Regulatory governance often seems under control. In reality, it is not.
- Team Hoodin

- May 13
Most regulatory teams have a way of working that feels structured. There is an applicable list. Updates are tracked. Decisions are documented. The process fits the organisation, and over time it becomes accepted as “how we do regulatory.” From the inside, it looks like control.
But when that same structure is tested outside the organisation — in an audit, an inspection, or a due diligence process — something changes. Questions that should have straightforward answers suddenly require interpretation, reconstruction, or internal alignment.
Not because the organisation lacks knowledge, but because what looks like control is, in reality, a set of practices that were never designed to be defended.
The moment where things start to shift
The issue is rarely visible in day-to-day work. The team knows the products. The regulatory landscape feels familiar. The lists are there and have been used for years. People trust the process because it has worked.
Then a question is asked that cuts through that familiarity:
Why is this requirement applicable? Where is the rationale? Has anything changed since that assessment was made?
At that point, the answer often exists, but it is not immediately accessible in a way that holds together. It needs to be explained. Sometimes reconstructed. Sometimes aligned across people.
That is the moment where something that felt structured begins to show its limits.
When internal logic meets external expectations
Most regulatory processes are shaped around internal needs. They evolve over time. They adapt to the organisation, the team, and the products. They are built to make the work manageable.
And for a long time, that is enough.
But regulatory expectations are not defined by how work is organised internally. They are defined by what must be demonstrated externally.
Being able to show what applies is one thing. Being able to show why it applies, how that was determined, and whether it is still correct is something else entirely.
That difference is often underestimated.
What defensible actually means in practice
A regulatory position is not considered strong simply because it exists in a document. It is considered strong when the reasoning behind it can be followed, understood, and revisited without relying on the individual who made the original decision.
That requires more than documentation. It requires decisions to be built on logic that is explicit, consistent, and maintained over time.
In practice, that means being able to answer, without hesitation:
Why was this considered applicable or not? What was the basis for that decision? When was it last assessed? What has changed since then?
If those answers depend on interpretation, memory, or internal discussion, then the position is not fully defensible — even if it was once correct.
Why this breaks over time
The problem is rarely how regulatory work starts. It is how it evolves.
Most organisations begin with a manageable scope: a limited number of products, markets, and regulatory frameworks. The structure works because the complexity is contained.
Over time, that changes. More markets are added. More requirements appear. New domains come into scope. Regulatory updates become more frequent.
The original structure is still used, but it is now carrying a level of complexity it was never designed for. Lists begin to drift. Rationales are not updated in the same way as the regulations themselves. Different versions of the same logic start to exist.
Nothing is obviously wrong, but alignment is no longer guaranteed.
From the inside, this shows up as repeated checks and growing uncertainty. From the outside, it shows up as inconsistent answers.
The shift that is already happening
Regulatory scope today is not stable. It moves across jurisdictions, regulatory domains, and time. Requirements change, interpretations evolve, and expectations around traceability and justification continue to increase.
At the same time, organisations are expected to maintain a clear and current understanding of what applies to each product.
This creates a shift in what regulatory work actually requires. It is no longer enough to manage regulatory information in a structured way. Organisations must be able to maintain a controlled, traceable, and continuously valid position over time.
In other words, it requires governance.
Where most organisations actually are
Most organisations are not doing the wrong things.
They identify regulations.
They build applicable lists.
They document their decisions.
But those activities are often built on structures that were designed to support internal workflows, not external scrutiny.
That is why the same questions keep returning. And why they become harder to answer as complexity increases.
Closing
Defensible regulatory governance is not about having everything in place.
It is about being able to show, clearly and consistently, how your regulatory position was built and why it still holds.
If that cannot be done, then the organisation is relying on assumptions, even if those assumptions were once correct.
And in a regulatory context, that is where risk begins.
Download the full white paper
This article describes a pattern that many regulatory organisations recognise once it is pointed out.
In the full white paper, "Defensible Regulatory Governance in Practice", we examine this in detail. We look at how regulatory applicability is actually managed in practice across life science organisations, where it starts to break down, and what is required to establish and maintain defensible regulatory governance over time.
