
The Corporate Governance Code: 5 practical tips for UK companies

Navigating changes to the Corporate Governance Code is a high priority for UK governance, risk and compliance professionals. The revised code comes into force in January 2025, with the more complex Provision 29 on internal controls effectiveness assurance set to be implemented for reporting periods from January 2026.
Keen to support organisations as they develop their approach to meeting the new requirements, Diligent recently brought together a panel of experts to share practical guidance – particularly around the challenges of Provision 29.
Following a discussion about identifying and managing material risks and controls, the panel offered a range of perspectives and advice.
5 strategies for stronger Corporate Governance Code compliance
1. Be clear on resourcing, scope and timeframes
Steven Brown, Founding Partner of Brave Consultancy, counselled organisations not to underestimate the resources required for effective engagement with the new code provisions. He emphasised the time and effort needed to define material controls, develop enhanced controls testing and assurance, and design the appropriate board review and disclosure, estimating “For a large organisation this is going to take two to three full time equivalent employees over a year.”
He advises organisations to avoid scope creep, focusing closely on what is material. He also recommends using technology to future-proof the organisation’s approach and improve accuracy by minimising manual administration.
In practical terms, Brown advises organisations to use a phased approach and take advantage of the year’s delay in Provision 29’s implementation by undertaking a dry run of reporting on the top five material controls and sharing these with the board so they understand what is heading their way.
2. Emphasise the importance of board engagement with the code’s new provisions
Peter Neville Lewis, Director of The Risk Coalition Research Company, believes there is enormous value in boards being clear on internal controls assurance. He points to stakeholders’ higher expectations of transparency in today’s data-driven world and the primary role of boards, saying: “Boards not only receive assurance; they also give assurances to external stakeholders, offering a strong, confident narrative to investors and clients. If, in the world we live in, you are not capable of telling a strong, clear, and credible story to your stakeholders, your reputation will suffer. And if you have a share price attached, that will suffer too. There are huge benefits in making sure you are getting all the information, properly integrated, with a good narrative to tell stakeholders because that is the way you will create value in your business.”
Boards must also make it clear what assurances they want and from whom, says Neville Lewis, and ensure they know what “good” looks like.
3. Culture and reviews are key to building an effective internal controls programme
Kathryn Kerle, Advisor to The Risk Coalition Research Company and an experienced board chair, points to the importance of creating a positive accountability culture around internal controls that allows employees to raise concerns in a safe, constructive way.
She recommends conducting a post mortem after every reporting cycle to establish what went well, and what can be done better in the next cycle. This is particularly useful in the early days of introducing new declarations and reporting areas.
Engaging with junior managers is a good way to test confidence in the efficacy of internal controls and the data they are generating, as Kerle explains: “If junior managers are unwilling to sign off on reports you can find out why and work to solve the problem. It may be that they are being asked to attest to data accuracy at a level they aren’t comfortable with, and because they are closer to the business they have greater hands-on knowledge of what is really going on. So, if they are not comfortable signing off reports, finding out why and building a roadmap for improvement is valuable – ion fact eventually it can take months out of the reporting cycle.”
Kerle also advised against perfectionism, saying: “Culture, accountability and a cycle of continuous improvement are key; don’t expect to be perfect every time.”
4. Get visibility and assurance through internal controls technology
Tom Faraday, Vice President, Product Management at Diligent explained how the right risk and controls technology supports a culture of transparency and accuracy across the three lines of defence and links vertically through the business, explaining: “You need a line of sight from a dashboard overview that links right down to someone operating a control in the finance department, providing a granular and comprehensive view of the controls environment.”
He underlined the role of technology in promoting accuracy and relieving administrative burden, saying: “Human data is good, but machine data is better, and any technology that minimises effort is good. Typically, software users can be described as “frequent but disinterested” in that they are someone who is doing their day job who has been asked to get involved in a controls process. They’d rather not have this extra responsibility, so technology control support allows them to do what they need to and then get on with what they were doing, but it also gives confidence right up to director level that the control is working.”
Faraday also recommends organisations seek a solution that helps them tell the story, starting from transactional data and moving up to advanced analysis and board insight, by drawing together information from the entire risk and control environment.
Kerle agrees that data is simply a starting point, saying: “Data points you in the direction of the questions you should be asking. They’re not an answer in and of themselves. Boards need to be asking ‘what business are we in, what do we need to get right to be successful, and what does the data tell us about how we’re doing?’”
5. Remember that risk is also opportunity
All too often risk is viewed through an entirely negative lens, but the panel urged organisations to remember that appropriately controlled risk is an essential aspect of success. Tom notes: “Fundamentally we are putting these controls in place so we can achieve more and do more. The benefit to the business is far more than just avoiding regulatory issues.” This is why he advises organisations to frame internal controls improvements as a positive rather than a compliance exercise.
Neville Lewis agrees, saying: “With integrated assurance processes, risks also present opportunities.” He encourages companies to reflect this in reporting: “It shouldn’t be all about saying ‘this is what we’ve done to prevent risk’, it is also about spotting and acting on opportunities.”
Adapting to the latest Corporate Governance Code updates for growth and compliance: What's next
As organizations navigate the evolving landscape of corporate governance, adapting to the Corporate Governance Code updates is crucial for sustainable success. By understanding and implementing effective material controls, engaging with board members and leveraging technology, companies can not only ensure compliance but also unlock new opportunities for growth. The strategies shared by our panel offer actionable insights to strengthen governance frameworks and drive value creation.
Discover more with Diligent
Register for our webinar, Mastering the future of corporate governance: How to lead change and adapt to the UK Corporate Governance Code, to get even more insights and learn how to develop a strategic roadmap for sustainable value creation. Plus, discover best practices for implementing effective material controls and engaging your board and leadership teams, all while leveraging technology to meet the Code's latest requirements.