Ask most mid-market companies who has authority to change their data retention schedule, and the answer will take several emails to produce — and it may still be wrong. Ask who approved the last significant vendor relationship, and the answer is often a name attached to a vague memory of a conversation in a hallway or a thread in someone's inbox. Ask who signed off on deploying the AI feature that now processes customer records, and the honest answer is frequently that nobody formally signed off on anything. The decision happened, but the decision-making process did not.

This is not a failure of intentions. Most people at these companies are trying to make good decisions. The failure is structural. There is no map of who has authority over what. Without that map, decisions get made by whoever is in the room, escalated to whoever is most senior and available, or deferred indefinitely because nobody knows who should resolve the question. The result is a company that makes decisions constantly but cannot reconstruct them — and cannot prove, when asked, that the right person made the right call.

The accountability map is the solution to this problem. Not as a theory but as a working document: a record of who owns every rule the company operates under, who has authority to change it, what process a change requires, and where the record of that change lives. Drawing that map is one of the most valuable governance projects a mid-market company can undertake — and most have never done it.

01 / Decision rights as the spine of governance

Governance is often described in terms of policies, controls, and evidence. These are the outputs of a governance function. The input — the thing that makes any of it possible — is a clear structure of decision rights. Who is authorised to set a rule? Who is authorised to change it? Who has to be consulted? Who has to be notified? Without answers to these questions, no policy is stable, no control is reliable, and no evidence is trustworthy. You cannot verify that a company follows its rules if the question of who set the rules and who can change them is unresolved.

Decision rights are not the same as org chart authority. The CFO is not automatically authorised to change the data retention policy just because the policy touches financial records. The Head of Engineering is not automatically authorised to approve a new AI vendor just because the vendor integrates with an engineering system. Authority over a rule is a function of the rule's scope, the regulatory obligations it touches, and the governance structure the company has explicitly adopted. In a well-governed company, these authorities are documented. In most mid-market companies, they exist only as informal conventions — conventions that break down whenever a new situation arises that the convention was never designed to address.

The spine function of decision rights matters most when rules are disputed or need to change. If the sales team believes the retention policy should allow shorter data storage periods because customers are asking for it, and the legal team believes the current period is required by regulation, who resolves that dispute? If no one has authority that both teams recognise, the dispute does not get resolved — it gets managed around. The policy stays unchanged, the informal practice diverges, and the gap between what the policy says and what the company actually does grows until something makes it visible.

02 / What an accountability map looks like

An accountability map is not a complex document. At its core, it is a table: every rule the company operates under, paired with an owner, an authority, a record location, and a change process. The owner is the person accountable for the rule being current and followed. The authority is the person or body that can approve a change to the rule. The record location is where approved changes are documented. The change process describes what has to happen — who has to review, who has to approve, what notice is required — for a change to be valid.

For a data retention rule, the map entry might show: owner — Head of Legal; change authority — General Counsel or equivalent, with IT and Compliance notified; record location — policy register, version-controlled; change process — legal review, IT feasibility check, approval by authority, distribution to affected system owners. For a vendor procurement rule: owner — Head of Procurement; change authority — CFO; record location — procurement policy register; change process — security review, legal review, CFO approval. For an AI use policy: owner — CISO or equivalent; change authority — Executive team; record location — policy register; change process — cross-functional review including legal, security, and business operations, executive sign-off.

The map makes two things possible that are otherwise impossible. First, anyone in the company who needs to make or route a decision can look up who has authority. The sales leader who wants to change a data handling practice does not have to guess whose problem it is — the map tells them. Second, when a change is made, the map defines the process that makes it valid. A change that was not approved by the correct authority, or that skipped a required review step, is not a change the company can rely on. The map is what distinguishes a real rule change from a hallway conversation that someone remembers differently six months later.
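To make the map concrete, here is the three-entry map from the paragraph above encoded as data, with a check that a given change record followed the map's change process: approved by a designated authority, after every required review, and recorded where the map says. This is an added example, not the article's own material; the rule keys, role names and change-record fields are assumptions.

```python
# Added example (not from the article): the accountability map from the text
# as data, and a check that a change record satisfies the map's change process.
# Role names, rule keys and the change-record fields are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class RuleEntry:
    owner: str                  # accountable for the rule being current and followed
    authority: frozenset        # roles that may approve a change
    record_location: str        # where approved changes must be documented
    required_reviews: tuple     # review steps that must precede approval
    notify: tuple = ()          # roles to be told once a change is approved

ACCOUNTABILITY_MAP = {
    "data-retention": RuleEntry("Head of Legal", frozenset({"General Counsel"}),
                                "policy-register", ("legal", "it-feasibility"),
                                ("IT", "Compliance")),
    "vendor-procurement": RuleEntry("Head of Procurement", frozenset({"CFO"}),
                                    "procurement-policy-register", ("security", "legal")),
    "ai-use": RuleEntry("CISO", frozenset({"Executive team"}), "policy-register",
                        ("legal", "security", "business-operations")),
}

def validate_change(change: dict) -> list:
    """Return audit findings for one change record; an empty list means the
    change was approved by a designated authority, after every required
    review, and recorded where the map says it must be."""
    entry = ACCOUNTABILITY_MAP.get(change.get("rule"))
    if entry is None:
        return [f"rule '{change.get('rule')}' has no map entry: no owner, no authority"]
    findings = []
    approver = change.get("approved_by_role")
    if approver not in entry.authority:
        findings.append(f"approved by '{approver}', who is not a designated authority")
    done = set(change.get("reviews", ()))
    findings += [f"missing required review: {step}"
                 for step in entry.required_reviews if step not in done]
    if change.get("recorded_in") != entry.record_location:
        findings.append(f"recorded in '{change.get('recorded_in')}', "
                        f"expected '{entry.record_location}'")
    return findings

# Constructed sample: a retention change approved by the wrong role, with the
# IT feasibility check skipped and the approval noted only in an inbox.
SAMPLE_CHANGE = {"rule": "data-retention", "approved_by_role": "CFO",
                 "reviews": ["legal"], "recorded_in": "inbox"}

if __name__ == "__main__":
    for finding in validate_change(SAMPLE_CHANGE):
        print("FINDING:", finding)
```

Each finding corresponds to one of the failure modes the article names: wrong approver, skipped review step, or a record that lives somewhere the company cannot later produce.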

03 / What "who decides" failures actually cost

The cost of unclear decision rights is distributed and often invisible until a specific event makes it concrete. Deals stall in enterprise procurement because the vendor cannot answer questions about its own governance structure. The procurement team asks who approved the data processing agreement terms, and the vendor's response takes two weeks and involves three people who give slightly different answers. The deal does not die, but it slows — and in a competitive evaluation, slow is costly.

Auditors treat undocumented decisions as missing controls. A SOC 2 auditor examining change management controls needs to see that changes were approved by an authorised person using a defined process. If the change management policy describes an approval process but the audit trail shows decisions made by people who were not designated as authorities, or decisions made without the required review steps, the auditor has a finding. The finding may be manageable, but it requires remediation work and creates a record that the control was not operating as described. That record follows the company into future audits and customer security reviews.

M&A diligence prices in the chaos. Acquirers assessing a company's governance posture look at whether the company can demonstrate that significant decisions were made by the right people through a defined process. A company that cannot reconstruct its own decision history — where authority was unclear, where approvals are missing, where the record of what was decided and why lives in someone's inbox — presents as a higher governance risk. That risk gets reflected in deal terms: more representations and warranties, more conditions, more post-close obligations, or a valuation that discounts for the uncertainty the diligence team could not resolve.

A company that cannot tell you who approved a rule cannot tell you whether the rule is valid. Accountability gaps do not stay invisible — they surface in audits, in deals, and in the disputes that follow incidents.

04 / Decision routing in practice

A working accountability map does not just describe authority — it enables routing. When a question arises that requires a governance decision, the routing process is: identify which rule the question touches, look up who has authority over that rule, prepare the question in a form that gives the authority what they need to decide, route it to them, and record the decision.

The preparation step is often skipped, and skipping it is what makes governance decisions slow and inconsistent. An authority presented with a raw question — "should we change the retention period on Salesforce customer records?" — has to gather context before they can decide anything. Which records are affected? What does the current policy say and why? What are the regulatory constraints? What are the technical implications? What are the business reasons for the request? Without that context, the decision either gets deferred while the authority gathers the information themselves, or it gets made on insufficient information and has to be revisited.

A structured brief changes this. The brief identifies the rule in question, summarises what it currently says and why, describes what is being requested and by whom, lists the dependencies the rule touches, summarises the relevant regulatory constraints, and presents the decision clearly: do we change the rule, keep it as written, or defer pending further information? The authority reads the brief, applies judgment, decides, and the decision is recorded. That sequence — structured brief, judgment applied, decision recorded — is what decision routing looks like when it is working.

The record is the non-negotiable element. An organisation that makes good decisions but does not record them cannot prove it made them. The evidence that a decision was made by the right person, at the right time, with the relevant information in hand, is what separates a governed decision from an undocumented one. In an audit, in a dispute, in a deal, in a regulatory inquiry, the record is what you have.

05 / The honest split: what systems do and what people do

There is a temptation, when building governance infrastructure, to treat the system as the decision-maker. If the system flags that a rule is due for review, and the owner acknowledges the flag, and the change goes through a defined workflow, and the record is created automatically — does that mean the decision was made correctly? Only partly. The system can verify that the process was followed. It can prove that the decision was made by an authorised person at a specific time with a specific record attached. It cannot make the judgment call that is the actual substance of the decision.

Whether a retention period is appropriate for the company's current regulatory environment is a judgment question. Whether a vendor meets the company's security requirements is a judgment question. Whether an AI use policy adequately covers the risks the company's AI features create is a judgment question. These require people who understand the domain — the regulatory landscape, the technical environment, the company's risk appetite, the business context. A system that records the decision cannot substitute for the judgment that makes the decision right.

This distinction matters because governance tools that promise to automate decisions are promising something they cannot deliver. What they can deliver — and what is genuinely valuable — is automation of the process that surrounds the decision: surfacing the question at the right time, providing the relevant context, routing to the right authority, and recording the outcome. The judgment in the middle is human. Always. The governance function's job is to ensure that the right human is making each judgment, with the right information, and that the result is recorded in a form that holds up.

06 / Starting the map

Most mid-market companies that draw an accountability map for the first time discover that it is shorter than they expected and more revealing than they anticipated. Short, because the number of rules that a $30 million or $50 million company genuinely operates under — the rules it has actually adopted and could be held to — is manageable. Revealing, because the exercise of assigning an owner and an authority to each rule exposes, immediately, the rules that have no owner, the authorities that have never been formally designated, and the decisions that have been made by convention rather than by anyone with actual authority to make them.

The map is not a governance programme by itself. It is the foundation that makes a governance programme possible. Without knowing who owns each rule and who can change it, the evidence programme has no stable reference point — it is verifying controls against rules that might have changed by informal agreement without anyone updating the record. Without knowing who has authority, the decision routing function has nowhere to route. Without the map, governance is a series of independent efforts that share a general orientation but do not connect into a structure that holds.

Drawing the map is the kind of work that a small team with the right method can complete in weeks, not months. The output is a working document, not a presentation. It belongs in the same place as the policies it governs — version-controlled, owned, on a review schedule. And it is the single most clarifying governance project most mid-market companies have never done.


Brandon Junkin, Founder, Bylaw Evidence

Brandon spent years alongside hundreds of mid-market companies at GoDaddy and watched the same story on repeat: good teams unable to prove the good work they did, governance buried under tools that demanded data and returned screenshots. He founded Bylaw Evidence to be the guide those teams were missing — someone who maps the rules, keeps the record, and has the answer ready when the auditor asks. BA in Philosophy of Law, Politics and Ethics, Arizona State University; ARM candidate.