reporting into operational and compliance controls.
- Commission periodic independent testing of material controls.
- Improve escalation protocols for material control weaknesses and incidents.
- Invest in director education to strengthen understanding of assurance interpretation and governance accountability.
These actions move boards from passive oversight to active assurance.
Strategic Opportunity Beyond Compliance
It would be a mistake to view Provision 29 purely as a regulatory burden. For boards willing to embrace its intent, there is a significant strategic opportunity.
Stakeholder expectations around governance transparency have changed materially over the past decade. Investors, regulators, lenders, development partners, and increasingly sophisticated civil society actors want to understand not only what a board says about its controls, but how confident it is in those controls.
An organization that can point to a robust, documented, and challenge-tested assurance process occupies a stronger position with these stakeholders than one relying on standard boilerplate declarations. Governance confidence increasingly influences investment confidence.
There is also a powerful internal benefit. The discipline of systematically testing controls often exposes issues that management has normalized or overlooked entirely. In this sense, Provision 29 is not only about external reporting; it is about improving the quality of insight available to the board and strengthening strategic decision-making.
Boards that use this process to better understand how their organizations truly operate, not merely how they are presented to operate, will find that the governance dividend extends far beyond the annual report.
Conclusion
Provision 29 represents a significant maturation in the expectations that corporate governance places on directors. The movement from compliance-based declaration to evidence-based assurance is not merely technical; it reflects a broader recognition that accountability, to be meaningful, must be grounded in real, tested, challengeable knowledge.
For Chartered Institute of Directors (CIoD) members and governance professionals, the relevance of this principle extends well beyond the UK Code’s jurisdictional reach. Every board, in every market, faces the same fundamental question: Are we governing based on what we genuinely know, or based on what we have simply been told?
Provision 29 makes that question harder to avoid—and that is perhaps its greatest contribution.
As the leading institution for director development and governance excellence in Nigeria, the Chartered Institute of Directors remains committed to supporting boards through training, board evaluations, governance advisory services, and capacity-building initiatives that strengthen accountability and institutional resilience.
Good governance is no longer measured by assurance statements alone. It is measured by evidence, trust, and the courage of boards to know before they declare.
Research Unit
Chartered Institute of Directors (CIoD)
28, Olawale Edun Road (Formerly Cameron Road), Ikoyi, Lagos