Why two decades of compounding governance investment has not closed the gap on strategic risk. The three defects identified in the Strategic Governance as a Service research are diagnostic, not editorial: each is a feature of how governance is designed, not how it is performed.
Across 669 listed companies in Germany, Austria, and Switzerland between 2018 and 2024, 32% suffered at least one severe corporate crisis — defined as a monthly share-price decline of 25% or more. Over 80% of those events were driven by strategy and external risks, not by compliance failures.1
The diagnosis below is taken directly from the paper. The three structural defects are defects of architecture, present in organisations with well-resourced governance functions and highly competent boards, because they are products of how governance is designed rather than how it is performed.2
Boards engage with risk on periodic cycles, through quarterly risk reports, annual strategy reviews, and scheduled committee meetings. But risks do not evolve on quarterly cycles. The result is governance by snapshot rather than by signal, i.e. boards see the risk environment as it was at the last reporting date, not as it is when decisions are made.
The cognitive argument is reinforced by a market pattern. Hunziker et al. analysed 471 severe share-price declines of 25% or more across Germany, Austria, and Switzerland between 2018 and 2024 and found that they cluster on the reporting calendar. The heaviest months were September (70 events), June (57), and October (56).3
The authors' interpretation: event risk clusters around reporting cycles and is often triggered by corporate announcements. The implication for governance is sharper than the statistic. Material risk does not crystallise on the reporting rhythm; its public recognition does. Boards whose engagement with risk is indexed to the same rhythm learn of material exposures at roughly the moment the market does, with no advantage of foreknowledge and no window in which to act.
Board decision-making is structurally biased toward satisficing; accepting the first option that achieves group agreement rather than stress-testing for the most resilient path. This is a predictable consequence of bounded rationality operating in a group setting, compounded by what Kahneman, Sibony, and Sunstein identify as "noise"4 — the variability in professional judgement that even qualified decision-makers produce under identical conditions.
The pattern recurs through every case study examined in the paper.5 In each, a prevailing narrative was maintained by consensus long after evidence to the contrary was available:
In each case, the prevailing narrative was maintained by consensus long after evidence to the contrary was available. "The aircraft is safe." | "The company is a fintech success." | "The bank's model is sound." | "The new leadership will restore discipline." | "The system is robust."
The paper's diagnosis is direct: consensus is not inherently dangerous, but without a structured mechanism for challenge, consensus becomes the means by which organisations convince themselves that what is comfortable is also true.5
No permanent function exists within most governance architectures whose explicit purpose is to challenge assumptions, stress-test decisions, and surface failure modes before they materialise. Internal audit, the function nominally positioned for this role, spends 75% of its capacity on routine assurance and compliance.6 Risk management functions face ever-increasing funding constraints for emerging-risk identification, consuming their bandwidth on business-as-usual monitoring and regulatory reporting.7 Neither has the mandate, the capacity, or the methodology to act as a continuous, adversarial challenge function at board level.
The Three Lines Model, updated by the Institute of Internal Auditors in July 2020, remains the dominant governance architecture in medium-to-large organisations.6 It defines ownership of risk across the organisation, establishes the principle of independent assurance, and provides a common language for governance architecture. It is, however, a model designed for assurance: providing confidence that controls are operating and risks are being managed.
What it was not designed for, and does not provide, is a resilient mechanism for continuous, adversarial challenge of strategic decisions and governance architecture at board level. Between these lines, in the space where continuous, adversarial, forward-looking challenge of governance and strategy should occur, there is a structural gap. The gap is architectural.8
| Line | Function | Empirical reality (paper) |
|---|---|---|
| Line 1Operational management | Owns and manages risk in the conduct of day-to-day business activity. Risk identification at the point of origination. | Focused on execution. |
| Line 2Risk & compliance | Specialist oversight; framework design and policy. Independent in reporting line. | 73–75% report funding constraints for emerging-risk identification and advanced monitoring.7 |
| Line 3Internal audit | Independent assurance over the effectiveness of governance, risk management, and internal controls. | 75% of capacity on routine assurance.6 Only 23% of functions received budget increases in 2025, down from 34% the year before.9 |
| The gapContinuous adversarial challenge | No standing role within the formal governance architecture. | The architectural gap the paper identifies.8 |
The paper's conclusion is direct. The three defects are defects of architecture, present in organisations with well-resourced governance functions and highly competent boards, because they are products of how governance is designed rather than how it is performed.2
Strategic Governance as a Service is the structural response: it replaces episodic oversight with continuous engagement, consensus dependency with adversarial challenge, and the absence of institutionalised challenge with a permanent, principal-led governance function that operates at board level.10
The interactive above is one of seven drawn from the 90-page Strategic Governance as a Service research paper. Download the full paper or schedule a confidential conversation.