Is Governance the Regulator’s Next Frontier?
In 1992, the Cadbury Committee offered what remains the cleanest definition of corporate governance you’ll find:
“Corporate governance is the system by which companies are directed and controlled.”
Simple. And deceptively demanding.
Cadbury went on to set out what that means in practice: boards are responsible for setting strategic aims, providing leadership, supervising management, and reporting to stakeholders on their stewardship. The UK Corporate Governance Code that followed (updated most recently in 2024) has evolved considerably since then, but the core idea hasn’t. Governance is about how decisions get made, who makes them, and how that process can be seen and tested by others.
For larger listed companies, the Code provides a detailed framework. For the smaller businesses that make up much of the Isle of Man’s regulated sector, something more scaled and practical is needed. Over the years, when clients ask me about governance, I come back to four principles: Clarity, Dissent, Evidence, and Communication.
Clarity
Clarity is a 360-degree requirement. It starts with the board understanding the environment it operates in: the legal, commercial and regulatory landscape. Companies operate within strict legislative requirements, and getting that wrong is costly in both time and money.
But clarity isn’t just about knowing the rules. It’s about having a trajectory — a clear plan that can be safely and legally navigated with a realistic budget and a sensible timeframe. Enthusiasm and good ideas are not always balanced with careful research.
Boards that invest time in thorough planning before committing to a direction consistently outperform those that move fast and figure it out later.
Dissent
A board that always agrees is not a board that governs. It is a board that ratifies.
The ability to ask “why”, and to expect a good answer, is one of the most powerful governance tools available. Even where a path seems obvious, a final “why” review is invaluable for identifying risk and testing the strength of a plan.
Boards that create space for genuine challenge make better decisions. Boards that don’t tend to discover the gap between their assumptions and reality at the worst possible time.
Evidence
If it isn’t written down, it didn’t happen.
Important decisions, meaning those dealing with strategy, commercial or financial matters, regulatory and compliance obligations, or third parties, should be thoroughly minuted.
A minute that articulates the reasons for a decision and demonstrates the thinking behind it is the board’s sword and shield. Not every decision will be right, but a board that can show it weighed the available information carefully and acted reasonably can survive challenge far more robustly than one that can’t.
Communication
Communication is the fourth principle, and it underpins the other three. Clear communication evidences clear thought.
A board needs to be capable of articulating a consistent message to several different audiences: upwards to stakeholders, internally to staff, and externally to clients, partners and oversight bodies. That last category is becoming increasingly important — and not just in the obvious direction of telling regulators what they want to hear.
What’s coming
I’ll be upfront and caveat this by saying that the ways of the Regulator are, of course, inscrutable and that what follows is informed instinct rather than inside knowledge.
Those four principles have always mattered. I think they’re about to matter a great deal more.
The Isle of Man has been through a significant period of regulatory development. The legislative framework is solid. The risk-based approach is embedded, at least on paper. The feedback from the most recent round of Moneyval assessments was pointed: good legislation, now show us that you actually use it.
That feedback lands on the FSA with real weight. The pressure to demonstrate active, effective supervision, to show Moneyval and the international community that oversight here has teeth, will roll downhill to industry. And the natural place for a regulator to look, when it wants to test whether firms are genuinely operating a risk-based approach rather than just documenting one, is governance. Not governance in the abstract. Governance in practice.
The question that I expect firms will increasingly face is this: can you show how your board actually responds to what your compliance framework tells it?
Not just that you have a Business Risk Assessment, but that your board read it, discussed it, and made decisions as a result.
Not just that you complete compliance monitoring, but that the findings go somewhere — that someone with authority saw them and acted.
Not just that your TRA exists, but that it informed a real conversation about technology risk at board level.
This is the closed feedback loop that a genuinely risk-based approach requires. The framework produces information. The board uses that information to direct and control the business. The decisions get recorded. The cycle repeats.
It sounds straightforward. In practice, plenty of firms have the framework without the loop. The BRA gets completed, filed, and revisited twelve months later. The monitoring report goes to the MLRO and stops there. The board signs off on the annual compliance report without a substantive discussion.
That’s governance on paper. What’s coming, in my view, is a much greater focus on governance in practice.
Demonstrating that directors understand the regulatory framework signals to the FSA that control is substantive, not delegated.
What demonstrable governance looks like
The good news is that getting this right doesn’t require a structural overhaul. It requires intention and habit.
Board minutes should reflect genuine engagement with compliance and risk information; not just receipt of reports, but discussion, challenge and decision. If your minutes show that the BRA was “noted,” that’s not enough. If they show that the board considered the BRA, asked questions about the high-risk areas, and directed management to take specific action, that’s a different picture entirely.
Compliance monitoring findings should have a clear path from the person who identifies them to the person with authority to act on them. Where findings are material, that path should reach the board.
Risk assessments should be living documents, not annual exercises. When something changes (a new service line, a new client type, a regulatory development, a staffing change), the board should be able to show that the framework responded.
A question that comes up regularly in board sessions is where responsibility sits when a new procedure is agreed.
The answer is that it sits with everyone — the board and compliance, equally and without exception.
But the board cannot simply rubber-stamp and move on, and the MLRO cannot simply table a procedure and consider the job done. Responsibility without active facilitation is just diffusion.
The MLRO’s role is to drive adoption: setting a clear implementation timeline, nominating staff to test it in practice and report back on what works and what doesn’t, and asking someone outside the relevant department to read it cold.
The board’s role is to ask whether that process has happened and to hold the line until it has.
That’s the difference between shared responsibility and collective abdication.
The four principles come back into focus here. Clarity about what the framework is telling you. Dissent that tests whether the response is adequate. Evidence that the conversation happened and decisions were made. Communication that ensures the right people know what they need to know.
Good governance has always been the foundation of good compliance. What’s changing is the expectation that you can prove it.