Provision 29 – good news for media companies

Posted on: April 14th 2026

Provision 29 of the UK Corporate Governance Code, introduced by the Financial Reporting Council (FRC), requires that boards of companies with a premium listing on the London Stock Exchange (including those in the commercial companies or closed-end investment fund categories) confirm they have monitored and reviewed the effectiveness of their risk management and internal control systems, and that these systems have operated effectively throughout the reporting period.

For the media sector, this requirement can present particular challenges.

Media companies typically operate in fast-evolving, digitally-driven environments characterised by complex revenue models, high data volumes, and increasing reliance on technology platforms. These features create an elevated Provision 29 risk profile.

The complexity of revenue models, especially around issues such as IP (intellectual property), can present particular Provision 29 challenges. Media organisations generate income through a wide range of streams including advertising, subscriptions, licensing, syndication, streaming, and content distribution. Each of these revenue typologies has distinct characteristics and contractual arrangements, often involving multiple parties and jurisdictions.

IP-based revenue streams are especially complex. Licensing agreements may include variable consideration, performance-based payments, territorial rights, and time-limited usage terms. A single piece of content, for example, may generate revenues across different platforms and geographies, each with its own contractual structure. This creates challenges in determining when revenue should be recognised, how it should be measured, and how it should be allocated across reporting periods. Weaknesses in contract management, revenue recognition policies, or system integration can lead to material misstatements. Under Provision 29, boards must be satisfied that controls over these complex arrangements are both well-designed and consistently applied and monitored.

The move towards digital and platform-based distribution further increases revenue complexity. Media companies often rely on third-party platforms for content distribution, advertising delivery, and audience monetisation. This introduces dependency on external data and reporting systems which may not always be fully transparent. Reconciling internally-generated data with platform-provided reports can be challenging, particularly where methodologies differ. This can increase the risk of inaccuracies in revenue reporting and make it more difficult for boards to obtain reliable assurance over financial controls.

 

Another significant, and increasingly vexatious, component of Provision 29 risk is cybersecurity and data-related exposure. This is particularly acute in digitally-focused media organisations. Media companies collect, process and monetise large volumes of user data, including personal information and behavioural data. This data can underpin key revenue streams such as targeted advertising and subscription services.

As a consequence, the sector is highly exposed to cyber threats, data breaches, and system disruptions. A cyber incident could compromise sensitive data, disrupt content delivery, or affect advertising delivery systems, leading to financial loss and reputational harm. Boards must ensure that robust cybersecurity frameworks, access controls, and incident response mechanisms are in place. However, given the pace of technological change and the increasing sophistication of cyber threats, especially using AI, maintaining effective controls is a major ongoing challenge.

In addition to cybersecurity challenges, media companies face risks related to data integrity and reporting accuracy. Digital operations rely heavily on complex data pipelines that aggregate information from multiple sources including websites, mobile apps, streaming platforms, and third-party analytics providers. Errors in data collection, processing, or aggregation can lead to inaccuracies in both financial and non-financial reporting. Ensuring the integrity of these data flows requires strong governance, validation controls, and system integration. These are all areas where weaknesses can undermine the overall control environment.


The reliance on third-party platforms and ecosystems introduces additional Provision 29 control challenges. Media companies often depend on major digital platforms for content distribution, advertising, and audience engagement. These relationships can create dependencies on external systems and data, limiting a company’s direct control over key processes. Changes in platform algorithms, policies, or reporting methodologies can have immediate impacts on revenue and performance metrics. Boards must consider not only internal controls but also the risks associated with external dependencies. These can be difficult to monitor and manage.

The sector is also exposed to content-related and regulatory risks. Organisations must comply with a range of legal and regulatory requirements, including copyright laws, broadcasting standards, advertising regulations, and data protection rules. Failure to comply can result in fines, legal disputes, and reputational damage. Managing these risks requires robust editorial controls, legal oversight, and compliance processes, all of which form part of the broader internal control framework assessed under Provision 29.


Additionally, the media sector faces challenges related to rapid technological change and business model evolution. The meteoric rise of AI is a prime example. The transition from traditional media formats to digital and streaming platforms has required significant investment in new technologies and capabilities. The constant state of change can strain existing control frameworks, as systems and processes are continually updated and integrated. During periods of transformation there is an increased risk that controls may not keep pace with operational changes, creating gaps in the control environment.

For boards in the sector, the main challenge under Provision 29 is to obtain sufficient assurance that internal controls are operating effectively across a complex and dynamic landscape. This requires strong coordination between finance, technology, legal, and operational functions, as well as robust internal audit and risk management processes. Given the sector’s reliance on data, technology, and external platforms, achieving comprehensive assurance is a major challenge.

 

Considering all of these demands, it is not surprising that the media sector faces elevated Provision 29 risk. The multiplicity of factors creates a control environment in which risks are interconnected and can change rapidly. For boards seeking to provide a confident statement on the effectiveness of risk management and internal controls, the answer lies in a high degree of vigilance, integration, and continuous monitoring across both financial and non-financial domains. This is a challenge, but not an impossibility, especially in light of new tools and systems based on technologies such as AI, which can be good news for media company Provision 29 compliance.
