Who Approved This Post? The Accountability Crisis in Executive Communication

Most organizations have an executive communication approval workflow, but cannot prove who actually approved a post. This gap between approval and accountability is now a regulatory, legal, and trust risk. This article introduces the Executive Accountability Model to close it.

Jesse Sacks-Hoppenfeld

Founder & CEO

Most organizations cannot answer a simple question:

Who approved this post?

Not confidently. Not with evidence. Not in a way that would stand up in front of regulators, auditors, or a board.

That gap is not operational. It is structural.

The modern executive communication approval workflow exists in nearly every enterprise. Content is reviewed. Legal looks at it. Comms refines it. Someone gives a “thumbs up.”

But when scrutiny arrives, the system breaks.

Because approval exists.

Accountability does not.


Definitions

Executive communication approval workflow: A structured sequence of review and authorization steps required before executive content is published. Typically includes legal, communications, and functional stakeholders. Per FINRA Rule 2210, a system requiring registered principal review and approval before retail communications are used (FINRA Rule 2210).
Accountability: The obligation of an individual to accept responsibility for decisions and actions, supported by attribution, traceability, and enforceability. COSO requires organizations to hold individuals accountable for their internal control responsibilities (COSO, 2013). The IIA defines accountability as the first of three governance requirements (IIA, 2020).
Audit trail: A chronological, tamper-evident record capturing who performed an action, what was done, when it occurred, and the outcome. NIST SP 800-53 requires audit records containing source, outcome, and associated individuals for significant events (NIST, 2020).
Decision attribution: The documented assignment of a decision to a specific individual, including the rationale and supporting data. Columbia Law School / BIS research recommends “statements of responsibility” and “accountability mapping” to close the gap between institutional fines and individual executive accountability (CLS Blue Sky / BIS, 2023).
Disclosure controls and procedures: Controls designed to ensure that information required to be disclosed is recorded, processed, summarized, and reported within required time periods, and accumulated and communicated to management for timely disclosure decisions (SEC, 2002).

Executive Communication Is Now Governed Like Financial Reporting

The regulatory baseline is already clear.

The SEC defines “disclosure controls and procedures” as controls designed to ensure that information required to be disclosed is recorded, processed, summarized, and reported within required time periods, and that required information is accumulated and communicated to management to allow timely disclosure decisions (SEC, 2002). These controls are not optional. CEOs and CFOs must personally certify their effectiveness under Sarbanes-Oxley Section 302 (U.S. Congress, 2002).

In financial services, the standard is even more explicit:

  • FINRA requires an appropriately qualified registered principal to approve each retail communication before use (FINRA Rule 2210)
  • Supervisory reviews must be conducted by a registered principal and evidenced in writing (FINRA Rule 3110)
  • Firms must retain all communications “and any approvals thereof” relating to their business (SEC Rule 17a-4)

In security and governance frameworks:

  • NIST SP 800-53 requires system-wide audit trails compiled from audit records and time-correlated to enable reconstruction of actions (NIST, 2020)
  • COSO requires organizations to hold individuals accountable for their internal control responsibilities (COSO, 2013)

The expectation is not ambiguous.

Every material communication should have:

  • A defined control structure
  • A responsible owner
  • A traceable approval record

And yet, executive communication routinely bypasses all three.


The Gap: Approval Workflows Without Accountability Systems

Most enterprises have approval workflows. Few have accountability systems.

That distinction matters.

Approval is a step.

Accountability is a system.

The evidence is consistent:

  • 45% of public companies have no board committee overseeing executive public communications — the most common response to “which board committee has oversight” was “none of the above” (Deloitte / Society for Corporate Governance, 2021)
  • Executives at major firms used off-channel messaging (WhatsApp, iMessage, Signal), leading to over $3 billion in cumulative SEC and CFTC fines across more than 70 firms since 2021 (SEC, 2022; SEC, 2024; SEC, 2025)
  • Tesla was charged by the SEC for failing to have required disclosure controls and procedures relating to Musk’s tweets (SEC, 2018)
  • DraftKings was fined $200,000 for posting material nonpublic information via the CEO’s personal social accounts without proper disclosure controls (SEC, 2024)

Even where policies existed, they failed.

In the DraftKings case, the company had a Regulation FD policy. Internal staff reviewed content. But the company’s PR firm posted material nonpublic information about “really strong growth” on the CEO’s personal X and LinkedIn accounts before quarterly earnings were released. The CEO’s personal accounts had not been designated as disclosure channels. The posts were removed within 30 minutes, but the information was not publicly disclosed until seven days later.

Approval existed. Accountability did not.


The Failure Mode: Coordinated Ambiguity

Inside most organizations, executive content flows like this:

  • Draft created by comms or agency
  • Reviewed by multiple stakeholders
  • Edited asynchronously across tools
  • Approved informally (Slack, email, verbal)
  • Published

At no point is there a single, definitive answer to:

  • Who owned the statement
  • Who verified the data
  • Who authorized publication
  • What evidence supported the decision

This creates what governance research describes as a diffusion of responsibility problem. The structural risks that emerge from these workflows are well documented.

The Institute of Internal Auditors defines governance as requiring three elements: accountability (to stakeholders for oversight), actions (managing risk through decision-making), and assurance (independent audit providing clarity and confidence) (IIA, 2020). Most executive workflows deliver only one: action.

Everything else is implied.


The Executive Accountability Model

To close the gap, approval must be restructured as a system of accountability.

Not more steps. Not more reviewers.

More structure.

1. Approval Ownership

Every executive communication must have a single accountable owner.

Not a group. Not a thread. Not “legal + comms.”

A named individual.

ISO 27001 Clause 5.3 requires top management to assign and communicate organizational roles, responsibilities, and authorities for information security. Annex A 5.2 requires every information asset to have a designated owner responsible for its protection (ISO 27001:2022; Annex A 5.2). Executive public statements qualify as information assets.

Ownership is not about authorship. It is about liability.

If the statement is wrong, who answers for it?


2. Role-Based Responsibility

Approval authority must be tied to roles, not relationships.

COSO requires organizations to establish clear reporting lines, authority structures, and mechanisms to hold individuals accountable for their internal control responsibilities (COSO, 2013). The G20/OECD Principles of Corporate Governance require “clear lines of responsibility and accountability throughout the organisation” (OECD, 2023). Without this, shadow approvals emerge.

Examples:

  • General Counsel approves regulatory exposure
  • CISO verifies security claims
  • Investor Relations validates market-sensitive statements
  • Communications ensures clarity and positioning

Each role has a defined scope. Each decision has a defined owner. No overlap. No ambiguity.


3. Audit Traceability

Every approval must be recorded, time-stamped, and attributable.

NIST SP 800-53 requires system-wide audit trails compiled from audit records and time-correlated within an organization-defined tolerance to enable reconstruction of past events (NIST, 2020). SEC Rule 17a-4 requires preservation of all business communications “and any approvals thereof” (SEC Rule 17a-4).

This means:

  • Version history
  • Identity of approver
  • Timestamp
  • Content snapshot at time of approval

If an approval happens on WhatsApp, it does not exist.

If it cannot be reconstructed, it did not happen.
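
One way to make the four elements above reconstructable is a hash-chained approval log, shown here as an added example that is not Doovo's code or part of the original article. The field names, the `post-17` identifier, the example.com approvers and the sample statements are constructed for illustration.

```python
import hashlib, json

GENESIS = "0" * 64  # "prev" value for the first entry

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def record_approval(log, post_id, version, content, approver, role, ts):
    """Append an approval bound to the exact content and to the previous entry."""
    entry = {
        "post_id": post_id, "version": version,
        "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
        "approver": approver, "role": role, "timestamp": ts,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log):
    """Return the index of the first altered entry, or -1 if the log is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or _digest(body) != e["entry_hash"]:
            return i
        prev = e["entry_hash"]
    return -1

def who_approved(log, post_id, published_text):
    """Approvals whose recorded snapshot matches the text that was published."""
    if verify_chain(log) != -1:
        raise ValueError("audit log failed integrity check")
    h = hashlib.sha256(published_text.encode()).hexdigest()
    return [(e["approver"], e["role"], e["timestamp"]) for e in log
            if e["post_id"] == post_id and e["content_sha256"] == h]

def build_sample_log():
    """Constructed sample: the text is edited after the first approval."""
    log = []
    record_approval(log, "post-17", 1, "Q3 platform uptime was 99.99%.",
                    "ciso@example.com", "CISO", "2025-01-10T14:00:00Z")
    record_approval(log, "post-17", 2, "Q3 platform uptime was 99.9%.",
                    "gc@example.com", "General Counsel", "2025-01-10T15:02:00Z")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(who_approved(log, "post-17", "Q3 platform uptime was 99.9%."))
```

The chain is only tamper-evident if the latest `entry_hash` is also kept somewhere the log's writer cannot rewrite, and the approver field is only as trustworthy as the authentication behind it.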


4. Decision Attribution

Approval is not enough. The rationale must be documented.

This is the missing layer.

Columbia Law School and Bank for International Settlements research identifies what they call “the accountability stack” — existing fines for misconduct are borne by shareholders rather than the executives who presided over it, giving the impression of immunity at the top. They recommend “statements of responsibility” and “accountability mapping” to close this gap (CLS Blue Sky / BIS, 2023).

Decision attribution answers:

  • What data supported this claim
  • What assumptions were made
  • What risks were considered

Without this, executives have no defense.

Only exposure.


Case Studies: Where Approval Failed

Tesla (2018–2019)

  • CEO tweets moved markets
  • No pre-approval system existed. The SEC separately charged Tesla for “failing to have required disclosure controls and procedures relating to Musk’s tweets”
  • Settlement required $40 million in combined penalties ($20M Musk, $20M Tesla), removal of Musk as Chairman, and mandatory pre-approval controls (SEC, 2018)
  • Even after implementation, the SEC revealed Musk had not sought pre-approval for a single tweet, triggering a contempt motion (SEC, 2019)

Lesson: Approval systems without enforcement fail.


Netflix (2013)

  • CEO disclosed key streaming metric (1 billion hours) via personal Facebook
  • Channel not designated for investor disclosure. No press release, company website post, or Form 8-K accompanied the post
  • SEC issued a Report of Investigation establishing that social media is valid for disclosure only if investors are pre-alerted to which channels will be used (SEC, 2013)

Lesson: Approval includes channel governance, not just content review.


DraftKings (2024)

  • PR firm posted material nonpublic information about “really strong growth” via CEO’s personal X and LinkedIn accounts
  • Content reviewed internally. The company had a Regulation FD policy
  • CEO’s personal channels not designated as disclosure channels
  • Result: Reg FD violation and $200,000 civil penalty (SEC, 2024)

Lesson: Review is not the same as accountability.


Wall Street Off-Channel Enforcement (2021–2025)

  • Executives and employees used personal devices for business communication
  • No record keeping or traceability
  • Over $3 billion in cumulative SEC and CFTC fines across more than 70 firms, including JPMorgan ($200M), Goldman Sachs ($150M), Morgan Stanley ($125M), and others (SEC, 2022; SEC, 2024; SEC, 2025)

Lesson: If communication escapes the system, accountability disappears.


The Trust Consequence

This is not just a compliance issue.

It is a trust issue.

  • 70% of respondents globally worry that business leaders purposely mislead them by saying things they know are false or gross exaggerations — up 12 points since 2021 (Edelman, 2025)
  • Only 51% trust CEOs in general — compared to 69% who trust “my CEO,” creating an 18-point credibility gap between proximate and distant executive communicators (Edelman, 2024)

Trust is not declining because leaders communicate more.

It is declining because organizations cannot prove how those communications are governed.

Stakeholders are no longer asking: “What did the CEO say?”

They are asking: “How did that statement get approved?”


The Rise of Compliance Theater

In response, many organizations build visible processes that do not change outcomes.

  • Approval checklists
  • Workflow tools
  • Documentation templates

But when pressure hits:

  • Approvals move to Slack
  • Decisions happen verbally
  • Audit logs are incomplete

Governance exists on paper.

Execution happens elsewhere.

This is compliance theater.

Gartner predicts 80% of data and analytics governance initiatives will fail by 2027 due to a lack of real or manufactured crisis to drive adoption (Gartner, 2024). Most fail because they optimize for appearance, not enforcement. The reasons most executive thought leadership programs fail follow the same pattern.


The Implication: Executive Communication Is Now a Control System

The shift is already happening.

Regulators are expanding the definition of material information. Enforcement is increasing. Executives are being held personally accountable. PwC’s 2025 Corporate Directors Survey found that 78% of directors say board assessments do not capture the full picture of board performance, and more than half say at least one colleague should be replaced — the highest level in the survey’s history (PwC, 2025).

At the same time:

This creates a new requirement:

Executive communication must operate like a governed system.

Not a workflow. Not a process. A system. The compliance control layer defines the architecture that makes this possible.


Key Takeaways

  • Most organizations cannot prove who approved executive content, creating a structural accountability gap.
  • Regulatory frameworks already require traceable, attributable communication controls.
  • Approval workflows fail when ownership, traceability, and decision attribution are missing.
  • Enforcement actions consistently show that policies without enforcement are ineffective.
  • The next generation of executive communication systems will be defined by accountability, not speed.

Conclusion

The question is no longer whether executive communication is regulated.

It is.

The question is whether your organization can answer, with evidence:

Who approved this post?

If the answer is unclear, the risk is not theoretical.

It is already being enforced.


That is the system Doovo is building. As the governance model establishes, executive influence is not a channel — it is a governed system that requires the same rigor as security and finance.


And the organizations that solve this first will not just reduce risk.

They will define the standard.


For a comprehensive view of how executive thought leadership connects to governance, security, and compliance, see the Executive Thought Leadership Guide.
