Boards that ask these questions early are far more likely to detect problems before they escalate.
Assurance Failure: What the Board Missed

Why Do Oversight Gaps Persist Even With Good Governance on Paper?
Many organisations have well-documented governance frameworks, detailed risk registers, and annual assurance plans. On the surface, these structures suggest that effective oversight is in place. Yet assurance failures continue to emerge, sometimes with severe consequences for stakeholders, reputations, and financial health.
If governance frameworks are meant to prevent these failures, why do they still happen? And more importantly, how can non-executive directors (NEDs) spot the warning signs before issues escalate?
This article explores the hidden weaknesses in assurance systems, why oversight often breaks down despite formal processes, and how boards, especially NEDs, can play a more proactive role in safeguarding against failure.
What Is Assurance, and Why Does It Matter?
Assurance gives stakeholders confidence that the organisation is managing risks effectively, complying with legal and regulatory requirements, and achieving its objectives. It is delivered through various mechanisms, including internal audit, compliance reviews, risk reporting and external audit.
Effective assurance is not a one-off activity or a checklist. It requires ongoing attention, strong leadership and a culture that encourages transparency and challenge.
Governance on Paper: A False Sense of Security
Boards often take comfort in the existence of policies, frameworks, and formal reports. Assurance maps, risk dashboards and internal audit plans may create the impression of control. But assurance that exists only on paper does little to prevent or detect real-world issues.
Organisations with high-profile failures have often had formal governance in place. The problem lies not in the absence of process, but in the absence of effective challenge, critical thinking and cultural alignment.
Common Weaknesses That Undermine Assurance:
- Checklist Mentality
Risk and assurance reports are reviewed as routine rather than scrutinised for insight. Meetings focus on form over substance.
- Overconfidence in Management
The board accepts updates at face value, without pressing for independent views or validating management’s assessments.
- Heavy Reliance on Internal Audit
There is an assumption that internal audit will catch everything, despite its limited scope and reliance on sampling.
- Risk Appetite Misalignment
The stated risk appetite of the board may not reflect actual decision-making or the level of risk being taken across operations.
- Marginalised Second Line
Risk and compliance functions may lack influence, independence or visibility, undermining their effectiveness.
Warning Signs: How Assurance Breaks Down
Red flags usually appear long before a major incident, but boards may overlook them due to assumptions, information overload or lack of challenge.
1. Vague or Inconsistent Reporting
Risk updates that rely on subjective language – “adequate”, “under review”, “on track” – can obscure problems. A lack of trend data or benchmarking makes it hard to assess progress.
What to do:
Ask for specifics. Insist on clear metrics, risk trajectories and explanations for changes. Challenge the presentation format if it limits your ability to assess performance.
2. Underpowered Risk and Compliance Teams
If the second line of defence is small, underfunded or frequently reorganised, it raises questions about the organisation’s commitment to independent oversight.
What to do:
Request information on resourcing, independence and escalation rights. Ensure these teams have direct access to the board or its committees.
3. Perfect Assurance Reports
A board pack full of green ratings and minimal issues can be a red flag in itself. Problems may be filtered out, reframed, or simply not escalated.
What to do:
Ask about what did not go well. Request information on near misses, emerging risks, and areas not yet covered by assurance work.
4. Audit Findings Without Follow-up
Repeated issues, delayed responses or lack of evidence that recommendations are implemented point to weak accountability.
What to do:
Track implementation progress. Ask for assurance that actions are embedded, not just recorded as complete.
5. Limited Challenge in the Boardroom
A lack of dissent or probing questions may signal groupthink. Assurance is weakened when board conversations avoid discomfort or complexity.
What to do:
Encourage open challenge. Create space for alternative views, especially on risk-related matters. Consider inviting external advisers or internal experts to stress-test the board’s thinking.
When Governance Fails Despite the Framework
Case 1: Financial Services and Cybersecurity
A regulated firm experienced a serious data breach. Despite cyber risk being a known issue and included in board reports, investment was repeatedly deferred. The assurance process flagged the risk, but it was neither prioritised nor challenged with urgency.
Key lesson: Assurance findings must be acted on, not simply acknowledged.
Case 2: Healthcare and Safety Culture
A large care provider passed multiple audits and reported high compliance. However, staff feared retaliation for raising safety concerns, and reporting systems were routinely bypassed. Cultural issues prevented assurance processes from surfacing the truth.
Key lesson: Assurance that ignores cultural realities is incomplete and potentially misleading.
Proactive Steps for Stronger Board Assurance
Boards must shift from passive receipt of assurance information to active engagement with the system itself. NEDs, with their independence and external perspective, are well-placed to lead this shift.
Cross-Check Information from Multiple Sources
Look for consistency between audit results, staff feedback, regulatory interactions and operational performance. Discrepancies should be investigated, not ignored.
Explore Risks in Depth
Select high-risk areas for deep dives. Topics like data privacy, supply chain integrity or regulatory compliance deserve dedicated attention beyond summary reporting.
Treat Culture as a Risk
Soft indicators, such as staff morale, turnover, whistleblowing rates and survey results, can reveal as much as audit outcomes. Culture audits and leadership behaviour reviews are useful tools.
Strengthen Committee Structures
Ensure the audit and risk committees are adequately skilled and resourced. Their remit should include both oversight and assurance system design.
Learn from Incidents
Review failures at peer organisations and assess how similar risks are managed internally. Use internal incidents, even minor ones, as opportunities to test the assurance framework.
Closing the Assurance Gap
When assurance fails, it is rarely due to a single oversight. More often, it reflects a gradual erosion of challenge, independence and connection between reported risks and actual conditions. The board’s role is not just to receive assurance, but to test its foundations.
Good assurance helps a board see clearly – across complexity, through uncertainty and beyond organisational optimism. Poor assurance hides reality behind well-formatted documents and polished presentations.
Boards that succeed in this space tend to do three things consistently:
- Challenge without fear or favour
- Seek triangulated insight from multiple perspectives
- Stay curious about what lies beneath the surface
NEDs are not there to rubber-stamp. They are there to ask, listen, test and, when needed, push back. Doing so is not just part of good governance; it is central to preventing failure.
Summary Checklist for NEDs: Spotting Assurance Weaknesses
- Are risk and assurance reports clear, specific and consistent?
- Is the second line of defence properly resourced and independent?
- Are audit findings followed up with meaningful action?
- Does the board encourage and accommodate dissenting views?
- Are culture and behavioural risks given as much attention as financial or operational ones?
- Are you hearing about risks from more than one source?