
  • This event has passed.

UK Corporate Governance Code by Design, LONDON

November 6 @ 8:00 am - 4:30 pm, LONDON

Blueprint for Risk & Internal Control Effectiveness Under Provision 29


The upcoming implementation of Provision 29 in the UK Corporate Governance Code marks the most significant shift in UK risk and control expectations in over a decade. For the first time, boards of UK-listed companies will be required to affirm and disclose the ongoing effectiveness of their risk management and internal control frameworks—not just at a point in time, but continuously, in practice and in principle.

This is not just a compliance obligation. It’s a call to rethink how organizations embed risk and control into strategy, operations, and decision-making.

UK Corporate Governance Code by Design delivers a structured, strategic, and scalable approach to operationalizing Provision 29. This interactive workshop equips attendees with a practical blueprint to design, implement, and sustain a modern risk and control framework—one that is aligned to objectives, responsive to change, and credible in the eyes of regulators, investors, and the board.

Provision 29 is not SOX. It is broader, more principles-based, and embedded in corporate governance and performance expectations. Risk and control must no longer live in isolation—they must become part of how the business thinks, decides, and operates.

This workshop helps organizations:

  • Understand the intent and expectations of Provision 29
  • Integrate risk and internal control with strategy, performance, and culture
  • Establish clear ownership and accountability across all lines of the business
  • Build a resilient and agile control environment that can adapt and evolve
  • Deliver board-ready assurance that is meaningful, timely, and defensible

Workshop Objectives

Attendees will leave with practical approaches to:

  • Interpret the strategic implications of Provision 29 in the broader governance landscape
  • Map risk and internal control to objectives, value drivers, and accountability structures
  • Embed a risk-informed approach across operations—not just within second-line functions
  • Clarify roles and responsibilities across the Three Lines Model
  • Design risk and control lifecycles that align with materiality, agility, and business change
  • Develop information and technology architectures that enable real-time monitoring, integrated reporting, and effective board assurance
  • Demonstrate ongoing effectiveness with data, context, and clarity

Benefits to Attendees

  • Gain clarity on the key components of Provision 29 and how they compare to other regimes (e.g., SOX, UK SOX, COSO)
  • Build a risk and control framework that is adaptive, forward-looking, and performance-linked
  • Understand what regulators, shareholders, and boards expect from “effectiveness” and how to evidence it
  • Learn how to engage business leaders, internal audit, compliance, and IT in a common model
  • Explore how GRC technology, taxonomy, and data can support visibility, ownership, and accountability
  • Walk away with a practical roadmap to begin implementing risk and control by design

Who Should Attend?

  • Board Members & Company Secretaries
  • Chief Risk Officers & Risk Managers
  • Internal Control and Assurance Leads
  • GRC Professionals & Compliance Officers
  • Internal Auditors
  • Operational Risk & Strategy Leaders
  • Transformation & Program Leaders
  • IT and GRC Technology Architects

Workshop Agenda

Part 1: Risk & Control by Design – The New Governance Imperative

  • Understanding the role of internal control in today’s governance expectations
  • Unpacking Provision 29: key requirements, intentions, and implications
  • Differences between UK Corporate Governance Code and SOX-style programs
  • Why effectiveness must be continuous, dynamic, and demonstrable
  • Interactive Exercise: Mapping Provision 29 into your organization’s risk and control landscape

Part 2: Breaking Silos – Building a Federated & Business-Integrated Model

  • Creating enterprise-wide alignment of risk and control responsibilities
  • Connecting control functions across the Three Lines
  • Designing federated oversight through Risk & Control Committees, shared taxonomies, and common assurance models
  • Interactive Exercise: Building your federated risk and control governance blueprint

Part 3: The Risk & Control Lifecycle – From Identification to Integrated Assurance

  • Designing a practical risk-informed control lifecycle
  • Rationalising and aligning controls with strategic and operational risks
  • Monitoring effectiveness through key indicators, thresholds, and events
  • Building assurance models that combine first-line accountability with second- and third-line validation
  • Interactive Exercise: Mapping your control lifecycle across business functions

Part 4: Architecting for Visibility, Agility, and Accountability

  • Defining your risk and control taxonomy for relevance and consistency
  • Designing information architectures that connect objectives, risks, controls, issues, and assurance
  • Leveraging GRC technology for automation, data integration, and board-level reporting
  • Reporting effectiveness with confidence: what boards and investors expect to see
  • Interactive Exercise: Designing your integrated risk and control information ecosystem

This workshop empowers you to build a risk and internal control environment that is aligned, adaptive, and accountable — a design blueprint that turns Provision 29 into an opportunity for performance, resilience, and trust.

Let us help you go beyond compliance — and lead with confidence.

GRC 20/20 Presenter . . .

Michael Rasmussen

Michael Rasmussen is an internationally recognized authority, thought leader, and pioneer in the disciplines of governance, risk management, and compliance (GRC). With over 30 years of experience, he is globally known for defining and shaping GRC strategy, processes, and technology. In February 2002, while at Forrester Research, Michael developed the concept of GRC — establishing the foundation for how organizations approach strategy, process, and technology in today’s complex business environment. For this, he is widely acknowledged as the “Father of GRC.”

A trusted advisor to boards, executives, and professionals around the world, Michael has dedicated his career to helping organizations design and implement effective GRC strategies that are aligned with business objectives. His work empowers organizations to be more effective, efficient, resilient, and agile. He is a sought-after keynote speaker, author, and advisor, with his thought leadership influencing legislation, regulatory frameworks, and corporate best practices globally.

Michael is the host of the Risk is Our Business podcast, where he leads conversations with global experts exploring the evolving frontiers of risk, resilience, and corporate integrity.

Workshop Host . . .

Mitratech has a 35-year history as a leader in providing technology and services that empower organizations to manage risks, increase efficiency, control costs, and scale for the future.

The lines continue to blur across Legal & Claims, Risk & Compliance, and Human Resources (HR)— and Mitratech is the trusted partner in driving clarity and collaboration across all these functions with cloud-based, automation-driven solutions.

Scalable, flexible, and highly configurable by design, Mitratech’s Governance, Risk and Compliance suite offers end-to-end, top-to-bottom risk and compliance management capabilities, spanning policy management, enterprise risk management, data privacy, AI governance, third-party risk management, and more.

Whether organizations are just starting to implement GRC processes or looking to deploy next-generation programs across their full enterprise, Mitratech simplifies the process with cross-industry applications, convenient out-of-the-box templates, and relevant analytics to empower data-driven business outcomes.

Mitratech serves over 24,000 organizations worldwide, spanning more than 160 countries.

For more information, please visit: www.mitratech.com
