Governing programmes without drowning

02 April 2026

Daniel Taylor asks why governance is often unclear for the biggest, highest-risk programmes

 

Points raised in this article:

- Considering the importance of major programmes and the high cost of their failure, programme governance is often too vague in public-purpose organisations

- Practical pointers to shift from programme management to programme governance

- Specific guidance for boards and executive teams on their key roles in major programme governance

 

In most public-purpose organisations, a large share of risk, resource and reputation is tied up in a small number of major programmes.

Digital transformation programmes, estates redevelopments, service redesign, integration initiatives, regulatory remediation. These are the undertakings that absorb millions of pounds, large portions of organisational attention, and often a good deal of public scrutiny. When they succeed, they reshape capability and improve outcomes. When they fail, they do so expensively and visibly. And yet, for something so central to organisational success, programme governance is often oddly unclear.

I frequently come across boards unsure about what they should be seeing, committees duplicating or missing scrutiny, and executive teams uncertain about where delivery authority ends and governance oversight begins. Programme boards exist, steering groups proliferate, reports circulate – but the line between management control and governance oversight becomes blurred. The result is a familiar pattern. Boards receive large volumes of programme reporting but relatively little insight into the questions that actually matter:

  • Is the programme still delivering the intended value?
  • Is it operating within the organisation’s risk appetite?
  • What uncertainty is emerging?
  • What decisions might the board soon be asked to take?

In other words, the organisation may have plenty of programme management but insufficient programme governance.

That distinction matters. Large programmes are not simply complicated projects; they are strategic interventions that reshape organisational capability and public value. As Mark Moore reminds us, public management is ultimately about creating value that can be justified within the authorising environment of the organisation. When programmes drift away from that purpose, governance has already failed.

What follows is a practical look at how boards and executives can structure that governance: what should be delegated, what the board should actually see, how committees fit into the picture, and how constructive challenge keeps programmes healthy rather than adversarial.

Start with the right mental model: the board is not a project office

One of the most common programme governance failures is category error. Treating the board like a better steering group; overloading it with too much programme information and sprint updates; asking it to ‘note’ status reports that are, in effect, management diaries.

But boards are not courts of audit; they are strategic organs. Their duty is to anticipate, not just account. So, we need to be disciplined about the difference between:

  • management control: are we delivering the plan efficiently?
  • governance control: are we delivering the right thing, within an acceptable level of uncertainty, without breaking the organisation’s legitimacy, ethics, finances, people, or future?

Sonnenfeld’s argument is helpful here because it pulls us away from structure-as-salvation. Boards can have the ‘right’ committees and still fail. What distinguishes great boards is not procedural compliance; it is their ability to function as robust social systems that ferret out the truth, foster candour, and treat dissent as an obligation.

Programme governance is where that social system is tested.

The first design decision: what kind of programme is this?

Before you build governance, name the beast. There are (at least) three broad types of large programme, and each demands a different governance posture.

  1. Compliance-led programmes (must-do): mandated changes, regulatory remediation, time-bound obligations.
  2. Capability programmes (build-to-run): digital platforms, estates builds, operating model redesign.
  3. Strategic bets (uncertain, high upside): innovation, new service models, partnerships, market entry.

If you govern a strategic bet like compliance, you strangle it. If you govern compliance like a strategic bet, you invite scandal. This is where risk appetite stops being a policy appendix and becomes a steering wheel. Risk appetite is the board’s quiet superpower when it is used as a living tool linking vision to delivery.

In practice, for each programme, the board should require a short statement answering:

  • What uncertainty are we willing to accept to achieve the outcomes?
  • What uncertainty are we not willing to accept (red lines)?
  • What would cause us to slow, stop, or redesign?

If you cannot answer these, your ‘assurance’ will arrive late, and your oversight will drift into either timidity or recklessness — randomly.

The second design decision: delegation that actually works

Most organisations have delegation frameworks. Fewer have delegation that bites in practice.

King V is crisp: the governing body should approve a delegation of authority framework that sets out what is reserved for it and what is delegated, and it must exercise ongoing oversight and monitoring of that delegation. And crucially, delegation does not discharge accountability; the governing body must still apply its collective mind to the information and recommendations it receives.

For large programmes, that translates into three layers of decision rights:

  1. Board reserved matters (few, weighty, explicit)
    • Outcome intent and scope boundaries
    • Total affordability envelope and risk appetite
    • Material changes: scope, timeline, benefits profile, delivery model
    • ‘Point of no return’ commitments (procurement awards, contract break clauses, major comms)
  2. Committee deep scrutiny (designed, not accidental)
    • Risk/assurance committee: principal risks, controls, independent assurance, red-line breaches
    • Finance committee: affordability, liquidity/covenants, cost-to-complete, contingencies
    • People/quality committee (where relevant): workforce impacts, safety/quality trade-offs, culture/ethics
  3. Executive delivery authority (clear, empowered, accountable)
    • Day-to-day delivery choices within agreed tolerances
    • Managing suppliers, internal dependencies, resourcing
    • Implementing assurance actions and closing loops

The key is that the interfaces are explicit: what moves up, when, and in what form.

The governance structure you actually need

Most large programmes need a ‘double helix’: one strand for delivery cadence, one for governance cadence.

Delivery strand (fast, operational):

  • Programme director and PMO rhythm
  • Workstream leads
  • Weekly control: milestones, issues, resource conflicts, supplier performance

Governance strand (slower, strategic, legitimising):

  • Programme board/steerco chaired by an executive sponsor
  • Committee scrutiny designed around risk appetite
  • Board oversight focused on outcomes, legitimacy, and strategic risk

Here is the trap: if you ask the main board to do everything, it will do nothing well. If you push everything down to committees, the board will lose the narrative thread and become surprised later. So, the board needs a small number of recurring ‘windows’ into the programme. Not a flood - windows.

What the executive must do differently

In a well-governed programme, the executive’s job is not merely to deliver. It is to translate strategy into measured performance — and to do so with discipline. For large programmes, that means four practical obligations:

  1. Keep the story coherent.
    • Moore reminds us that public action needs an account — a story — of why the value is worth it to the community, not just beneficiaries.
    • Executives should maintain a clear ‘public value case’: outcomes, who benefits, what is traded off, why now.
  2. Operate within agreed appetite and tolerances.
    • Appetite is intent; tolerance is thresholds; capacity is reality. Confuse them and you govern on vibes.
    • Programmes should have explicit tolerances: cost, timeline, benefits, quality/safety, people impact, reputation.
  3. Surface uncertainty early.
    • Assurance that only reports what went wrong is a comfort blanket.
    • The executive should report ‘direction of travel’ signals: slippage patterns, emerging dependency risks, supplier fragility, workforce fatigue, stakeholder temperature.
  4. Invite challenge rather than endure it.
    • Constructive challenge is purposeful, evidence-informed, respectful questioning aimed at strengthening decisions.
    • If the executive treats scrutiny as prosecution, the board will either back off or escalate theatrically. Both are failures.

What the board should see, how, and when

A 10/10 board meeting is not one with more papers; it is one where good is defined in lived practice, not abstraction. The same is true for programme oversight. For large programmes, the board should see a standardised programme oversight pack quarterly (or at agreed stage gates), with a short dashboard monthly if risk is high. The pack should be disciplined to governance content.

Here is what should be in it, every time:

  1. Outcomes and benefits
    • The intended outcomes (not activities)
    • Benefits profile: what has been realised, what is at risk, what assumptions changed
    • Distributional note: who gains, who bears cost (public value honesty)
  2. Risk and appetite alignment
    • Top 5–7 principal risks and opportunities
    • Appetite statement and whether the programme is operating within it
    • Any tolerance breaches (actual or forecast) and proposed corrective action
  3. Delivery confidence
    • Critical path milestones (few)
    • Dependency map (what must be true for success)
    • Supplier/partner health (if relevant)
  4. Financial integrity
    • Spend to date vs plan
    • Cost to complete and contingency burn rate
    • Any commitments approaching point of no return
  5. Assurance and learning
    • Independent assurance activity and ratings
    • Key findings, management responses, closure progress
    • What has been learned and changed (not just ‘actions closed’)
  6. Decisions required
    • A single page: what is being asked, why now, options, recommendation, consequences, and what would change our mind

If that last page is absent, the paper is usually not governance; it is reporting theatre.

Committees: the art of scrutiny without fragmentation

King V is also quietly wise on committee mechanics: it stresses effective collaboration and information exchange among committees through cross-membership and coordinated scheduling. That matters for programmes because risks do not respect committee boundaries. Cyber risk becomes service risk becomes reputation risk becomes financial risk in the space of a week.

So, the practical move is this: appoint a named programme assurance integrator (often the governance lead or company secretary function) whose job is to ensure:

  • committee scrutiny is sequenced (not duplicated)
  • escalations are consistent
  • the board receives an integrated view, not committee fragments.

This is boring work. It is also the difference between ‘we didn’t know’ and ‘we chose not to see’.

Culture: constructive challenge as an operating system

When programmes go wrong, it is rarely because nobody could see the problems. It is because people learned, subtly, that seeing was unwelcome.

That is why constructive challenge is not a soft skill; it is an organisational immune response. Embedded well, it turns culture from passive acceptance into shared ownership. If you want one behavioural norm for programme governance, make it this: challenge is a duty, not a personality trait.

Sonnenfeld’s best boards treat dissent as an obligation and regard no subject as undiscussable. That is not about being adversarial. It is about refusing to let the organisation drift into magical thinking.

If you want a literary image: in the Odyssey, Odysseus has himself bound to the mast so he can hear the Sirens without steering the ship onto the rocks. Programme governance is a kind of mast-binding: agreeing, in advance, how we will behave when the music starts.

Concluding thought

Good governance does not remove uncertainty from major programmes. But it does ensure that uncertainty is seen clearly, discussed honestly, and managed within boundaries that the board has consciously chosen.

 

In common with all of our publications, this has been reviewed by a second GGI expert.

Meet the author: Daniel Taylor

Senior consultant and head of business development

Email: daniel.taylor@good-governance.org.uk

Prepared by GGI Development and Research LLP for the Good Governance Institute.
