Managing the 2026 GRC landscape: Strategic resilience in a changing regulatory world

Key Regulatory and Governance Updates

1. UK Corporate Governance Code - Provision 29 Starting January 1, 2026, boards must annually review and declare the effectiveness of their company's internal controls, including financial, operational, compliance, and reporting systems. Boards are now expected to formally disclose any material weaknesses and remediation actions, marking a significant increase in accountability.
2. The Expanding Scope of Internal Audit Internal Audit (IA) is transitioning from a traditional control-checking role to a strategic partner in risk management. Its remit now extends into areas such as capital and liquidity risks, risk culture, cybersecurity, and ESG.
3. Regulatory Reporting Reliability (PRA 'Dear CEO' Letter) The Prudential Regulation Authority (PRA) has emphasised that regulatory returns must be prepared with the same level of rigour as financial statements. Firms are expected to have clear senior manager accountability and robust end-to-end controls to avoid errors that will no longer be tolerated.
4. Data Act 2025 This act amends existing data protection laws to encourage innovation while maintaining high standards for UK-EU data adequacy. Notable changes include loosened restrictions on automated decision-making and streamlined processes for Data Subject Access Requests (DSARs).
5. Basel 3.1 Standards These final global banking reforms aim to strengthen risk measurement and reduce variability in risk-weighted assets (RWAs). Implementation begins on January 1, 2027, with full effect by 2030, requiring banks to upgrade their risk systems and data infrastructure now.