- 16 June 2026
Read time: 6-8 minutes
Summary: The Institute's Head of Policy Kayla Schembri argues that modern slavery has moved from a transparency exercise to a board-level accountability test – and many organisations still haven’t caught up.
When the Modern Slavery Act was introduced in 2015, it was rightly seen as world leading. It created a new expectation of transparency, requiring organisations to disclose what they were doing to identify and manage risks in their operations and supply chains. But the context in which it operates has fundamentally shifted. Modern slavery and human rights risks are no longer confined to ethical or reputational considerations. They have become legal, litigation, and operational risks, and ultimately, enterprise risks keeping our boards up at night.
Why Modern Slavery is now an enterprise risk
This brings modern slavery squarely into the domain of mainstream corporate governance. In particular, it places it within the scope of the UK Corporate Governance Code and, most notably Provision 29, requiring boards to establish and maintain effective risk management and internal control systems. Boards are still coming to grips with Provision 29. The question is no longer whether an organisation simply produces their modern slavery statement, but whether the risks are being managed with the same rigour as any other enterprise risk.
The governance shift: from statements to systems
The critical lesson from the past decade: transparency without substance is a liability. Unsubstantiated statements, unsupported claims, and disclosures misaligned with operational reality create exposure rather than assurance. Human rights disclosures are now scrutinised in much the same way as financial statements or climate-related claims. The governance challenge has shifted from publication to proof.
Naturally, this has significant implications for boards. Beyond approval, boards must understand where the organisation’s risks lie, challenge management on identification and mitigation, and ensure consistency between what is said externally and what is happening internally. Increasingly, directors are expected to evidence that they have exercised reasonable care, skill and diligence in this area, particularly where statements may prove to be misleading or incomplete. Boards must evidence – not just assert – oversight.
The global regulatory push
There is a broader global shift away from transparency-based regimes toward mandatory, enforceable due diligence. This is clearest in the EU’s Corporate Sustainability Due Diligence Directive (CSDDD), which will establish a legal duty on companies to identify, prevent, mitigate and, importantly, remediate human rights and environmental harms across operations and value chains. It goes beyond what organisations do (and the systems they have in place) by introducing potential civil liability where those obligations are not met. This represents a fundamental change in regulatory philosophy, and while not directly applicable to the UK, it does capture many large UK businesses operating in the EU and indirectly affects many others through supply chain demands.
At the same time, there are also the developments such as the EU Corporate Sustainability Reporting Directive (CSRD) bringing a new level of structure, standardisation and assurance to non-financial reporting that mirrors financial reporting frameworks. Put simply: one directive sets what companies do; the other, what they must disclose. Taken together, these developments signal a clear direction of travel for regulation – the UK is unlikely to stand still while the EU and others move forward, particularly in light of parliamentary scrutiny suggesting the current framework is no longer sufficient.
For boards, this raises a pressing question: what does this mean for the internal control environment? At its core, modern slavery risk is now a controls issue. It requires systems to identify, assess, and mitigate risks, and mechanisms to respond effectively when issues arise. This is precisely the language and expectation embedded in Provision 29. The challenge is ensuring that human rights risks are not treated as isolated or peripheral – but are fully integrated into enterprise risk management and the broader system of internal controls.
Supply chains: the weak links boards can’t ignore
One of the most difficult challenges is supply chain oversight. The past decade has shown that deep supply chain visibility remains limited in many organisations. Beyond first-tier suppliers, there are often significant gaps in understanding, particularly in higher-risk geographies and sectors. Yet expectations have moved on, and it’s simply not good enough to say that risks are unknown. In fact, in other jurisdictions, “not knowing” is becoming a source of liability in and amongst itself.
This is illustrated starkly by the United States Uyghur Forced Labor Prevention Act, which effectively reverses the burden of proof by presuming that certain goods are produced using forced labour unless companies can demonstrate otherwise. The consequence is not a reporting failure – but the detention or exclusion of goods at the border. This is a clear example of how human rights risk translates directly into operational and financial disruption. It also underscores the need for organisations to develop supply chain visibility not as an aspirational objective, but as a strategic capability.
Controls, culture, and data: where risk lives
Equally important is the role of culture and incentives in undermining or enabling effective governance. Many of the most significant failures in this space have not been due to a lack of policies or commitments – as much as it pains me to say as a policy person, words on a page are useless unless fully lived and breathed. Failures occur where commercial pressures (be that cost, speed or margin) have been inconsistent with those commitments. Procurement practices that prioritise price above all else, unrealistic contractual terms, or performance metrics that ignore ethical considerations can all create conditions in which risks materialise. From a governance perspective, this speaks directly to the criticality of alignment between culture and decision-making. Controls, however well designed or well-articulated, will not operate effectively in the absence of supportive behaviours and incentives.
Another persistent challenge has been the quality of data and measurement. Organisations can report on activities (e.g., audits conducted, employees trained) but struggle to demonstrate impact. With the governance expectation shifting toward outcomes, boards need to understand whether risks are being reduced, interventions are effective, and issues are identified in a timely manner. This requires not only better metrics but also more robust assurance. Internal audit functions and, increasingly, external assurance providers have a critical role to play in testing whether systems are operating as intended – demand in this area is only increasing.
Overlaying all of this is an evolving stakeholder landscape. Investors, customers, regulators and civil society are all applying greater scrutiny to how organisations manage human rights risks. Scrutiny is becoming more sophisticated, global, and fast-moving. It is no longer enough to have a UK-compliant approach if operations and disclosures in other jurisdictions don’t align. Inconsistencies can undermine credibility – with direct implications for access to capital, commercial relationships and reputation. To share a term I heard recently: adjacent to “greenwashing” there is also “green hushing”, wherein organisations are actually downplaying their ESG activities to avoid greenwashing accusations. All of which is to say, as the times continue to change, organisations not keeping pace will find themselves plastered on the front page of the news under neologisms that don’t even exist yet.
The role of the company secretary
For governance professionals and company secretaries, this evolving landscape places us at the centre of the response. We play a pivotal role in ensuring that boards have visibility of these risks, that they are integrated into risk management and internal control frameworks, and that disclosures are accurate, consistent, and defensible. We are also instrumental in aligning policies and practices across our organisations, ensuring that what is said at the top is reflected in what happens everywhere else it’s supposed to.
The role of the board
Ten years ago, the Modern Slavery Act brought hidden risks into view. It created transparency and shone a light on the skeletons in the closet. But transparency was never the end point, it was the starting point. We are now entering a different phase, one defined by accountability for cleaning out those closets, and keeping them clean.
And in governance terms, that means recognising that modern slavery is no longer just a disclosure issue. It’s a Provision 29 issue. It’s about the impact on dignity and humanity. It’s a question of whether boards can demonstrate that they have effective systems of risk management and internal control in place to address material, foreseeable risks.
We should also never lose sight of the fact that behind these risks are real human beings. Yes, good governance is of utmost importance, but beyond that, this is about people, and whether what we do meaningfully protects their safety, dignity and fundamental human rights.
Boards should be asking:
- Does your organisation treat modern slavery risk like other principal risks?
- Can your organisation evidence effectiveness – not just activity?
- Where are your organisation’s biggest supply chain blind spots?
- Are your organisation’s incentives aligned with its commitments?
The real test now is whether organisations can demonstrate, clearly and credibly, that their systems, controls, and decisions are actually reducing harm. Because in this next phase, it’s not what you say – it’s what you can prove.