When the regulator moves, your governance framework either flexes or it doesn't

ASIC dropped Report 833 and if you work in platform land, your life just got busier.

Here's the thing I keep coming back to though. When something like this lands, the size of the job in front of you has very little to do with the report itself. It has almost everything to do with the product governance framework you (probably) built years ago.

If your framework is robust and properly thought through, this is a comb over the top. You map the new expectations against what you've already got, find the gaps and uplift. A few weeks of focused work, not a crisis.

If your framework was rushed once and then bolted onto, and bolted onto again every time something new came along, it's a very different story. Now you're trying to retro-fit clarity into something that was never coherent to begin with. That can eat the better part of a year and it's miserable for everyone involved. I've watched it happen.

So, what does "built to flex" actually look like?

In my experience it comes down to a few unglamorous things.

You know who owns what. Roles and responsibilities are clear and written down, not assumed. ASIC has been banging on about this for years and FAR has only sharpened it.

You have standards, not just policies - this is the one that gets people. If there's no clear line written down, every situation becomes an exception and once everything's an exception, it's almost impossible for any individual product manager or BDM to say no to an adviser, because there's always a reasonable explanation in the moment. The trouble is that "it was fine, the client had a complicated situation" reads very differently when it turns up on Four Corners.

Ideally, you build for the exceptions on purpose. A good framework handles the 95% with standard processes, then says clearly who can sign off the other 5% and makes them document why, in an easy-to-find register that can be accessed later when needed. Keep the specifics, the actual caps and thresholds, in a supporting document that sits alongside the framework, so you can review them as expectations shift without reopening the whole thing.

None of this is about doing more governance. More governance is usually what you reach for when the framework underneath isn't working, and it doesn't fix the problem. The real question is whether what you've already got is designed to move when the ground does.

If you're not completely sure which kind of framework you're sitting on, that's worth knowing before ASIC tells you.

We do a short product governance health check at Mayflower: a proper look over your framework and a set of recommendations you can act on.

Happy to have a chat if it's useful.