Here's what nobody tells you about distributed accountability: it's not about spreading the work around. It's about making sure the work survives the person doing it.
The Problem With Concentrated Ownership
Governance teams in most financial institutions are small. Ten people, maybe fifteen, responsible for data quality across hundreds of systems, thousands of data elements, and dozens of regulatory obligations. They cannot personally own every critical data element. They know this. So they appoint data stewards in the lines of business. The LOB nominates someone, that person gets a title and a spot on the governance committee calendar, and the governance team ticks a box.
But what actually happens? The steward becomes the single point of failure for that domain. They hold the tribal knowledge. They know why a certain threshold was set at 2% and not 1.5%. They know which upstream system has been quietly sending malformed records since the 2023 migration. They know the exception process because they invented it. And when they go on leave, or move to another team, or leave the firm entirely, all of that goes with them.
The governance team discovers this during the next audit, when the new steward can't explain a control, and the answer is "the previous person handled that." That's not governance. That's hero-dependency wearing a different hat.
Why This Matters More Than You Think
Regulators are paying attention to this, even if they don't use the phrase "distributed accountability" in their findings. BCBS 239 requires that responsibility for data quality be clearly assigned and that the organization can demonstrate ongoing compliance. OCC guidance on operational resilience expects institutions to manage key-person risk. The FDIC's recent examinations have flagged cases where governance breaks down because critical processes depend on individuals rather than institutional frameworks.
But regulatory risk is only part of the picture. The operational cost is staggering. When governance is concentrated in people rather than systems, every personnel change becomes a mini-migration. Onboarding a new data steward takes months. Knowledge transfer is informal, incomplete, and usually happens under time pressure. The new person builds their own mental model from scratch, which means the governance standard drifts. Six months later, you have two different interpretations of the same policy living in the same organization, and nobody notices until something breaks.
The Wrong Approach: More Stewards, More Meetings
The instinct when you realize governance is too concentrated is to distribute it by adding more people. More data stewards. More committee seats. More attestation cycles. This is committee fatigue disguised as progress.
Here's what that looks like in practice. A Tier 2 bank decides to "embed" governance in every line of business. They appoint forty data stewards across three business units. Each steward now spends a day a week in governance meetings, filling out attestation forms, and preparing for committee reviews. The governance team, instead of governing, is now managing a small bureaucracy of stewards. Nobody has time to actually improve data quality. They're all too busy reporting on it.
Distributing the work without distributing the accountability just creates more overhead. More people touching the process does not mean more resilience. It often means less, because now you have forty potential points of failure instead of five, and no system to catch any of them.
The Right Approach: Systems Over People
Real distributed accountability means the governance framework survives regardless of who fills the steward role. This requires three things.
First, explicit and enforceable rules, not guidelines. The data quality thresholds, the escalation paths, the exception criteria — these must be codified in a system, not in someone's head. When a new steward starts, they should be able to read the rules, not reconstruct them from email threads.
Second, lineage and observability. You cannot hold a line of business accountable for data quality if they cannot see their own data. Governance teams need to give LOBs the tools to monitor their critical data elements in real time, not just report on them after the fact. If the steward can see a quality issue and act on it without waiting for a quarterly review, governance is working. If they can only report it upward and hope someone responds, it's not.
Third, attestation that means something. Attestation is not a signature on a form. It is a verifiable claim backed by evidence. When a business head attests to data quality, they should be attesting to specific, measurable controls that a system has tracked over the attestation period. Not "to the best of my knowledge." Not "based on the review I conducted." To the evidence. Always to the evidence.
The CoComply Angle
This is the problem CoComply was built to solve. Not by adding more people to the process, but by making the process robust enough that it doesn't depend on any single person. Certification, done right, is institutional memory. It captures the rules, the evidence, the thresholds, and the accountability chain in a form that is repeatable, transferable, and auditable. When a steward leaves, the certification stays. The new steward inherits a working system, not a blank slate and a list of unanswered emails.
The shift from person-dependent governance to system-dependent governance is not optional. It is the difference between an organization that can pass an audit during a staff transition and one that scrambles. It is the difference between governance that scales and governance that breaks under its own weight. It is the difference between accountability that is distributed and accountability that is merely delegated.
The organizations that figure this out first will not be the ones with the biggest governance teams. They will be the ones where governance lives in the systems, not the Slack channels.
The Test
Here is a simple test. Pick any critical data element in your organization. Now ask: if the person primarily responsible for that element's quality left tomorrow, would the governance controls for that element still function next week? Not partially. Not with workarounds. Fully.
If the answer is no, you don't have distributed accountability. You have a name on an org chart and a problem waiting to happen.