Global Risk Management: Lessons from Provision 29 of the UK Corporate Governance Code
- Kirsty Hart

Provision 29 of the UK Corporate Governance Code has established a new benchmark for risk management and internal control systems. While initially designed for UK-listed companies, its principles offer valuable insights for organizations worldwide. As businesses face increasingly complex risks, the core elements of Provision 29 provide a framework that transcends geographical boundaries.
The universal value of robust risk management
At its core, Provision 29 requires boards to implement procedures for managing risk, overseeing internal control frameworks, and determining acceptable risk appetites to achieve strategic objectives. These foundational activities are relevant to any organization, regardless of industry, size, or location:
- Regular monitoring of risk management systems
- Annual effectiveness reviews
- Comprehensive coverage of financial, operational, and compliance controls
- Board-level accountability for risk oversight
- Transparent reporting on risk management approaches
For global businesses, these activities are not mere compliance exercises but essential practices that promote sustainable growth and resilience.
Third- and fourth-party risk: the extended enterprise challenge
Organizations depend on a complex network of suppliers and partners to deliver services to end consumers. The provision’s emphasis on material controls is particularly relevant when applied to third- and fourth-party risk management.
The pandemic, geopolitical tensions, and supply chain disruptions have exposed vulnerabilities in global business relationships. Applying Provision 29 principles to third-party management involves:
- Identifying third-party relationships that pose material risks
- Establishing continuous monitoring systems beyond initial due diligence
- Implementing appropriate controls aligned with vendors' risk profiles
- Ensuring Board visibility into significant third-party risks
- Developing contingency plans for critical supplier failures
Fourth-party risk—the vendors of your vendors—introduces an additional layer of complexity. While Provision 29 does not explicitly address this layer, its principles naturally extend to these hidden dependencies through practices such as:
- Mapping critical fourth-party relationships that could impact business continuity
- Establishing contractual obligations for third parties to manage their own supply chains effectively
- Implementing monitoring systems that provide visibility beyond direct suppliers
- Collaborating with industry peers to address common fourth-party risks
Building global operational resilience
Operational resilience—an organization's ability to adapt, respond to, and recover from disruptions—relies on effective risk management across geographies. Applying Provision 29 globally often involves the following strategies:
- Break down geographic silos: Ensure consistent risk approaches across regions while allowing for local adaptations where necessary.
- Leverage technology: Utilize GRC platforms and monitoring tools for real-time visibility into global operations.
- Clarify accountability: Establish governance structures that define risk ownership across multinational organizations.
- Promote risk culture: Foster a shared understanding of risk appetite and management approaches across all locations.
- Develop scenario-based resilience plans: Prepare for disruptions that may cross geographic and organizational boundaries.
The business case for global implementation
Beyond regulatory compliance, organizations that embrace Provision 29 principles often realize significant benefits:
- Strategic agility: Access to accurate risk information enables faster, more confident decision-making in uncertain environments.
- Resource optimization: Prioritizing material controls reduces wasted effort on low-impact compliance activities.
- Improved stakeholder confidence: Demonstrating strong risk management attracts investment and strengthens stakeholder relationships.
- Competitive differentiation: Superior risk management capabilities can become a competitive advantage in volatile industries.
Moving forward: from compliance to capability
For global organizations, applying the principles of Provision 29 requires shifting from a compliance mindset to embedding risk management as a core capability. Steps to consider in making this shift include:
- Identify material risks: Understand the most critical risks across your global footprint.
- Develop consistent frameworks: Build unified risk management frameworks with flexibility for regional adaptations.
- Invest in technology: Implement platforms that provide enterprise-wide risk visibility.
- Ensure Board engagement: Establish oversight that spans geographic boundaries.
- Embrace continuous improvement: Regularly test and refine your approach through scenario planning and ongoing learning.
Provision 29’s emphasis on proactive, integrated risk management offers a universal model for resilience. By applying these principles to manage extended enterprise risks, global businesses can navigate today’s complex risk environment with confidence and agility.
Learn more
Discover how Provision 29 is shaping risk management practices by registering for our April 29 webinar, “The UK Corporate Governance Code: Balancing Risk, Control & Assurance.”
Our expert panel, featuring Michael Rasmussen, GRC Pundit and Analyst, GRC 20/20 Research LLC; Kirsty Hart, Archer’s Global Head of Risk; and Graeme Keith, Archer’s Vice President of Quantitative Risk, will explore practical applications and insights from the UK Corporate Governance Code.