Robust governance is the cornerstone of any well-run business. Global regulators will also always look at the strength of this area when they find problems or issues. Organisations therefore need to have a strong board who hold management to account and good governance practices that permeate throughout the business. Global accountability regimes only amplify the importance of getting this right so both firms and individuals demonstrate “reasonable steps”, with key decisions and actions recorded and overseen appropriately.

However, in our experience, we still tend to see a range of issues and themes including:

  • Unclear reporting lines, roles and responsibilities, overlaps and underlaps
  • Insufficient escalation protocols – including when, why and how issues are escalated
  • Lack of robust and meaningful MI
  • Insufficient clarity on action tracking, review and closure
  • Tone from the top, and alignment throughout the organisation
  • Operational resilience, especially in the current crisis

Furthermore, as global regulators begin to ask questions around the challenges businesses have faced from the COVID-19 pandemic, organisations could benefit from considering reviews of their governance arrangements and also “lessons learned” exercises to consider areas such as:

Governance and oversight

  • To what extent was the firm considering the impact the crisis may have on the business at an early stage?
  • Were all appropriate stakeholders involved in planning and preparing the response?
  • To what extent were crisis response plans reviewed, updated and tested?


  • How were the potential impacts of the crisis on customers considered?
  • Were the needs of different cohorts of customers considered, particularly those that may be more vulnerable?
  • Were customers communicated with regularly to inform them of the action that was being taken?


  • How were impacts on staff considered?
  • Were staff clear on the action they needed to take?
  • Were staff communicated with regularly and appropriately?

Technology and hardware

  • Were systems capabilities robustly tested in advance to ensure they could operate effectively?
  • Were critical technology capabilities able to work remotely?


  • How have communications to the regulator been overseen and managed?
  • How have the practical implications of regulatory guidance been considered, impact assessed and acted on in a timely manner?

Businesses should therefore consider the ongoing effectiveness of their governance arrangements and whether reviews of these could be beneficial. Such reviews can be very valuable exercises to understand why issues and weaknesses occurred and give insight into their root causes so they can be fixed. Organisations can also satisfy themselves that issues should not reoccur, remediate any detriment and feed back lessons learned throughout the business.