Summary
Government and Parliament use regulation to deliver various public policy objectives across many areas, particularly where government does not provide or commission services directly. Regulation is characterised by a set of rules and expected behaviours that people and organisations should follow, and will often involve one or more regulators enforcing and influencing compliance with those rules and behaviours. Effective regulation can lead to more efficient and effective delivery, such as reduced prices, improved quality or better environmental standards. Failure can result in detriment to people, businesses, the economy or the environment, and large costs to the public purse.
Asset managers and hedge funds have always had frameworks: policies, committees, risk appetites, monitoring plans, board packs to support the regulatory objectives. The supervisory direction of travel is that the existence of those artefacts is no longer persuasive on its own. In order that regulators demonstrate fulfilment of their own objectives, they are increasingly looking for evidence that governance mechanisms within firms change behaviour, shape decisions, and prevent harm in practice, particularly in periods of market stress and rapid strategy shifts. You can see this emphasis on senior accountability and decision-useful MI in the Financial Conduct Authority’s (“FCA”) supervisory messaging to the Asset Management & Alternatives portfolio, where the focus is explicitly on how governance assigns senior accountability and how MI supports decision making.
A useful way to frame the shift is to separate two categories of “control”:
- Controls that exist on paper
Policies that have been approved, reviewed, and circulated, but never referenced when the business makes a decision or a real trade-off. The tell is simple: decision papers do not cite the policy, the risk appetite, or the escalation thresholds, because the policy is not actually the operating system.
- Controls that operate in practice
Controls that are visible in the decision trail: a committee challenges a valuation methodology during volatility; a risk limit breach triggers a pre-defined escalation; a distribution strategy is changed because product governance data shows a drift in outcomes; a third-party dependency results in a resilience remediation plan, with tracked delivery.
The FCA is becoming more outcomes-focused and less interested in prescriptive “tick-box” compliance, including explicitly stating that they are leaning into outcomes-based approaches as markets evolve. The implication for firms is a move away from ambiguity into defining desired results to be achieved and what ‘good’ and ‘bad’ would look like in line with the Firm’s risk tolerance.
Governance and Board Reporting
Most firms have governance and reporting frameworks that inform, on a periodic basis, Boards and management committees of static data metrics. Fewer firms can actually evidence how this information is then used by Boards to refine risk tolerance and recommend action and challenge outcomes. In supervisory terms, static reporting that never triggers action, escalation, or challenge can look aimless.
What “good” increasingly looks like is an MI-to-action chain:
- Thresholds defined in advance (what constitutes drift, breach, or deterioration)
- Ownership defined in advance (who are the ‘doers’, who must challenge, who must approve)
- Evidence created as a by-product (the minutes, actions, decision logs, and follow-up testing)
Monitoring is not the end point; it is a call to action and governance response.
A practical insight for asset managers: speed of evidencing impact has become a proxy for “grip”.
In fast-moving environments where firms are most susceptible to poor outcomes arising through pressure (liquidity stress, valuation uncertainty, investor redemption pressure, geopolitical shocks), when things go wrong the regulator is unlikely to question whether you have a policy. The challenge is more about the speed of identification of issues, speed of remediation and whether those learnings then become embedded in better risk management moving forward.
Liquidity risk management provides one of the clearest examples of the FCA’s shift from intent to outcomes. Throughout 2025 and into early 2026, supervisory focus has moved beyond the existence of stress-testing frameworks to whether firms can evidence that results influence portfolio construction, redemption terms, and escalation decisions. Leverage, counterparty behaviour and redemption management tools are increasingly assessed together, with senior managers expected to demonstrate grip as risks evolve, not just respond after stress crystallises.
Senior manager exposure is expanding from failures to drifting outcomes
A second-order effect is accountability attaching to outcomes drifting over time, not only to obvious control failures. In practice, this means senior managers are more exposed where the firm can’t show that they informed themselves, challenged appropriately, and took proactive steps as risks evolved. That “reasonable steps” framing is visible across regulatory decision-making and enforcement materials, including high-profile investment management cases.
For hedge funds and asset managers, the risk is rarely that a control framework is absent. It’s that:
- the control exists but is not used,
- the control exists but the thresholds are meaningless,
- the control exists but the ownership is unclear,
- the control exists but cannot be evidenced quickly.
The growing challenge of risks posed by technological evolution
One of the FCA’s critical regulatory priorities is Financial Crime. The recent horizon scan published by the Financial Action Task Force (“FATF”) highlights a growing tension at the heart of financial crime controls. Video verification, facial recognition, voice authentication and document checks are still widely treated by regulators and lawmakers as strong safeguards within customer due diligence frameworks. Yet the same report makes clear that advances in AI and deepfake technology now allow each of these forms of “evidence” to be convincingly fabricated, reused and scaled, not just by sophisticated actors, but increasingly by low-skilled individuals and organised criminal groups. This fundamentally weakens the assumption that more digital evidence necessarily equates to stronger controls, particularly where firms rely heavily on automated or remote onboarding without sufficient challenge, corroboration, or contextual judgement.
The implication for firms is that regulatory expectations have not yet fully caught up with the reliability of the tools they implicitly endorse. Compliance teams are being asked to evidence robust controls using tools and evidence that are becoming less dependable. In practice, this shifts the burden away from treating verification outputs as proof, and towards demonstrating how those outputs are tested, challenged, combined with other risk indicators, and overridden when necessary. The emerging supervisory expectation is less about perfect prevention, something which is no longer realistic, and more about whether firms understand the limits of their tools, can identify when controls are being gamed, and can evidence informed human intervention.
Practical moves for asset managers and hedge funds
1. Make policies executable, not descriptive
Firms should identify the small number of policies that genuinely constrain risk and outcomes (typically valuation, liquidity, conflicts, market conduct, and third-party risk) and redesign them as decision aids. This means moving away from narrative policy documents towards:
- explicit decision prompts embedded in committee papers and approval templates (for example, requiring articulation of how a proposal sits within risk appetite or how a conflict is mitigated),
- unambiguous escalation thresholds that remove discretion over when issues must be raised,
- and mandatory referencing of relevant policies in investment, risk, and valuation decision papers.
2. Redesign MI around intervention, not information
MI should be structured to prompt action, not merely to inform. Boards and senior management should be able to clearly see:
- what triggered escalation or challenge during the reporting period,
- which decisions were influenced or changed as a result,
- and whether subsequent monitoring confirmed the intervention was effective.
3. Speed of effectiveness
Firms should assume that time pressure may impact effectiveness. A useful internal test is whether the firm could demonstrate, within a short timeframe, how controls operated during a recent period of stress. Achieving this requires:
- a clear decision log for key approvals, overrides, and exceptions,
- documented rationale for judgement calls and risk acceptance,
- robust data files that can evidence escalations, actions, and follow-up testing.
4. Treat outsourcing, data, and technology as outcome risks
Where firms rely on third parties, data providers, or automated tools, ensure dependency risks are actively governed. In an environment where technological outputs can be manipulated or misleading, reliance without challenge cannot be treated as a reasonable step. Firms should be able to evidence:
- how service failures would affect important activities,
- what fallback or remediation options exist,
- and where senior management explicitly accepted residual risk.
5. Make ownership explicit, and test it under pressure
Many frameworks fail because accountability is implicit rather than assigned. For each material risk and control, firms should be able to clearly articulate:
- who is responsible for acting,
- who must challenge,
- and who ultimately approves risk acceptance.
Conclusion
The concept of “reasonable steps” has not disappeared, but it is increasingly misunderstood when conflated with demonstrable outcomes. Reasonable steps remain the legal and supervisory lens through which individual accountability is assessed; outcomes are how regulators test whether those steps were real, informed, and effective. Policies, MI, and governance frameworks are still critical, but only insofar as they can be shown to have shaped decisions, constrained behaviour, and prevented poor outcomes over time.
When it comes to the evolving environment where technology can convincingly lie, firms will increasingly be tested on their judgement, escalation discipline, and the ability to show how they’ve adapted controls as the threat evolves, rather than blind reliance on automation that no longer deserves its “gold standard” status.