Provision 29 and people risk: can your board declare your controls work?

Provision 29 of the 2024 UK Corporate Governance Code requires boards to do more than document a control framework. For financial years beginning on or after 1 January 2026, they must declare the effectiveness of their material controls – and describe publicly any that have not operated as intended.

For many in-scope organisations, that judgement will bring people risk into scope of material controls. Conduct risk, speak-up culture, harassment prevention, investigation quality – these are not soft governance topics. They are controls, and boards will need evidence that they work in practice.

That is where most organisations are underprepared.

The gap between policy and practice

A speak-up control is not effective because a hotline exists. It is effective if people genuinely believe that raising a concern is safe and worthwhile. Psychological safety is built through the quality of everyday interactions and the visible outcomes for those who speak up – none of which can be documented into existence.

A harassment prevention control is not effective because training was completed. It is effective if managers understand their role before something goes wrong, if conduct risk is assessed in the environments where people actually work, and if there are functioning routes to raise concerns.

UK employment law is heading in the same direction. The duty to take reasonable steps to prevent sexual harassment – in force since October 2024 – strengthens to all reasonable steps in October 2026. The direction of travel is clear: organisations are expected to evidence active prevention, not just policies.

Where fragmented ownership becomes a problem

Nobody fully owns people risk. Manager capability sits across L&D, HR and the business. Speak-up culture is simultaneously the responsibility of HR, Compliance and leadership. Investigation quality depends on who is involved and whether the function has sufficient skill and independence.

Provision 29 exposes that fragmentation. Organisations that approach readiness through a single function will find the gaps quickly – and those gaps will need to be explained publicly in the annual report.

HR and ER leaders are managing the casework and investigations that will either substantiate or undermine a board declaration. Compliance and risk functions are increasingly accountable for people risk, as the boundary between conduct issues and regulatory exposure continues to narrow. L&D teams are being asked to demonstrate that training has changed behaviour, not just reached inboxes. And boards are being asked to sign their name to a public statement without always having a consistent evidence base underneath it.

Where Byrne Dean comes in

Our team are mostly former City employment lawyers who understand both the regulatory exposure and what it takes to change behaviour in practice. We work across manager capability, speak-up culture, harassment prevention, conduct risk and investigation quality – not as separate workstreams, but as connected parts of a people risk control environment.

If your organisation is working through what Provision 29 means for your people-related controls, we would be glad to talk.

‍