
Corporate Governance Failures: Lessons Internal Audit Should Apply

Kamran Iqbal, CIA, CISA, CFE, CRMA
May 2026

The history of major corporate failures — from Enron and WorldCom in the early 2000s to more recent collapses in banking, financial services, and beyond — reveals consistent patterns of governance weakness that preceded each crisis. Internal audit functions that understand these patterns are better positioned to identify warning signs in their own organisations before those signs become catastrophes.

Common Patterns in Governance Failures

Analysis of major corporate failures reveals several recurring themes that appear across different industries, time periods, and regulatory environments.

Board capture: The board, which should provide independent oversight of executive management, becomes effectively aligned with or dependent on the CEO or controlling shareholder. Signs of board capture include long-tenured directors whose appointment was controlled by the CEO, compensation committee arrangements that prioritise management relationships over shareholder interests, and board meeting dynamics where challenge to management positions is rare or unwelcome. Board capture is rarely obvious from the outside — it typically manifests as a pattern of deference rather than explicit coordination.

Concentrated power without accountability: Major corporate failures frequently involve executive leaders who accumulated authority without commensurate accountability mechanisms. When a single individual controls key information flows to the board, chairs the risk committee, and has informal authority over the compensation of the directors who are supposed to oversee them, the structural conditions for governance failure exist — regardless of how talented or well-intentioned that individual is.

Culture that suppresses bad news: Organisations where leaders respond to unwelcome information by shooting the messenger create information environments in which governance bodies cannot make well-informed decisions. When the senior team manages the information presented to the board rather than providing transparent disclosure, the board's oversight function is undermined from within.

Incentive misalignment: Compensation structures that reward short-term performance without reference to the sustainability of the results, or that create enormous payoffs for achieving specific targets regardless of how they are achieved, systematically bias management behaviour toward risk-taking and, in extreme cases, manipulation. The financial crisis of 2008 provided a stark illustration of how incentive structures at multiple levels of financial institutions collectively produced governance failure at scale.

Audit function weakness: In nearly every major corporate failure, subsequent investigations reveal that internal audit either did not examine the areas where the most serious problems were developing, or did examine them but its findings were suppressed, dismissed, or not effectively escalated to the board. This pattern reflects both the importance of a strong, independent audit function and the governance conditions — particularly a strong audit committee — that allow it to function effectively.

What Internal Audit Can Learn

Understanding these patterns should inform how internal audit approaches its risk assessment and audit planning. The structural risk factors that precede governance failure are auditable — board independence, compensation structure alignment, information quality reaching the board, culture and management behaviour, and the strength of the CAE's relationship with the audit committee.

Few audit functions explicitly include governance quality in their audit universe. Yet governance adequacy is the meta-risk that determines whether all other risks are being managed effectively. A technically excellent audit plan that ignores governance structure is examining the controls while leaving the environment in which those controls operate unexamined.

Internal audit's role in preventing governance failure is not to second-guess the board — it is to provide governance bodies with the independent information they need to exercise their oversight function effectively. When that information is accurate, complete, and honestly presented, governance bodies are better equipped to detect and respond to developing crises. When it is not, they are flying blind.

The Audit Committee Relationship as a Governance Safeguard

The single most important governance safeguard for an internal audit function is a strong, independent audit committee that understands its oversight responsibilities and actively exercises them. In major governance failures, audit committees that were technically independent on paper often failed to ask the hard questions, push back on management representations, or insist on access to information they were not being offered.

CAEs who invest in building a strong, trusting relationship with the audit committee — and who use that relationship to ensure the committee has the information it needs, not just the information management wants it to have — are performing a governance function that extends far beyond the production of audit reports.
