UK Building Societies: Preparing for the Declaration under Provision 29

What’s the issue?

In 2024, the Financial Reporting Council (FRC) revised the UK Corporate Governance Code (the “new Code”), which is mandatory for listed companies. Under Provision 29 of the new Code, boards are now encouraged to disclose how they have monitored and reviewed the effectiveness of their risk management and internal control frameworks. They must also include a declaration regarding the effectiveness of material controls in their annual report. If the board is unable to make such a statement or identifies that material controls were not effective, it is expected to explain the reasons and, in the latter case, outline the actions being taken to address the issue.

Although building societies are not subject to statutory requirements to disclose a corporate governance statement in their annual reports, particularly if they do not list debt or equity instruments on the London Stock Exchange, they are encouraged by the Building Societies Association (BSA) to do so. This is because, under the Prudential Regulation Authority’s Supervisory Statement SS19/15, building societies are required to ‘have regard’ to the UK Corporate Governance Code when establishing and reviewing their governance arrangements.

As such, building societies are encouraged to assess their governance frameworks and prepare a declaration of effectiveness of material controls, or an equivalent statement, in line with the expectations of the new Code.

What does this mean?

Listed companies have already begun to discuss their review of provisions and preparation for the implementation of Provision 29 in their annual reports, and this will be mandatory in 2026. Building societies are not directly subject to these regulations, needing only to ‘have regard’ to the UK Corporate Governance Code, but may see increased attention on the area, particularly for the larger societies, given the response of listed companies. The disclosure should focus on board oversight.

Building societies are likely to have systems and processes in place to monitor, review, and report on material controls, particularly within the three lines of defence model required by the FCA and the PRA.

When preparing a declaration of effectiveness of the material controls, building societies are encouraged to consider their unique governance structures when applying Principle O of the UK Corporate Governance Code on a 'comply or explain' basis. Principle O states that:

“The board should establish and maintain an effective risk management and internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.”

What are the key changes to Principle O and Provision 29?

While the previous Principle O only required boards to establish procedures for managing risk and overseeing the internal control framework, the updated Principle O expands board responsibilities by requiring them to explain how they monitor and review the effectiveness of the risk management and internal control framework and what their conclusions are on this.

In applying Principle O, building societies are encouraged to meet the requirements under Provision 29. Although the responsibilities outlined in Provision 29 are not new, the updated provision now requires a specific statement on the results of the board’s review. Provision 29 states that:

“The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The board should provide in the annual report:

  • A description of how the board has monitored and reviewed the effectiveness of the framework.
  • A declaration of effectiveness of the material controls as at the balance sheet date.
  • A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.”

Will internally or externally facilitated assurance be required?

There is no specific mandated requirement here, even for listed companies. The FRC explains in its supporting guidance that boards should consider what level of assurance they need to obtain in order to satisfy themselves. This assurance could be internally or externally facilitated, such as internal audit or other third-party assurance.

Current Practice

Building societies are mutual organisations owned by their members and do not have any shareholders. Consequently, their corporate governance arrangements may differ from those applied to listed companies and, as noted above, they are not obliged to adopt the UK Corporate Governance Code.

Building societies include corporate governance reports in their annual reports, stating that, when establishing and reviewing their governance arrangements, they ‘have regard’ to the UK Corporate Governance Code. While these reports typically cover board composition, committee activities, risk management and internal controls, compliance statements have not generally been included, as they are not specifically required for building societies.

Practical Considerations: Evaluating material controls to support declaration compliance

Building societies, as dual-regulated firms, should have robust controls in place. In light of the new affirmative statement required by the new Code, boards may wish to undertake additional assessments to ensure these controls are operating effectively. Boards are typically expected to demonstrate that internal reviews have taken place to support this, and where issues are identified, further reporting will be required.

While preparing for declaration readiness, boards may find the following practical tips helpful in evaluating the effectiveness of material controls and ensuring compliance with declaration requirements:

  • Identify and evaluate key controls that manage and mitigate principal risks. Material controls do not need to be confined to principal risks; they must cover all critical risk areas across the organisation, including financial, operational, reporting, and compliance controls. For example, many companies treat IT and cyber-related risk controls as material controls, even though these are not always considered principal risks.
  • Narrow down material controls among key controls by quantitative and qualitative materiality.
  • Perform a gap analysis between the current framework and the design framework for testing the effectiveness of material controls. Conduct a detailed review of identified material controls in their current state to determine gaps, inefficiencies, and duplication.
  • Prepare a detailed material controls assessment across each material control identified.
  • Use the assessment to provide a roadmap of remediation of material controls and design improvements.
  • Define testing strategies for design and operating effectiveness.
  • Perform detailed process walkthroughs and Test of Design (ToD) Assessment of material controls.
  • Perform evidence-based Tests of Operating Effectiveness (ToE).
  • Consider a dry run of ToD and ToE prior to the balance sheet date to identify potential material control failure(s) to allow additional time to address issues.
  • Identify and aggregate material controls from a large population to report to the board.
  • Perform final of material controls to support declaration compliance.

Practical Considerations: Preparing disclosures under Provision 29

The disclosure related to Provision 29 should be less than two pages, focusing on what the board did and what it found. When preparing an effectiveness statement (or its equivalent), boards may consider the following practical tips to enhance the clarity and usefulness of their reporting:

  • Explain how the board has monitored and reviewed the effectiveness of the governance, risk management, and internal control frameworks, including the three lines of defence model.
  • Describe some key material controls in place to manage or mitigate each principal risk.
  • Identify any material controls that were not operating effectively as at the balance sheet date, along with actions taken or proposed to address them, including follow-up on previously reported issues.
  • Include a clear declaration regarding the effectiveness of material controls as at the balance sheet date.

To avoid duplication, building societies may cross-reference the effectiveness statement to relevant sections of their annual reports. The FRC also encourages firms to avoid boilerplate language by using company-specific examples and focusing on outcome-based reporting.

Where can I get more guidance?

The FRC published the UK Corporate Governance Code 2024 and its supporting guidance in January 2024. It also published a review of corporate governance reporting focusing on the UK Corporate Governance Code 2018 in November 2024.

The Building Societies Association published guidance on the 2024 UK Corporate Governance Code for building societies in October 2024.

When is it effective?

For listed companies, Provision 29 will apply for accounting periods beginning on or after 1 January 2026, i.e. for companies with a calendar year ending 31 December 2026. As noted above, for building societies, compliance is not specifically required, but building societies should have regard to the new Code.

Who does it apply to?

While this is mandatory for UK-listed companies, building societies are encouraged to disclose their corporate governance arrangements in their annual reports, although they are not subject to specific statutory requirements.
