Marentis Labs

Governance Risk Management Strategy

The 19 Per Cent Problem: Where Governance Failures Actually Come From

Four in five severe governance failures originate outside internal controls, in strategy and external risk. The $72 billion GRC market is built for the other 19%.

Owen Vallis · June 2026 · 6 min read

Four in five severe governance failures originate outside internal controls.

The finding comes from the ERM Report 2025, published by the Institute of Financial Services Zug (IFZ) at the Lucerne University of Applied Sciences and Arts. The six-year study examined 669 listed companies across Germany, Austria and Switzerland between 2018 and 2024. Researchers identified 471 crisis events, defined as a monthly share price decline of 25% or more, in the 213 companies that suffered at least one. They then classified each event by root cause using the three-category risk taxonomy established by Kaplan and Mikes (2012), a framework now used widely across enterprise risk management.

Of the 395 events the researchers could classify, strategy risks caused 40.8%. External risks caused 40.0%. Preventable internal risks, the compliance failures, reporting errors and operational breakdowns that enterprise risk frameworks exist to catch, caused 19.2%.

Where severe governance failures originate. Strategy risk 40.8%, External risk 40.0%, Preventable internal risk 19.2%. The 81% strategy-plus-external share is largely ungoverned, while the 19.2% preventable category is the one the $72bn GRC market is built to address.
Source: Hunziker et al., ERM Report 2025, Institute of Financial Services Zug (IFZ), Lucerne. 395 classified crisis events across 213 DACH-listed companies, 2018 to 2024.

The $72 billion market does the right job for the wrong category

The global GRC market is worth approximately $72 billion and growing at 13% a year. The investment covers risk frameworks, compliance programmes, GRC platforms, internal audit functions and control assurance. Almost all of it addresses the 19.2% category.

That precision reflects good design. Preventable internal risks carry no strategic upside, so the correct response is to eliminate them through controls and carry no residual exposure. A compliance programme catches a reporting error. A fraud control stops misappropriation. An audit process validates the accounts. Each does exactly what it should.

The problem is one of proportion. When a board concentrates its governance investment on the category behind 19% of severe crises, the remaining 81% is covered only to the extent that existing structures happen to reach it. For most boards, that is most of what actually goes wrong.

Capital allocation carries the single highest documented crisis risk

Strategy risks drove 40.8% of classified crises. Within that category, capital allocation and M&A was the largest single subcategory, at approximately 18% of classified events. One subcategory of strategy risk almost matches the entire preventable-risk category that the $72 billion market is built to address.

Boeing’s 737 MAX certification shows how this category materialises. Every governance component was in place: committees, documented approvals, sign-off procedures. Each decision in the chain was individually defensible. The risk sat in the accumulated assumptions behind the aircraft’s safety case, reviewed sequentially across multiple governance cycles with no function mandated to interrogate them before the aircraft entered service.

Research on defensive decision-making explains why the pattern recurs. In group decisions with career consequences, people choose the defensible option over the correct one when raising a concern carries personal risk. A structure that permits challenge produces it only from individuals willing to absorb that risk. A structure that requires challenge produces it systematically, whatever the temperament of the people in the room. Strategy risk at 40.8% reflects, in part, how rarely the second kind of structure exists.

External risk reached almost the same share, and went largely ungoverned

External risks drove 40.0% of classified crises. The largest concentration was macroeconomic and financial volatility, inflation, interest rates and energy costs, prominent during the 2022 rate-tightening and energy shock.

Silicon Valley Bank illustrates the failure mode. The risk committee met on schedule, the frameworks were current, the reporting was in order. What accumulated uncontested was the assumption that the rate environment underpinning the bank’s balance sheet would hold. When the fastest tightening cycle in forty years arrived, the exposure that had been building for months had no governance function positioned to interrupt it.

Continuous stress-testing of assumptions against the external environment is a different function from monitoring exposure against pre-set limits. The risk committee does the second. The first, operating across board cycles with a mandate to challenge assumptions the board has already approved, is the one most boards have never built.

The cost gap between the two governance types is permanent

Two years after a severe crisis, affected firms in the study had returned to roughly 103% of their pre-crisis share price. The broader DACH market reached about 115% over the same period.

The 12-point gap does not close. Crisis-hit firms spend their recovery returning to zero in real terms while the market compounds the growth they are missing. Add the initial value destruction, the management attention absorbed by remediation, and the regulatory scrutiny that follows a public failure, and the total cost runs well above what the share-price chart shows. For the 81% of crises driven by strategy and external risk, that is the price of a governance architecture built for a different category.

Three features of a governance function that covers all three categories

A function able to govern strategy and external risk alongside preventable internal risk has three structural features that a compliance architecture lacks.

The first is a cross-board mandate. Strategy and external risk cross committee lines. A capital allocation decision in one domain interacts with external conditions in another, and a function confined to a single committee’s terms of reference cannot see those interactions.

The second is continuity. The study found that crisis events cluster in the third quarter, particularly September, driven by half-year results and guidance revisions. The accumulation that produces those disclosures develops across the preceding quarters. Observing it needs sustained presence across board cycles. Periodic review captures only what has already formed.

The third is an adversarial orientation. A board that approved a strategy is positioned to defend its assumptions, for the same reasons defensive decision-making is predictable in groups. The function that challenges those assumptions needs independence from the consensus that formed them, and a standing mandate that makes challenge a duty.

From the SGaaS White Paper

A governance function for all three risk categories

The white paper develops the full evidence base behind these findings and the four-tier SGaaS delivery architecture for a governance function designed to cover strategy and external risk alongside the preventable internal category.


Owen Vallis is the founder of Marentis Labs, the firm that originated Strategic Governance as a Service. He spent ten years as UK Head of Fiduciary Risk Management at Credit Suisse and holds active board roles in the public and charity sectors.