How to define material controls for Provision 29

Author: ICAEW Corporate Governance Faculty

Published: 05 Feb 2026

In the second Corporate Governance Faculty article on Provision 29, experienced audit committee chairs share the three key questions boards are asking about defining and matching principal risks and material controls.

While management undertakes the groundwork for Provision 29 – identifying the population of principal risks and controls, and matching the two to determine the material controls – it is the board that must establish governance around that process to make sure it is sufficiently robust. 

These are the three central questions boards are raising about identifying principal risks and aligning them with material controls.

1. Where do you start?

Some businesses already have formalised internal control frameworks. One audit committee chair said theirs had around 130 controls, with a twice-yearly process for testing their effectiveness. An early debate was over whether to start a fresh process to capture material controls for Provision 29 or integrate it into this existing control framework. 

“We decided we didn’t want parallel processes, in case people focused on the material controls and treated the rest as secondary,” the audit committee chair says.

There can be value both in ‘working down’ from the principal risks and in ‘working up’ from the controls that the business already uses. By engaging those responsible for the controls – the first line of defence – management and the board have a better chance of seeing the full picture.

“We could sit in ivory towers saying all the principal risks have material controls, but if they're not being adhered to, or things are thwarting them on an everyday basis in the business, then you've got a real problem,” says Mary Reilly, former audit committee chair at Mitie Group.

2. Do you have the right principal risks?

Before defining a population of material controls against principal risks, boards need to know they have the right principal risks in the first place.

“We started with principal risks as disclosed in the annual report and were debating whether we had the right controls. Surely, they must relate to our principal risks,” begins Jock Lennox, Board Chair at Johnson Service Group and former audit committee chair of Barratt Redrow. 

“But we started to think, if we didn’t actually need that many controls for a certain principal risk, perhaps it wasn’t actually a principal risk. We’ve used the process to challenge whether we’d identified the right principal risks in the first place,” Lennox says.

Doug Webb, Audit Committee Chair at Johnson Matthey and member of the United Utilities audit committee, says that thinking about principal risks evolved at the latter too. “Risk reporting is generally on what you could call a net risk basis – the risk for companies after controls have been applied. We’ve taken the approach that for Provision 29, we can’t start there. We have to start with gross risks, because it’s asking whether controls are effective against existential risks for the business,” Webb says.

Some events, like a dam bursting, would be highly damaging but the risk is already so well controlled that overall exposure is very low. “The board still needs to be able to say that it's comfortable that the controls against that risk are really strong,” he explains.

It works the other way as well: some risks that appear as principal risks in net-basis reporting do not meet the materiality threshold when assessed on a gross basis. Webb points to financial reporting risk as a possible example: “In an infrastructure company, earnings are relatively less important than return on assets over 20 years, which is a number agreed with the regulator.”

Not every company will come to the same conclusion, but that is the whole point of a principles-based approach: Provision 29 is designed to get boards to think about things that they may previously have taken for granted.  

3. How many material controls should businesses have?

The Financial Reporting Council (FRC), which is responsible for the Corporate Governance Code, has not specified the number of material controls that businesses should have, but the six interviewees who provided figures for their companies expected somewhere between 30 and 50.

One common theme was that the board often needs to whittle down the controls provided by management. “There's an awful lot of weeding that needs to be done in the garden of controls,” says Matthew Lester, Board Chair of Kier Group and Audit Committee Chair of ICG.

Another theme was that directors’ experiences of Sarbanes-Oxley (SOX) regulations would help prevent material control populations from proliferating. 

“One of the big mistakes in the early days of SOX was that companies had masses of key controls, which they reduced over time. That’s been a good learning exercise for Provision 29. Companies have not gone overboard,” explains John Ramsay, Audit Committee Chair at Babcock and DSM-Firmenich.

Webb offers some advice: “If anything, start by focusing on a smaller number of material controls. So long as you've explained what you've done, you won't be criticised if the number’s too little, you might just be encouraged to do more next time.”

For Byron Grote, Audit Committee Chair at IHG, audit committee member at Inchcape and former CFO at BP, “The key is to decide which controls are material. You may have hundreds of controls, but whether they are all material is a different ball game.”

Materiality is clearly a matter for the board’s judgement, reflecting the organisation’s unique circumstances and operations. 

Webb explains how matching material controls to principal risks clarified how materiality was defined at United Utilities: “We worked out that the material controls are not the individual activities that go on, like staff inspecting a dam every week, but the governance organisation around them – that there’s a dam safety group, its responsibilities are defined correctly and it meets with sufficient regularity.” 

Several interviewees also said it was valuable to see what everyone else was doing, in some cases with informal contacts between heads of internal audit, and engagement with the FRC itself. 

As Grote puts it, “You don't want to be the board saying we only have five material controls if everybody else has 30 or 40, or the one who says we've got 500.” 

Provision 29

Provision 29 came into effect on 1 January 2026. Find out how it is affecting boards and auditors, and hear from audit committee chairs.