The global governance, risk, and compliance market is worth around $72 billion and growing at 13% a year. The failure rate has barely moved.
That gap is structural. The standard diagnosis of governance failure misses the cause.
Most boards have accepted the same diagnosis. Governance fails because organisations lack the right frameworks, the right reporting, or the right oversight mechanisms. The response has been to add more of all three. Compliance stacks have grown. GRC platforms have proliferated. Audit and risk committees have expanded their remits. And the failures have continued, in regulated financial services, in technology, in manufacturing, in the public sector, at precisely the scale and frequency you would expect if none of those interventions addressed the actual cause.
Crowe’s 2026 analysis of ERM implementation for COSO found that enterprise risk management has become, in the majority of organisations, a compliance exercise. The risk function produces reports. The board receives them. Whether the board is actually governing is a different question, and one that most boards never ask themselves.
The market is treating the symptom
Hunziker and colleagues examined 669 listed firms across Germany, Austria, and Switzerland between 2018 and 2024. Of those that suffered a severe value-destroying event, more than 40% were driven by strategy risk and external factors, outside the scope of any GRC programme. The risks that destroyed value sat outside the perimeter of the governance framework.
The ERM research names the mechanism. “What’s Wrong with Enterprise Risk Management” identifies seven failure modes in ERM implementation, almost all invisible to the frameworks designed to prevent them. The frameworks measure what they were built to measure. The failures happen in the gaps.
Three defects no framework can fix
Governance fails for three structural reasons. Each is architectural. Adding another process layer solves none of them.
The first defect is episodic engagement. The governance cycle is periodic. The board meets quarterly. The audit committee reviews the risk register every six months. Reporting arrives on a schedule. Risk accumulates continuously. It develops in the intervals between board meetings, accumulates during the quarters when governance is not in session, and surfaces as a crisis when the gap between the last review and the current reality has grown too wide.
The Post Office Horizon scandal is the most extensively documented example of this failure mode. The board received periodic reports. Internal governance processes were followed. The problem ran for more than a decade in the intervals between reviews, visible in the data, invisible to the governance architecture.
The second defect is consensus dependency. The board is a group. Groups converge on consensus. Research by Sutherland and Gigerenzer on group decision-making under conditions of career consequence shows that participants systematically prefer a defensible wrong decision over a correct one that requires taking a visible stand. This is a property of how committees work when the people on them have reputational stakes in the outcome. The cause is structural.
Boeing’s 737 Max sign-off illustrates the mechanism precisely. The governance architecture had committees, sign-off processes, and documented approvals. No one held a mandate to say no independent of the consensus already formed. The sign-off was the predictable output of a consensus-dependent structure. Process worked exactly as designed.
The third defect is the absence of institutionalised challenge. Challenge in most governance frameworks is informal, intermittent, and structurally dependent on individual willingness to raise concerns. Permission to challenge is built into the architecture; the obligation to challenge is left to individuals. The distinction matters. A structure that permits challenge will produce it occasionally, from individuals with sufficient standing and willingness to absorb the consequences. A structure that requires challenge will produce it systematically, regardless of who holds the roles.
At Silicon Valley Bank, the risk committee met. The risk frameworks existed. Management produced the reports. No function held the mandate and independence to challenge the assumptions behind the duration mismatch with sufficient conviction to change the outcome. Nobody had built that challenge function into the architecture.
Infrastructure and function are not the same thing
Most organisations have built governance infrastructure. Few have built a governance function. That requires a continuous, independent challenge capacity with a mandate that does not depend on individual willingness, committee consensus, or the approval of the people whose decisions it is challenging.
The infrastructure creates the appearance of governance. The function creates governance.
This is the distinction Crowe’s COSO analysis identifies as the gap between ERM as compliance and ERM as strategic operating system. The compliance version produces artefacts: reports, registers, sign-offs, policy acknowledgements. The operating system version produces decisions. Organisations that have built the infrastructure and called it a function share the same structural vulnerabilities as the Post Office, Boeing, and SVB: periodic reporting, consensus dependency, and no independent challenge capacity operating in the intervals between board sessions.
The response is architectural. Adding a new framework, a new committee, or a new reporting line addresses none of the three structural defects. A governance function requires scope, continuity, independence, and a mandate to challenge.
From the SGaaS White Paper
The full argument, the evidence base, and the four-tier delivery architecture
The white paper develops each structural defect in full, with the academic evidence base, case studies from the regulatory record, and the SGaaS architecture that addresses episodic engagement, consensus dependency, and absent challenge capacity directly.
Owen Vallis is the founder of Marentis Labs, the firm that originated Strategic Governance as a Service. He spent twenty years as a Group Chief Risk Officer across Credit Suisse, JP Morgan, SICO Bank, and Morgan Stanley, and holds active board roles in the public and charity sectors.