David Kelleher

Jul 24, 2025

Governance matters, and how!

DIONE VELLA, Chief Service Excellence & Compliance Officer at BMIT, talks governance and why it is so much more than a box-ticking exercise.

Let’s talk about governance. It’s not always the most exciting topic, but it’s absolutely vital for any business, wouldn’t you agree?

Absolutely, and I get it. Governance doesn’t exactly spark excitement at first. But when you think about it, governance is like the backbone of a business. It’s what keeps things running smoothly, ensures everyone’s pulling in the same direction, and protects the organisation from unnecessary risks. Unfortunately, governance has more often than not been treated as a burden and a box-ticking exercise for compliance audits. That image persists but it is slowly changing. Today, governance should not add red tape but create clarity and structure.

Many companies see governance as tedious or even a waste of time, even money. Why is that?

You’re right, and that’s a common complaint. I think it’s often because governance is seen as this big, complex thing that doesn’t have an immediate payoff. It can feel like a mountain of paperwork or dozens of rules that slow things down.

But a lot of that comes down to how governance is introduced. If you ask someone to read a 50-page policy document without explaining how it helps, of course, they’ll feel frustrated. Perception matters too. As I said, governance is often seen as a ‘tick-the-box for compliance’ rather than something that actively supports the business. As practitioners, we may need to change our approach and how we position governance within a business. That said, I admit, few enjoy reading through multiple policies to satisfy an audit requirement, but it is crucial that all staff know what these documents are about.

You mentioned policies. For those who might not fully understand, how do policies, standards, and procedures fit into this picture?

Think of it like this: policies are the “why”, standards are the “what”, and procedures are the “how”. For example, if you’re running an IT department, a policy might be “We prioritise data security.” The standard could be “All employees must use multi-factor authentication”. And the procedure would be the step-by-step guide on how to set it up.

Without these, people are left guessing. They don’t know what’s expected or how to go about things. And that’s where inefficiencies, mistakes, or even compliance issues creep in.

So how do you show companies that governance is actually a good thing?

It starts with communication. You need to connect the dots for people. For instance, let’s say a business introduces a policy requiring regular software updates. On the surface, that might seem like extra work for the IT team. But when you show them how it reduces the risk of cyberattacks, suddenly it makes sense.

You also need to make governance practical. Don’t overcomplicate things. Use clear, concise language and focus on what’s relevant to your business goals. And when a policy helps to prevent loss of data or a security breach, inform the company. Make some noise. A win for governance is a win for everyone in the company.

You said that perceptions are changing, albeit slowly. How are regulations reshaping the world of governance and leading to more ‘enforcement’ compliance?

Regulations in the EU are driving major changes in how companies approach governance by embedding compliance directly into their strategic and operational frameworks.

From the General Data Protection Regulation (GDPR) in 2018 to the Network and Information Security (NIS) 2 Directive in October 2024 and the Digital Operational Resilience Act (DORA) in January 2025, the EU has increased its efforts to protect its citizens, businesses and critical infrastructure by ensuring that governance extends into the technical and operational domains.

Yes, these regulations are required for enforcement and substantial fines can be imposed but what they are really achieving is so much more. They are reshaping corporate governance to prioritise transparency, sustainability, and resilience. Companies aren’t just being told what to do; they’re being shown how these practices benefit their long-term performance and reputation. By mandating these measures, the EU is creating a level playing field while promoting better governance across all industries.

Ultimately, this regulatory landscape is forcing businesses to make governance a key part of their operations to build trust with customers, partners, and investors.

What happens to companies that ignore governance?

Well, the short answer is: they learn the hard way. Take cybersecurity again as an example. If you don’t have proper policies around password management, it’s only a matter of time before someone uses “123456” and your business becomes a target for hackers. Things get worse if data was exfiltrated, especially customer data. No business wants to pay substantial fines when in most cases it could have been avoided if good governance was in place.

Beyond security, poor governance can lead to inefficiencies, missed opportunities, and even legal trouble. A lack of clear decision-making processes can slow a company down when it needs to act quickly, like during a crisis or market change.

What advice would you give to companies looking to improve their governance?

Start small and keep it practical. Don’t try to reinvent the wheel overnight. Focus on the areas where you’re most at risk or where small changes can make a big impact.

And involve your teams. Ask for their input when developing policies. They’re the ones who’ll be using them day-to-day. Finally, don’t forget to review and update regularly. The business world moves fast, and your governance framework needs to keep up.

I also recommend talking to a governance expert if the business doesn’t have the resources or expertise to create and manage a governance strategy.

It’s not that intimidating after all – if done right.

Governance might not be the flashiest topic, but it’s one of the most important investments a business can make. And once you see the benefits, it’s hard to imagine running without it.

BMIT provides comprehensive governance, risk and compliance services for businesses. From policy development, to security awareness training, to guidance on the latest regulations, BMIT can help. Talk to one of our GRC experts to learn more.
