By Dr Ramesh Shanmuganathan
In a world shaped by digital systems, real-time decisions, and interconnected ecosystems, governance, risk, and compliance can no longer be treated as static corporate functions. They now sit at the heart of how organizations operate, how accountability is exercised, and how trust is sustained. The real challenge for boards today is not whether GRC frameworks exist, but whether they are strong enough to govern the organization as it truly functions.
Why boards must strengthen oversight across systems, controls, culture, and accountability
There was a time when governance, risk, and compliance could be discussed as distinct disciplines.
Governance was about structure, authority, and stewardship. Risk was about identifying threats and reporting exposures. Compliance was about adherence to policy, regulation, and standards. Each had its own rhythm, its own language, and often its own reporting channels. For many years, that model was sufficient. Organizations were more linear, operating environments were more contained, decision pathways were easier to trace, and the line of sight from policy to execution was far clearer than it is today.
That world has changed.
Today, organizations operate through digital systems, interconnected platforms, third-party ecosystems, remote teams, automated workflows, and data-driven decision environments that move with extraordinary speed. Authority is not exercised only through formal reporting lines. It is exercised through permissions, system roles, access rights, integrations, overrides, and control configurations. Risk does not accumulate only in balance sheets or operational logs. It accumulates quietly in exceptions, in fragmented accountability, in unmanaged dependencies, in poorly governed access, and in the widening gap between how leadership believes the organization works and how it actually works in practice.
That is why I believe the traditional framing of governance, risk, and compliance is no longer enough.
In a digitally enabled organization, GRC cannot be treated as a set of adjacent functions. It must be understood as a single, integrated discipline of institutional stewardship. It is not merely about satisfying oversight obligations. It is about ensuring that the organization remains coherent, controlled, resilient, and worthy of trust in an environment where complexity is rising faster than many control models are evolving.
To me, this is one of the defining leadership challenges of our time. The organizations that will endure will not simply be those with the most ambitious growth strategies, the most advanced technology stacks, or the most impressive innovation agendas. They will be the ones that understand that scale without control is fragility, and that digital progress without disciplined governance can create as much exposure as opportunity.
The question, then, is not whether governance, risk, and compliance still matter. It is whether boards and executive teams are prepared to rethink what those terms now mean.
The governance challenge has changed
One of the greatest mistakes organizations can make is to assume that governance has kept pace simply because governance structures still exist.
Most organizations today have boards, committees, delegations of authority, policies, control frameworks, audit mechanisms, and reporting routines. On the surface, this can create a reassuring picture. It suggests order. It suggests discipline. It suggests that oversight remains firmly in place. But in many cases, that assurance is more formal than real.
The truth is that the governance challenge has changed far more profoundly than many institutions admit.
In earlier operating models, governance often relied on slower cycles and more tangible control points. Processes were less distributed, approvals were easier to follow, manual checks played a larger role, and leadership could often understand exposure through a relatively stable chain of responsibility. Today, much of that certainty has been displaced. Actions can be triggered automatically. Approvals can be embedded in systems rather than conversations. Exceptions can be processed through digital pathways. Sensitive data can be accessed, moved, replicated, or altered at speed. Third parties can operate inside core environments. Privileged users can hold levels of influence that are not always visible through formal hierarchy. And all of this can happen beneath the surface of reassuring governance language.
That is why boards need to ask a far more difficult question than they once did: are we governing the organization we think we have, or the organization that actually exists?
That distinction matters deeply.
An organization may appear well governed because its frameworks are well articulated. But if real authority is increasingly exercised through systems, if critical decisions are increasingly shaped by digital workflows, and if control effectiveness depends more on configuration than on stated process, then governance must move far closer to the operational reality of how the enterprise functions.
This, to me, is where modern board leadership must become more exacting. Governance can no longer be assessed only by whether the right structures are present. It must be assessed by whether those structures retain real influence over an organization that has become faster, more distributed, and far more dependent on digital architecture than many legacy oversight models anticipated.
In this new environment, governance is not static stewardship. It is active interpretation. It requires boards to look beneath the surface of process and understand how systems, incentives, access, and accountability interact in practice. That is a very different challenge from simply reviewing reports and receiving assurance. It demands sharper questions, deeper curiosity, and greater willingness to test whether form has quietly drifted away from substance.
Exposure is not only external. It often sits inside the organization
Organizations are naturally drawn to visible external threats. External risks are easier to narrate. They are easier to rally around. They fit the familiar story of the institution defending itself against outside pressure, outside attack, outside disruption.
But in my view, some of the most consequential exposures in modern organizations do not come from outside at all. They arise internally — not always from malicious intent, but often from weak discipline, diffuse accountability, overextended trust, or operating models that have outgrown their control architecture.
That is why I believe boards need to devote far more attention to internal exposure than many currently do.
Internal exposure is not limited to wrongdoing in its most obvious form. It includes the gradual normalization of workarounds. It includes the accumulation of access that no longer reflects genuine need. It includes poorly governed exceptions that become permanent because the business becomes dependent on them. It includes the unchallenged influence of technical teams, business leaders, or third parties who hold operational power beyond what leadership fully appreciates. It includes the quiet erosion of standards when speed, performance, or convenience begins to trump control discipline.
This is often how serious breakdowns begin. Not with a dramatic breach, but with a series of tolerated weaknesses that, over time, reshape the control environment from the inside.
I have long believed that one of the hallmarks of mature leadership is the willingness to confront this honestly. It is easy to discuss resilience when the threat is external. It is harder to discuss resilience when the vulnerability may lie in the culture, the control design, the access model, or the organization’s own habits. But that is precisely why it matters.
Strong organizations do not assume that trust alone will hold the enterprise together. Nor do they assume that people, because they are capable or long-serving or well regarded, somehow sit outside the need for disciplined control. Quite the opposite. Mature organizations recognize that risk is often created where familiarity reduces scrutiny. Where people are trusted most, processes are sometimes challenged least. And where technical capability is concentrated, governance can become reluctant to intrude.
To me, this is one of the most important shifts boards must make. They must stop seeing internal exposure as secondary to external threat. In many cases, it is the deeper and more strategically significant issue, because it speaks directly to whether the organization can trust its own architecture of authority, control, and accountability.
Governance must move from reporting to real oversight
There is a difference between being informed and exercising oversight.
That may sound obvious, but many organizations still blur the two. Boards receive thick packs, dashboards, risk summaries, audit updates, compliance attestations, and management commentary. The volume of information can be considerable. Yet the presence of reporting should never be confused with the presence of control.
Real oversight is something more demanding.
It requires the ability to distinguish between signal and noise. It requires the willingness to probe beyond polished summaries. It requires an understanding of where management confidence may be overstated, where unresolved issues may be masking deeper weakness, and where the organization's formal narrative may be more mature than the operating reality underneath it.
In other words, governance has to become more forensic.
This does not mean boards should drift into management. It means they must become more precise in how they challenge it. Too often, GRC reporting still emphasizes completeness over clarity. It shows coverage, status, heat maps, and remediation trackers, but not always the deeper patterns that reveal whether the environment is strengthening or eroding. A board can review many pages of information and still miss the single question that matters most: where, in practical terms, is the organization easier to exploit than we are comfortable admitting?
To me, that is the mindset shift. Governance must evolve from reviewing activity to interrogating exposure.
This means understanding not just whether policies are current, but where exceptions are growing. Not just whether controls are documented, but where they are bypassed in practice. Not just whether issues are open, but why similar issues recur. Not just whether risk is mapped, but whether accountability for managing that risk is truly clear. Not just whether remediation exists, but whether the speed and seriousness of remediation reflect the real gravity of the issue.
The strongest boards, in my view, are not necessarily the ones with the most elaborate reporting. They are the ones with the clearest sense of where the organization is vulnerable, where management may be too comfortable, and where oversight must become more direct.
That is the essence of real governance. It is not passive receipt. It is active discernment.
Technology is now part of the control environment
If there is one point I would emphasize above all others, it is this: technology is no longer simply supporting the control environment. In most modern organizations, it has become part of the control environment itself.
That has profound implications.
For many years, technology could still be understood primarily as an enabler — a platform for efficiency, automation, connectivity, reporting, and scale. That remains true, of course. But today, technology does far more than enable business processes. It governs how those processes are actually executed. It determines who can access what, who can approve what, who can override what, who can move data, who can change system behaviour, and who can act without immediate visibility.
Once that is understood, the implications for governance become unmistakable.
Boards can no longer treat digital architecture as an operational detail sitting below the line of strategic oversight. Permissions, workflows, automated approvals, interfaces, exception logic, role design, audit trails, and privileged access arrangements are now part of the real architecture of power inside the organization. They shape control effectiveness in ways that board members do not need to manage directly, but absolutely do need to understand at a meaningful level.
This is especially important because one of the most common weaknesses in modern organizations is the gap between stated control intent and actual system capability. On paper, responsibilities may appear segregated. In reality, access paths may permit concentration of power. On paper, approvals may appear robust. In reality, override privileges or weak workflow configuration may allow those approvals to be bypassed. On paper, monitoring may appear comprehensive. In reality, logs may be incomplete, fragmented, or not meaningfully reviewed.
This is why I believe boards must become more comfortable asking technology-literate governance questions. Not because they must become technical experts, but because the integrity of the organization increasingly depends on what systems allow, restrict, record, or conceal.
A policy can assert discipline. A system can either uphold it or undermine it.
And in a digitally enabled enterprise, the system increasingly defines the truth of the control environment.
Segregation, access, and accountability still matter more than ever
For all the sophistication of modern operating models, some of the most powerful governance disciplines remain remarkably simple. That, to me, is one of the enduring lessons of control design.
No single individual should be able to dominate a critical activity from beginning to end without challenge. Access should exist for need, not convenience. Accountability should be clear, not implied. Exceptions should be managed consciously, not absorbed casually into business routine.
These principles are not old-fashioned. They are foundational.
In fact, I would argue that they matter more today precisely because organizations are more digital and more complex. The faster systems move, the greater the need for clear friction where it counts. The more automated workflows become, the more important it is to know where human oversight still sits. The more distributed authority becomes across systems and roles, the more vital it is to understand where control has concentrated in ways leadership may not fully see.
This is why segregation of duties remains such a critical discipline. It reduces the opportunity for misuse, concealment, and unchallenged error. It prevents too much power from sitting invisibly within one process, one role, or one group. Yet many organizations still compromise segregation more than they admit. They do so in the name of speed, specialist dependency, resource constraints, operational urgency, or simple habit.
The same is true of access discipline. Access tends to grow over time. Roles change, systems multiply, exceptions are granted, projects are launched, temporary rights become forgotten, and users accumulate influence they no longer truly need. Left unmanaged, this becomes one of the clearest signs of control drift in any institution.
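The gap between segregation on paper and segregation in practice is usually a matter of effective access: a role that looks harmless by name inherits other roles, and the combination is what matters. The following is an added illustration, not tooling from the author or any product named here; the role graph, user list, toxic-combination list and 90-day idle threshold are all constructed for the example. It resolves nested roles to effective permissions, flags users who hold a segregation-of-duties conflict through inheritance, and lists access that has gone unused long enough to count as drift.

```python
"""Effective-access review: nested roles, SoD conflicts and stale access.

Constructed example data. Role names, permission strings, users and the
toxic-combination list are hypothetical, chosen to show how a single
innocuous-looking role can concentrate power through inheritance.
"""
from collections import deque
from datetime import date

# Constructed role graph: role -> (directly granted permissions, inherited roles).
# "finance_admin" grants one permission directly but inherits two other roles.
ROLES = {
    "ap_clerk": ({"vendor.create"}, set()),
    "ap_approver": ({"payment.approve"}, set()),
    "finance_admin": ({"payment.release"}, {"ap_clerk", "ap_approver"}),
    "it_ops": ({"prod.ssh"}, set()),
    "break_glass": ({"prod.root"}, {"it_ops"}),
}

# Hypothetical toxic combinations: no single identity should hold all
# permissions in any one set (the classic create-vendor / approve / release chain).
TOXIC = [
    {"vendor.create", "payment.approve"},
    {"vendor.create", "payment.release"},
    {"payment.approve", "payment.release"},
]

# Constructed user directory with assigned roles and last observed login.
USERS = {
    "alice": {"roles": {"ap_clerk"}, "last_login": date(2024, 5, 2)},
    "bob": {"roles": {"finance_admin"}, "last_login": date(2024, 5, 1)},
    "carol": {"roles": {"ap_approver"}, "last_login": date(2023, 9, 1)},
    "contractor42": {"roles": {"break_glass"}, "last_login": date(2023, 6, 30)},
}


def effective_permissions(role, roles=ROLES):
    """Walk role inheritance breadth-first; the 'seen' set guards against cycles."""
    seen, perms, queue = set(), set(), deque([role])
    while queue:
        current = queue.popleft()
        if current in seen or current not in roles:
            continue
        seen.add(current)
        direct, inherited = roles[current]
        perms |= direct
        queue.extend(inherited)
    return perms


def user_permissions(user, users=USERS, roles=ROLES):
    """Union of effective permissions across every role assigned to the user."""
    perms = set()
    for role in users[user]["roles"]:
        perms |= effective_permissions(role, roles)
    return perms


def sod_conflicts(user, users=USERS, roles=ROLES, toxic=TOXIC):
    """Return each toxic combination the user can exercise end to end, in list order."""
    perms = user_permissions(user, users, roles)
    return [sorted(combo) for combo in toxic if combo <= perms]


def stale_access(users=USERS, today=date(2024, 5, 3), max_idle_days=90):
    """Users whose last login is older than the idle threshold: access that outlived need."""
    return sorted(
        user for user, data in users.items()
        if (today - data["last_login"]).days > max_idle_days
    )


def review(users=USERS, roles=ROLES, toxic=TOXIC, today=date(2024, 5, 3)):
    """One-shot review: SoD conflicts by user plus the stale-access list."""
    conflicts = {}
    for user in users:
        found = sod_conflicts(user, users, roles, toxic)
        if found:
            conflicts[user] = found
    return {"sod_conflicts": conflicts, "stale_access": stale_access(users, today)}


if __name__ == "__main__":
    # Expected: only "bob" has conflicts (all three, via finance_admin's inheritance);
    # "carol" and "contractor42" appear as stale.
    print(review())
```

On paper, bob holds one role. In effective terms he can create a vendor, approve its payment and release the funds alone, which is exactly the concentration the text warns about. The same walk is what a reviewer should demand from management instead of a list of role names.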
And then there is accountability, which is often spoken about but less often enforced with precision. Clear accountability means more than naming an owner. It means ensuring that ownership is matched by authority, visibility, and consequence. It means there is no ambiguity about who is expected to understand the control, maintain the control, challenge weaknesses in the control, and respond when the control is failing.
In my experience, control weakness rarely exists in only one of these domains. Where access is broad, accountability is often blurred. Where accountability is blurred, segregation is often compromised. Where segregation is compromised, monitoring often becomes more important precisely because prevention has weakened.
That is why boards must not treat these disciplines as technical details. They are the mechanics of institutional integrity.
Monitoring must become more intelligent, timely, and meaningful
The modern organization produces a vast quantity of information. Reports, alerts, logs, dashboards, exceptions, metrics, and control outputs are generated continuously. Yet the existence of data should never be mistaken for the existence of visibility.
That distinction matters enormously.
Many organizations have become very good at documenting activity and less good at interpreting what that activity is really saying. Monitoring, in too many cases, is still more static than intelligent. It tells leadership what has happened in defined categories, but not always what is changing beneath the surface. It can describe incidents without highlighting the weak signals that preceded them. It can confirm control activity without revealing control erosion.
This is why I believe monitoring needs to evolve.
In a digitally enabled environment, effective oversight requires more than periodic review. It requires the ability to identify unusual behaviour, repeated deviations, suspicious timing, unexplained concentration of activity, abnormal data movement, access anomalies, dormant accounts becoming active, repeated override patterns, and changes that do not align with normal control pathways. It requires not just aggregation, but interpretation.
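Several of the signals listed above can be derived directly from ordinary control logs rather than from periodic attestations. As an added example that is not the author's tooling, the code below runs three such checks over a handful of constructed audit lines: a dormant account becoming active again, repeated overrides by one user inside a short window, and privileged actions outside business hours. The log format, user names, thresholds and the "last seen" table are all hypothetical.

```python
"""Weak-signal detection over constructed audit-log lines.

Log format, actors, thresholds and the prior-activity table are all
constructed for illustration; no real system emits exactly these lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit events: ISO timestamp followed by key=value pairs.
LOG_LINES = [
    "2024-05-01T09:02:11Z user=alice action=login",
    "2024-05-01T09:05:40Z user=bob action=approve target=payment-8801",
    "2024-05-01T10:15:03Z user=bob action=override target=payment-8802 reason=urgent",
    "2024-05-01T10:17:44Z user=bob action=override target=payment-8803 reason=urgent",
    "2024-05-01T10:21:09Z user=bob action=override target=payment-8804 reason=urgent",
    "2024-05-02T23:48:30Z user=contractor42 action=login",
    "2024-05-02T23:52:02Z user=contractor42 action=export target=customer_db rows=250000",
]

# Constructed "last activity before this batch" table (from an earlier run).
LAST_SEEN = {
    "alice": datetime(2024, 4, 30, 17, 0, tzinfo=timezone.utc),
    "bob": datetime(2024, 4, 30, 18, 30, tzinfo=timezone.utc),
    "contractor42": datetime(2023, 6, 30, 12, 0, tzinfo=timezone.utc),
}

# Actions that count as privileged for the off-hours check (hypothetical list).
PRIVILEGED = {"approve", "override", "export"}


def parse(line):
    """Turn one 'timestamp k=v k=v' line into a dict with an aware datetime."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def find_signals(lines=LOG_LINES, last_seen=LAST_SEEN, dormant_days=90,
                 override_limit=3, override_window=timedelta(minutes=30),
                 business_hours=(7, 19)):
    """Return (kind, user, detail) tuples in the order the evidence appears."""
    seen = dict(last_seen)           # copy so the caller's table is not mutated
    overrides = defaultdict(list)    # per-user override timestamps in the window
    signals = []
    for event in (parse(line) for line in lines):
        user, ts, action = event["user"], event["ts"], event["action"]

        # 1. Dormant account becoming active: long silence, then any activity.
        previous = seen.get(user)
        if previous is not None and ts - previous > timedelta(days=dormant_days):
            signals.append(("dormant_account_active", user, ts.isoformat()))
        seen[user] = ts

        # 2. Repeated override pattern: N overrides by one user within the window.
        if action == "override":
            overrides[user] = [t for t in overrides[user] if ts - t <= override_window]
            overrides[user].append(ts)
            if len(overrides[user]) >= override_limit:
                signals.append(("repeated_override", user, ts.isoformat()))
                overrides[user] = []   # reset so one burst fires once

        # 3. Privileged action outside business hours (UTC hours, hypothetical window).
        start, end = business_hours
        if action in PRIVILEGED and not (start <= ts.hour < end):
            signals.append(("off_hours_privileged_action", user, action))
    return signals


def summarize(signals):
    """Count signals by kind: the shape of information a board pack should carry."""
    counts = defaultdict(int)
    for kind, _user, _detail in signals:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_signals()
    for signal in found:
        print(signal)
    print(summarize(found))
```

None of the constructed events is an incident on its own; each is a tolerated exception. The point is that the three findings above are visible before any loss occurs, which is what separates detecting deterioration from reporting on it afterwards.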
Boards should not need technical clutter. What they need is meaningful insight. They need to understand where risk is becoming harder to see, where exceptions are becoming more frequent, where remediation is slowing, where certain users or groups appear increasingly dominant, and where the organization may be learning too little from its own warning signs.
Near misses are important here. Repeated control failures are important. Overdue reviews are important. Long-open issues are important. They may not always rise to the level of headline incidents, but they often tell a more important story: that the environment is drifting, and that the organization is gradually becoming easier to disrupt, misuse, or circumvent.
To me, one of the clearest marks of GRC maturity is whether an organization can detect deterioration before it becomes a formal event. That is what separates retrospective administration from forward-looking oversight.
The issue is not whether the organization can report on what happened yesterday. The issue is whether it can sense, early enough, what is becoming risky today.
Culture is not separate from compliance. It is what makes compliance real
In many governance discussions, culture is treated as a softer topic — important, certainly, but somehow less concrete than policy, control, audit, or regulatory adherence.
I have never agreed with that view.
Culture is not the backdrop to compliance. It is the environment in which compliance either becomes real or becomes performative.
An organization may have clear policies and carefully designed controls, but culture determines whether those policies are respected or worked around, whether those controls are upheld or weakened by habit, whether concerns are surfaced or suppressed, and whether accountability is applied consistently or selectively. Culture shapes the practical force of every other governance mechanism.
This is why I believe boards need to engage with culture in a much more grounded way. Not as a matter of slogans or values statements, but as a matter of operational truth.
What behaviours are rewarded? What shortcuts are tolerated? Who is allowed to operate outside the norm? What happens when someone raises a difficult issue? How is challenge received? Do people believe the organization truly values integrity, or do they believe it values outcomes first and discipline second?
These are not abstract questions. They speak directly to whether the control environment is likely to hold under pressure.
Organizations rarely deteriorate ethically in sudden, dramatic leaps. More often, the decline is incremental. Exceptions are justified. Pressure is normalized. High performers are indulged. Technical experts are left unchallenged. Controls are framed as obstacles rather than safeguards. Over time, the organization becomes more tolerant of the very behaviours its frameworks claim to resist.
That is why culture sits at the heart of GRC maturity.
A strong culture does not eliminate risk. But it makes it far more likely that risk will be surfaced early, challenged appropriately, and dealt with honestly. A weak culture, by contrast, can hollow out even the best-designed governance framework from within.
To me, this is one of the deepest truths in leadership: an organization’s real control environment is not defined only by what it documents. It is defined by what it normalizes.
Internal audit and assurance must evolve with the risk environment
Boards depend on internal audit and assurance functions for independent perspective. That dependence is both necessary and appropriate. But it also requires a difficult question to be asked more often than it is: has assurance evolved fast enough to reflect the actual nature of contemporary organizational risk?
In many institutions, assurance remains strongest in traditional domains. Financial review, process adherence, sample-based control testing, policy conformance, and periodic audit cycles all remain important. But in a digitally enabled organization, that is no longer enough on its own.
Assurance must now be capable of looking deeply into access models, workflow design, exception handling, privileged activity, automated controls, change governance, digital dependencies, data integrity, and third-party operational exposure. It must be able to assess not only whether a control exists, but whether it can be bypassed, diluted, or undermined through the way the organization really operates.
This is where audit quality becomes strategically significant.
An audit function may be independent in structure and yet still limited in relevance if it cannot meaningfully interrogate the areas where modern exposure is actually growing. Similarly, a board may feel well assured because audit coverage appears extensive, while still lacking visibility into the precise areas where complexity, technology, and control design have created new forms of vulnerability.
To me, mature assurance has to do more than verify framework compliance. It has to illuminate the gap between intended control and actual control. It has to surface recurring patterns, uncomfortable truths, and unresolved weaknesses that management may be too close to fully appreciate.
And boards should watch closely not only what audit finds, but what happens after it is found.
The age of unresolved issues matters. The recurrence of similar issues matters. The seriousness with which high-risk findings are treated matters. These are not administrative details. They are indicators of how seriously the institution takes its own weaknesses.
In the end, assurance is only valuable if it helps leadership see clearly. And in a world of increasing digital complexity, clarity is no longer produced by coverage alone. It is produced by relevance, independence, and depth.
Third parties have expanded the risk perimeter
One of the defining realities of the modern enterprise is that the organization no longer ends where the org chart ends.
Critical capabilities now often sit across cloud providers, software vendors, external developers, consultants, managed service partners, contractors, data processors, offshore teams, and platform ecosystems that shape daily operations as materially as internal teams do. This has created enormous flexibility and scale. It has also fundamentally changed the perimeter of governance and control.
To me, this is one of the most underappreciated dimensions of modern GRC.
Many organizations still think of third-party risk primarily through the lens of procurement, service quality, or contractual compliance. Those things matter, of course. But they are only part of the picture. In reality, external parties now often hold access, influence, and operational significance that place them squarely inside the organization’s live risk environment.
If a third party can access sensitive systems, alter workflows, support production environments, move data, administer infrastructure, or influence the continuity of critical operations, then it is not peripheral to governance. It is part of governance.
That is why I feel strongly that accountability cannot be outsourced. Activity can be outsourced. Capability can be sourced externally. But accountability for integrity, resilience, and control remains with leadership.
Boards therefore need to understand far more than whether contracts exist and service reviews are conducted. They need to understand whether third-party access is genuinely limited, whether oversight remains active after onboarding, whether external dependencies are properly mapped, whether monitoring extends beyond internal teams, and whether the organization could respond effectively if an external partner became the weak point through which disruption, misconduct, or failure entered the enterprise.
The modern risk perimeter is porous. That is simply a fact. The role of governance is not to pretend otherwise, but to ensure that this porosity is understood, controlled, and matched by oversight that is equal to the reality of how the organization now functions.
What boards should do now
The practical implication of all this is clear: boards need to rethink GRC as a living discipline of oversight rather than a periodic discipline of review.
This begins with asking better questions. Not broader questions, but more pointed ones.
Where is real authority now sitting in the organization? Where are digital systems shaping risk more than formal structures? Where are exceptions accumulating? Where has access become too broad? Where does management rely too heavily on trust? Where are third-party dependencies most critical? Where do unresolved issues persist for too long? Where is the organization learning too little from repeated warning signs? And where, perhaps most importantly, does the board’s own line of sight remain weaker than it should be?
Boards should insist on management information that does more than reassure. It should reveal. It should connect systems, controls, culture, accountability, and exposure in a way that makes the organization’s real operating condition easier to understand. They should ask for evidence of control effectiveness, not just control existence. They should want visibility into internal exposure, not just external threat. They should expect assurance functions to keep pace with changing risk. And they should ensure that governance conversations are anchored in how the organization actually operates today, not how it once operated or how policy says it ought to operate.
In my view, this is where modern boards will increasingly distinguish themselves. Not by the volume of governance activity they oversee, but by the sharpness of the insight they demand and the seriousness with which they treat hidden exposure.
Because ultimately, GRC is not about bureaucracy. It is about institutional clarity. It is about ensuring that growth does not outpace discipline, that digital capability does not outstrip accountability, and that complexity does not become an excuse for weak oversight.
A final reflection
Rethinking governance, risk, and compliance is not an academic exercise. It is a strategic imperative.
The digitally enabled organization is faster, more connected, more ambitious, and more exposed than anything most traditional governance models were originally designed to oversee. That does not mean those models are obsolete. But it does mean they must evolve. They must become more integrated, more technology-aware, more culturally grounded, and more honest about the gap between visible structure and actual exposure.
I believe the strongest boards will be those that recognize this early. They will not reduce governance to structure, risk to reporting, or compliance to obligation. They will understand that in a complex enterprise, GRC is one of the clearest expressions of leadership maturity. It is how an organization proves that it can grow without losing discipline, modernize without weakening control, and move at speed without surrendering accountability.
In the end, governance, risk, and compliance are not merely about avoiding failure.