Governance is either the thing your organisation treats as table stakes or the thing it resents. In the mid-market, it is almost always the second. The usual reason is that governance has been specified as though the firm were a trillion-dollar bank — three committees, a policy catalogue, a fourteen-role accountability model — and no part of it survives first contact with operations.
This article is the ninety-day governance framework we use on engagements between discovery and delivery. It is deliberately small. It does the minimum you need to pass an audit, satisfy a regulator, and not stop the business. It is the floor, not the ceiling.
Days 1–30: decide what governance is for
Name the regulators
Every governance framework begins with the regulators, real and potential. ICO, PRA, FCA, FRC, RSH, Ofwat — each has different expectations. Write down which apply, which supervisory letters you have received, and what a bad day looks like. Governance design should be downstream of this list.
Pick three decisions the framework must support
Not twenty. Three. On a recent engagement: "we can answer a DSAR in twenty working days", "we can evidence the lineage of any figure on the annual accounts", "we can stop an AI model going to production without change control." Every policy in the framework must support at least one of the three. Policies that support none are dropped. Policies that duplicate are merged.
Appoint three owners
Data Protection Officer, Chief Data Officer (or equivalent), and AI Risk Owner. One person can hold two of these; no one person should hold all three. Publish the list.
Days 31–60: write less than you think
The policy stack
We aim for a five-policy stack, totalling under 35 pages:
- Data Classification Policy — how you label sensitivity.
- Data Retention Policy — how long you keep things, per class.
- Access Control Policy — who can see what, and how access is reviewed.
- Change Management Policy — how production data and models change.
- AI Risk Policy — how new AI use cases are approved.
If your auditor needs more than this, write more. If they do not, do not.
One register, not five
A single register covers data assets, data products, AI use cases, and third parties. Not four registers that disagree. The register has a named owner, a classification, a retention class, and a risk status. It is maintained monthly, not annually.
The control catalogue
Controls are the things that operationalise policy. A control without a named operator and a named auditor is decoration. We aim for 25–40 controls on the first pass, mapped to NIST CSF and, where applicable, ISO 27001.
Days 61–90: prove it works
Run a drill
Pretend you have had a breach, an ICO request, or a regulator visit. Walk through the response with the owners. Time it. Note where the evidence is not where it should be. Fix it. This is the most useful thing you will do in the whole programme.
Establish the cadence
Monthly governance board. Quarterly executive review. Annual external benchmark. Anything more frequent than monthly is noise; anything less frequent than annual is drift.
Publish
Intranet page. Policies linked. Register searchable. Contact for questions. If governance is invisible to staff, it is not operating.
What we explicitly do not do
- Enterprise data catalogues for 100k datasets. Start with the top 300. Extend only when the first 300 are loved.
- Fourteen-role accountability models. Most mid-market firms need four to six roles. Fourteen is a diagram, not an operating model.
- Committees that outnumber decisions. One governance board, one AI review. No more.
- Policy prose nobody reads. Every policy opens with a plain-English summary of what it means for a typical employee.
When mid-market becomes enterprise
As the organisation grows, the framework flexes. Additional domains may warrant their own stewards; the register may need tooling (we have had good experiences with Purview, Collibra and Alation at different scales); the AI policy may acquire technical appendices on model evaluation. These are extensions of the same bones, not replacements. If the ninety-day framework is right, every subsequent addition is a delta.