The FCA and the PRA have identified governance as a priority item to consider when authorising and supervising firms, but what does this mean in practice?

1. Governance used to be synonymous with corporate governance – board composition, terms of reference, board committees and so forth. Those days have gone. There’s now project governance, product governance, governance and conduct, culture and governance and an expectation that governance extends to all aspects of the business. As we’re looking at governance in the context of regulation, I’ll go with Andrew Bailey’s definition in a speech on 16 March 2017 where he referred to governance as the framework of responsibility that oversees the operations of a firm.

2. FCA references to governance usually go hand-in-hand with references to culture – and often with responsibility, accountability and remuneration. More recently, social licence has been added to the mix (see the separate Blog entry).

3. For the PRA, the emphasis is more on processes. That’s not to say that these aren’t important to the FCA or that the PRA disregards culture; it’s more a question of where the emphasis falls. In this context, governance is about processes of decision-making and implementation of those decisions, having mechanisms in place for decision-making – and those mechanisms kicking in when a decision needs to be made. It’s about putting processes in place to implement that decision. The PRA is putting particular emphasis on governance in the case of changes to IT systems, so firms need robust decision-making arrangements – and clear processes to implement the decisions made – before any change is made. The FCA expects a similar approach.

4. There needs to be oversight of what’s done and, under the SMR, there’s accountability too. The SMR and responsibility statements/maps have become a fundamental part of governance. But what I’m also picking up is that regulators are expecting all directors to have a good working knowledge of relevant topics in order to ask questions, probe answers and hold management to account. The days when there could be the director who had deep knowledge of IT/conduct/financial matters/risk and the other directors could let the expert-director take responsibility for that are over.

5. All decisions, processes, implementation frameworks and oversight must be documented – and communicated to all involved. But there’s a risk that overly rigorous decision-making arrangements, processes, implementation and accountability allocation can result in staff focusing on the specific steps to be taken and missing indicators of possible problems – missing the wood for the trees. My preference is to have someone in the business who will be able to provide a sense-check and ask questions as work proceeds, in addition to the board’s role in doing this.

6. There’s another point that’s starting to emerge, where governance (decision-making; processes; implementation; oversight) is seen in the context of the values and culture of the firm – which now includes (and this is the important part) concepts such as transparency, social licence and inclusion, as well as the regulatory principles for businesses and putting the customer/client at the heart of the business. This isn’t completely new but it wouldn’t have been expressed in quite these terms even a couple of years ago. As an example, think about product development, a review of collections policy or migration to a new IT platform where the customer is at the heart of the business – and then again where transparency, social licence and inclusion are held as core values. There’s a difference and I expect to see the FCA, in particular, looking for evidence that firms are connecting decision-making, processes and oversight with values.

7. There are various other points to consider (and I’m listing a few below – this is far from complete) but the purpose of this entry is to take stock of where governance is and look at some of the emerging points.

  • Consider the need for clear allocation of responsibilities – and for those to be documented.
  • Consider the importance of reviewing and updating terms of reference and board committees and their composition – is a committee still needed? – does it have the right people with the right skills? – should it do different things?
  • Consider how important it is to have appropriate MI and what MI is needed by different people within the organisation. I rarely see people below senior management loving the MI they receive. And make sure the MI serves the project or work people do.
  • Allow for projects to evolve – don’t try to keep exactly the same project plan and make the project fit that.
  • Non-executive directors must probe – it’s their raison d’être.
  • Have a three lines of defence model and consider using that approach for project and change work too.
  • Ensure that the Risk, Compliance, Legal, AML/Fraud and Internal Audit functions know what they’re responsible for, have frameworks and plans in place and are appropriately resourced.
  • Remember that remuneration is inextricably linked to governance and can evidence good governance.
  • Decide what else can demonstrate good governance in the firm and what good governance looks like for you.


The blog and all entries on it are intended to provide general information about recent and expected items that might be of interest.  Neither the blog nor any entry provides or constitutes, or purports to provide or constitute, advice relevant to any particular circumstances.  Legal or other professional advice relevant to any particular circumstances should always be sought.

