Why your firm’s strategy has already written its governance trajectory, and why the culture that produced it will determine whether your transformation investment delivers, or compounds the problem it was meant to solve.
Transformation is expensive, either in cash cost, human resource cost, or more often than not, both. The decision to fund it, the ExCo conversation, the business case, the resource allocation, is one of the most consequential a financial services firm makes. And it is almost always made before anyone has asked the question that determines whether the investment will actually work and what outcomes you’re trying to achieve.
Not “what do we need to build?” That question gets answered first, usually with a vendor shortlist and a project timeline. The question that gets skipped is this: “what do we actually have, who inside this firm is accountable for it, and what does the regulator expect us to demonstrate about it?”
Avoiding those questions to make the programme cheaper doesn’t work. It makes it more expensive by avoiding accountability gaps left unexamined which will undoubtedly surface mid-delivery, when they cost significantly more to address than they would have at the outset.
Strategy writes the governance story, culture solidifies it.
Every firm that exists today inherited the governance infrastructure its business model required. The systems it bought, the vendors it relied on, the decisions about what to build internally versus what to contract out, each of those choices created a governance position almost by default.
For traditional financial services firms, that default posture has a consistent shape. It tends toward outsourced model governance, diffuse internal accountability, and a technology estate where the relationship between systems, decisions, and named responsible individuals is at best implicit. There is usually a vendor agreement and a SLA. What there frequently is not is a clear internal answer to the question: “who in this firm is accountable for what this system does, and what happens when it produces an adverse outcome?”
Over time, that posture stops being a structural arrangement and becomes something harder to shift: a governance culture. A settled, shared assumption that accountability for systems lives with the provider, that model governance is something you procure rather than build, and that “handled” means “contracted to a third party.” That culture does not dissolve when a transformation programme begins. It shapes how the programme is designed, which risks get surfaced, and which accountability gaps get papered over rather than resolved. The new technology estate inherits the same structural assumption as the old one, just with newer systems underneath it.
“Outsourcing model governance transferred apparent accountability. Not actual accountability. And culture preserved the assumption that the two were the same.”
A different strategy produced a different culture, and a structural advantage.
The contrast with algorithmic trading firms is instructive, not as a benchmark most traditional firms would claim to aspire to, but because it demonstrates precisely what happens when regulatory constraint forces internal governance to be built rather than procured.
MiFID II Article 17, implemented through the FCA’s SYSC sourcebook, required firms conducting algorithmic trading to maintain specific organisational controls: pre-deployment testing, documented algorithm records, annual self-assessments, and a designated SMF holder personally accountable for algorithmic trading operations under the SMCR. A named individual inside the firm, with personal regulatory accountability that could not be contracted away.
These firms were required to know exactly what their systems did, who was responsible for their behaviour, and what the internal audit trail looked like when something went wrong. That constraint (though experienced as a burden at the time), produced a governance culture where ownership of systems is assumed to be internal, accountability is personal, and the answer to “who is responsible for this?” is always ready.
What that culture produces in practice.
When working with algo trading firms through transformation, the governance map already exists to a much deeper level, because it has to. Systems are documented. SMF accountability is assigned. The programme knows what it is replacing, what it is retaining, and where oversight sits at every stage. That clarity is a commercial one, not solely a compliance-driven one. It compresses the discovery phase, reduces mid-programme remediation, and produces a transformation that moves faster and costs less to govern than one built on unmapped foundations.
The commercial cost of the governance gap.
The case for building a governance map is frequently framed as regulatory risk management. That framing undersells it, and it is also the wrong framing for an ExCo conversation about resource allocation.
The commercial case is more direct. Transformation programmes designed without a governance map carry three distinct cost exposures that do not appear on the initial business case but will appear on the final one.
- The first is mid-programme discovery cost. When a programme encounters a system whose ownership is unclear, a vendor relationship whose scope was misunderstood, or an accountability gap that needs to be resolved before the next phase can proceed, the cost of addressing it mid-delivery is a multiple of what it would have cost at the outset. Discovery inside a live programme is a delay, a scope change, and a cost overrun, often simultaneously.
- The second is vendor dependency risk. Firms that have outsourced model governance without maintaining internal oversight have, in many cases, also created undocumented commercial dependencies. They do not have a clear picture of which vendors are material to which processes, what exit costs look like, or where concentration risk sits in their technology estate. That picture is essential not just for the regulator’s operational resilience requirements, but for negotiating vendor contracts from a position of knowledge rather than dependency.
- The third is the cost of regulatory remediation after the fact. The FCA’s expectations around systems accountability, third-party oversight, and governance of automated decision-making are moving in one direction. Firms that respond to those expectations under supervisory pressure, rather than ahead of it, bear significantly higher costs: remediation programmes, external review, management time, and the reputational consequence of being the firm that was required to fix something rather than the firm that had already addressed it.
“The map is not a risk mitigation cost. It is the investment that makes the transformation investment work.”
Five questions your firm should be able to answer.
When it comes to AI transformation, the practical starting point for a COO or CCO building the internal case is not a methodology, it is a set of questions. If these cannot be answered confidently and without significant internal effort, the governance map does not yet exist, and neither does the foundation for a credible transformation programme.
“When we’re moving into a world where high risk outputs are generated through systems, and the integration of them: who in the organisation can sit in front of the regulator and talk through the methodology?”
Governance readiness: diagnostic questions
1. Which systems or automated processes materially influence decisions affecting your customers, your risk profile, or your regulatory obligations. Is that list documented internally?
If the answer requires calling a vendor to find out, the governance map does not exist.
2. For each of those systems, can you name the individual inside the firm, not a supplier, not a consultant, who carries SMF accountability for its behaviour under the SMCR?
Under SMCR, accountability cannot be contracted to a third party. If the answer is a vendor name, that is an open regulatory exposure.
3. Which of your third-party technology relationships are material enough to affect an important business service, and do you have documented oversight of those relationships that sits internally, not just in a contract?
The FCA’s operational resilience framework requires firms to maintain oversight of important business services regardless of whether delivery is outsourced.
4. If a system failed today, how quickly could you produce an accurate picture of its scope, its dependencies, and who internally is responsible for the remediation decision?
The answer to this question under stress is the real test of whether governance is internal or merely assumed.
5. When your transformation programme is complete, will the governance of new systems be owned internally or will it be outsourced to the implementation partner in the same way the legacy estate was outsourced to the original vendor?
If the answer is unclear, the transformation will reproduce the governance structure it was designed to replace.
The investment case is straightforward – and in the era of mainstream LLM use, systems governance is no longer just for large undertakings.
A governance map, a structured, internally owned view of which systems exist, what they do, who is accountable for them, and where the regulatory obligations attach, is not a large or indefinite undertaking. It is a bounded piece of work with a clear output and a direct line to commercial value.
It compresses the discovery phase of any subsequent transformation programme, reducing its cost and timeline. It surfaces vendor dependencies that are currently invisible, improving the firm’s negotiating position and its ability to manage concentration risk. It produces the internal accountability structure that the FCA’s evolving expectations around AI governance and automated decision-making will require firms to demonstrate. And it gives the ExCo an accurate picture of what the technology estate actually contains before committing to a transformation programme designed on assumptions about it.
Firms that build the map before the programme are investing in the programme’s success. Firms that begin the programme without it are funding a more expensive version of the same discovery, one that happens mid-delivery, under time pressure, with a project team waiting on the outcome.
The firms that will navigate the AI governance era with speed and credibility are not necessarily the most technologically advanced. They are the ones that already know what they have, who owns it, and what it is supposed to do. That knowledge is not inherited. It is built. And the time to build it is before the pressure arrives, not during it.
The commercial starting point
Before any transformation programme is scoped, resourced, or vendor-engaged, the right investment is the one that makes all subsequent investments more effective: a governance map of your technology estate, what systems you have, what decisions they influence, and who inside your firm is accountable for each of them.
That investment pays for itself in the discovery cost it avoids, the vendor dependencies it makes visible, and the regulatory accountability it establishes.
The question for ExCo is not whether the firm can afford to build the map. It is whether the firm can afford to fund a transformation programme without one.
