How decision rights and accountability fit together

TL;DR

Decision rights define who can say yes or no to a given business decision. Accountability defines who has to answer for the outcome and demonstrate reasonable conduct. For UK services firms, the ICO, FCA, and NCSC each expect both to be explicit and documented. Assigning accountability without the matching decision authority creates hollow governance that breaks down the first time a founder overrides a team decision.

Key takeaways

- Decision rights define who has standing authority to make a specific category of decision in the business. Accountability defines who must answer for the outcome and can demonstrate they acted reasonably. The two are related but distinct.
- Naming someone as accountable without giving them genuine decision authority is hollow governance. It creates the appearance of delegation without the substance, and breaks down the first time a founder overrides a team member's call.
- The ICO's accountability framework requires UK firms to assign senior responsibility for data protection and document how decisions are made. The FCA's Senior Managers and Certification Regime requires named individuals with statements of responsibilities and a statutory duty to act on them.
- AI tool adoption brings this into focus for firms with no prior regulatory exposure. The UK government's framework for automated decision-making recommends a named senior responsible owner for any system that supports significant decisions.
- A practical starting point: list 15 to 20 recurring decisions, name one accountable role per decision, set a threshold for escalation, and write it on a single page. Regulated firms should keep brief decision records to satisfy the standard UK regulators increasingly expect.

A founder I spoke with recently had done the right thing on paper. They had named their operations manager as the person accountable for GDPR compliance, written it in the handbook, and told the team. Then a major client asked the firm to share a dataset that almost certainly included personal data it had not been authorised to transfer. The operations manager said no. The founder, not wanting to lose the contract, said yes. The accountability statement became meaningless in about forty seconds.

The decision right had never moved.

What are decision rights and accountability?

Decision rights and accountability are two distinct governance concepts that work as a pair. Decision rights define who has the authority to make a specific category of decision: pricing, contracts, AI tool adoption. Accountability defines who has to answer for the result and demonstrate they acted reasonably. Keeping these two concepts clearly separate is what makes delegation actually stick in a small firm.

Consultancies such as Burnie Group describe decision rights using frameworks like RACI (Responsible, Accountable, Consulted, Informed), which clarify who holds standing authority for each significant call and who needs to be looped in. The UK Information Commissioner’s Office offers the clearest definition of accountability for a domestic audience: the need to demonstrate compliance with data protection law, not just comply in theory.

That demonstration piece is the part founders tend to underestimate. Accountability is a paper trail as much as a mindset. You need to be able to show, if asked, how a decision was made, by whom, and on what basis.

For a 5 to 50 person services firm, the practical version looks like this:

  • Decision rights: who can say yes or no to a given category of choice, covering discounts, new hires, client onboarding, data governance, and AI tool use.
  • Accountability: who can produce the reasoning, records, or documentation if a client or regulator later asks why a decision went the way it did.

One without the other creates problems. Accountability without authority produces a team member who is answerable in theory but cannot act without the founder’s sign-off. Authority without accountability produces drift, where people make consequential calls with no obligation to document or answer for them.

Why does the pairing matter for your business?

The pairing matters because you can appoint accountability without giving someone the authority to act. In founder-led firms, this is the typical failure: the team member is answerable in theory but overruled in practice. The FCA built its Senior Managers and Certification Regime precisely to close this gap, requiring named individuals to hold both the responsibility and the genuine authority to discharge it.

Financial services firms regulated by the FCA have worked through this since SM&CR was extended to all FCA-regulated firms in 2019. Under the regime, each prescribed senior management function must be mapped to a named individual who takes on a statutory duty of responsibility under the Bank of England and Financial Services Act 2016. Industry interviews published by Oxford Law Blogs in 2024 found that the regime led to more conscientious decision-making and clearer documentation of processes. The researchers noted this happened not primarily through fear of enforcement, but because people finally understood what they were genuinely responsible for.

You do not need to be regulated to learn from this. The same logic applies at the owner-managed level. If you name someone as accountable for a business area but continue to override their decisions, you have created accountability in name only. The result is a team member who cannot act with confidence and a founder who has built the appearance of delegation without the substance.

Where will you actually encounter this in a UK services firm?

For a UK services firm of 5 to 50 people, you will encounter this most sharply in three areas: data protection under UK GDPR, regulated activities covered by the FCA or SRA, and decisions about AI tools that touch client information. Each of these areas has a regulator that will ask you to name a person who is both authorised to act and answerable for the outcome.

Under UK GDPR, the ICO’s accountability framework expects organisations to assign senior responsibility for data protection, document how decisions are made, and embed governance into everyday processes. That means someone in your firm must be able to show which decisions they own, how they made them, and what records they kept.

For FCA-regulated firms, SM&CR formalises this through statements of responsibilities and a responsibilities map. For solicitors’ practices, the SRA applies a risk-based approach that expects authorised decision-makers under a published schedule of delegation. That is, at its core, a decision rights map with accountability attached.

AI adoption is bringing this into focus for firms that had no prior regulatory exposure. The UK government’s Ethics, Transparency and Accountability Framework for Automated Decision-Making recommends that any organisation using AI to support decisions identifies a senior responsible owner, assesses impacts and risks, and ensures appropriate human oversight is in place. The NCSC’s guidance for boards reinforces the same point for cyber risk: the board should own it, which means knowing who makes security decisions and who answers for them.

For firms serving clients in the EU, the AI Act adds a further layer. High-risk AI systems require defined accountability, risk management documentation, and human oversight. Even for lower-risk use cases, the direction of travel is clear: regulators across the UK and Europe expect someone to be explicitly responsible and able to produce evidence of it.

When does this need to be formal, and when can you keep it light?

The level of formality you need depends on what you do and the size of the decisions at stake. If your firm is FCA-regulated, formally documented statements of responsibility are not optional. If you run a 10-person consulting firm with no direct regulatory obligations, a one-page decision table and a clear conversation with your team is usually enough to get the benefit without the bureaucratic overhead.

Research on SM&CR surfaces a useful caution: increased documentation can create administrative burden without improving culture if it is disconnected from how people actually work. For small teams, over-engineering a governance structure produces documents nobody reads and a founder who ends up overriding them anyway.

A lighter approach that still delivers the benefits: list 15 to 20 recurring, significant decisions across pricing, contracts, staff, data, and technology. Name one role as accountable for each. Set a clear threshold above which the decision escalates to the founder. Write it on a single page and share it with the team. This gives your people clarity, gives you confidence that outcomes can be traced, and satisfies the basic standard the ICO expects.

Where the stakes are higher, or where a regulator will inspect your governance arrangements, you need more: brief notes on how high-risk decisions were made, records of who approved new suppliers or AI tools, and a culture where significant calls are documented at the moment they are made. This does not mean committees and approval chains. It means brief, consistent record-keeping at the decisions that matter.

What should you read alongside this?

Decision rights and accountability do not sit in isolation. They work best when paired with a decision rights framework that maps the full picture across your firm (a companion post on this site covers what a decision rights framework is and how to build one for a small business), clear role descriptions, and a documentation habit that lets your team demonstrate their reasoning when a client or regulator asks.

A RACI matrix is a useful complement: it clarifies who is Responsible, Accountable, Consulted, and Informed on specific tasks and projects. The decision rights framework handles who has standing authority for recurring decisions; RACI handles how those decisions get executed day to day.

One question worth putting to your leadership group: can each person in a senior role clearly name which decisions they own, and what they would do if they were uncertain? If the honest answer is that they would ask the founder, the structure is not yet working. A half-day spent building a decision rights and accountability map with your senior team is often the most practical starting point. The ICO’s accountability guidance and the FCA’s statements-of-responsibility approach both give you a clear template to adapt, even if you are not directly regulated by either body.

Sources

- ICO (accessed 2026). Guide to accountability and governance (UK GDPR). Defines the accountability principle and the requirement for organisations to demonstrate compliance via documented policies and governance measures. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/
- FCA (2019). PS18/14: Senior Managers and Certification Regime for FCA solo-regulated firms. Sets out how SM&CR requires named senior managers with statements of responsibilities and a statutory duty of responsibility. https://www.fca.org.uk/publication/policy/ps18-14.pdf
- FCA (2021). Speech: The expanding scope of individual accountability for corporate misconduct. Explains how SM&CR maps authority to accountability for named individuals, creating a duty to take reasonable steps to prevent regulatory breaches. https://www.fca.org.uk/news/speeches/expanding-scope-individual-accountability-corporate-misconduct
- Oxford Law Blogs (2024). Accountability in UK Financial Services: Industry perceptions of the success of the Senior Managers and Certification Regime. Industry interviews finding SM&CR produced more conscientious decision-making and clearer governance documentation. https://blogs.law.ox.ac.uk/oblb/blog-post/2024/12/accountability-uk-financial-services-industry-perceptions-success-senior
- UK Government (2021). Ethics, Transparency and Accountability Framework for Automated Decision-Making. Recommends senior responsible owners, documented design decisions, and human oversight for AI-assisted decision-making. https://www.gov.uk/government/publications/ethics-transparency-and-accountability-framework-for-automated-decision-making
- EUR-Lex (2024). Regulation (EU) on Artificial Intelligence (AI Act). Requires providers and deployers of high-risk AI systems to implement risk management, human oversight, and logging to demonstrate accountability. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0206
- NCSC (accessed 2026). Board Toolkit: Introduction to cyber security for boards. Argues that cyber risk is a board-level responsibility requiring named owners for security decisions, and that boards must assign clear decision rights for incident response. https://www.ncsc.gov.uk/collection/board-toolkit
- SRA (accessed 2026). How we make decisions and the criteria we apply. Illustrates how a professional regulator expects authorised decision-makers under a published schedule of delegation, a practical example of decision rights in a regulated services context. https://www.sra.org.uk/solicitors/guidance/make-decisions-criteria-apply/
- Burnie Group (accessed 2026). Role Accountability and Decision Rights. Describes how RACI and related frameworks clarify who holds standing authority for each significant decision and the roles of other stakeholders. https://burniegroup.com/capabilities/role-accountability-decision-rights/

Frequently asked questions

What is the difference between decision rights and accountability?

Decision rights define which person has the standing authority to say yes or no to a category of decision, whether that is approving a discount, onboarding a supplier, or signing a contract. Accountability defines who must answer for the outcome of that decision and can show, if asked, that they acted reasonably and followed a reasonable process. Assigning accountability to a person who lacks the matching decision authority creates hollow governance.

Does my firm need to document decision rights and accountability formally?

That depends on what you do. Firms regulated by the FCA must maintain formal statements of responsibilities under the Senior Managers and Certification Regime. Organisations handling personal data are expected by the ICO to assign senior responsibility and document governance decisions. If your firm has no direct regulatory exposure, a one-page decision table and a clear escalation threshold per role typically delivers the core benefit without a formal governance structure.

What happens if I adopt AI tools without clarifying decision rights and accountability?

If your firm uses AI tools that process client data without naming who authorised that use and who is accountable for the outcomes, you face real regulatory risk. The ICO expects controllers to demonstrate accountability for how personal data is handled. The NCSC states that firms remain responsible for data shared with third-party AI services. A clear record of who approved which tool, with what data, covers both.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
