Risk and Control by Design: Navigating Provision 29 of the UK Corporate Governance Code, LONDON

The Park Plaza London Riverbank, 18 Albert Embankment, London SE1 7TJ

The upcoming implementation of Provision 29 in the UK Corporate Governance Code marks the most significant regulatory change in over a decade.

Boards of UK-listed companies must now affirm the ongoing effectiveness of both their risk management and internal control frameworks, and report on them with clarity, confidence, and accountability starting in 2026. 

Protecht invites you to a special session with internationally renowned GRC expert Michael Rasmussen, designed to help you cut through the complexity and understand what these changes mean in practice.

We will explore how to create an agile, business-integrated approach to risk and control management that aligns with corporate objectives, empowers decision-makers, and withstands scrutiny from boards, regulators, and investors alike.

You’ll leave with a clear understanding of Provision 29 and how to embed it in your organisation’s risk and control frameworks.

Spaces are going quickly: don’t miss your chance to join us.

What you will learn

Through expert-led sessions, peer collaboration, and hands-on activities, attendees will:

• Understand the strategic implications of Provision 29, and how it differs from other global frameworks (e.g., SOX), focusing on ongoing effectiveness not point-in-time compliance.
• Build a risk-informed internal control framework that supports strategy, performance, and operational resilience.
• Explore how to embed risk management into business operations, not just within risk or compliance functions.
• Learn to identify and assess material risks and controls, clarify ownership, and establish meaningful accountability across the three lines of defence.
• Evaluate how to architect the information and technology infrastructure to enable continuous monitoring, real-time insights, and integrated assurance.

Who will benefit?

This workshop is essential for senior leaders, board advisors, GRC professionals, internal control managers, risk and compliance officers, and audit personnel seeking to proactively respond to the updated UK Corporate Governance Code.

Agenda overview

Session 1: What is Risk & Control by Design?

• Understanding risk and internal control in the context of business strategy and operations
• Unpacking Provision 29: board accountability, assurance requirements, and risk/control effectiveness
• How risk and control intersect across governance, compliance, and performance
• Workshop exercise: Mapping Provision 29 into your organisation

Session 2: Breaking Down Silos – Building a Federated Model

• Creating an integrated view of risk and internal control across the enterprise
• Designing collaborative risk/control governance structures (e.g., Risk & Control Committees)
• Aligning risk and control functions across the three lines of defence
• Workshop exercise: Creating your federated risk and control blueprint

Session 3: The Risk & Control Lifecycle – From Identification to Assurance

• Risk-informed control design: top-down strategic risks and bottom-up operational insights
• Control rationalisation: reducing duplication and aligning controls with material risks
• Assurance strategies for Provision 29: continuous monitoring, independent validation, and reporting
• Workshop exercise: Designing a control lifecycle aligned to risk

Session 4: Architecting for Visibility, Agility, and Accountability

• Workshop exercise: Developing an integrated risk and control information architecture
• Information and technology architecture for risk and control management
• Defining a risk and control taxonomy with business relevance
• Reporting on effectiveness: dashboards, metrics, and board-level insights

GRC 20/20 Analyst Workshop Facilitator . . .

Michael Rasmussen is an internationally recognized authority, thought leader, and pioneer in the disciplines of governance, risk management, and compliance (GRC). With over 30 years of experience, he is globally known for defining and shaping GRC strategy, processes, and technology. In February 2002, while at Forrester Research, Michael developed the concept of GRC — establishing the foundation for how organizations approach strategy, process, and technology in today’s complex business environment. For this, he is widely acknowledged as the “Father of GRC.”

A trusted advisor to boards, executives, and professionals around the world, Michael has dedicated his career to helping organizations design and implement effective GRC strategies that are aligned with business objectives. His work empowers organizations to be more effective, efficient, resilient, and agile. He is a sought-after keynote speaker, author, and advisor, with his thought leadership influencing legislation, regulatory frameworks, and corporate best practices globally.

Michael is the host of the Risk is Our Business podcast, where he leads conversations with global experts exploring the evolving frontiers of risk, resilience, and corporate integrity.

Workshop Host/Sponsor

Redefining the way the world thinks about risk. While others fear risk, we embrace it. With offices in Los Angeles, Sydney and London, Protecht has been redefining the way people think about risk, compliance and resilience for over 20 years. Through our people, we enable smarter risk taking by our customers to drive their resilience and sustainable success. We do this by channeling our passion for enterprise risk management into knowledge and expertise that drive every aspect of our training, thought leadership, products and services, and by building true relationships with our customers as we support their risk management journey. We help our customers increase performance and achieve strategic objectives through better understanding, monitoring and management of risk. We provide a complete solution of world-class risk management, compliance, training, framework, advisory and consulting services to businesses, regulators and governments across the world.