Most governance failures do not happen because companies have bad intentions. They happen because companies mix up three questions that need to be kept separate. A company adopts a rule without asking whether the rule can be governed in practice. It hands the rule to a consultant who answers whether it is wise without leaving anything behind that can be verified. It asks a tool to tell it whether the rule makes sense, as if the tool can supply the judgment that only people who understand the domain can supply. And it goes through all of this without the company itself formally accepting the rule and the obligation to be held to it.

These are three distinct questions. Every rule a company adopts — every policy, every standard, every commitment — must answer all three before it can be called governed. The first is about structure: can this rule actually be governed? The second is about judgment: is this the right rule? The third is about authority: who has said this rule binds us? Mix them up, or skip one, and the result is not governance. It is the appearance of governance, which is worse than nothing because it creates confidence that has not been earned.

What follows is a working account of each question, in order. The examples are drawn from the kinds of rules that mid-market companies deal with constantly — data retention, AI use, expense approval — because abstract principles are only useful when they can be applied to something real.

01 / Question one: is it governable?

Governability is a structural question. It asks: can this rule be run as an operating control? Not whether the rule is good or bad, not whether someone agreed to it — just whether it can function in practice as a rule the company is actually held to. A rule that cannot be governed is not a rule. It is a statement of preference.

The governability test has several parts. Is the rule clear? A rule that says "sensitive data should be retained appropriately" fails the clarity test. Appropriately for what purpose, over what period, for which categories of data, enforced by whom? A rule that says "customer records classified as personal data under our data classification policy shall be retained for no longer than seven years from the date of last transaction, after which they shall be deleted from all primary systems" passes the clarity test. You can look at a system and determine whether the rule is being followed.

Is the rule measurable? Some rules describe states that can be directly observed: MFA is either enabled for all administrative accounts or it is not. A vendor is either on the assessed list or it is not. An expense above the threshold either has an approval on record or it does not. Other rules describe outcomes that require interpretation to measure: "reasonable security measures" are in place, "appropriate oversight" is applied to AI outputs. Rules that require interpretation to measure are not ungovernable, but they require a more careful translation step — turning the interpretive standard into specific, observable checkpoints — before they can function as operating controls.

Is the rule owned? Every governable rule has a person accountable for it: the person who ensures it stays current, who is notified when the control fails, and who is responsible for remediation when a gap is found. A rule with no owner is a rule in a policy document that no one is responsible for. It may have been followed once. It is not being governed.

Is it free of conflicts with other rules the company has adopted? A retention rule that requires seven-year retention conflicts with a deletion obligation in a privacy policy that requires deletion on request within thirty days. Until that conflict is resolved, neither rule can be fully governed — following one means violating the other. Conflict identification is part of the governability check, not a separate exercise.

Is it checkable in a system, and can evidence be collected? The evidence function is what makes governance real rather than asserted. If a rule cannot be verified by an independent check against the systems where the rule applies, the company can only attest to following it — it cannot prove it. The governability question includes whether the verification mechanism exists or can be built. A rule that applies to Salesforce data can be checked in Salesforce. A rule that applies to employee conduct in verbal conversations requires a different verification approach, and the governability assessment should be honest about how robust that approach can be.
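To make the structural test concrete, here is an added example (not the author's or Bylaw Evidence's code) that encodes the retention rule quoted earlier as an observable check, runs it against a constructed extract of records, and produces one evidence entry. It also shows how an interpretive rule ("appropriate oversight is applied to AI outputs") fails the same test until a translation step supplies a checkpoint. The system name, role titles and records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

RETENTION_YEARS = 7  # the period stated in the retention rule above


@dataclass
class Record:
    record_id: str
    system: str             # primary system holding the record (constructed name)
    classification: str     # category under a hypothetical data classification policy
    last_transaction: date
    deleted: bool = False   # True once purged from this primary system


Check = Callable[[list[Record], date], list[str]]


@dataclass
class Rule:
    name: str
    owner: Optional[str]            # accountable person; None means unowned
    evidence_source: Optional[str]  # where an independent check can run; None means unknown
    check: Optional[Check]          # observable predicate; None means interpretation is still needed


def governability_gaps(rule: Rule) -> list[str]:
    """Structural test from the section above: owned, checkable in a system, measurable."""
    gaps = []
    if not rule.owner:
        gaps.append("no owner")
    if not rule.evidence_source:
        gaps.append("no evidence source")
    if rule.check is None:
        gaps.append("not measurable without a translation step")
    return gaps


def retention_deadline(last_transaction: date) -> date:
    """Seven calendar years after the last transaction (29 Feb rolls to 28 Feb)."""
    try:
        return last_transaction.replace(year=last_transaction.year + RETENTION_YEARS)
    except ValueError:
        return last_transaction.replace(year=last_transaction.year + RETENTION_YEARS, day=28)


def retention_violations(records: list[Record], as_of: date) -> list[str]:
    """IDs of personal-data records still present in a primary system past the deadline."""
    return sorted(
        r.record_id for r in records
        if r.classification == "personal"
        and not r.deleted
        and as_of > retention_deadline(r.last_transaction)
    )


def run_check(rule: Rule, records: list[Record], as_of: date) -> dict:
    """Produce one evidence entry: who owns the rule, what was checked, what failed."""
    gaps = governability_gaps(rule)
    entry = {"rule": rule.name, "owner": rule.owner, "source": rule.evidence_source,
             "as_of": as_of.isoformat(), "gaps": gaps}
    if gaps:
        entry["result"] = "not governable"   # can be attested, cannot be proven
        return entry
    violations = rule.check(records, as_of)
    entry.update(records_checked=len(records), violations=violations,
                 result="pass" if not violations else "fail")
    return entry


RETENTION_RULE = Rule(name="customer personal data retained no longer than 7 years",
                      owner="Data Protection Lead (hypothetical role)",
                      evidence_source="crm (constructed system name)",
                      check=retention_violations)

# Interpretive wording from the section above: owned, but not yet translated into a checkpoint.
OVERSIGHT_RULE = Rule(name="appropriate oversight is applied to AI outputs",
                      owner="Head of Engineering (hypothetical role)",
                      evidence_source=None, check=None)

# Constructed sample extract from a primary system.
SAMPLE_RECORDS = [
    Record("r1", "crm", "personal", date(2015, 3, 1)),          # overdue, still present
    Record("r2", "crm", "personal", date(2019, 1, 15)),         # within the period
    Record("r3", "crm", "internal", date(2010, 6, 30)),         # out of scope
    Record("r4", "crm", "personal", date(2012, 2, 29), True),   # overdue but already deleted
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    print(run_check(RETENTION_RULE, SAMPLE_RECORDS, AS_OF))
    print(run_check(OVERSIGHT_RULE, SAMPLE_RECORDS, AS_OF))
```

The point of the entry shape is that an auditor can read owner, source, date and failing IDs off a single line; the oversight rule produces no such line until someone defines what "appropriate" means in observable terms.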

02 / Question two: is it wise?

Wisdom is a judgment question. It asks: is this the right rule for this company, this industry, this risk, and this moment? Governability tells you whether the rule can be run. Wisdom tells you whether it should be run. These are entirely different questions, and confusing them is one of the most reliable paths to a governance programme that is technically operational but substantively wrong.

Take a data retention rule. A rule requiring seven-year retention of all customer records may be governable — it is clear, measurable, owned, and checkable. But whether seven years is the right period requires judgment about the regulatory environment the company operates in, the categories of data involved, the company's industry, the risks of retaining data too long versus too short, and the practical implications for the systems that would need to enforce it. A healthcare company is operating under HIPAA retention obligations. A financial services firm has SEC or FINRA-specific requirements. A SaaS company serving EU customers has GDPR data minimisation obligations that push in the opposite direction from retention. Getting the period right requires someone who understands these constraints and can apply them to the company's specific situation.

An AI use rule presents the wisdom question even more sharply. A rule that says "employees may use approved AI tools to assist with internal tasks, provided no customer personal data is processed by an unapproved AI system" is governable — you can check the AI tool register, verify which tools are approved, and verify that data handling configurations match the rule. But whether that rule is the right rule requires judgment about the company's current AI tool landscape, the nature of the customer data it holds, the risk of data leakage through AI systems, the regulatory environment around AI data processing, and the practical tradeoffs between security and productivity that the company is prepared to make. That judgment belongs to people who know those things — not to a checklist, not to a framework document, and not to a governance platform.

A checklist can tell you whether a rule is being followed. It cannot tell you whether the rule is right. Wisdom requires people who understand the domain. Governance requires both.

The wisdom question is also the question that most governance consultants are actually hired to answer. And answering it is genuinely valuable. The problem is when the wisdom answer is the only output — when a consultancy produces a set of recommended policies that are well-designed in principle but have no implementation path, no verification mechanism, and no owner. The company has received judgment without governability. The rules exist in the deliverable. They do not exist in the company's operating practice. Six months later, the policies are in a folder, and nobody is running them.

03 / Question three: who decides?

Authority is a sovereignty question. It asks: has the company — the actual company, through the people with authority to bind it — formally adopted this rule and accepted being held to it? This is not about ratification in a ceremonial sense. It is about whether there is a clear, documented act of adoption by an authorised decision-maker that makes the rule real as a company obligation.

Rules that nobody had authority to set are not rules the company can be held to, and they are not rules the company can use as a basis for its own governance. If the Head of Engineering adopts an AI use policy without involving Legal, HR, or the executive team, the policy may be technically valid as an engineering team guideline. It is not a company policy. It has not been adopted by anyone with authority to bind the company to it. When a customer asks in a security questionnaire whether the company has an AI use policy, and the company answers yes, and the answer is based on the engineering team's internal guidelines — the gap between what was said and what is real is a governance problem, not just an administrative one.

The authority question also applies to changes. A rule that was validly adopted can be invalidated by a change made outside the authority structure. If the legal team updates the retention policy without the required approval from the General Counsel, the updated policy is not valid. If a manager changes an expense approval threshold informally — "we're going to treat anything under $2,000 as pre-approved for now" — without a formal policy change, the operational practice has diverged from the governing rule. These gaps are exactly what surfaces in audits, in diligence, and in disputes about what the company's actual rules are.

The authority question is the one that governance tools are worst at substituting for. A platform that routes a policy change through a workflow and creates a record of who clicked "approve" does not resolve the authority question if the person who clicked "approve" was not the person with authority to approve it. The record proves that the process was followed. It does not prove that the right person completed it. Establishing who has authority in the first place — and making that assignment visible and verifiable — is human governance work. The system records it and enforces it. People define it.

04 / What happens when you mix them up

Each of the three governance failure patterns that most companies recognise corresponds to a specific confusion between these three questions.

The tool that claims to answer wisdom. A compliance platform that scores a company's governance posture against a framework checklist is answering the governability question — it is checking whether controls are in place — but the score it produces is often understood as an answer to the wisdom question: "our score is 87%, so our governance is good." Whether the controls being checked are the right controls for the company's actual risk profile is a separate question that the score does not answer. A company with strong controls around the wrong risks has high governability and poor wisdom, and the score will not reveal the gap.

The consultant who answers wisdom but leaves nothing governable. A policy delivered in a slide deck or a Word document has answered the wisdom question — here is what the rules should be. But if the policy has no owner, no verification mechanism, no evidence programme, and no integration into the company's actual systems, it is not governable. The wisdom was sound. The governance is absent. This is the outcome of most compliance engagements that produce policy deliverables without an implementation plan attached to them.

The company that adopts rules nobody had authority to set. This is the authority gap — the governance failure that is least visible until it becomes most consequential. Rules adopted without clear authority look like governance. They may even be well-designed and governable in principle. But when an auditor, a regulator, or a counterparty in a deal asks who adopted the rule and what the basis for that authority was, the answer has to be credible. A company that cannot point to a clear act of adoption by an authorised decision-maker is in a weaker position than one that can, regardless of how well the rule is written.

05 / Asking all three, in order, every time

The discipline is the sequence. Governability first — can this rule be run as an operating control? Wisdom second — is this the right rule for our situation? Authority third — has the company formally adopted this rule through a person with authority to bind it? The sequence matters because the questions are genuinely interdependent.

You cannot answer the wisdom question well without first understanding whether the rule you are evaluating is governable. A wise rule that cannot be verified in practice is an aspiration, not a rule. You cannot answer the authority question without first having a clear, specific rule to adopt — the kind of clarity that the governability question forces. An authority cannot meaningfully adopt a vague rule because there is nothing precise enough to be adopted. And no amount of governability infrastructure or wisdom in the rule's design substitutes for the act of authority that makes it a company obligation.

Asking all three questions on every rule is not a bureaucratic exercise. It is the discipline that separates a company that is governed from one that has governance documentation. The distinction is real. A company with governance documentation has a folder of policies that were written at some point, reviewed at some point, and distributed to some group of people. A company that is governed has rules that are clear and verifiable, right for its situation and moment, adopted by the people with authority to adopt them, and held to by an evidence programme that proves compliance is not merely asserted.

The discipline is also repeatable. It does not require a large compliance team, an enterprise governance platform, or a CGO on the org chart. It requires a method: every rule gets asked the same three questions, in the same order, by someone with the mandate to route the answers to the right people and record the results. A company that builds that method and runs it consistently — on the dozen rules that actually govern its most significant risks — is governed in a way that holds up. The method does not require an enterprise budget. It requires discipline applied to the right questions.

Evidence note · three-question rule assessment

Data retention rule: governable (owner assigned, system-checkable, evidence programme active); wisdom reviewed against applicable regulatory obligations; adopted by General Counsel. Question 1: governable · question 2: reviewed · question 3: authority confirmed · A83C…

AI use policy: governable (tool register active, configurations verifiable); wisdom reviewed against EU AI Act scope assessment; adopted by executive team. Question 1: governable · question 2: reviewed · question 3: authority confirmed · D47B…

Expense approval rule: governable (thresholds defined, system-enforced in ERP); wisdom reviewed against current operating budget and delegation of authority matrix; adopted by CFO. Question 1: governable · question 2: reviewed · question 3: authority confirmed · F19E…


Brandon Junkin, Founder, Bylaw Evidence

Brandon spent years alongside hundreds of mid-market companies at GoDaddy and watched the same story on repeat: good teams unable to prove the good work they did, governance buried under tools that demanded data and returned screenshots. He founded Bylaw Evidence to be the guide those teams were missing — someone who maps the rules, keeps the record, and has the answer ready when the auditor asks. BA in Philosophy of Law, Politics and Ethics, Arizona State University; ARM candidate.