18. May 2026

Governance as a Living Standard

Merixa Insights · Risk, Controls & Governance

Understanding what current governance frameworks demand — and the two areas where organisations have the most immediate opportunity to align their policy environment with the standards that regulators, lenders, and counterparties now expect.

Governance is not a destination that organisations arrive at and maintain by inertia. It is a standard that evolves — driven by regulatory reform, by the expectations of capital markets, and by the hard-won lessons of governance failures that produce legislative responses. The organisations that lead on governance quality are not those that reactively respond to each new requirement as it arrives. They are those that understand the direction of travel, anticipate what the framework will demand, and build the internal governance environment that positions them ahead of the standard rather than catching up to it.

The current governance landscape — shaped by the 2024 update to the UK Corporate Governance Code, the ongoing extraterritorial reach of Sapin II across EMEA, the internal control requirements of the Sarbanes-Oxley Act for organisations within US-listed group structures, and the deepening regulatory expectations around operational financial controls — presents a specific and valuable opportunity for scaling organisations. Those that engage with it proactively discover that a well-governed business is not merely a compliant one. It is a more credible, more fundable, and more resilient one. Two areas most consistently represent the starting point for that engagement.

Area one — the 2024 UK CGC update and the internal controls declaration

The Financial Reporting Council's 2024 update to the UK Corporate Governance Code — effective for accounting periods beginning on or after 1 January 2025 — introduces a materially strengthened requirement under Provision 29. Boards are now required to make an annual declaration on the effectiveness of their material internal controls, supported by a description of the monitoring and review process that underpins that declaration. This represents a significant elevation from the previous Code's requirement to report on actions taken and their effectiveness — moving the governance standard meaningfully closer to the principles that inform the internal controls framework under the Sarbanes-Oxley Act, without importing the full compliance architecture that SOX Section 404 demands of US-listed entities.

For organisations within the Code's scope, and for those whose investors or lenders apply its principles as a governance quality benchmark regardless of formal applicability, this development is an opportunity. Building the monitoring process, the control evidence documentation, and the board reporting infrastructure that supports a credible Provision 29 declaration does not require a compliance programme of enterprise scale. It requires a structured, proportionate internal controls assessment — conducted at the level of material financial reporting risks — with documented evidence of the monitoring activities that give the board genuine confidence in its conclusion. The organisations that have already begun that building process will find the 2025 reporting cycle a demonstration of governance maturity. Those that have not have a defined and finite window in which to begin.

"The 2024 UK CGC update does not ask boards to guarantee that controls are perfect. It asks them to demonstrate that they have genuinely examined whether controls are working — and that the examination was rigorous enough to support a declaration made with professional integrity."

Area two — operational policy depth: credits, payments, and financial conduct

Governance policy is frequently conceived at the level of the master framework — the overarching financial controls policy, the risk management policy, the code of conduct. These are necessary. They are not sufficient. The governance standards that most directly affect the organisation's day-to-day commercial integrity operate at the operational transaction level — the credit policy that governs how customer credit limits are set, reviewed, and enforced; the payments policy that governs authorisation thresholds, vendor onboarding, and segregation of duties in the payments cycle; and the operational conduct standards that govern how financial commitments are made and evidenced across the business.

Sapin II's requirements — applicable to organisations with 500 or more employees and €100 million or more in consolidated revenue operating in or with French counterparties — include specific obligations for accounting controls in the payments and procurement cycle, anti-corruption due diligence on third parties, and internal alert mechanisms for reporting suspected violations. SOX Section 302, applicable to organisations within US-listed group structures, requires management certification of the adequacy of disclosure controls and procedures — including those governing the completeness and accuracy of financial reporting at the operational transaction level. Both frameworks point in the same direction: that governance credibility in the current regulatory environment requires policy that reaches into the transactional fabric of the business, not merely its governance superstructure.

Where the diagnostic begins

  • Does the organisation's current governance policy framework extend to operational transaction policies — credit limits, payment authorisation, vendor onboarding, expense conduct — with sufficient specificity that every employee whose decisions affect the financial position of the business understands the standard they are expected to maintain?
  • For organisations within or adjacent to the 2024 UK CGC scope: is the monitoring and review process that would support a Provision 29 internal controls declaration currently in place — and if not, what is the most immediate step toward building it?
  • For organisations with EMEA operations or French counterparties: has a formal assessment of Sapin II applicability been conducted — and where the framework applies, are the required accounting controls, third-party due diligence procedures, and internal alert mechanisms documented and operational?
  • When were the organisation's operational financial policies — credit, payments, procurement conduct — last reviewed against the current transaction volumes, commercial relationships, and regulatory obligations they govern?

These questions are not tests of compliance adequacy. They are invitations to examine what the current governance landscape makes possible for an organisation that approaches it with ambition rather than obligation. The governance standard has moved. For organisations with the clarity to see that movement as an opportunity rather than a burden, the policy environment they build in response to it becomes a source of commercial credibility that their peers who treat governance reactively will not match.

Merixa builds governance policy environments that reach into the operational fabric of the business — aligned to current regulatory standards, maintained continuously, and designed to earn the confidence of every stakeholder who depends on them.

The observations in this post reflect professional opinion informed by practitioner experience in governance and policy maintenance engagements, grounded in the Accounting Governing Bodies' fundamental principles of professional competence and due care. References to the 2024 UK Corporate Governance Code update, Sapin II, and the Sarbanes-Oxley Act are for contextual awareness — their specific applicability to any organisation requires qualified legal and compliance advice appropriate to the entity's structure, jurisdiction, and regulatory context. The 2024 UK CGC update's effective date is stated as publicly available information from the FRC. Merixa Advisory provides Governance and Policy Maintenance services — this commercial context should be considered when evaluating the perspectives offered here.
