Regulator-Tested Governance

Most boards have never been pressure-tested by anyone whose job is to find what they missed.

Shareholders ask whether the numbers look right. Regulators ask whether you can prove the numbers are right. Whether your processes work the way you said they work. Whether the public interest got served, not just the entity’s interest. Whether the documentation can withstand scrutiny by someone whose career is built on finding gaps.

I served as Board Chair of the Travel Industry Council of Ontario from May 2021 to February 2026. The Office of the Auditor General of Ontario published a Value for Money audit of TICO on December 6, 2023. The audit period covered five fiscal years from April 2018 to March 2023. Most of it preceded my tenure. The response, when it came, was on us anyway.

Sixteen recommendations. Thirty-two action items. Two months to publish a response. This page is about what that experience changes about board judgment… and why it matters for private-sector boards that have never been audited by a regulator and probably never will be.

What “regulator-tested” actually means

Most governance training treats regulators as one stakeholder among several — customers, employees, shareholders, community, regulators. Five buckets, balance them, move on.

That framing misses something. Regulators don’t ask whether the organization is performing. They ask whether it can be trusted to keep performing after the people running it leave. Different question. Different follow-ups.

The three things only a regulator asks

First: can you prove what you said you did? Not assert. Prove. Show the minutes, the agendas, the decision rationale, the dissent if there was any, the implementation memo, the variance report, the after-action review. If your answer to “can you prove it” is “we definitely did the right thing, you just have to trust us,” you’re failing the question.

Second: did the public interest get served? Not the entity’s interest. Not the registrant’s interest. Not the staff’s interest. The public’s. Most private-sector boards never have to answer this question because no one is asking it. Regulators ask it routinely, and the answer can’t be a deflection toward the entity’s KPIs.

Third: are your processes durable past the people running them? Boards built on a strong CEO can look excellent for as long as the CEO is excellent. Regulators don’t care about the CEO. They care about whether the institution survives the CEO’s departure with its credibility intact.

These are not theoretical questions. They’re the questions auditors who report directly to the legislature ask out loud, in writing, with a publication date.

Why shareholder-tested governance misses them

Shareholders ask whether the entity is worth their capital today, and whether it’ll be worth more tomorrow. Those questions are necessary. They aren’t sufficient.

A board that has only ever answered shareholder questions tends to develop blind spots in three places: confidence about outcomes without confidence about process; confusion of the entity’s interest with the public interest, especially when the two have been aligned for so long no one bothers to distinguish them; and reliance on relational rigor — the right people are in the room, so we don’t need to write things down — in place of institutional rigor.

A regulator’s audit is the place those three blind spots get found. Usually all at once.

The Auditor General lens — what an AG review actually demands

December 6, 2023. The Office of the Auditor General of Ontario released the Value for Money audit of TICO. It examined administration of the Travel Industry Act, 2002: Compensation Fund administration, inspections, risk rating systems, complaint handling, consumer awareness, funding model, board competencies. The auditors wanted documentation, decision logs, and process artifacts spanning a window that included a full pandemic and a complete change in board composition.

A regulator-tested governance experience starts long before the report. Long before the recommendations.

Documentation requirements that most boards cannot produce on demand

Among the items the audit identified at TICO:

• Approximately $31 million from the Compensation Fund had been used for operating costs since 1997, exceeding what the audit deemed reasonable.
• Roughly $2 million in security deposits were potentially eligible for return to registrants.
• 30% of registrants had not been inspected in the prior 10 years.
• Only 51% of Ontarians were aware of TICO’s existence.
• The risk rating system used to prioritize compliance attention was assessed as ineffective.
• The Ministry’s oversight of TICO was found insufficient.

Sixteen recommendations. Thirty-two action items.

What the audit assumed before it began: that we could produce, in writing, the rationale for the Compensation Fund’s deployment back to 1997. That we could show the inspection history of every registered business. That we could show our risk model, our complaint flow, our funding logic, and the stakeholder consultation behind each. That the documentation existed, was organized, and was defensible.

Most private-sector boards would not survive that assumption past day one. Not because they’re negligent. Because nobody has ever asked them to prove anything to that standard. The reflex isn’t there. You build it by being on the receiving end of a regulator who doesn’t accept “we definitely did it correctly” as an answer.

The reflexes that develop under that pressure

Three things change in how you think about board work. You stop assuming minutes capture decisions, and start writing rationale and dissent into a separate decision log that survives a process review. You stop assuming the entity’s interest is automatically aligned with the public interest, and start asking whose interest a particular agenda item serves. You stop assuming institutional process is bureaucracy, because process is the only thing that survives turnover — CEOs leave, chairs leave, regulator expectations evolve, and process is what carries credibility through a transition. Once you’ve watched a regulator audit a process that wasn’t there, you don’t make that mistake again.

How regulator-tested reflexes show up in a private boardroom

These reflexes don’t stay in regulated industries. They translate.

The shareholder-tested risk question is “what’s the worst case for the entity.” The regulator-tested risk question is “what’s the worst case for the people the entity is supposed to be serving… and would we know about it before the customers did.” Those questions produce different risk maps. The second one surfaces customer-protection, data-integrity, and supplier-concentration issues that an enterprise-value framing underweights, because they don’t immediately threaten valuation. They threaten it eventually. By then the cost to fix is multiples of what early intervention would have cost.

The audit-committee reflex is “show me, don’t tell me.” A regulator-tested director treats statements from management as starting points, not endpoints. Not because management is dishonest. Because anyone running an operation has selection bias about what they notice. The audit committee’s job is to test the narrative against artifacts that exist independent of the narrative. Unglamorous work that catches problems confidence-driven boards miss for years.

The crisis instinct is to over-document immediately, communicate to multiple stakeholder groups simultaneously, and treat institutional reputation as something that has to be earned again from zero rather than defended from current position. That’s unfamiliar to boards that have only governed in good times or that have had the option to manage crises privately. It becomes essential the first time a small problem turns into a public one… which, for any consumer-facing business of meaningful scale, is when, not if.

When you need a regulator-tested director (and when you don’t)

Not every board does. A regulator-tested director adds the most value when the board sits on at least one of three risk surfaces.

A regulatory or audit shock is foreseeable. Maybe you’re in an industry about to be regulated more aggressively. Maybe you’re approaching a transaction that will trigger external scrutiny. Maybe you’re a private company contemplating going public. The reflex of “what does this look like under audit” is hard to acquire after the audit starts.

One stakeholder’s interest dominates. Often the founder’s. Sometimes a single PE investor’s. Sometimes an operational team that has built so much trust the board defers automatically. A regulator-tested director is constitutionally suspicious of single-stakeholder dominance, because that’s the structural condition under which trust assessments fall below threshold.

You’re a founder-led or family enterprise approaching an inflection point. Generation transitions, succession decisions, buyout structuring. These moments expose institutional process gaps that worked when one person owned the decision rights and stop working the moment those rights move.

Less useful: pre-PMF startups where speed dominates rigor; closely-held businesses with no external accountability surface; boards that already include multiple regulator-experienced directors. Most operator-led private companies with growth ambition fall into the first useful category. Most don’t realize it until late.

Where the operator-plus-regulator combination compounds

Four sectors and structural situations where the experience pays out most directly.

Hospitality, travel, and travel technology. Forty years of hotel operations. BookDirect, one of the first online hotel reservation platforms. Five years governing the regulator that oversees the entire travel industry in Ontario. Boards in this sector get a director who has built, sold, and regulated the same kind of business they oversee.

Family enterprise and founder-led businesses approaching transition. Succession is governance work the family rarely sees as governance work until something goes wrong. A regulator-tested director brings process discipline to a setting where decisions have historically been made by trust and proximity. Done well, that strengthens the family’s autonomy by creating a board that can hold its own when the founder steps back.

PE-backed portfolio companies on a defined exit timeline. PE boards optimize for exit. Appropriate. Also creates blind spots when the exit window aligns with a regulatory shift, an audit cycle, or an unanticipated public-interest question. A regulator-tested director surfaces those blind spots while the timeline is still long enough to address them.

Consumer digital marketplaces and AI-mediated platforms. Where the next decade of regulatory engagement will land hardest. Boards that bring regulator-tested instincts now are building governance for the regulated reality those businesses will operate in by 2030, not the lightly-regulated one they currently enjoy. The Hotels × AI series walks through one version of that argument.

The point

Five years chairing a regulator changes how you read a board agenda. You stop reading it as a meeting plan and start reading it as a record someone might have to defend later.

That sounds like overhead. In normal times, it is. The cost is real.

The benefit shows up only when something goes wrong, and what goes wrong is usually quiet. A vendor fails to comply. A customer is harmed in a way that doesn’t show up on this quarter’s P&L. A process drifts for two years until somebody publishes the gap. By then, the people who could have caught it have moved on, and the documentation that would have shown they tried isn’t there.

A regulator-tested director is in the room, three years earlier, asking the small question that produces the documentation that would later turn out to matter.

That’s the value. It isn’t visible most of the time. When it becomes visible, it has usually already paid for itself many times over.

Want the operator’s account of the AG review specifically? What five years chairing a regulator taught me about governance →

If your board is approaching a regulatory engagement, a transaction, or a generational transition: talk about an independent director conversation →