Marentis Labs


Governance Risk Management Compliance

UK Governance Compliance in 2026: What Boards Must Do

In 2027, FTSE 350 boards will sign the first mandatory declarations confirming their material internal controls were effective. A practical briefing on what each mandate requires and what adequate preparation looks like.

Owen Vallis · May 2026 · 13 min read

Executive Summary

Provision 29 applies to financial years beginning on or after 1 January 2026, so for a December year-end the first mandatory declaration that material internal controls were effective will be signed in early 2027. The evidence behind that signature has to be built across 2026, starting now.

FRC Code Provision 29, PRA Supervisory Statement SS5/25, and the EU Digital Operational Resilience Act (DORA) converge this year. Each raises the accountability bar independently. Together they create a systemic trap: because the Provision 29 declaration covers compliance controls as well as financial ones, a control failure in any one domain can make the board’s single effectiveness statement inaccurate.

The personal stakes have hardened. The Court of Appeal’s 2025 ruling in Saxon Woods Investments Ltd v Costa weakened the “honest belief” defence for directors. The Economic Crime and Corporate Transparency Act 2023’s “Failure to Prevent Fraud” offence is now fully operational. For PE-backed companies, governance quality determines exit valuation directly. Firms with premium governance controls command ARR multiples of 10x to 15x, compared with 5x to 7x for weakly governed equivalents.

This briefing, written from twenty years of CRO and board-level practice across PRA and FCA-supervised institutions, sets out what each mandate requires, where boards are most exposed, and what adequate preparation looks like.

One action: Take the Board Risk Readiness Assessment to score your organisation across all three mandates.

Three mandates, one convergence risk

Provision 29: the end of boilerplate assurance

The board must state, in the annual report, whether material internal controls were effective at the balance sheet date. Provision 29 of the 2024 UK Corporate Governance Code, applicable for financial years beginning on or after 1 January 2026, extends this obligation beyond financial reporting to cover operational, reporting, and compliance controls.

The FRC deliberately declined to prescribe what counts as a material control. Materiality is a board judgement, calibrated to the firm’s specific risk profile and stakeholder impact. Across the FTSE 350, firms are typically identifying between 30 and 60 material controls, with most settling around 35 to 40. That population must be reviewed and approved annually.

One aspect of Provision 29 is non-negotiable. The board cannot delegate the task of reaching independent conclusions on control effectiveness to management, external consultants, or internal audit. The burden of independent judgement is real and the FRC expects boards to seek out control weaknesses actively, not wait to be informed of them.

DORA: the 4-hour board problem

DORA has applied since 17 January 2025. Under Article 5, the management body must approve, monitor, and periodically review the ICT risk management framework, and must maintain sufficient knowledge to assess ICT risk at board level. Supervisors can and will put those questions to directors directly.

The requirement most firms are not ready for is the reporting clock for major ICT-related incidents: an initial notification within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it, followed by an intermediate report within 72 hours and a final report within a month. The 24-hour backstop means slow triage eats the 4-hour window before classification even happens. Meeting those deadlines requires around-the-clock detection, triage, classification, and escalation workflows that most organisations currently lack. Early compliance data indicates that 43 per cent of UK financial services firms were still non-compliant with DORA in the months following the January 2025 application date.

Boards must also maintain a comprehensive Register of Information covering all ICT third-party providers and their subcontractors, including shadow IT (unapproved SaaS tools used by departments outside formal procurement). A cloud outage at a major provider is not a third-party problem. It is the board’s problem.

For UK-incorporated institutions without EU operations, DORA does not apply directly; the closest UK analogues are the PRA and FCA operational resilience rules and the critical third parties regime. The FCA and PRA have signalled alignment with DORA’s principles, and investors increasingly treat DORA compliance as a proxy for operational governance maturity.

PRA SS5/25: climate risk is now a board competency

PRA SS5/25 ended the grace period for climate risk management in December 2025. Boards must approve risk appetite statements with quantitative climate metrics and limits, integrate climate scenario analysis into the ICAAP, and complete a board-approved remediation plan by 3 June 2026. The PRA expects a credible, ambitious plan by that date, not full implementation.

The PRA’s position is that climate risk analysis previously provided to boards was too generic to drive effective decisions. SS5/25 now requires boards to demonstrate working knowledge of how climate affects the business model across short, medium, and long time horizons. At Credit Suisse, managing PRA and FCA-supervised fiduciary risk across a £50bn+ AUM book, I saw directly how under-specified climate risk transmission channels created material audit exposure. SS5/25 makes that rigour mandatory for all PRA-supervised boards.

| Risk type | Definition | Regulatory expectation for 2026 |
| --- | --- | --- |
| Physical risk | Acute events (storms, floods) or chronic shifts (sea level rise, heatwaves) | Granular asset-level assessment; scrutiny of external data supplier assumptions |
| Transition risk | Impacts from the shift to a low-carbon economy (carbon taxes, technological change) | Integration into ICAAP and long-term business planning |
| Litigation risk | Legal action for failure to mitigate, adapt, or disclose climate risks | Board judgement on whether to treat as an independent risk type |

Three ways boards walk into the convergence trap

Failure mode 1: the RoI liability loop

The DORA Register of Information is a technical document. File structure errors, missing subcontractor entries, and undocumented shadow IT are common. The second-order risk for Provision 29 is that, once the RoI is in the material control population, a material error in it is a failure of a material compliance control. If the board signs an effectiveness declaration while the RoI contains such errors, it has made an inaccurate statement in the annual report, creating exposure to FRC sanctions and, following Saxon Woods, personal liability.

The two frameworks look like separate obligations managed by different teams. In practice, they are the same obligation. The RoI must be treated as a material control under Provision 29 and reviewed by the Audit Committee with the same rigour applied to financial reporting controls.
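One way to make the RoI completeness check above mechanical rather than a once-a-year questionnaire is to reconcile the register against the places shadow SaaS actually leaves traces: the SSO/IdP application catalogue and card-spend merchant descriptors. The following is an added example (not Marentis code, and not a real RoI schema; the field names, the sample register and the discovery sources are all constructed) that joins the two on the provider’s registrable domain and flags tools that are in use but absent from the register, plus critical services whose subcontractor chain is empty and needs a second look:

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class RoIEntry:
    """One register line. Field names are an assumption, not DORA's ITS template."""
    provider: str
    service: str
    domain: str                      # provider's primary domain, used as the join key
    subcontractors: list = field(default_factory=list)
    supports_critical_function: bool = False

# Constructed sample register (not a real firm's RoI).
REGISTER = [
    RoIEntry("CloudCo", "IaaS hosting", "cloudco.example", ["DCOps Ltd"], True),
    RoIEntry("PayRails", "payments gateway", "payrails.example", [], True),
    RoIEntry("Docuvault", "document storage", "docuvault.example", ["CloudCo"]),
]

# Constructed discovery sources: the IdP's app catalogue and card-spend descriptors.
SSO_APPS = [
    {"app": "CloudCo Console", "sign_on_url": "https://console.cloudco.example/login", "assigned_users": 42},
    {"app": "TranscribeNow", "sign_on_url": "https://app.transcribenow.example/sso", "assigned_users": 7},
]
CARD_SPEND = [
    "PAYRAILS.EXAMPLE  MONTHLY",
    "SHEETSYNC.EXAMPLE*PRO PLAN",
    "DOCUVAULT.EXAMPLE",
]

def registrable(host):
    """Crude registrable-domain reduction (last two labels). Assumption: no multi-part
    public suffixes such as .co.uk in the data; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def discovered_domains():
    """Map registrable domain -> set of sources that saw it."""
    found = {}
    for app in SSO_APPS:
        host = urlparse(app["sign_on_url"]).hostname
        found.setdefault(registrable(host), set()).add("sso")
    for line in CARD_SPEND:
        # Merchant descriptors are free text; pull the first domain-looking token.
        m = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", line.lower())
        if m:
            found.setdefault(registrable(m.group(0)), set()).add("card-spend")
    return found

def reconcile(register, discovered):
    """Return providers seen in use but missing from the register, and critical
    register entries with no subcontractor chain recorded (a review flag, not an error)."""
    registered = {e.domain: e for e in register}
    shadow = sorted(d for d in discovered if d not in registered)
    empty_chain = sorted(e.provider for e in register
                         if e.supports_critical_function and not e.subcontractors)
    return {"shadow_it": shadow, "critical_without_subcontractors": empty_chain}

if __name__ == "__main__":
    found = discovered_domains()
    result = reconcile(REGISTER, found)
    for d in result["shadow_it"]:
        print(f"not in RoI: {d} (seen via {', '.join(sorted(found[d]))})")
    for p in result["critical_without_subcontractors"]:
        print(f"review subcontractor chain: {p}")
```

The join key matters more than the sources: product names in an IdP rarely match legal entity names in a register, so normalising both sides to a domain (or a supplier ID, where procurement issues one) is what makes the diff trustworthy. Anything the script lists as “not in RoI” is either an undocumented provider or a register entry whose domain field is wrong; both are findings the Audit Committee should see.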

Failure mode 2: the climate model blind spot

SS5/25 requires boards to quantify the uncertainty in their climate risk assessments. The source of that uncertainty is typically a third-party tool such as a flood exposure model, a transition risk scenario generator, or a carbon data aggregator. Most boards treat these as the supplier’s responsibility.

Under Principle O of the 2024 Code, the governance of third-party climate models is a material control. A board that relies on a black-box flood model without examining its assumptions has failed to maintain an effective control environment. If that model contains material errors and the board has signed an effectiveness declaration, the exposure under FRC rules and standard misstatement principles is direct.

Failure mode 3: the AI governance vacuum

Only 8 per cent of large companies currently disclose board-level oversight of AI. In 2026, that gap carries real consequences. The EU AI Act’s obligations for high-risk systems, including conformity assessments and documented human oversight, apply from 2 August 2026. The FCA is expected to publish SM&CR guidance on senior manager accountability for AI-generated harm by December 2026. Legacy technology contracts were written for passive software; most contain no indemnity provisions for an AI agent’s autonomous decisions.

Under established principles of director oversight, boards can be held liable for failing to monitor material operational risks. An AI system making automated credit decisions, pricing outputs, or compliance assessments without documented board oversight is a control failure, not an IT problem.

| AI governance risk | Nature of the exposure | Implication |
| --- | --- | --- |
| Lack of explainability | Inability to justify AI-generated decisions to regulators or courts | Negligent oversight claims under fiduciary duties |
| Contractual liability gap | Legacy agreements do not cover autonomous agent behaviour | Unrecovered economic or reputational losses |
| Shadow AI | Unauthorised AI tools outside the Register of Information | Non-compliance with DORA; an inaccurate Provision 29 declaration |
| Skills deficit | No board-level fluency to challenge AI risk assessments | Dependency on a single key person for AI oversight |

The personal stakes and the commercial case

Director liability: what changed in 2025

The liability environment for individual directors hardened last year. The Court of Appeal’s decision in Saxon Woods Investments Ltd v Costa narrowed a long-relied-upon defence. A director who genuinely believed they were acting in the company’s best interest, but who misled the board or caused the company to breach its contractual obligations, could not rely on that belief as protection. Transparency and due process are the legal standard now. Good intentions are not.

The “Failure to Prevent Fraud” offence under the Economic Crime and Corporate Transparency Act 2023 is now fully operational. Large organisations can be criminally liable if an associated person commits fraud intended to benefit the organisation. For boards, this creates a direct link between internal control failure and criminal proceedings.

| Liability type | Trigger | Maximum consequence |
| --- | --- | --- |
| Civil liability | Breach of fiduciary duty or Saxon Woods transparency failures | Personal asset exposure |
| Regulatory fine | DORA, EU AI Act, or GDPR breach | Up to €35m or 7% of global annual turnover, whichever is higher (the EU AI Act ceiling; GDPR tops out at €20m or 4%, and DORA penalties are set by each member state) |
| Disqualification | Failure to monitor material controls | 15-year director ban |
| Criminal liability | Failure to prevent fraud or false reporting | Corporate fines and personal prosecution |

The governance premium

The commercial case for investing in governance is now quantifiable. Research from Federated Hermes shows that well-governed companies outperform poorly governed peers by an average of 24 basis points per month. For PE-backed businesses, governance quality determines exit valuation directly. Firms with premium governance controls command ARR multiples of 10x to 15x or above, compared with 5x to 7x for firms with weak or immature frameworks. Governance hardening in the 12 to 18 months before a planned exit generates an estimated 2 to 5 per cent increase in enterprise value, driven by reduced due diligence friction and the de-risking of regulatory contingencies.

Weak governance does not merely reduce the valuation; it stops deals. In a selective market, buyers walk away from firms where control environments are undocumented, climate disclosures diverge from operational reality, or AI systems operate without board oversight. The 2026 declaration regime will make these deficiencies visible for the first time.

What adequate preparation looks like

The four-phase dry run

A dry run of the Provision 29 declaration is now standard practice among FTSE 350 Audit Committees preparing seriously for 2026. It allows the board to identify gaps in the material control population, agree evidence thresholds, and stress-test declaration wording before the formal reporting cycle begins. Boards that wait until Q3 to begin will not have sufficient depth to sign a defensible declaration by year-end.

| Phase | Timing | Objective |
| --- | --- | --- |
| Phase 1: scoping | Early year | Confirm materiality criteria; map controls to principal risks; approve ownership and testing cadence |
| Phase 2: targeted testing | Spring | Test priority controls; identify weaknesses; close historical audit findings |
| Phase 3: dry run | Mid-year | Draft declaration wording; present evidence pack to Audit Committee for challenge |
| Phase 4: year-end | Autumn onwards | Finalise disclosure; confirm remediation; align investor communications |

A key principle is defining what counts as a control failure before testing begins. For DORA, is missing the 4-hour initial notification window once in a year a material failure? What about a late intermediate or final report? The board must agree exception thresholds before testing, so that declaration wording at year-end accurately reflects the state of controls at the balance sheet date.
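The exception-threshold question above, and the 4-hour reporting window discussed under DORA earlier, both come down to arithmetic on timestamps that the incident workflow should already be recording. The following is an added example (not Marentis code; the incident records are constructed) that computes each report’s due time from DORA’s major-incident timelines, flags late or overdue stages, and counts initial-window misses against whatever threshold the board agreed. The timelines encoded (4 hours from classification or 24 hours from awareness, whichever is earlier; 72 hours to the intermediate report; one month to the final report) come from DORA’s incident-reporting technical standards rather than from this page, and “one month” is approximated as 30 days:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# DORA major-incident reporting timelines (from the regulation's RTS, not from this page).
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)
INITIAL_FROM_AWARENESS = timedelta(hours=24)     # hard backstop regardless of classification time
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)
FINAL_FROM_INTERMEDIATE = timedelta(days=30)     # "one month", approximated as 30 days (assumption)

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

@dataclass
class Incident:
    ref: str
    aware_at: datetime
    classified_major_at: datetime
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None

# Constructed sample year. INC-2 shows the trap: the initial notification went out
# within 4 hours of classification, but classification itself took 26 hours, so the
# 24-hour-from-awareness backstop had already expired.
SAMPLE_INCIDENTS = [
    Incident("INC-1", utc(2026, 3, 1, 2, 0), utc(2026, 3, 1, 3, 0),
             utc(2026, 3, 1, 6, 10), utc(2026, 3, 4, 5, 0), utc(2026, 3, 20, 9, 0)),
    Incident("INC-2", utc(2026, 5, 10, 8, 0), utc(2026, 5, 11, 10, 0),
             utc(2026, 5, 11, 12, 0), utc(2026, 5, 14, 9, 0), utc(2026, 6, 1, 9, 0)),
    Incident("INC-3", utc(2026, 6, 1, 9, 0), utc(2026, 6, 1, 9, 30),
             utc(2026, 6, 1, 12, 0)),   # intermediate and final reports never sent
]
NOW = utc(2026, 6, 15, 0, 0)

def stage_deadlines(inc):
    """Return [(stage, due_at, sent_at)] for the three reports. Later deadlines are
    anchored on the actual send time where known, else on the prior stage's due time."""
    initial_due = min(inc.classified_major_at + INITIAL_FROM_CLASSIFICATION,
                      inc.aware_at + INITIAL_FROM_AWARENESS)
    intermediate_due = (inc.initial_sent_at or initial_due) + INTERMEDIATE_FROM_INITIAL
    final_due = (inc.intermediate_sent_at or intermediate_due) + FINAL_FROM_INTERMEDIATE
    return [("initial", initial_due, inc.initial_sent_at),
            ("intermediate", intermediate_due, inc.intermediate_sent_at),
            ("final", final_due, inc.final_sent_at)]

def breaches(inc, now):
    """[(stage, 'late'|'overdue', lateness)] for reports sent after their deadline
    or not yet sent with the deadline already passed."""
    out = []
    for stage, due, sent in stage_deadlines(inc):
        if sent is not None and sent > due:
            out.append((stage, "late", sent - due))
        elif sent is None and now > due:
            out.append((stage, "overdue", now - due))
    return out

def initial_window_misses(incidents, now):
    """Count incidents whose initial notification missed the 4h/24h window."""
    return sum(1 for inc in incidents
               for stage, _, _ in breaches(inc, now) if stage == "initial")

def threshold_breached(incidents, now, agreed_max_misses):
    """True if initial-window misses exceed the exception threshold the board set pre-testing."""
    return initial_window_misses(incidents, now) > agreed_max_misses

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        for stage, status, by in breaches(inc, NOW):
            print(f"{inc.ref}: {stage} report {status} by {by}")
    print("material failure at threshold 0:", threshold_breached(SAMPLE_INCIDENTS, NOW, 0))
```

Two design points carry over to the real workflow. First, the clock the board is accountable for starts at awareness, not at classification, so the classification step itself needs a service level (and a timestamp) or the 4-hour window is illusory. Second, the downstream deadlines chain off the previous report’s actual send time, which is why every stage must be recorded rather than only the first.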

Building a defensible evidence chain

Description of controls is no longer sufficient. Boards must prove controls work through an ongoing assurance discipline, not a year-end attestation exercise. That requires a unified assurance map, drawing together first-line risk owner attestations, second-line monitoring outputs, and internal audit findings into a single, board-ready view of the control environment.

Assessment using the [[Marentis Risk Maturity Model]]™ consistently identifies the same three underperforming areas across FTSE 350 boards. Framework and Control Design is most often the weakest, with control populations incomplete or poorly mapped to principal risks. Regulatory Alignment follows, where DORA, SS5/25, and AI obligations are managed in functional silos without cross-referencing to the Provision 29 population. Monitoring and Reporting completes the picture; board-level risk dashboards consistently fail to give directors the decision-useful information they need to challenge management and reach independent conclusions.

Red teaming: proving controls work under pressure

The [[Red Team Protocol]]™ goes beyond standard assurance testing. It simulates multi-vector failure scenarios such as a simultaneous ICT outage at a critical third-party provider alongside a climate data restatement request, or a regulatory enforcement action timed to coincide with a board transition. Unlike standard assurance work, which confirms that a control exists, red teaming confirms whether that control works under pressure. The output is a Governance Health Score and a prioritised remediation roadmap that gives directors the evidence chain to sign the Provision 29 declaration with confidence, and gives regulators confidence that the signature is not performative.

Gap assessment checklist for the 2026 declaration

Provision 29: materiality and scoping

  • Has the board formally reviewed and approved the criteria for what constitutes a material control for the current financial year?
  • Does the population of material controls reconcile directly to the firm’s disclosed principal risks in the Strategic Report?
  • Are non-financial reporting controls, including ESG and climate disclosures, included in scope?
  • Has the board agreed pre-testing thresholds for what constitutes a material control failure?

Evidence and assurance

  • Is there a unified assurance map drawing together first-line, second-line, and third-line outputs for every material control?
  • Are first-line risk owners actively engaged in the assessment, or is it treated as a second and third-line exercise?
  • Is board-level risk reporting specific, timely, and decision-useful, rather than high-level summaries?

DORA alignment

  • Is the Register of Information complete and current, covering direct providers, subcontractors, and shadow IT?
  • Has the 4-hour incident reporting workflow been documented and exercised under realistic conditions?
  • Are exit strategies for critical ICT providers documented, tested, and aligned with DORA requirements?

SS5/25 alignment

  • Does the board’s risk appetite statement include quantitative climate metrics and limits?
  • Is climate scenario analysis informing strategic planning and the ICAAP, not just the annual report narrative?
  • Is the governance of third-party climate models treated as a material internal control?

AI governance

  • Is there a board-approved framework identifying which AI systems are high-risk under the EU AI Act?
  • Is there a designated senior manager accountable for AI outcomes under SM&CR?
  • Have legacy technology contracts been reviewed for AI-specific liability gaps?

Owen Vallis is the founder of Marentis Labs Ltd and the originator of Strategic Governance as a Service. He has twenty years of CRO and board-level practice across PRA and FCA-supervised institutions, including Credit Suisse, where he managed fiduciary and prudential risk across a £50bn+ AUM book, and SICO Bank. Schedule a confidential discussion.