
Q&A on the operating model for running an authority program: who owns what, how often to review, change workflows, and leadership reporting.
Definition: An authority management operating model is the organizational structure of ownership roles, review cadences, change workflows, and reporting mechanisms that keeps decision rights, approval limits, and delegated authority current, enforceable, and audit-ready as the organization changes.
An authority matrix is not a document you finish. It is a program you run. McKinsey's research on organizational decision-making found that 72 percent of senior executives see bad strategic decisions as at least as frequent as good ones in their organizations. APQC's 2024 survey of 311 finance professionals found that 29 percent of organizations rate their delegation of authority policy as ineffective. The gap between a policy that exists on paper and a program that works in practice is the operating model.
This Q&A answers the questions practitioners ask when standing up or fixing an authority program: who owns what, how often to review, what change workflow actually works, how to prevent shadow approvals, and what leadership reporting should look like. If you are looking for the broader foundations first, see Delegation of Authority 101 and The DOA Policy That People Actually Follow.
A: An authority management operating model turns your delegation of authority policy into an executable program. It defines who owns which decisions, how often authority gets reviewed, how changes move through the organization, and how leadership sees whether the program is healthy.
The framing comes from governance research. Deloitte's governance operating model framework describes four components that together operationalize any governance policy: structure (organizational design, committees, reporting lines), oversight responsibilities (accountability, authority, veto rights), talent and culture (who is qualified to hold authority, and how that is reinforced), and infrastructure (policies, reporting mechanisms, technology). Authority management inherits all four components, but makes them concrete against a specific artifact: the decision rights your organization has chosen to codify.

The gap between policy and program is wide. EY and the Society for Corporate Governance's 2025 survey of 222 companies found that almost 90 percent maintain a delegation of authority policy, yet only 14 percent embed that policy in a dedicated IT system for tracking and enforcement. The operating model is what connects the two: it defines how a documented policy becomes enforced practice. Organizations that close that gap see measurable outcomes. Among those reporting effective DOA in APQC's 2024 research, 67 percent report better decision-making, 62 percent report increased productivity, and 53 percent report higher organizational agility.
A good operating model also defines what the program is not. It is not a one-off policy refresh, not an annual compliance exercise, and not a task that lives permanently on one person's desk. It is a distributed program with named owners, scheduled cadences, and evidence trails.
A: Ownership should be distributed across four roles: a policy owner who sets principles, a matrix owner who maintains the rules, process owners who validate them against operational reality, and system owners who enforce them in workflows.
Authority programs fail when ownership concentrates in one place. If a single person in finance manages the matrix, rules drift the moment workflows change in procurement, legal, treasury, or IT. The four-role model distributes responsibility to the functions that know where authority actually gets applied.
APQC's research found that organizations with senior management involvement in DOA report a 75 percent effectiveness rate, compared to 59 percent for those without. That 16-point gap underscores how ownership depth affects outcomes. Junior ownership produces a junior program.
Reserved authorities, meaning decisions the organization has chosen never to delegate, belong to the policy owner and the board. Common reserved authorities include mergers and acquisitions above a set threshold, capital expenditures above a defined ceiling, sanctions-related transactions, and authority over the authority policy itself. These are documented, rarely changed, and never redelegated.
The table below maps the four core ownership roles to typical functions and review cadences.
For the mechanics of how ownership interacts with execution, see how to build a delegation of authority matrix.
A: Centralize the taxonomy, reserved authorities, and change workflow. Decentralize role mappings, bounded exceptions, and local approvals. As the organization scales, the operating model should mature from ad-hoc to optimized without changing what sits at the center.
APQC's 2024 data shows how organizations currently distribute authority: 59 percent use a centralized structure, 21 percent decentralized, and 20 percent a balanced hybrid. Centralization is not an end in itself. The goal is consistency where it matters and local agility where it helps. Organizations with effective DOA report 53 percent higher organizational agility and 49 percent reduction in bottlenecks, outcomes that come from centralizing the right things while pushing execution as close to the work as safe constraints allow.
The matrix below summarizes what belongs at the center of the authority program versus what can safely move to local business units.
The question changes as the organization grows. In a 200-person company, a single matrix owner and a shared spreadsheet can hold the program together. At 2,000 people across three legal entities, the same approach produces drift within a quarter. EY and SCG found that 28 percent of organizations cite time-consuming updates as a persistent challenge and 27 percent struggle to maintain an updated version, both signals that the operating model has not evolved with the organization.
Scaling triggers are predictable. New legal entities, mergers and acquisitions, carve-outs, new geographies, and significant reorganizations each require operating-model adjustments: adding a matrix co-owner per entity, layering entity-level approval bands on top of the core taxonomy, or standing up a change review board that includes regional representation. These adjustments are not rewrites. The core taxonomy and reserved authorities stay centralized. What changes is the operational scaffolding around them.
The following table summarizes the four typical maturity stages of an authority operating model. Most organizations move through them sequentially, though acquisitions and regulatory events can accelerate or reset the progression.
Knowing where you are on the curve matters more than how fast you move. A company that honestly sits at "documented" and is working toward "operational" is healthier than one that claims to be "optimized" because it once bought a governance tool. For the sibling practice of keeping those centralized systems in step with local reality, see avoiding sync drift between authority systems.
A: Use a mixed cadence. Event-based triggers handle role changes and structural events immediately. Monthly reconciliation catches routine drift. Quarterly reviews sample approvals and recertify high-risk signers. Annual reviews recalibrate thresholds against business strategy.
APQC's data shows how rare this discipline is. Only 41 percent of organizations review their delegation of authority semi-annually or more frequently, and 37 percent review only on an as-needed basis. As-needed review is effectively no review. It means authority drifts until something forces a look, which is usually an audit finding, a controls failure, or a near-miss.
The cadence should be calibrated to authority tier. High-impact signatories who commit the organization to material obligations deserve more frequent recertification than mid-level approval limits on routine purchase orders. The following cadence matrix matches review frequency to authority tier.
The cadence should also reflect volume. West Monroe's 2026 Speed Wins research, based on a survey of 1,000 managers and 214 C-suite executives at U.S. companies with at least $250 million in revenue, found that 44 percent of managers have come to accept that slow decision-making is normal. That resignation is what happens when cadence becomes theater. The operating cadence should be frequent enough to catch drift but lightweight enough to avoid becoming the bureaucracy it is meant to prevent. If a quarterly review takes two weeks to prepare, it is not a quarterly review, it is a quarterly special project.
For the specific metrics that make a review productive, see Authority Monitoring and Reporting Metrics.
A: Five steps: request with scope and effective dates, automated impact check for segregation-of-duties and risk flags, approval by risk-appropriate stakeholders, versioned publish, and acknowledgment collection where required. Skip any step and you lose auditability.
The most valuable step is step 2. EY and SCG found that only 14 percent of organizations embed DOA in a dedicated IT system. The rest rely on intranets, spreadsheets, and manual tracking that cannot support an automated impact check. That gap shows up in APQC's numbers: 75 percent of organizations using ERP integration rated their DOA as effective, compared to 64 percent of those without. The 11-point difference is largely explained by automated enforcement catching conflicts at request time rather than discovering them during audits.

Our recommendation: Build the impact check directly into the request workflow, not as a separate manual step. When SoD and risk flags are checked automatically at request time, conflicts are caught before approval rather than discovered during audits. This single automation eliminates the most common source of control gaps we see in authority programs.
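The request-time impact check described above, sketched as an added example; it is not code from this article or from any product it mentions. The conflict pairs, the high-risk tier, the flag names and the routing policy are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed rule set (not from the article): authority pairs one person may not hold at once.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"raise_po", "approve_po"}),
}
HIGH_RISK = {"bank_mandate_signer"}  # assumed high-impact tier


@dataclass(frozen=True)
class Grant:
    holder: str
    authority: str
    start: date
    end: Optional[date]  # None means open-ended


def overlaps(a: Grant, b: Grant) -> bool:
    """True when the two effective-date windows share at least one day."""
    return (a.end is None or b.start <= a.end) and (b.end is None or a.start <= b.end)


def impact_check(request: Grant, current: list[Grant]) -> list[str]:
    """Step 2 of the workflow: return the flags a requested grant raises."""
    if request.end is not None and request.end < request.start:
        return ["INVALID:end_before_start"]
    flags = []
    for g in current:
        pair = frozenset({g.authority, request.authority})
        # A conflict only counts if the same person holds both authorities at the same time.
        if g.holder == request.holder and pair in SOD_CONFLICTS and overlaps(g, request):
            flags.append(f"SOD:{g.authority}+{request.authority}")
    if request.authority in HIGH_RISK:
        flags.append("RISK:high_impact_authority")
    if request.end is None:
        flags.append("RISK:open_ended")
    return flags


def route(flags: list[str]) -> str:
    """Step 3 routing (assumed policy): block conflicts, escalate risk flags, else standard."""
    if any(f.startswith(("SOD:", "INVALID:")) for f in flags):
        return "blocked"
    return "escalated" if flags else "standard"


# Constructed sample of currently effective grants.
CURRENT = [
    Grant("alice", "create_vendor", date(2025, 1, 1), None),
    Grant("bob", "raise_po", date(2025, 1, 1), date(2025, 3, 31)),
]
```

Because the check compares effective-date windows, a grant that follows an expired conflicting grant passes, while an overlapping one is stopped before it reaches an approver.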
For the full workflow design (including exception handling, emergency authority, and retroactive change processing), see the Authority Change Management Playbook.
A: Treat workarounds as usability signals, not discipline problems. Teams route around the official process when it is slow, hard to search, or has no path for exceptions. Fix the friction first, enforce through routing second, police last.
Shadow authority, meaning approvals granted over email, chat, or side channels that never enter the authority system of record, is the operating model's most expensive failure mode. When a shadow approval leads to a commitment, the organization has no evidence trail, no point-in-time recall, and no defensible audit position. When teams route around the process, it is usually because of three patterns:
The fix is usability and exception design, not stricter policing. West Monroe's research found that each additional request for analysis adds an average of three weeks of delay to a decision. When the official authority process imposes similar friction, teams find faster alternatives. The same research found that 73 percent of leaders estimate halving decision time would unlock at least 5 percent in revenue growth, a meaningful upside that well-designed authority workflows can help capture.
Enforcement follows usability. Once the official path is genuinely the fastest path, enforcement can layer in: ERP and CLM systems reject transactions that do not reference a valid authority record, signatory systems refuse to generate documents without an authorized signer, and audit logs flag any commitment lacking an authority trace. Enforcement without usability produces avoidance. Usability without enforcement produces drift. Both are required.
For the taxonomy of roles that makes enforcement routing possible, see DOA vs. approval matrix vs. RACI.
A: Report on drift and risk signals, not transaction volume. Leadership needs to know where authority is misaligned, where exceptions are concentrating, and where recertification is lapsing. Volume metrics belong in operational dashboards, not board decks.
The difference matters. A report that says "we processed 4,200 approvals last quarter" tells leadership nothing about risk. A report that says "17 signatory records are now misaligned with HR status and 3 of them are on bank mandates" is actionable. The first is busywork reporting, the second is governance reporting.
Six core indicators cover the health of an authority operating model:
APQC found that 69 percent of organizations use regular progress reports as their primary accountability mechanism, and 60 percent use clear assignment of responsibilities. Those two mechanisms in combination are what convert a policy into a program. Neither works without the other.
For the full metric set with definitions, calculation methods, and target ranges, see Authority Monitoring and Reporting Metrics. For the specific reporting needs of signatory governance, see authorized signatory lists explained.
A: Five patterns appear repeatedly: single-owner concentration, policy-without-process, cadence theater, shadow-authority tolerance, and audit-only reporting. Each has an early signal and a specific remediation.
EY and SCG found that 35 percent of organizations cite tracking and enforcement difficulty as a top challenge in managing DOA. The reason most organizations land there is not complexity; it is a predictable set of operating-model failures that compound over time. The consequences are measurable: ACFE's 2024 Report to the Nations, based on 1,921 occupational fraud cases across 138 countries, found that 51 percent of cases involved either the absence of internal controls (32 percent) or the override of existing controls (19 percent). Both failure modes map directly to authority operating model breakdowns.
The table below catalogs the five most common authority operating model failures, their early warning signals, and the remediation that works.
The common thread across all five is that the operating model was designed but never maintained. A governance operating model is not a project with a completion date. It is an ongoing practice with named owners, scheduled cadences, and a feedback loop that catches deviations before they become failures.
A: Days 0 to 30 establish the charter, ownership, and scope. Days 31 to 60 build the cadence and change workflow. Days 61 to 90 turn on reporting and run the first review cycle. By day 90, the program is operating, not merely designed.
Days 0 to 30: Charter and ownership. Name the policy owner, matrix owner, process owners per function, and system owners per platform. Document the reserved authorities the board and executive team will not delegate. Confirm the current-state authority inventory, even if incomplete. Draft the program charter: scope, success criteria, cadence, reporting lines. Agree on the maturity stage the organization is starting from, realistically.
Days 31 to 60: Cadence and change workflow. Stand up the five-step change workflow with automated impact checks where systems allow. Publish the review cadence by authority tier. Identify the top 10 change types the organization will see in the next quarter and walk each one through the new workflow to pressure-test it. Align the core ERP, CLM, and procurement systems to the authority taxonomy so that enforcement can begin.
Days 61 to 90: Reporting and first review cycle. Turn on the six core indicators for leadership reporting. Run the first monthly reconciliation and the first quarterly sample review. Capture exceptions and surface systemic signals back to the policy owner. Publish the first operating-model health report. By day 90, leadership has visibility, process owners have a rhythm, and the change workflow has absorbed its first real tests.

For the full Aptly-specific rollout sequence (including data preparation, user provisioning, and integration milestones), see Launching Aptly: A 30-60-90 Day Plan.
A: Aptly is the authority system of record that holds the operating model together: role-based ownership, controlled issuance and revocation, version history, time-bound delegations, and audit-ready logs in a single platform.
The platform maps cleanly to the four-role ownership model. Policy owners set the principles and reserved authorities. Matrix owners maintain the decision taxonomy with version history and point-in-time recall. Process owners work inside the change workflow with automated impact checks. System owners connect Aptly to ERP, HRIS, CLM, and identity systems so that authority rules drive real workflow routing rather than living in a document.
The cadence and reporting that this article describes become easier to sustain when authority is a living record rather than a periodically refreshed document. Event-based triggers fire from HRIS integrations. Monthly reconciliation runs against a live dataset instead of a reconstructed one. The six leadership indicators compute themselves from the underlying event log. The operating model becomes something the program runs on, not something the program rebuilds every review cycle.
In a company of under roughly 150 employees with a single legal entity, a CFO or Controller can hold both the policy owner and matrix owner roles, with process and system ownership distributed to functional leads. The risk is concentration: if that person leaves, institutional knowledge goes with them. Document the program charter and core taxonomy early, so the roles are transferable even when only one person holds them today.
AI agents that execute approvals, commit the organization to transactions, or route workflows autonomously need the same authority governance as human actors: bounded limits, conditions, revocation, and audit trail. The operating model extends naturally. Agent delegations live in the same matrix as human delegations, with the same change workflow and recertification cadence. For the specifics of governing non-human actors, see agentic authority management.
Pre-close, the acquiring organization should inventory the target's authority matrix, reserved authorities, and signatory lists. At close, interim authority decisions (who can sign, approve, commit) are published as a time-bound addendum to the operating model. Post-close integration maps the target's taxonomy into the parent taxonomy, retires duplicate roles, and re-issues signatory authority under the combined entity. The operating model should have this path documented before a transaction, not drafted during one.
The board should approve the policy, the reserved authorities, and any material changes to either. Day-to-day matrix maintenance and change processing sit with management, not the board. Board committees (audit, risk, governance) typically review authority program health annually and escalate significant drift or failures. The board's involvement is oversight, not administration.
A RACI assigns roles to tasks. An approval matrix defines who signs off on what. The authority operating model is the organizational structure that keeps both of those artifacts current, enforceable, and audit-ready. RACIs and approval matrices are outputs; the operating model is the program that produces and maintains them. For the distinction in detail, see DOA vs. approval matrix vs. RACI.