Managing Risks to Success

Provision 29 Is Live. Are Your “Key Controls” Actually Key?

Too Many Controls, Not Enough Control

Most organisations don’t have too few controls. They have too many to manage effectively.

It’s not unusual to see frameworks with dozens, sometimes hundreds, of “key controls”. On paper, this looks comprehensive. In reality, it often dilutes focus to the point where it becomes unclear which controls actually protect the organisation from material risk.

With Provision 29 of the UK Corporate Governance Code now in effect, that lack of focus becomes harder to ignore. Boards are expected to review and stand behind the effectiveness of material controls. That requires something far more precise than a long list of activities labelled as “key”.

“Across our client work, we rarely see organisations lacking control activity. What’s often missing is a clear line of sight from material risk through to the handful of controls that genuinely matter.”
– Paul Haley, Founder, Littlechild & Haley

Throughout 2025, many organisations treated Provision 29 as a ‘dry run’ year — reviewing frameworks, mapping controls, and beginning to define what ‘material controls’ really means in practice.

Since January 2026, that exercise has shifted from preparation to expectation. The question is no longer whether the framework exists, but whether it can stand up to scrutiny.

The hidden problem: control inflation

In many organisations, control frameworks have evolved over time rather than being deliberately designed. New controls are added in response to audits, incidents, or regulatory change, but rarely removed or challenged.

The result is control inflation: a growing library of activities, many of which are valuable in isolation, but collectively dilute focus and accountability.

“In our experience with clients, this isn’t usually a capability gap; it’s a clarity gap. When material risks aren’t defined in a practical way, ‘key controls’ quickly become a long list of activities, making it difficult to distinguish what is truly critical from what is simply routine.”
– Donna Littlechild, Founder, Littlechild & Haley

When everything is labelled as a key control, prioritisation becomes difficult. Teams spend time maintaining and evidencing a wide range of activities, but it becomes less clear which controls are critical to keeping material risks within appetite.

A simple test

A useful test is to ask: if your top 10 controls were removed tomorrow, would anyone notice before an audit, or would a material risk move outside appetite within weeks?

In well-designed frameworks, the answer should be immediate and obvious. In many cases, it isn’t.

Where frameworks begin to break down

The issue is rarely a lack of intent. More often, frameworks lose effectiveness because key elements are not defined with enough precision.

Material risks are often described at a high level, without a shared understanding of what “material” means in practice. Ownership can be unclear, particularly where risks span multiple teams or functions. Controls are frequently described as activities rather than outcomes, making them difficult to test consistently. Operating frequencies and scope may be implied rather than explicit, and expectations around evidence are not always defined.

In practice, many of the controls we see across client environments sound right on paper but are difficult to evidence consistently. If a control cannot be clearly defined, consistently operated, and easily evidenced, it becomes very difficult to rely on in any meaningful way.

Over time, this creates a disconnect between risk, control, and assurance. Controls exist, but the framework does not operate as a cohesive system that can be monitored, evidenced, and improved.

Reframing the approach: start with material risk

Provision 29 effectively forces a reset. It requires organisations to demonstrate that their most important risks are being controlled effectively, not just that controls are in place.

That starts with clearly defining material risk. A material risk is one that could credibly threaten strategic objectives, financial sustainability, customer outcomes, regulatory compliance, operational resilience, or reputation.

Once material risks are agreed, the question becomes more focused: what must be true, every time, to keep this risk within appetite?


From objectives to control effectiveness (a practical lens)

1. Anchor to objectives and appetite
Define what success looks like and what is not acceptable. Without this, everything risks being treated as ‘material’.

2. Define material risk criteria
Agree impact thresholds across financial, customer, regulatory, resilience and reputation. This creates consistency in what is escalated and controlled.

3. Assign clear risk ownership
Identify who owns the risk (not just the control), including key dependencies. Accountability is essential under Provision 29.

4. Identify a small set of key controls
Focus on the controls you would least want to fail. This prevents dilution of effort and attention.

5. Define controls so they are testable
Set clear scope, frequency, ownership and evidence expectations. This enables consistent assurance and auditability.

6. Embed governance and oversight
Monitor performance, exceptions and actions through defined forums. This turns control activity into demonstrable control effectiveness.


What good looks like in practice

In practice, strong frameworks tend to share a number of characteristics. They have a clearly defined set of material risks, with named owners who are accountable for outcomes. There is a short, curated set of key controls that can be directly traced back to those risks. Control definitions are specific and testable, with explicit expectations around how and when they operate, and what evidence is required.

Importantly, performance is embedded in governance. Controls are not just performed, but reviewed, challenged, and reported on in a way that provides real insight into whether risks remain within appetite.

The board-level reality

The direction of travel from the Financial Reporting Council has been clear: greater transparency, clearer accountability, and more robust evidence of control effectiveness. Provision 29 is a natural extension of that shift.

“Boards are now being asked to stand behind control effectiveness in a way that goes beyond process. In our experience, that requires a level of clarity and evidence that many frameworks simply weren’t designed to provide.”
– Paul Haley, Founder, Littlechild & Haley

Provision 29 raises the bar for everyone involved in governance and assurance. It is no longer sufficient to demonstrate that controls exist. Boards are now expected to review and stand behind their effectiveness, and to explain the basis for that assessment.

For many organisations, the question is not whether they have controls, but whether they can clearly point to their material risks, show how those risks are assessed, and demonstrate the small set of controls that keep them within appetite.

If that line of sight is not consistently clear, it is not a failure. But it is a signal that the framework may need to move from activity to effectiveness, and from coverage to clarity.

Paul Haley

Co-Founder
